Akande Simpa — Lead Security Engineer & Cofounder of Simpa Labs

Akande Simpa

Lead Security Engineer & Cofounder

CEH — Certified Ethical Hacker (EC-Council)

Akande built Simpa Labs after years of building and breaking fintech applications in the Nigerian market. His background is engineering first: he's written the payment flows, session management systems, and API authorization layers that he now tests for clients. That builder context is what separates his approach from auditors who understand security theory but have never shipped production code.

His testing methodology is shaped by a simple observation: the vulnerabilities that cost Nigerian fintechs real money are rarely the ones that show up in scanner reports. They live in business logic, in the assumptions between services, and in the race conditions that only surface under concurrent load. Finding them requires thinking like an engineer who understands how the product works, then systematically breaking every assumption the code relies on.

Primary focus areas

Payment flow exploitation
Authentication chain testing
API authorization boundaries
Race condition analysis
KYC/BVN bypass testing
Webhook integrity validation
Fintech only: Every engagement is a financial product.
Manual first: No scanner-driven testing methodology.
Builder background: Has built what he now breaks.

Engineering philosophy

Why we stay small

Scaling a security testing firm usually means hiring junior analysts and training them with checklists. That works for vulnerability assessments. It does not work for manual penetration testing of financial applications where a missed race condition can cost a client millions of naira. We stay small so every engagement gets senior-level attention from start to report.

A conversation with Akande Simpa

On fintech security in Nigeria, what goes wrong in most pentests, and how to evaluate vendors.

What made you start a security firm focused exclusively on Nigerian fintech?

I kept seeing the same pattern: fintech startups raising funding, shipping fast, and hiring a generic security firm for the compliance checkbox. The reports would come back clean because nobody tested the business logic, just the surface. A company processing millions in daily transactions would get the same test as a WordPress blog. I started Simpa Labs because fintech security requires understanding how money moves through software. You can't test a payment flow if you've never built one.

What's the most common vulnerability you find in Nigerian fintech applications?

Broken access control. Almost every first-time engagement. The application works perfectly from the UI, but the API behind it doesn't enforce ownership checks. A customer can pull another customer's transaction history by changing an ID parameter. A deactivated agent can still process transactions because the status check only happens at login, not at execution. These aren't exotic zero-days. They're logic mistakes that scanners can't detect because they don't understand what the application is supposed to do.
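The two mistakes described in this answer, an ID parameter trusted without an ownership check and an account status checked only at login, are easy to show side by side with their fixes. The example below is added here for illustration; it is not Simpa Labs' code or a client's, and the users, transactions, and the `Session`, `login`, and handler functions are constructed stand-ins for a fintech API.

```python
"""Added illustration of the two access-control mistakes described above:
an ID parameter that is trusted without an ownership check, and a status
check that runs only at login. All data here is constructed sample data."""
from dataclasses import dataclass
from typing import Dict


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the operation."""


@dataclass
class Session:
    """What the API sees after authentication: who is calling, and as what role."""
    user_id: str
    role: str  # "customer" or "agent"


# Constructed sample state. In a real service these are database rows.
USERS: Dict[str, Dict[str, bool]] = {
    "cust-1": {"active": True},
    "cust-2": {"active": True},
    "agent-7": {"active": True},
}
TRANSACTIONS: Dict[str, Dict[str, object]] = {
    "tx-100": {"owner": "cust-1", "amount": 5000},
    "tx-101": {"owner": "cust-2", "amount": 12000},
}


def login(user_id: str, role: str) -> Session:
    """Status is checked here, once, when the session is created."""
    if not USERS[user_id]["active"]:
        raise Forbidden("account is deactivated")
    return Session(user_id=user_id, role=role)


# --- Vulnerable: the ID in the request is trusted as-is --------------------
def get_transaction_vulnerable(session: Session, tx_id: str) -> Dict[str, object]:
    """Any authenticated caller can read any transaction by changing tx_id."""
    return TRANSACTIONS[tx_id]


# --- Fixed: ownership is part of the lookup --------------------------------
def get_transaction(session: Session, tx_id: str) -> Dict[str, object]:
    """Scope the lookup to the caller. A foreign ID and a missing ID look the
    same to the caller, so the endpoint cannot be used to enumerate IDs."""
    tx = TRANSACTIONS.get(tx_id)
    if tx is None or tx["owner"] != session.user_id:
        raise Forbidden("transaction not found")
    return tx


# --- Vulnerable: status was checked at login, so the session is trusted ----
def process_transaction_vulnerable(session: Session, amount: int) -> bool:
    """A deactivated agent with a still-valid session gets through here."""
    return session.role == "agent"


# --- Fixed: re-read the principal's current status at execution time -------
def process_transaction(session: Session, amount: int) -> bool:
    """Authorization is decided from current state, not from the login moment."""
    if session.role != "agent" or not USERS[session.user_id]["active"]:
        raise Forbidden("agent is not permitted to transact")
    return True


def can_read(handler, session: Session, tx_id: str) -> bool:
    """True if the handler returns the transaction, False if it refuses."""
    try:
        handler(session, tx_id)
        return True
    except (Forbidden, KeyError):
        return False


def can_process(handler, session: Session, amount: int) -> bool:
    """True if the handler posts the transaction, False if it refuses."""
    try:
        return handler(session, amount)
    except Forbidden:
        return False


def deactivated_agent_demo() -> Dict[str, bool]:
    """Agent logs in while active, is deactivated, then tries to transact."""
    agent = login("agent-7", "agent")
    USERS["agent-7"]["active"] = False  # operations deactivates the agent mid-session
    result = {
        "vulnerable": can_process(process_transaction_vulnerable, agent, 20000),
        "fixed": can_process(process_transaction, agent, 20000),
    }
    USERS["agent-7"]["active"] = True  # restore the constructed sample state
    return result


if __name__ == "__main__":
    customer = login("cust-1", "customer")
    print(can_read(get_transaction_vulnerable, customer, "tx-101"))  # True: reads another customer's record
    print(can_read(get_transaction, customer, "tx-101"))             # False
    print(deactivated_agent_demo())  # {'vulnerable': True, 'fixed': False}
```

Two details of the fix matter in practice: the ownership predicate belongs in the lookup itself (in SQL, a `WHERE owner_id = :caller` clause) rather than in a check after the fetch, and the execution-time status check reads current account state rather than anything cached in the session or token. Returning the same "not found" response for foreign and missing IDs also stops the endpoint being used to confirm which IDs exist.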

How do you approach testing differently from larger cybersecurity firms?

We don't have a SOC, a GRC team, or a compliance consulting wing. All of that creates incentive misalignment. A firm that sells you monitoring has an incentive to find things that need monitoring, not things that need fixing. We only do one thing: test applications manually and give your engineering team findings they can act on this sprint. Every engagement is scoped to your actual product surface, your specific user roles, and the integrations that matter for your business.

What does a typical week of testing look like for your team?

Day one is mapping. We walk through the entire application as every user role, documenting every endpoint, every state transition, every trust boundary. Days two through four are exploitation. We're testing authentication chains, authorization boundaries, payment flows, and integration surfaces. Racing withdrawal requests against each other, chaining session weaknesses into account takeover paths, testing what happens when your KYC provider returns unexpected data. The final days are documentation and report writing. Every finding gets severity, proof-of-concept, business impact, and a fix your engineers can merge.
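The withdrawal race mentioned in this answer is a check-then-write window: the application reads a balance, checks it, and then writes back the value it read, so two requests that both pass the check both succeed. The example below is added here for illustration and is not Simpa Labs' tooling; it replays that interleaving deterministically against an in-memory SQLite ledger (the account id, balances and the generator-based scheduler that stands in for concurrent requests are all constructed for the example) and shows the conditional-update fix beside it.

```python
"""Added illustration of the withdrawal race described above, replayed
deterministically against an in-memory SQLite ledger. The account, the
amounts and the scheduler are constructed for the example."""
import sqlite3
from typing import Callable, Generator, List, Tuple

ACCOUNT = "acct-001"  # constructed sample account id
Request = Generator[None, None, bool]  # a request that may pause once, then returns approved/denied


def new_ledger(opening_balance: int) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    conn.execute("INSERT INTO accounts (id, balance) VALUES (?, ?)", (ACCOUNT, opening_balance))
    return conn


def balance_of(conn: sqlite3.Connection, acct: str) -> int:
    return conn.execute("SELECT balance FROM accounts WHERE id = ?", (acct,)).fetchone()[0]


# --- Vulnerable: check in application code, then write back what was read ---
def withdraw_racy(conn: sqlite3.Connection, acct: str, amount: int) -> Request:
    """The `yield` marks the window between the check and the write. Under
    concurrent load a second request runs in that window and passes its own
    check against the same, now stale, balance."""
    bal = balance_of(conn, acct)
    if bal < amount:
        return False
    yield
    conn.execute("UPDATE accounts SET balance = ? WHERE id = ?", (bal - amount, acct))
    return True


# --- Fixed: check and debit in one conditional statement --------------------
def withdraw_atomic(conn: sqlite3.Connection, acct: str, amount: int) -> Request:
    """The predicate is evaluated by the database at write time, so a second
    debit that would overdraw the account matches zero rows and is rejected."""
    yield  # a scheduling point before the statement changes nothing
    cur = conn.execute(
        "UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?",
        (amount, acct, amount),
    )
    return cur.rowcount == 1


def run_interleaved(requests: List[Request]) -> List[bool]:
    """Round-robin scheduler: every request advances one step before any of
    them finishes, which is the interleaving a burst of parallel requests
    produces against a real server."""
    results: List[bool] = [False] * len(requests)
    pending = list(enumerate(requests))
    while pending:
        still_running = []
        for idx, gen in pending:
            try:
                next(gen)
                still_running.append((idx, gen))
            except StopIteration as finished:
                results[idx] = finished.value
        pending = still_running
    return results


def replay(withdraw: Callable[..., Request], opening: int, amount: int, parallel: int) -> Tuple[int, int]:
    """Fire `parallel` withdrawals of `amount` at once.
    Returns (number of approved withdrawals, final ledger balance)."""
    conn = new_ledger(opening)
    approved = run_interleaved([withdraw(conn, ACCOUNT, amount) for _ in range(parallel)])
    return sum(approved), balance_of(conn, ACCOUNT)


if __name__ == "__main__":
    # Two withdrawals of the full balance: the racy handler pays out twice, the atomic one once.
    print(replay(withdraw_racy, 100, 100, 2))    # (2, 0): 200 paid out of a 100 balance
    print(replay(withdraw_atomic, 100, 100, 2))  # (1, 0)
```

When testing a real endpoint the equivalent is firing the same withdrawal request many times within a few milliseconds and comparing the sum of approved amounts against the balance movement. On the fix side, the rowcount check is the important part: a conditional `UPDATE ... WHERE balance >= :amount` (or a row lock with `SELECT ... FOR UPDATE` inside a transaction) makes the check and the debit a single step, and an idempotency key per withdrawal request stops a retried request from debiting twice.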

What should a CTO look for when evaluating a pentest firm?

Three things. First, ask who is actually testing. If the firm can't name the tester and their certifications, that's a problem. Second, ask for a redacted sample report. The depth of findings tells you whether they test manually or run Nessus and reformat the output. Third, ask if retesting is included. A firm that charges extra for retesting sees the engagement as a transaction, not a partnership. The retest is how you verify the work actually improved your security posture.

How do you see fintech security evolving in Nigeria over the next few years?

The CBN's 2024 cybersecurity framework raised the bar, and the NDPA added real financial penalties for data mishandling. That's positive pressure. But the biggest shift I see is founders treating security as a product quality metric rather than a compliance cost. The fintechs that will win trust and scale are the ones that can demonstrate to investors, regulators, and enterprise partners that their application has been tested by someone who knows how to break it, not just someone who knows how to scan it.

Work with Akande and the Simpa Labs team on your next security engagement.

Start a Conversation

Related

Learn why Nigerian fintechs choose Simpa Labs, explore our penetration testing service, or read about the tools and methodology behind our engagements. If you're a startup evaluating your first security review, see our startup-specific engagement model.