📧 info@ciso.sa | 📱 +966550939344 | Riyadh, Kingdom of Saudi Arabia
Help Center

Frequently Asked Questions

Find answers to your questions about cybersecurity and the CISO Consulting platform


Penetration Testing (39)

Yes. Both SAMA CSF and NCA ECC require periodic penetration testing. SAMA requires at least annual penetration testing of critical systems, applications, and infrastructure. NCA ECC similarly mandates regular vulnerability assessments and penetration tests. Results must be documented and remediation tracked.
Under SAMA CSF Control 3.3.6 (Vulnerability Assessment and Penetration Testing), Saudi banks and financial institutions are required to conduct penetration testing as part of a structured vulnerability management program. Here are the key requirements:

**Frequency:**
- External penetration testing: At minimum annually, and after any significant infrastructure change
- Internal network penetration testing: At least once per year
- Application-level testing (including internet-facing banking apps): Annually or post major releases

**Scope Requirements:**
- Tests must cover critical assets including core banking systems, payment infrastructure, and internet-facing applications
- Social engineering and phishing simulations should be included as part of a holistic assessment
- Red team exercises are encouraged for mature security programs

**Methodology & Documentation:**
- Testing must follow a recognized methodology such as PTES, OWASP, or NIST SP 800-115
- All findings must be formally documented, risk-rated, and tracked through to remediation
- SAMA expects evidence of remediation timelines and sign-off by senior management

**Third-Party Testers:**
- SAMA CSF recommends using qualified, independent third-party testers to ensure objectivity
- Testers should hold relevant certifications (OSCP, CREST, CEH)

**Practical Tip:** Align your penetration testing schedule with your annual SAMA CSF self-assessment cycle to ensure findings feed directly into your compliance reporting. Maintain a dedicated vulnerability register and present remediation status in CISO board reports.

Under SAMA CSF Control Domain 3.3 (Cybersecurity Risk Management) and specifically Control 3.3.2, Saudi banks and financial institutions are required to conduct regular penetration testing as part of their vulnerability management program. SAMA mandates at minimum an annual external penetration test, with internal penetration testing also required on at least an annual basis. However, best practice — and what most SAMA examiners expect — is semi-annual testing for Tier 1 institutions, and after any major infrastructure change.

Key requirements include:

**Scope:** Tests must cover external-facing systems, internal networks, web and mobile banking applications, APIs, and increasingly, cloud environments.

**Methodology:** SAMA expects testing to follow recognized methodologies such as OWASP, PTES, or NIST SP 800-115. Tests should include both automated scanning and manual exploitation attempts.

**Testers:** Engagements should be conducted by qualified third-party firms (not internal teams alone) with demonstrable credentials such as OSCP, CREST, or equivalent certifications.

**Remediation Tracking:** Findings must be risk-rated, remediated within defined SLAs (critical findings typically within 15–30 days), and validated through re-testing. All results must be formally reported to the CISO and Board Risk Committee.

**NCA ECC Alignment:** NCA ECC Article 2-7 (Cybersecurity Assessment) reinforces penetration testing obligations for critical national infrastructure entities, which includes licensed financial institutions.

Practical tip: Maintain a penetration testing register within your GRC platform, tracking scope, findings, remediation status, and attestation sign-offs to demonstrate compliance during SAMA regulatory examinations.

Penetration testing is a mandatory control under both SAMA CSF (Domain 4 – Cybersecurity Operations, Control 4.3) and NCA ECC (Article 3-14), and must be conducted with a structured, risk-based approach.

**Frequency & Scope:** SAMA CSF requires financial institutions to perform penetration tests at least annually, and after any significant infrastructure change. Tests must cover external-facing systems, internal networks, critical applications, and payment systems. NCA ECC extends this to include OT/ICS environments where applicable.

**Methodology:** Tests should follow recognized frameworks such as PTES, OWASP (for web applications), or TIBER-EU adapted for Saudi context. All test phases — reconnaissance, exploitation, post-exploitation, and reporting — must be documented.

**Authorization & Governance:** A formal Rules of Engagement (RoE) document must be signed before testing begins, clearly scoping in-bounds and out-of-bounds systems. SAMA expects board-level visibility on penetration testing outcomes.

**Vendor Requirements:** Third-party penetration testing vendors must meet SAMA CSF's third-party assurance criteria. Firms should hold recognized certifications such as CREST, OSCP, or equivalent. NCA-approved vendors are preferred for government-linked entities.

**Remediation Tracking:** Findings must be risk-rated (Critical, High, Medium, Low) and tracked through a formal remediation plan with defined SLAs. SAMA expects retesting of critical findings within 30 days.

**Reporting:** Executive summaries should be presented to senior management and the CISO, with detailed technical reports retained for regulatory review upon request.

Our platform helps teams manage the full pentest lifecycle — from vendor selection and scoping to finding remediation tracking aligned with SAMA and NCA expectations.

Under SAMA CSF Control 3.3.8 (Vulnerability Management) and Control 3.3.9 (Penetration Testing), Saudi banks are required to conduct structured penetration testing as part of their cybersecurity assurance program. Key requirements include:

**Frequency:** External penetration tests must be performed at least annually, while critical systems and internet-facing infrastructure should be tested more frequently — ideally every six months or after significant changes.

**Scope:** Tests must cover network infrastructure, web applications, mobile banking platforms, APIs, and internal segmentation controls. Social engineering and physical security assessments are strongly recommended.

**Methodology:** SAMA expects tests to follow internationally recognized methodologies such as OWASP, PTES, or NIST SP 800-115. All findings must be risk-rated and tracked through formal remediation workflows.

**Third-Party Testers:** SAMA CSF recommends using qualified independent testers for external assessments. Testers should hold recognized certifications (e.g., OSCP, CREST, CEH).

**Reporting & Remediation:** Critical and high-severity findings must be remediated within defined SLAs — typically 30 days for critical vulnerabilities. Results must be reported to the CISO and Board Risk Committee.

**Regulatory Reporting:** Significant vulnerabilities discovered during testing may trigger mandatory notification obligations, especially if they expose customer data, potentially intersecting with PDPL breach notification requirements.

Banks should maintain a penetration testing register and integrate results into their overall risk register to demonstrate continuous compliance during SAMA regulatory examinations.

Saudi financial institutions must conduct penetration testing as a core component of their cybersecurity assurance program. Under SAMA CSF Control 3.3.5, member organizations are required to perform regular penetration tests covering network infrastructure, applications, and critical systems—at minimum annually, and after any significant change to the environment. NCA ECC Article 2-14 similarly mandates ethical hacking exercises to validate the effectiveness of implemented controls.

Key requirements include:

**Scope Definition:** Tests must cover external perimeter, internal network segments, web and mobile banking applications, APIs, and SWIFT infrastructure where applicable.

**Qualified Testers:** Engagements should be conducted by certified professionals (OSCP, CEH, GPEN) from approved vendors, with clear scoping agreements and rules of engagement signed before testing begins.

**Methodology:** Follow a structured methodology such as PTES or OWASP Testing Guide. Social engineering and phishing simulations are strongly encouraged to test human controls.

**Reporting & Remediation:** Findings must be risk-rated, reported to senior management, and tracked to closure. SAMA CSF requires documented evidence of remediation for critical and high findings within defined SLAs.

**Red Team Exercises:** For Tier-1 banks, full-scope red team operations (simulating advanced persistent threats) are recommended at least every two years to satisfy the spirit of SAMA's continuous assurance requirements.

All penetration test reports and remediation records should be retained for regulatory review and presented during SAMA onsite examinations. Integrating pentest findings into your risk register ensures traceability across your GRC platform.

Under SAMA CSF Control 3.3.5 (Vulnerability Management) and Control 3.3.6 (Penetration Testing), Saudi banks and financial institutions are required to conduct structured penetration tests at defined intervals — at minimum annually, and additionally following any major infrastructure change, new product launch, or significant system upgrade.

Key requirements include:

**Scope:** Tests must cover external-facing assets, internal network segments, web applications, mobile banking platforms, APIs, and critical backend systems such as core banking and payment infrastructure.

**Methodology:** Engagements should follow recognized methodologies such as OWASP for applications, PTES, or TIBER-EU (adapted for Saudi context). Tests must include both black-box and gray-box scenarios.

**Qualified Testers:** SAMA expects tests to be conducted by qualified third-party providers or a sufficiently independent internal red team. Testers should hold recognized certifications such as OSCP, CREST, or CEH.

**Reporting & Remediation:** Post-test, findings must be formally documented with severity ratings (CVSS scoring recommended), root-cause analysis, and a tracked remediation plan. Critical and high findings typically require remediation within 30–90 days depending on SAMA's risk classification.

**Evidence Retention:** Reports and remediation evidence must be retained and made available to SAMA during regulatory examinations.

Practically, your platform should maintain a penetration testing calendar, track open findings against SLA timelines, and generate evidence packages for auditor review. Integrating pentest findings into your risk register ensures they feed into SAMA's broader risk management cycle.

Saudi financial institutions are required to conduct regular penetration testing as a core component of their cybersecurity assurance programs. Under SAMA CSF Control 3.3.6, member organizations must perform penetration testing at least annually and after any significant infrastructure change. NCA ECC-1:2018 Article 3-7 reinforces this by mandating vulnerability assessments and ethical hacking exercises for critical systems.

Key requirements include:

**Scope & Methodology:** Tests must cover external perimeter, internal networks, web applications, APIs, and mobile banking platforms. Methodology should align with industry standards such as OWASP and PTES.

**Qualified Testers:** Engagements must be conducted by certified professionals (OSCP, CEH, or equivalent) from vendors with demonstrable financial-sector experience. SAMA expects independence — internal teams should not test their own systems without oversight.

**Reporting & Remediation:** All critical and high findings must be remediated within defined SLAs — typically 30 days for critical vulnerabilities. Results must be documented and presented to the board-level cybersecurity committee.

**Red Team Exercises:** For Tier-1 banks and systemically important institutions, SAMA increasingly expects threat-led penetration testing (TLPT) inspired by frameworks like TIBER-EU, simulating advanced persistent threat (APT) scenarios.

**Retesting:** After remediation, retesting is mandatory to confirm closure of vulnerabilities.

Practical tip: Maintain a penetration testing register that tracks scope, findings, remediation status, and retest outcomes. This register serves as critical evidence during SAMA regulatory examinations and NCA audits, demonstrating a proactive and structured approach to offensive security assurance.

Under SAMA CSF Control Domain 3.3 (Cybersecurity Operations), Saudi banks and financial institutions are required to conduct regular penetration testing as part of their vulnerability management and threat assessment programs. Here are the key requirements:

**Frequency Requirements:**
- External penetration tests: At minimum annually, or after any significant infrastructure change
- Internal network penetration tests: At minimum annually
- Application-level testing (web, mobile, API): Before major releases and at least once per year
- Red team exercises: Recommended every 18–24 months for Tier 1 institutions

**Scope Considerations:** Tests must cover internet-facing systems, core banking platforms, payment infrastructure, and SWIFT environments. Per SAMA CSF Control 3.3.5, identified vulnerabilities must be remediated within defined SLAs based on severity: Critical (15 days), High (30 days), Medium (90 days).

**Tester Qualification:** SAMA expects tests to be performed by qualified and independent parties. Internal teams may conduct routine assessments, but external, independent testers are required for annual formal engagements. Testers should hold recognized certifications such as OSCP, CEH, or CREST.

**Reporting & Governance:** Penetration test results must be formally documented, reviewed by the CISO, and reported to the Board Risk Committee where material findings exist. Retesting must confirm remediation effectiveness.

**NCA ECC Alignment:** NCA ECC Article 2-12 also mandates technical vulnerability assessments, so aligning your pentest program satisfies both frameworks simultaneously, reducing compliance overhead significantly.

Under SAMA CSF Control 3.3.7 (Vulnerability Management), Saudi banks and financial institutions are required to conduct regular penetration testing as part of a comprehensive vulnerability management program. SAMA mandates at minimum an annual external penetration test, with internal assessments recommended bi-annually. For critical internet-facing systems and core banking platforms, more frequent testing is strongly advised.

Key requirements include:

**Scope**: Tests must cover external perimeters, internal networks, web applications, mobile banking apps, APIs, and social engineering vectors. ATM infrastructure and payment switching systems require dedicated assessments.

**Methodology**: Engagements should follow recognized frameworks such as PTES, OWASP WSTG, or TIBER-SA (the Saudi adaptation of threat intelligence-based ethical red teaming).

**Provider Qualification**: Testers must hold relevant certifications (OSCP, CREST, CEH) and ideally be accredited by NCA or SAMA-recognized bodies. Avoid using internal staff for external assessments to maintain objectivity.

**Reporting & Remediation**: All critical and high findings must be remediated within 30 days per SAMA CSF expectations. A formal remediation tracking register should be maintained and reviewed by the CISO.

**Board Reporting**: Results must be escalated to the Board-level Risk Committee or equivalent, per SAMA CSF governance requirements (Control 3.1.4).

Beyond SAMA, NCA ECC Article 2-5 also requires vulnerability assessments and red team exercises for entities classified as critical national infrastructure. Aligning both frameworks in a unified pentest schedule reduces duplication and demonstrates mature security governance to regulators.

Saudi financial institutions are required to conduct regular penetration testing as a core component of their cybersecurity assurance programs. Under SAMA CSF Control 3.3.5, member organizations must perform threat-led penetration testing at least annually, and after any significant infrastructure or application change. NCA ECC Article 2-7 similarly mandates vulnerability assessments and penetration tests as part of ongoing technical security evaluations.

Key requirements include:

**Scope Definition:** Tests must cover external-facing systems, internal networks, critical applications (including mobile banking and payment platforms), and API endpoints.

**Qualified Testers:** Engagements must be conducted by certified professionals (e.g., OSCP, CREST, CEH) or approved third-party security firms. SAMA expects institutions to verify vendor credentials before engagement.

**Methodology:** Tests should follow recognized frameworks such as PTES or OWASP for web/API testing. Results must be documented with CVSS-scored findings, proof-of-concept evidence, and remediation timelines.

**Remediation Tracking:** Critical and high findings must be remediated within defined SLAs — typically 30 days for critical vulnerabilities per SAMA expectations. Evidence of remediation must be retained for audit purposes.

**Reporting to Board/Senior Management:** Summarized results should be escalated to the CISO and board-level risk committees as part of cybersecurity KPI reporting.

**Retesting:** A formal retest must validate that identified vulnerabilities have been effectively closed before sign-off.

Financial institutions should also consider Threat-Led Penetration Testing (TLPT) frameworks like TIBER-SA, which SAMA has been aligning with for advanced institutions. Maintaining a penetration testing register with dates, scope, findings, and remediation status is considered best practice and will be reviewed during SAMA regulatory inspections.

Penetration testing for Saudi fintechs must satisfy both SAMA CSF Control 3.4.5 (Vulnerability and Penetration Testing) and NCA ECC Control 2-8 (Technical Vulnerability Management). Here is a structured compliance-driven approach:

1. **Frequency Requirements** — SAMA CSF mandates external penetration testing at least annually and after significant infrastructure changes. Internal testing should occur semi-annually. NCA ECC aligns with this cadence for Critical National Infrastructure-adjacent entities.
2. **Scope Definition** — Tests must cover external-facing applications, APIs, mobile banking apps, internal network segments, and social engineering vectors. For fintechs handling payment data, cardholder environment testing may also trigger PCI DSS scope considerations.
3. **Qualified Testers** — SAMA expects tests to be performed by independent, qualified personnel. Internally, testers should hold certifications such as OSCP, CEH, or GPEN. External providers should demonstrate familiarity with Saudi regulatory expectations.
4. **Reporting Standards** — Reports must include executive summaries, technical findings categorized by CVSS severity, evidence screenshots, and remediation roadmaps with defined SLAs. SAMA examiners will review these reports during assessments.
5. **Remediation Tracking** — Critical and High findings must be remediated within 30 days per SAMA CSF expectations, with evidence of closure documented.
6. **Retesting** — Conduct mandatory retesting after critical vulnerability remediation to confirm closure.

Maintain a penetration testing register with historical results to demonstrate program maturity to regulators and auditors.

Under SAMA CSF Control 3.3.5 (Vulnerability Assessment and Penetration Testing), Saudi banks and financial institutions are required to conduct structured penetration testing as part of their broader cybersecurity assurance program. Here are the key requirements and practical guidance:

**Frequency Requirements:**
- External penetration tests: At minimum annually, and after any significant infrastructure or application change
- Internal penetration tests: At least once per year
- Red team exercises: Recommended every 18–24 months for mature security programs

**Scope Considerations:** Tests must cover internet-facing systems, core banking applications, SWIFT environments, mobile banking apps, and internal network segments. API security testing is increasingly critical for fintechs.

**Vendor Qualification:** SAMA expects tests to be conducted by qualified third-party providers with demonstrable certifications (OSCP, CREST, CEH) or by a sufficiently independent internal red team. Results must not be self-assessed without independent validation.

**Reporting and Remediation:** Findings must be formally documented, risk-rated (Critical/High/Medium/Low), and remediated within defined SLAs — Critical findings typically within 15–30 days. Evidence of remediation must be retained for audit purposes.

**NCA ECC Alignment:** NCA ECC Article 2-10 on cybersecurity testing reinforces these requirements for entities under NCA scope, including financial sector entities dual-regulated by both SAMA and NCA.

**Practical Tip:** Integrate penetration test findings into your risk register and track them through your GRC platform to demonstrate continuous compliance posture to SAMA examiners during regulatory reviews.

Saudi banks must conduct penetration testing as a core component of their cybersecurity assurance program, with obligations rooted in both SAMA CSF Control 3.3.7 and NCA ECC Domain 2-7. Here is what compliance teams need to know:

**Frequency and Scope:**
- SAMA CSF requires at least annual penetration testing for critical systems, with additional testing after significant infrastructure changes.
- NCA ECC mandates testing across internal networks, external-facing applications, and critical assets.

**Methodology Requirements:**
- Tests must follow recognized methodologies such as PTES, OWASP, or TIBER-EU for threat-led exercises.
- Both black-box and gray-box approaches should be included depending on asset criticality.

**Tester Qualifications:**
- Testers must be independent — either a qualified internal red team or an accredited third-party firm.
- Preferred certifications include OSCP, CEH, and CREST, with the testing firm ideally registered with NCA-approved service providers.

**Reporting and Remediation:**
- A formal report must document findings by severity (Critical, High, Medium, Low).
- SAMA expects remediation of critical and high findings within defined SLAs — typically 30 days for critical vulnerabilities.
- Evidence of remediation must be retained for audit purposes.

**Regulatory Submission:**
- Summary results and remediation status may be required during SAMA examinations.
- NCA assessments may also request penetration test reports as part of ECC compliance evidence.

Practical tip: Maintain a penetration testing register that tracks scope, findings, remediation deadlines, and closure evidence. This significantly simplifies regulatory examination cycles.

A Vulnerability Assessment (VA) identifies and classifies security weaknesses in systems without actively exploiting them — it tells you what vulnerabilities exist. A Penetration Test (PT) goes further by actively attempting to exploit discovered vulnerabilities to determine the real-world impact — it tells you what an attacker could actually achieve. For regulatory compliance, both are often required.
For SAMA-regulated institutions, at minimum annually for all critical systems. For NCA ECC entities, at least annually. Best practice recommends: external PT annually, internal PT annually, web application PT for every major release, red team exercises every 1–2 years, and continuous vulnerability scanning.
Under SAMA CSF Control 3.3.5 (Vulnerability Management), Saudi banks and financial institutions are required to conduct penetration testing as part of a broader vulnerability management program. At a minimum, external penetration tests must be performed annually, while internal tests and application-level assessments are recommended at least once per year or after any significant infrastructure or application change.

Key requirements include:

**Scope:** Testing must cover external-facing systems, internal networks, critical applications (including mobile banking and APIs), and any newly deployed cloud infrastructure.

**Methodology:** Tests should follow recognized methodologies such as OWASP for web/API testing, PTES, or NIST SP 800-115 guidelines. Red team exercises simulating advanced persistent threats (APTs) are strongly recommended for Tier-1 banks.

**Qualified Testers:** Engagements must be conducted by qualified, independent professionals — either internal teams with proper segregation or NCA-licensed third-party providers.

**Reporting & Remediation:** A formal remediation plan must be produced post-assessment, with critical and high findings remediated within defined SLAs (typically 30 days for critical findings). Evidence of remediation must be documented for regulatory review.

**NCA Alignment:** NCA ECC Article 2-7 also mandates technical assessments including penetration testing for entities under its scope, requiring findings to be tracked through a formal risk register.

Best practice recommendation: Integrate penetration testing results into your GRC platform to automatically update risk ratings, trigger remediation workflows, and generate audit-ready reports ahead of SAMA and NCA regulatory examinations.

Under SAMA CSF Control 3.3.6 (Vulnerability Management), Saudi banks and financial institutions are required to conduct penetration testing as part of a structured vulnerability management program. The framework mandates at minimum an annual external and internal penetration test, with additional tests triggered by significant infrastructure changes, new system deployments, or post-incident reviews.

Key requirements include:

**Scope:** Tests must cover external-facing assets, internal network segments, web applications, APIs, and critical banking systems such as core banking platforms and payment gateways.

**Methodology:** Engagements should follow recognized methodologies such as PTES, OWASP Testing Guide, or NIST SP 800-115 to ensure consistency and thoroughness.

**Qualified Testers:** SAMA expects tests to be performed by qualified, independent parties — either certified internal teams (OSCP, CEH, CREST) or approved external vendors. Independence is critical; the testing team must not have been involved in building or maintaining the tested systems.

**Reporting & Remediation:** Findings must be formally documented with risk ratings (Critical, High, Medium, Low), root cause analysis, and actionable remediation guidance. SAMA CSF requires that critical and high findings be remediated within defined SLAs — typically 30 days for critical vulnerabilities.

**Evidence for Audits:** All penetration test reports, remediation evidence, and retesting results must be retained and made available to SAMA examiners upon request.

Practical tip: Align your penetration testing calendar with your annual SAMA CSF self-assessment cycle so that test results can directly inform your compliance posture and risk register updates.

Under SAMA CSF Control Domain 3.3 (Vulnerability Assessment and Penetration Testing), Saudi banks and financial institutions are required to conduct structured penetration testing as part of their ongoing cybersecurity assurance program. Key requirements include:

**Frequency:** External penetration tests must be performed at least annually, while critical systems and internet-facing applications should be tested after any significant change or major release. Internal network penetration testing is also required on a periodic basis.

**Scope:** Tests must cover external perimeter, internal network segments, web applications (including mobile banking apps), and APIs. Social engineering assessments may also be included.

**Methodology:** SAMA expects tests to follow recognized methodologies such as OWASP Testing Guide, PTES, or NIST SP 800-115. Findings must be risk-rated and tracked to remediation.

**Third-Party Testers:** SAMA recommends engaging qualified, independent external parties for penetration testing to ensure objectivity. Internal red team exercises can supplement but should not replace external assessments.

**Remediation & Reporting:** Critical and high findings must be remediated within defined SLAs — typically 30 days for critical vulnerabilities. Results must be documented and reported to senior management and the board's audit or risk committee.

**NCA ECC Alignment:** NCA ECC Article 2-7 also mandates vulnerability assessments and penetration testing for critical national infrastructure operators, including banks classified under CNI.

Practical tip: Build a penetration testing calendar aligned to your change management cycle, ensuring post-deployment tests are triggered automatically for high-risk system changes.

Under SAMA CSF Control Domain 3.3 (Cybersecurity Assessment), Saudi banks and financial institutions are required to conduct regular penetration testing as part of their broader vulnerability management and assurance program. Key requirements include:

**Frequency**: External penetration tests must be performed at least annually, while critical internet-facing systems and core banking platforms should be tested more frequently — ideally semi-annually or after any significant infrastructure change.

**Scope**: Tests must cover network infrastructure, web applications, mobile banking apps, internal systems, and social engineering vectors. SAMA expects tests to simulate realistic threat actor behavior relevant to the financial sector.

**Methodology**: Tests should follow recognized methodologies such as OWASP, PTES, or NIST SP 800-115. Both black-box and gray-box approaches are acceptable, but gray-box is generally preferred for depth.

**Qualified Testers**: Engagements must be conducted by qualified third parties or an internal red team with demonstrable competency. Certifications such as OSCP, CREST, or CEH are commonly referenced.

**Remediation Tracking**: All critical and high findings must be remediated within defined SLAs (typically 30–60 days for critical), with evidence documented for SAMA examination.

**Reporting to Board**: Per SAMA CSF Control 3.1, significant security findings from penetration tests must be escalated to senior management or the board's risk committee.

Complement your penetration testing program with NCA ECC Article 2-4 controls around vulnerability assessments to ensure dual-framework alignment and avoid gaps during regulatory inspections.

Saudi financial institutions are required to conduct regular penetration testing as part of their cybersecurity assurance activities. Under SAMA CSF subdomain 3.3.17 (Vulnerability Management), member organizations must perform penetration testing at least annually, covering both internal and external attack surfaces, including web applications, APIs, network infrastructure, and critical business systems. NCA ECC-1:2018 control 2-11 (Penetration Testing) further mandates periodic penetration tests as part of a continuous cybersecurity evaluation cycle.

Practically, your penetration testing program should include:

- **Scope definition**: Cover internet-facing assets, internal networks, SWIFT environments, mobile banking apps, and OT/IoT where applicable.
- **Methodology**: Align with recognized standards such as PTES and OWASP; for threat intelligence-led testing, SAMA's Financial Entities Ethical Red Teaming (FEER) framework follows the TIBER-EU model.
- **Qualified testers**: Use certified professionals (OSCP, CREST, or equivalent), ideally from a third-party firm independent of your IT team.
- **Remediation tracking**: All critical and high findings must have documented remediation plans with defined SLAs, typically 30 days for critical issues.
- **Reporting to governance**: Results and remediation status should be reported to the CISO and Board Risk Committee as part of cybersecurity KPI reporting.

Financial institutions undergoing SAMA CSF maturity assessments will be evaluated on the frequency, depth, and follow-up quality of their penetration testing activities. Failing to demonstrate a mature testing program is one of the most common gaps identified during SAMA examinations. Integrating pentest findings into your risk register and vulnerability management workflow supports continuous improvement and audit readiness.
Under SAMA CSF subdomain 3.3.17 (Vulnerability Management), Saudi banks and financial institutions are required to conduct structured penetration testing as part of their ongoing cybersecurity assurance program.

**Minimum Requirements:**

- **Frequency:** Full-scope penetration tests must be conducted at least annually, with targeted assessments triggered by major infrastructure changes, new application deployments, or post-incident reviews.
- **Scope:** Tests must cover the external perimeter, internal network, web and mobile banking applications, APIs, and critical payment systems (including SWIFT environments).
- **Methodology:** Tests should follow recognized methodologies such as PTES or the OWASP Testing Guide; for threat-led testing of systemic banks, SAMA's Financial Entities Ethical Red Teaming (FEER) framework is modelled on TIBER-EU.
- **Testers:** Engagements must be conducted by qualified third-party specialists or a sufficiently independent internal red team. SAMA expects clear independence; internal IT staff testing their own systems is not considered sufficient.
- **Remediation Tracking:** All identified findings must be risk-rated, assigned to owners, and remediated within defined SLAs, critical findings typically within 30 days.
- **Reporting to Board:** Summary results and remediation status should be reported to the Cybersecurity Committee and Board Risk Committee at least annually per SAMA CSF governance requirements.

**Practical Tip:** Align your penetration testing calendar with your SAMA CSF self-assessment cycle so that test results feed directly into your maturity scoring. NCA ECC control 2-11 (Penetration Testing) independently mandates periodic penetration tests, so a single well-scoped engagement can satisfy both frameworks simultaneously.
Under SAMA CSF subdomain 3.3.17 (Vulnerability Management), together with the application and electronic banking subdomains of Domain 3.3, Saudi banks and financial institutions are required to conduct comprehensive penetration testing as part of a formal, risk-based cybersecurity program. SAMA mandates that penetration tests be performed at least annually, and additionally whenever significant changes occur to critical systems, infrastructure, or applications.

The scope of testing must cover external-facing assets, internal networks, web and mobile banking applications, APIs, and critical backend systems. Tests should be conducted by qualified third-party providers with recognized certifications such as OSCP, CREST, or equivalent. Banks are also expected to maintain clear rules of engagement, scoping documents, and formal remediation tracking.

Following each test, institutions must produce a detailed findings report and implement a remediation plan with defined timelines; SLAs are commonly set at 15 to 30 days for critical findings and 30 to 90 days for high findings. Retesting to verify remediation is strongly recommended.

Beyond annual testing, SAMA encourages a threat-led penetration testing (TLPT) approach through its Financial Entities Ethical Red Teaming (FEER) framework, which adapts the TIBER-EU model to the Saudi context. NCA ECC control 2-11 (Penetration Testing) also reinforces penetration testing obligations for entities under its jurisdiction.

Practically, CISOs should ensure penetration testing is integrated into the annual security calendar, budgeted appropriately, and that findings are escalated to the Board-level Risk Committee as required under SAMA's governance expectations. Maintaining a remediation register and sharing anonymized threat intelligence with SAMA and FINCYBER further demonstrates a mature security posture.
Saudi financial institutions are required to conduct regular penetration testing as part of their cybersecurity posture management. Under SAMA CSF subdomain 3.3.17 (Vulnerability Management), member organizations must perform technical vulnerability assessments and penetration tests at least annually, and after any significant change to critical systems or infrastructure. NCA ECC control 2-11 (Penetration Testing) reinforces this for entities classified under national critical infrastructure. Key requirements include:

**Scope Definition:** Tests must cover external-facing assets, internal network segments, web and mobile banking applications, APIs, and SWIFT-connected systems. Social engineering and phishing simulations should also be included.

**Methodology:** Use recognized frameworks such as OWASP and PTES; for threat-led exercises, SAMA's Financial Entities Ethical Red Teaming (FEER) framework adapts TIBER-EU to the Saudi context. Tests must simulate real-world threat actors relevant to the financial sector.

**Provider Qualification:** Penetration testing providers should be qualified and, where possible, certified under recognized bodies (CREST, OSCP, CEH). SAMA expects firms to use independent third parties rather than internal teams for objective assessments.

**Remediation Tracking:** Findings must be risk-rated, remediated within defined SLAs (critical findings within 30 days per SAMA guidance), and retested to confirm closure.

**Reporting to Governance:** Results must be reported to the CISO and Board-level risk committee, with trends tracked over time.

Fintechs operating under SAMA's regulatory sandbox should align with the same controls, even in early stages, to avoid compliance gaps upon full licensing. Maintaining a penetration testing register and integrating findings into your risk register are practical steps toward demonstrating continuous compliance.
Under SAMA CSF Domain 3.3 (Cyber Security Operations and Technology), financial institutions are required to conduct regular penetration testing as part of a comprehensive vulnerability management program. SAMA mandates that penetration tests be performed at least annually, with additional tests triggered by significant infrastructure changes, new application deployments, or post-incident assessments. Key requirements include:

**Scope:** Tests must cover external-facing systems, internal networks, web and mobile banking applications, and API endpoints. Social engineering assessments are strongly recommended.

**Qualified Testers:** Engagements must be conducted by qualified professionals holding recognized certifications such as OSCP, CEH, or CREST. External testers must be vetted and bound by strict NDAs.

**Methodology:** Tests should align with industry frameworks such as OWASP (for applications) and PTES or NIST SP 800-115 (for infrastructure). NCA ECC control 2-10 (Vulnerabilities Management) further requires that findings be classified by severity and remediated within defined timeframes.

**Reporting and Remediation:** All critical and high findings must be remediated within 30 days, with documented evidence presented to the Board Risk Committee. SAMA expects remediation status to be tracked in a formal register.

**Red Team Exercises:** Mature institutions are encouraged to move beyond standard pen testing toward threat-led red team operations aligned with SAMA's Financial Entities Ethical Red Teaming (FEER) framework or CBEST.

Failure to meet penetration testing obligations can result in SAMA supervisory action, including mandatory remediation orders or increased regulatory scrutiny during annual assessments. Our platform helps you schedule, track, and document all penetration testing activities within a unified GRC dashboard.
Under SAMA CSF subdomain 3.3.17 (Vulnerability Management), Saudi banks and financial institutions are required to conduct penetration testing as part of a structured vulnerability management program. Key requirements include:

**Frequency:** External penetration tests must be performed at least annually, while internal tests should align with significant infrastructure changes, major application releases, or post-incident reviews. High-risk systems such as internet banking platforms, payment gateways, and core banking infrastructure warrant more frequent testing.

**Scope:** Tests must cover network infrastructure, web and mobile applications, API endpoints, and internal systems. Social engineering and phishing simulation exercises are also encouraged under the broader security assurance program.

**Methodology:** SAMA expects tests to follow recognized methodologies such as the OWASP Testing Guide, PTES, or NIST SP 800-115. Both black-box and gray-box approaches may be applicable depending on the target system.

**Qualified Testers:** Testing must be conducted by qualified professionals, either internal red teams with verifiable credentials or third-party firms approved and vetted through the bank's vendor risk process. Certifications such as OSCP, CEH, or equivalent are commonly expected.

**Reporting and Remediation:** Findings must be documented in a formal report with risk-rated vulnerabilities. Critical and high findings should follow a remediation SLA, typically 30 days for critical issues in line with the bank's risk appetite. Evidence of remediation must be retained for audit purposes.

Non-compliance with SAMA CSF penetration testing requirements can result in regulatory findings during SAMA examinations, so maintaining a test register with clear scheduling, scope, and remediation tracking is essential.
Saudi banks must conduct penetration testing as a core component of their cybersecurity assurance program. Under SAMA CSF subdomain 3.3.17 (Vulnerability Management), member organizations are required to perform regular penetration tests covering both internal and external attack surfaces, including network infrastructure, web applications, and APIs. NCA ECC control 2-11 (Penetration Testing) further mandates that critical national infrastructure entities, which include Tier-1 banks, conduct penetration testing periodically and after any significant system change.

Practically speaking, your penetration testing program should:

1. **Scope comprehensively**: Cover internet-facing applications, internal network segments, privileged access systems, and SWIFT infrastructure if applicable.
2. **Use qualified testers**: Engage certified professionals (OSCP, CEH, CREST-certified) or approved third-party firms. SAMA expects evidence of tester qualifications.
3. **Follow a methodology**: Align with PTES, the OWASP Testing Guide, or NIST SP 800-115 to ensure structured and repeatable results.
4. **Test frequency**: At minimum annually for full-scope tests; quarterly vulnerability assessments are considered best practice for high-risk systems.
5. **Remediate and re-test**: SAMA CSF requires documented remediation plans with defined timelines. Critical findings (CVSS ≥ 9.0) should be remediated within 30 days.
6. **Report to governance**: Summarized findings must be presented to the CISO and Board Risk Committee as part of the cybersecurity oversight cycle.

Importantly, red team exercises (adversary simulation) are increasingly expected by SAMA examiners as a maturity indicator beyond standard penetration testing. Maintaining a register of all testing activities, findings, and remediation evidence is essential for regulatory examination readiness.
Under SAMA CSF Domain 3.3 (Cyber Security Operations and Technology), Saudi banks and financial institutions are required to conduct regular penetration testing as part of a robust vulnerability management program. Specifically, SAMA CSF mandates that penetration tests be performed at least annually, and additionally after any significant infrastructure changes, major application releases, or material changes to the network architecture.

Tests must cover external-facing assets, internal network segments, web and mobile banking applications, and critical back-office systems. For systemically important institutions, the scope should align with SAMA's Financial Entities Ethical Red Teaming (FEER) framework, which follows the TIBER-EU model of threat intelligence-led testing that simulates advanced persistent threat (APT) actor techniques. Findings must be risk-rated, documented, and remediated within defined SLAs, critical findings typically within 30 days per SAMA expectations.

Practically, your penetration testing program should:

1. Engage CREST-accredited or equivalent qualified testers.
2. Produce a formal report submitted to senior management and the Board Risk Committee.
3. Track remediation through your GRC platform with evidence of closure.
4. Feed results back into your risk register and threat intelligence cycle.

NCA ECC-1:2018 control 2-11 (Penetration Testing) also reinforces the need for periodic technical assessments. Non-compliance can trigger SAMA supervisory actions, so maintaining documented evidence of test cycles and remediation is critical for regulatory examinations.
Under SAMA CSF subdomain 3.3.17 (Vulnerability Management), Saudi banks and financial institutions are required to conduct structured penetration testing as part of their ongoing cybersecurity assurance program. Key requirements include:

**Frequency**: External penetration tests must be performed at least annually, while internal assessments should align with major infrastructure changes or new system deployments.

**Scope**: Tests must cover external-facing systems, internal networks, web applications, APIs, and mobile banking channels. Social engineering assessments are also strongly recommended.

**Methodology**: Tests should follow recognized frameworks such as PTES, OWASP, or NIST SP 800-115. Red team exercises are increasingly expected for Tier 1 banks.

**Independence**: SAMA expects engagements to be conducted by qualified, independent third-party providers, not solely internal teams. Providers should hold certifications such as OSCP, CREST, or equivalent.

**Reporting & Remediation**: Findings must be formally documented, risk-rated (Critical/High/Medium/Low), and presented to senior management. Remediation timelines for Critical and High findings typically should not exceed 30 and 90 days respectively.

**Regulatory Notification**: Critical vulnerabilities discovered during testing that indicate active exploitation may trigger SAMA's incident notification obligations.

Banks should also cross-reference NCA ECC controls 2-10 (Vulnerabilities Management) and 2-11 (Penetration Testing), which reinforce the requirement for periodic testing across entities in scope of the ECC. Maintaining a penetration testing register and tracking remediation progress is essential for demonstrating compliance during SAMA assessments.
Saudi financial institutions are required to run structured penetration testing programs under both SAMA CSF (subdomain 3.3.17, Vulnerability Management) and NCA ECC (controls 2-10, Vulnerabilities Management, and 2-11, Penetration Testing). Here is what your organization must implement:

**Frequency and Scope:**

- External and internal penetration tests must be performed at least annually, and after any significant infrastructure change.
- Scope should cover internet-facing assets, internal networks, core banking systems, mobile/web applications, and APIs used for open banking or fintech integrations.

**Methodology:** Tests must follow recognized methodologies such as OWASP, PTES, or NIST SP 800-115. Red team exercises simulating advanced persistent threats (APTs) are strongly recommended for Tier-1 banks.

**Provider Requirements:**

- Testers must be qualified (OSCP, CEH, or CREST certifications preferred) and independent from the internal IT team.
- SAMA expects external providers to be vetted through your third-party risk management process.

**Reporting and Remediation:**

- All findings must be documented with risk ratings (Critical/High/Medium/Low).
- Critical and High findings must be remediated within 30 and 90 days respectively, with evidence provided to your CISO and compliance function.
- Retesting must confirm remediation closure before sign-off.

**Documentation for Regulators:** Maintain penetration test reports, remediation logs, and closure evidence for a minimum of five years, as SAMA examiners routinely request this during assessments.

A mature program also integrates penetration test findings into your risk register and feeds lessons learned back into your security awareness and architecture review processes.
Under SAMA CSF subdomain 3.3.17 (Vulnerability Management), Saudi banks and financial institutions are required to conduct structured penetration tests at defined intervals and upon significant changes to their IT environment.

**Minimum Frequency Requirements:**

- External penetration testing: at least annually
- Internal network penetration testing: at least annually
- Application-layer testing (web, mobile, API): after every major release or significant code change
- Red team exercises: recommended every 18 to 24 months for Tier-1 institutions

**Scope Considerations:** Tests must cover all critical systems including core banking platforms, internet banking portals, mobile applications, SWIFT interfaces, and payment gateways. NCA ECC controls 2-10 (Vulnerabilities Management) and 2-11 (Penetration Testing) further reinforce this by requiring vulnerability assessments and penetration tests as part of an organization's ongoing cyber hygiene.

**Practical Guidance:**

1. Engage CREST-accredited or equivalent qualified testing firms
2. Ensure the test scope is formally approved by the CISO before the engagement begins
3. Document all findings in a remediation register with risk-rated priorities
4. Remediate critical and high findings within 30 and 90 days respectively, per SAMA expectations
5. Retain all penetration test reports for at least 5 years for audit purposes

**Retesting:** SAMA expects evidence of remediation verification; simply closing tickets is insufficient. Formal retesting or compensating control documentation is required.

Financial institutions should integrate penetration testing results into their risk register and report significant findings to the board-level risk committee, ensuring governance visibility into technical vulnerabilities.
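As an added illustration (this is not code from the original page or from any regulator), the following Python register check implements the remediation rules above: a finding counts as closed only after a passing retest, a ticket marked fixed but never retested stays "Unverified", and the SLA clock runs from the report date. The 30/90-day SLAs for Critical and High are the figures quoted on this page; the Medium/Low SLAs, the CVSS-to-severity mapping (the standard CVSS v3 qualitative scale), the function names and the sample findings are this example's own assumptions.

```python
"""Remediation-register SLA check for penetration test findings.

Added illustration. Critical/High SLAs follow the 30/90-day figures quoted
above; Medium/Low SLAs and every sample finding below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


def severity_from_cvss(score: float) -> str:
    """CVSS v3 qualitative scale: 9.0-10.0 Critical, 7.0-8.9 High,
    4.0-6.9 Medium, 0.1-3.9 Low."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score >= 0.1:
        return "Low"
    return "None"


# Remediation SLAs in days. Critical/High are the page's figures;
# Medium/Low/None are assumed values for this example.
SLA_DAYS = {"Critical": 30, "High": 90, "Medium": 180, "Low": 365, "None": 365}


@dataclass
class Finding:
    finding_id: str
    title: str
    cvss: float
    reported: date                      # date the tester reported the finding
    fixed: Optional[date] = None        # date the owner marked it remediated
    retested: Optional[date] = None     # date of the independent retest
    retest_passed: bool = False         # outcome of that retest

    @property
    def severity(self) -> str:
        return severity_from_cvss(self.cvss)

    @property
    def due(self) -> date:
        return self.reported + timedelta(days=SLA_DAYS[self.severity])


def finding_status(f: Finding, today: date) -> str:
    """Status under a 'closed only after a passing retest' rule.

    A ticket the owner marked fixed but nobody retested stays Unverified:
    closing the ticket alone is not remediation evidence.
    """
    if f.retested is not None and f.retest_passed:
        return "Closed" if f.retested <= f.due else "Closed (late)"
    if f.fixed is not None:
        return "Unverified (awaiting retest)" if today <= f.due else "Unverified (overdue)"
    return "Open" if today <= f.due else "Overdue"


def register_status(findings, today: date) -> dict:
    """Map finding id -> (severity, due date as ISO string, status)."""
    return {f.finding_id: (f.severity, f.due.isoformat(), finding_status(f, today))
            for f in findings}


def sla_breaches(findings, today: date) -> list:
    """Ids past their SLA without a verified fix, in id order (for escalation)."""
    return sorted(f.finding_id for f in findings
                  if finding_status(f, today) in ("Overdue", "Unverified (overdue)"))


# Constructed sample register (not real findings).
SAMPLE_FINDINGS = [
    Finding("F-001", "SQL injection in transfer API", 9.8, date(2024, 2, 1),
            fixed=date(2024, 2, 20), retested=date(2024, 2, 25), retest_passed=True),
    Finding("F-002", "Auth bypass on admin portal", 9.1, date(2024, 1, 10),
            fixed=date(2024, 2, 5)),                 # marked fixed, never retested
    Finding("F-003", "IDOR in statement download", 7.5, date(2024, 1, 20)),
    Finding("F-004", "Kerberoastable service account", 8.2, date(2023, 11, 1)),
    Finding("F-005", "Verbose error pages", 5.3, date(2024, 3, 1),
            fixed=date(2024, 3, 10), retested=date(2024, 3, 12), retest_passed=True),
]
TODAY = date(2024, 3, 15)  # assumed reporting date for the sample run

if __name__ == "__main__":
    for fid, (sev, due, st) in register_status(SAMPLE_FINDINGS, TODAY).items():
        print(f"{fid} {sev:<8} due {due}  {st}")
    print("SLA breaches to escalate:", sla_breaches(SAMPLE_FINDINGS, TODAY))
```

Run as a script it prints one line per finding and lists F-002 and F-004 as the items to escalate: F-004 is an open High finding past its 90-day window, and F-002 is a Critical item the owner closed without a retest, which this rule treats as still unremediated.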
Under SAMA CSF subdomain 3.3.17 (Vulnerability Management), Saudi banks and financial institutions are required to conduct regular penetration testing as part of their vulnerability management program. The framework mandates at minimum an annual external and internal penetration test, with additional testing triggered by significant infrastructure changes, new application deployments, or post-incident reviews.

Practically, most mature financial institutions conduct:

- **External network penetration tests**: At least annually, targeting internet-facing assets, APIs, and open banking interfaces.
- **Internal network tests**: Annually or after major network topology changes.
- **Web and mobile application testing**: Per SAMA CSF subdomain 3.3.6 (Application Security), critical applications such as core banking systems and mobile banking apps should be tested at least annually or before major releases.
- **Red team exercises**: Recommended biennially for Tier 1 banks to simulate advanced persistent threats.

Tests must be performed by qualified, independent third parties, ideally CREST-accredited or holding equivalent certifications recognized by SAMA. Findings must be formally documented, risk-rated, and remediated within defined timelines: critical vulnerabilities typically within 15 to 30 days per internal SLA benchmarks. Remediation evidence must be retained and made available during SAMA regulatory examinations.

Additionally, NCA ECC control 2-11 (Penetration Testing) aligns with these requirements, mandating periodic penetration tests to identify exploitable weaknesses.

A key gap often found during audits is the absence of re-testing after remediation; ensure your program includes a formal verification cycle. Integrating penetration test findings into your risk register and board reporting cycle demonstrates the governance maturity that both SAMA examiners and NCA auditors look for.
Saudi financial institutions are required to conduct penetration testing as a core component of their cybersecurity assurance programs. Under SAMA CSF subdomain 3.3.17 (Vulnerability Management), member organizations must perform regular penetration testing across all critical systems, applications, and network infrastructure to identify exploitable vulnerabilities before adversaries do. Testing must be risk-based, covering external and internal threat scenarios. NCA ECC control 2-11 (Penetration Testing) reinforces this by mandating periodic penetration tests for entities classified under national critical infrastructure.

Practical requirements include:

- **Annual minimum frequency** for full-scope penetration tests, with additional testing after significant system changes or new deployments.
- **Scope coverage**: web applications, APIs, internal networks, Active Directory environments, and SWIFT interfaces where applicable.
- **Qualified testers**: Engagements should be conducted by certified professionals (OSCP, CREST, CEH) or accredited third-party firms approved by the institution's risk committee.
- **Remediation tracking**: All critical and high findings must have documented remediation plans with defined SLAs, typically 30 days for critical and 90 days for high severity.
- **Retest validation**: Remediated vulnerabilities must be retested to confirm closure before sign-off.
- **Reporting to board**: SAMA CSF requires that penetration testing results and remediation status be reported to senior management and the board risk committee.

Financial institutions should also consider including social engineering and phishing simulations to test human-layer defenses. Maintaining a pentest register and evidence trail is essential during SAMA regulatory examinations.
Saudi financial institutions must conduct penetration testing as a core component of their cybersecurity assurance programs. Under SAMA CSF subdomain 3.3.17 (Vulnerability Management), member organizations are required to perform regular penetration tests covering internal networks, external-facing systems, web applications, and critical infrastructure. Tests must be conducted at least annually, and additionally after any significant infrastructure or application change.

NCA ECC-1:2018 control 2-11 (Penetration Testing) reinforces this by mandating penetration tests for national critical systems, with findings tracked to closure. For financial institutions classified as critical national infrastructure, the frequency expectation is higher, often semi-annual.

Practical guidance for compliance teams:

1. **Scope broadly**: Include core banking systems, payment gateways, APIs, mobile banking apps, and cloud environments.
2. **Use qualified providers**: Engage testers certified under OSCP, CREST, or equivalent, and verify the firm is approved by NCA or holds recognized accreditations.
3. **Define rules of engagement**: Document scope, testing windows, emergency contacts, and out-of-scope systems before testing begins.
4. **Track remediation**: SAMA CSF requires evidence that identified vulnerabilities are remediated within defined SLAs, critical findings typically within 30 days.
5. **Report to governance**: Share summarized findings with the Board Risk Committee or CISO as part of your cybersecurity assurance reporting.

Red team exercises simulating advanced persistent threats (APTs) are increasingly expected for Tier 1 banks. Ensure your penetration testing program feeds directly into your vulnerability management lifecycle to demonstrate continuous improvement to regulators.
Penetration testing is a mandatory cybersecurity control under both SAMA CSF and NCA ECC, and Saudi financial institutions must meet specific requirements across scope, frequency, and reporting.

**SAMA CSF Requirements (subdomain 3.3.17, Vulnerability Management)**

SAMA expects Member Organizations to conduct external and internal penetration tests at least annually, and additionally after significant infrastructure changes. Tests must cover network infrastructure, web applications, mobile banking apps, APIs, and critical internal systems.

**NCA ECC Requirements (ECC-1:2018 controls 2-10 Vulnerabilities Management and 2-11 Penetration Testing)**

NCA ECC mandates regular vulnerability assessments and penetration testing as part of the organization's security assurance program. Government-affiliated financial entities may also be subject to the National Penetration Testing Framework (NPTF) guidelines.

**Scope Recommendations for Banks & Fintechs:**

- External network penetration testing (internet-facing assets)
- Internal network segmentation testing
- Web and mobile application testing (OWASP Top 10)
- API security testing for open banking interfaces
- Social engineering and phishing simulations
- ATM and POS security assessments (for retail banks)

**Testing Frequency Best Practice:**

- Full penetration test: annually at minimum
- Critical application testing: after every major release
- Vulnerability scans: monthly or quarterly
- Red team exercises: every 18 to 24 months for Tier-1 institutions

**Reporting & Remediation:**

All penetration test reports must be retained and made available during SAMA or NCA audits. Critical and high-severity findings must be remediated within 30 and 90 days respectively, with documented evidence of closure.

**Practical Tip:** Ensure your penetration testing provider is qualified (CREST-accredited or equivalent) and that your Rules of Engagement (RoE) document is signed before testing begins to protect both parties legally.
Under SAMA CSF Domain 3.3 (Cyber Security Operations and Technology), Saudi banks are required to conduct regular penetration testing as part of a comprehensive vulnerability management program. Specifically, SAMA CSF expects the following:

**Frequency Requirements:**

- External penetration testing: at minimum annually, and after any significant infrastructure change
- Internal penetration testing: at minimum annually
- Critical systems (e.g., core banking, payment gateways): recommended semi-annually
- Web application penetration testing: before any major release and annually thereafter

**Scope Expectations:** Tests must cover network infrastructure, web and mobile applications, APIs, and social engineering vectors. Red team exercises are strongly encouraged for Tier-1 institutions.

**Testing Standards:** SAMA expects tests to follow recognized methodologies such as the OWASP Testing Guide, PTES, or NIST SP 800-115. Testers should hold relevant certifications (OSCP, CREST, CEH).

**Remediation Obligations:** Critical and high findings must be remediated within defined SLAs, commonly 15 to 30 days for critical vulnerabilities. All findings must be tracked, with evidence provided to internal audit and SAMA examiners upon request.

**Reporting:** A formal penetration test report must be reviewed by senior management and the CISO. Residual risk acceptance must be documented and approved.

NCA ECC control 2-11 (Penetration Testing) similarly mandates penetration tests for government-affiliated and critical national infrastructure entities. Aligning both frameworks in a unified testing calendar reduces duplication and ensures comprehensive coverage across all regulatory obligations.
Under SAMA CSF subdomain 3.3.17 (Vulnerability Management), Saudi banks and financial institutions are required to conduct regular penetration testing as part of their vulnerability management program. Here are the critical requirements:

**Frequency & Scope:**

- External and internal penetration tests must be performed at least annually
- Tests should also be triggered after significant infrastructure changes, major application releases, or following a security incident
- Scope must cover internet-facing systems, internal networks, core banking applications, and mobile/web channels

**Methodology & Standards:**

- Tests should follow recognized methodologies such as OWASP, PTES, or OSSTMM
- Red team exercises are encouraged for mature security programs to simulate advanced persistent threats (APTs)
- NCA ECC control 2-11 (Penetration Testing) further reinforces the need for periodic technical assessments

**Provider Requirements:**

- SAMA expects penetration testing to be conducted by qualified, independent parties; internal teams alone are generally insufficient as compliance evidence
- Testers should hold relevant certifications (OSCP, CREST, CEH) and ideally be approved by a recognized body

**Remediation & Reporting:**

- Critical and high findings must be remediated within defined SLAs, typically 30 days for critical vulnerabilities
- A formal remediation tracking process must be documented and evidence retained for SAMA examination
- Retest validation is mandatory to confirm fixes are effective

**Practical Tip:** Integrate penetration testing results into your risk register and present them to the board-level risk committee to demonstrate governance alignment across SAMA CSF Domain 3.
Under SAMA CSF subdomain 3.3.17 (Vulnerability Management), Saudi banks and financial institutions are required to conduct penetration testing as part of a formal, risk-based security assessment program. SAMA mandates at minimum an annual external and internal penetration test, with additional testing triggered after significant infrastructure changes, new product launches, or major system upgrades. Key requirements include:

**Scope:** Tests must cover network infrastructure, web applications, mobile banking platforms, APIs, and critical internal systems. SWIFT environments require dedicated testing per the SWIFT Customer Security Controls Framework (CSCF).

**Methodology:** Tests should follow recognized frameworks such as PTES, OWASP, or OSSTMM, ensuring both black-box and grey-box scenarios are covered.

**Qualified Testers:** SAMA expects tests to be conducted by qualified, independent third parties or an internal red team with verifiable certifications (e.g., OSCP, CEH, CREST). Testers must be separate from the teams that built or manage the tested systems.

**Reporting & Remediation:** Findings must be formally documented, risk-rated (Critical/High/Medium/Low), and remediated within defined SLAs, typically 30 days for Critical findings and 90 days for High. Evidence of remediation must be retained for audit purposes.

**Board Visibility:** Per SAMA CSF governance requirements, penetration testing results and remediation status should be reported to senior management or the Board Risk Committee at least annually.

Financial institutions should also align their penetration testing program with NCA ECC control 2-11 (Penetration Testing), which sets similar expectations for all critical national infrastructure entities. A mature program treats pen testing not as a checkbox exercise but as a continuous intelligence-gathering mechanism to validate defensive controls.
Was this helpful?
Under SAMA CSF Control 3.3.7, Saudi banks and financial institutions are required to conduct regular penetration testing as part of their vulnerability management and cyber resilience programs. At minimum, banks must perform: (1) Annual full-scope penetration tests covering external perimeter, internal network, web applications, and APIs; (2) Targeted tests following any significant infrastructure change, application release, or major incident; (3) Red team exercises at least once every two years for Tier-1 institutions. Tests must be conducted by qualified third-party providers or a certified internal team — testers must hold recognized certifications such as OSCP, CREST, or equivalent. Methodology should align with industry standards like OWASP Testing Guide and PTES. Critical findings (Critical/High severity) must be remediated within 30–90 days depending on risk rating, and evidence of remediation must be documented and retained. Results must be reported to the CISO and Board Risk Committee. Additionally, NCA ECC Article 2-14 reinforces the requirement for periodic technical assessments. Our platform supports this by automating finding tracking, generating SAMA-aligned remediation reports, and maintaining a full audit trail for regulatory review.