Help Center
Frequently Asked Questions
Find answers to your questions about cybersecurity and the CISO Consulting platform
Suggested Answer
Penetration Testing 75
Yes. Both SAMA CSF and NCA ECC require periodic penetration testing. SAMA requires at least annual penetration testing of critical systems, applications, and infrastructure. NCA ECC similarly mandates regular vulnerability assessments and penetration tests. Results must be documented and remediation tracked.
Was this helpful?
Under SAMA CSF Control 3.3.6 (Vulnerability Assessment and Penetration Testing), Saudi banks and financial institutions are required to conduct penetration testing as part of a structured vulnerability management program. Here are the key requirements:
**Frequency:**
- External penetration testing: At minimum annually, and after any significant infrastructure change
- Internal network penetration testing: At least once per year
- Application-level testing (including internet-facing banking apps): Annually or post major releases
**Scope Requirements:**
- Tests must cover critical assets including core banking systems, payment infrastructure, and internet-facing applications
- Social engineering and phishing simulations should be included as part of a holistic assessment
- Red team exercises are encouraged for mature security programs
**Methodology & Documentation:**
- Testing must follow a recognized methodology such as PTES, OWASP, or NIST SP 800-115
- All findings must be formally documented, risk-rated, and tracked through to remediation
- SAMA expects evidence of remediation timelines and sign-off by senior management
**Third-Party Testers:**
- SAMA CSF recommends using qualified, independent third-party testers to ensure objectivity
- Testers should hold relevant certifications (OSCP, CREST, CEH)
**Practical Tip:** Align your penetration testing schedule with your annual SAMA CSF self-assessment cycle to ensure findings feed directly into your compliance reporting. Maintain a dedicated vulnerability register and present remediation status in CISO board reports.
Was this helpful?
Under SAMA CSF Control Domain 3.3 (Cybersecurity Risk Management) and specifically Control 3.3.2, Saudi banks and financial institutions are required to conduct regular penetration testing as part of their vulnerability management program. SAMA mandates at minimum an annual external penetration test, with internal penetration testing also required on at least an annual basis. However, best practice — and what most SAMA examiners expect — is semi-annual testing for Tier 1 institutions, and after any major infrastructure change.
Key requirements include:
**Scope:** Tests must cover external-facing systems, internal networks, web and mobile banking applications, APIs, and increasingly, cloud environments.
**Methodology:** SAMA expects testing to follow recognized methodologies such as OWASP, PTES, or NIST SP 800-115. Tests should include both automated scanning and manual exploitation attempts.
**Testers:** Engagements should be conducted by qualified third-party firms (not internal teams alone) with demonstrable credentials such as OSCP, CREST, or equivalent certifications.
**Remediation Tracking:** Findings must be risk-rated, remediated within defined SLAs (critical findings typically within 15–30 days), and validated through re-testing. All results must be formally reported to the CISO and Board Risk Committee.
**NCA ECC Alignment:** NCA ECC Article 2-7 (Cybersecurity Assessment) reinforces penetration testing obligations for critical national infrastructure entities, which includes licensed financial institutions.
Practical tip: Maintain a penetration testing register within your GRC platform, tracking scope, findings, remediation status, and attestation sign-offs to demonstrate compliance during SAMA regulatory examinations.
Was this helpful?
Penetration testing is a mandatory control under both SAMA CSF (Domain 4 – Cybersecurity Operations, Control 4.3) and NCA ECC (Article 3-14), and must be conducted with a structured, risk-based approach.
**Frequency & Scope:** SAMA CSF requires financial institutions to perform penetration tests at least annually, and after any significant infrastructure change. Tests must cover external-facing systems, internal networks, critical applications, and payment systems. NCA ECC extends this to include OT/ICS environments where applicable.
**Methodology:** Tests should follow recognized frameworks such as PTES, OWASP (for web applications), or TIBER-EU adapted for Saudi context. All test phases — reconnaissance, exploitation, post-exploitation, and reporting — must be documented.
**Authorization & Governance:** A formal Rules of Engagement (RoE) document must be signed before testing begins, clearly scoping in-bounds and out-of-bounds systems. SAMA expects board-level visibility on penetration testing outcomes.
**Vendor Requirements:** Third-party penetration testing vendors must meet SAMA CSF's third-party assurance criteria. Firms should hold recognized certifications such as CREST, OSCP, or equivalent. NCA-approved vendors are preferred for government-linked entities.
**Remediation Tracking:** Findings must be risk-rated (Critical, High, Medium, Low) and tracked through a formal remediation plan with defined SLAs. SAMA expects retesting of critical findings within 30 days.
**Reporting:** Executive summaries should be presented to senior management and the CISO, with detailed technical reports retained for regulatory review upon request.
Our platform helps teams manage the full pentest lifecycle — from vendor selection and scoping to finding remediation tracking aligned with SAMA and NCA expectations.
Was this helpful?
Under SAMA CSF Control 3.3.8 (Vulnerability Management) and Control 3.3.9 (Penetration Testing), Saudi banks are required to conduct structured penetration testing as part of their cybersecurity assurance program. Key requirements include:
**Frequency:** External penetration tests must be performed at least annually, while critical systems and internet-facing infrastructure should be tested more frequently — ideally every six months or after significant changes.
**Scope:** Tests must cover network infrastructure, web applications, mobile banking platforms, APIs, and internal segmentation controls. Social engineering and physical security assessments are strongly recommended.
**Methodology:** SAMA expects tests to follow internationally recognized methodologies such as OWASP, PTES, or NIST SP 800-115. All findings must be risk-rated and tracked through formal remediation workflows.
**Third-Party Testers:** SAMA CSF recommends using qualified independent testers for external assessments. Testers should hold recognized certifications (e.g., OSCP, CREST, CEH).
**Reporting & Remediation:** Critical and high-severity findings must be remediated within defined SLAs — typically 30 days for critical vulnerabilities. Results must be reported to the CISO and Board Risk Committee.
**Regulatory Reporting:** Significant vulnerabilities discovered during testing may trigger mandatory notification obligations, especially if they expose customer data, potentially intersecting with PDPL breach notification requirements.
Banks should maintain a penetration testing register and integrate results into their overall risk register to demonstrate continuous compliance during SAMA regulatory examinations.
Was this helpful?
Saudi financial institutions must conduct penetration testing as a core component of their cybersecurity assurance program. Under SAMA CSF Control 3.3.5, member organizations are required to perform regular penetration tests covering network infrastructure, applications, and critical systems—at minimum annually, and after any significant change to the environment. NCA ECC Article 2-14 similarly mandates ethical hacking exercises to validate the effectiveness of implemented controls.
Key requirements include:
**Scope Definition:** Tests must cover external perimeter, internal network segments, web and mobile banking applications, APIs, and SWIFT infrastructure where applicable.
**Qualified Testers:** Engagements should be conducted by certified professionals (OSCP, CEH, GPEN) from approved vendors, with clear scoping agreements and rules of engagement signed before testing begins.
**Methodology:** Follow a structured methodology such as PTES or OWASP Testing Guide. Social engineering and phishing simulations are strongly encouraged to test human controls.
**Reporting & Remediation:** Findings must be risk-rated, reported to senior management, and tracked to closure. SAMA CSF requires documented evidence of remediation for critical and high findings within defined SLAs.
**Red Team Exercises:** For Tier-1 banks, full-scope red team operations (simulating advanced persistent threats) are recommended at least every two years to satisfy the spirit of SAMA's continuous assurance requirements.
All penetration test reports and remediation records should be retained for regulatory review and presented during SAMA onsite examinations. Integrating pentest findings into your risk register ensures traceability across your GRC platform.
Was this helpful?
Under SAMA CSF Control 3.3.5 (Vulnerability Management) and Control 3.3.6 (Penetration Testing), Saudi banks and financial institutions are required to conduct structured penetration tests at defined intervals — at minimum annually, and additionally following any major infrastructure change, new product launch, or significant system upgrade.
Key requirements include:
**Scope:** Tests must cover external-facing assets, internal network segments, web applications, mobile banking platforms, APIs, and critical backend systems such as core banking and payment infrastructure.
**Methodology:** Engagements should follow recognized methodologies such as OWASP for applications, PTES, or TIBER-EU (adapted for Saudi context). Tests must include both black-box and gray-box scenarios.
**Qualified Testers:** SAMA expects tests to be conducted by qualified third-party providers or a sufficiently independent internal red team. Testers should hold recognized certifications such as OSCP, CREST, or CEH.
**Reporting & Remediation:** Post-test, findings must be formally documented with severity ratings (CVSS scoring recommended), root-cause analysis, and a tracked remediation plan. Critical and high findings typically require remediation within 30–90 days depending on SAMA's risk classification.
**Evidence Retention:** Reports and remediation evidence must be retained and made available to SAMA during regulatory examinations.
Practically, your platform should maintain a penetration testing calendar, track open findings against SLA timelines, and generate evidence packages for auditor review. Integrating pentest findings into your risk register ensures they feed into SAMA's broader risk management cycle.
Was this helpful?
Saudi financial institutions are required to conduct regular penetration testing as a core component of their cybersecurity assurance programs. Under SAMA CSF Control 3.3.6, member organizations must perform penetration testing at least annually and after any significant infrastructure change. NCA ECC-1:2018 Article 3-7 reinforces this by mandating vulnerability assessments and ethical hacking exercises for critical systems.
Key requirements include:
**Scope & Methodology:** Tests must cover external perimeter, internal networks, web applications, APIs, and mobile banking platforms. Methodology should align with industry standards such as OWASP and PTES.
**Qualified Testers:** Engagements must be conducted by certified professionals (OSCP, CEH, or equivalent) from vendors with demonstrable financial-sector experience. SAMA expects independence — internal teams should not test their own systems without oversight.
**Reporting & Remediation:** All critical and high findings must be remediated within defined SLAs — typically 30 days for critical vulnerabilities. Results must be documented and presented to the board-level cybersecurity committee.
**Red Team Exercises:** For Tier-1 banks and systemically important institutions, SAMA increasingly expects threat-led penetration testing (TLPT) inspired by frameworks like TIBER-EU, simulating advanced persistent threat (APT) scenarios.
**Retesting:** After remediation, retesting is mandatory to confirm closure of vulnerabilities.
Practical tip: Maintain a penetration testing register that tracks scope, findings, remediation status, and retest outcomes. This register serves as critical evidence during SAMA regulatory examinations and NCA audits, demonstrating a proactive and structured approach to offensive security assurance.
Was this helpful?
Under SAMA CSF Control Domain 3.3 (Cybersecurity Operations), Saudi banks and financial institutions are required to conduct regular penetration testing as part of their vulnerability management and threat assessment programs. Here are the key requirements:
**Frequency Requirements:**
- External penetration tests: At minimum annually, or after any significant infrastructure change
- Internal network penetration tests: At minimum annually
- Application-level testing (web, mobile, API): Before major releases and at least once per year
- Red team exercises: Recommended every 18–24 months for Tier 1 institutions
**Scope Considerations:**
Tests must cover internet-facing systems, core banking platforms, payment infrastructure, and SWIFT environments. Per SAMA CSF Control 3.3.5, identified vulnerabilities must be remediated within defined SLAs based on severity: Critical (15 days), High (30 days), Medium (90 days).
**Tester Qualification:**
SAMA expects tests to be performed by qualified and independent parties. Internal teams may conduct routine assessments, but external, independent testers are required for annual formal engagements. Testers should hold recognized certifications such as OSCP, CEH, or CREST.
**Reporting & Governance:**
Penetration test results must be formally documented, reviewed by the CISO, and reported to the Board Risk Committee where material findings exist. Retesting must confirm remediation effectiveness.
**NCA ECC Alignment:**
NCA ECC Article 2-12 also mandates technical vulnerability assessments, so aligning your pentest program satisfies both frameworks simultaneously, reducing compliance overhead significantly.
Was this helpful?
Under SAMA CSF Control 3.3.7 (Vulnerability Management), Saudi banks and financial institutions are required to conduct regular penetration testing as part of a comprehensive vulnerability management program. SAMA mandates at minimum an annual external penetration test, with internal assessments recommended bi-annually. For critical internet-facing systems and core banking platforms, more frequent testing is strongly advised.
Key requirements include:
**Scope**: Tests must cover external perimeters, internal networks, web applications, mobile banking apps, APIs, and social engineering vectors. ATM infrastructure and payment switching systems require dedicated assessments.
**Methodology**: Engagements should follow recognized frameworks such as PTES, OWASP WSTG, or TIBER-SA (the Saudi adaptation of threat intelligence-based ethical red teaming).
**Provider Qualification**: Testers must hold relevant certifications (OSCP, CREST, CEH) and ideally be accredited by NCA or SAMA-recognized bodies. Avoid using internal staff for external assessments to maintain objectivity.
**Reporting & Remediation**: All critical and high findings must be remediated within 30 days per SAMA CSF expectations. A formal remediation tracking register should be maintained and reviewed by the CISO.
**Board Reporting**: Results must be escalated to the Board-level Risk Committee or equivalent, per SAMA CSF governance requirements (Control 3.1.4).
Beyond SAMA, NCA ECC Article 2-5 also requires vulnerability assessments and red team exercises for entities classified as critical national infrastructure. Aligning both frameworks in a unified pentest schedule reduces duplication and demonstrates mature security governance to regulators.
Was this helpful?
Saudi financial institutions are required to conduct regular penetration testing as a core component of their cybersecurity assurance programs. Under SAMA CSF Control 3.3.5, member organizations must perform threat-led penetration testing at least annually, and after any significant infrastructure or application change. NCA ECC Article 2-7 similarly mandates vulnerability assessments and penetration tests as part of ongoing technical security evaluations.
Key requirements include:
**Scope Definition:** Tests must cover external-facing systems, internal networks, critical applications (including mobile banking and payment platforms), and API endpoints.
**Qualified Testers:** Engagements must be conducted by certified professionals (e.g., OSCP, CREST, CEH) or approved third-party security firms. SAMA expects institutions to verify vendor credentials before engagement.
**Methodology:** Tests should follow recognized frameworks such as PTES or OWASP for web/API testing. Results must be documented with CVSS-scored findings, proof-of-concept evidence, and remediation timelines.
**Remediation Tracking:** Critical and high findings must be remediated within defined SLAs — typically 30 days for critical vulnerabilities per SAMA expectations. Evidence of remediation must be retained for audit purposes.
**Reporting to Board/Senior Management:** Summarized results should be escalated to the CISO and board-level risk committees as part of cybersecurity KPI reporting.
**Retesting:** A formal retest must validate that identified vulnerabilities have been effectively closed before sign-off.
Financial institutions should also consider Threat-Led Penetration Testing (TLPT) frameworks like TIBER-SA, which SAMA has been aligning with for advanced institutions. Maintaining a penetration testing register with dates, scope, findings, and remediation status is considered best practice and will be reviewed during SAMA regulatory inspections.
Was this helpful?
Penetration testing for Saudi fintechs must satisfy both SAMA CSF Control 3.4.5 (Vulnerability and Penetration Testing) and NCA ECC Control 2-8 (Technical Vulnerability Management). Here is a structured compliance-driven approach: (1) **Frequency Requirements** — SAMA CSF mandates external penetration testing at least annually and after significant infrastructure changes. Internal testing should occur semi-annually. NCA ECC aligns with this cadence for Critical National Infrastructure-adjacent entities. (2) **Scope Definition** — Tests must cover external-facing applications, APIs, mobile banking apps, internal network segments, and social engineering vectors. For fintechs handling payment data, cardholder environment testing may also trigger PCI DSS scope considerations. (3) **Qualified Testers** — SAMA expects tests to be performed by independent, qualified personnel. Internally, testers should hold certifications such as OSCP, CEH, or GPEN. External providers should demonstrate familiarity with Saudi regulatory expectations. (4) **Reporting Standards** — Reports must include executive summaries, technical findings categorized by CVSS severity, evidence screenshots, and remediation roadmaps with defined SLAs. SAMA examiners will review these reports during assessments. (5) **Remediation Tracking** — Critical and High findings must be remediated within 30 days per SAMA CSF expectations, with evidence of closure documented. (6) **Retesting** — Conduct mandatory retesting after critical vulnerability remediation to confirm closure. Maintain a penetration testing register with historical results to demonstrate program maturity to regulators and auditors.
Was this helpful?
Under SAMA CSF Control 3.3.5 (Vulnerability Assessment and Penetration Testing), Saudi banks and financial institutions are required to conduct structured penetration testing as part of their broader cybersecurity assurance program. Here are the key requirements and practical guidance:
**Frequency Requirements:**
- External penetration tests: At minimum annually, and after any significant infrastructure or application change
- Internal penetration tests: At least once per year
- Red team exercises: Recommended every 18–24 months for mature security programs
**Scope Considerations:**
Tests must cover internet-facing systems, core banking applications, SWIFT environments, mobile banking apps, and internal network segments. API security testing is increasingly critical for fintechs.
**Vendor Qualification:**
SAMA expects tests to be conducted by qualified third-party providers with demonstrable certifications (OSCP, CREST, CEH) or by a sufficiently independent internal red team. Results must not be self-assessed without independent validation.
**Reporting and Remediation:**
Findings must be formally documented, risk-rated (Critical/High/Medium/Low), and remediated within defined SLAs — Critical findings typically within 15–30 days. Evidence of remediation must be retained for audit purposes.
**NCA ECC Alignment:**
NCA ECC Article 2-10 on cybersecurity testing reinforces these requirements for entities under NCA scope, including financial sector entities dual-regulated by both SAMA and NCA.
**Practical Tip:**
Integrate penetration test findings into your risk register and track them through your GRC platform to demonstrate continuous compliance posture to SAMA examiners during regulatory reviews.
Was this helpful?
Saudi banks must conduct penetration testing as a core component of their cybersecurity assurance program, with obligations rooted in both SAMA CSF Control 3.3.7 and NCA ECC Domain 2-7. Here is what compliance teams need to know:
**Frequency and Scope:**
- SAMA CSF requires at least annual penetration testing for critical systems, with additional testing after significant infrastructure changes.
- NCA ECC mandates testing across internal networks, external-facing applications, and critical assets.
**Methodology Requirements:**
- Tests must follow recognized methodologies such as PTES, OWASP, or TIBER-EU for threat-led exercises.
- Both black-box and gray-box approaches should be included depending on asset criticality.
**Tester Qualifications:**
- Testers must be independent — either a qualified internal red team or an accredited third-party firm.
- Preferred certifications include OSCP, CEH, and CREST, with the testing firm ideally registered with NCA-approved service providers.
**Reporting and Remediation:**
- A formal report must document findings by severity (Critical, High, Medium, Low).
- SAMA expects remediation of critical and high findings within defined SLAs — typically 30 days for critical vulnerabilities.
- Evidence of remediation must be retained for audit purposes.
**Regulatory Submission:**
- Summary results and remediation status may be required during SAMA examinations.
- NCA assessments may also request penetration test reports as part of ECC compliance evidence.
Practical tip: Maintain a penetration testing register that tracks scope, findings, remediation deadlines, and closure evidence. This significantly simplifies regulatory examination cycles.
Was this helpful?
Penetration testing for Saudi fintechs is not optional — it is a regulatory obligation under both SAMA CSF Control 3.3.6 and NCA ECC Control 2-13. Getting it right requires deliberate planning across scope, methodology, and reporting.
**Regulatory Baseline:**
- SAMA CSF requires vulnerability assessments and penetration tests to be conducted at least annually and after any significant system change.
- NCA ECC Article 2-13 mandates technical vulnerability management including periodic penetration testing for entities under NCA scope.
**Scope Considerations for Fintechs:**
Your testing scope should cover: web and mobile applications (open banking APIs, payment gateways), internal network infrastructure, cloud environments (AWS, Azure, or local providers), and any SWIFT or card-processing integrations.
**Methodology Standards:**
Use recognized methodologies such as OWASP Testing Guide for applications, PTES or OSSTMM for infrastructure, and TIBER-SA guidelines if applicable for threat-intelligence-led testing in the financial sector.
**Tester Qualification:**
SAMA expects testers to be independent — either a qualified internal red team or an accredited third-party firm. NCA recommends using certified professionals (OSCP, CEH, or equivalent). Testers must sign NDAs and operate under formal rules of engagement.
**Reporting & Remediation:**
Deliverable reports must include executive summaries for board-level reporting, technical findings mapped to CVSS scores, and remediation timelines. SAMA expects critical findings to be remediated within 30 days.
**Continuous Testing:**
Beyond annual tests, fintechs should integrate automated scanning (DAST/SAST) into CI/CD pipelines to catch vulnerabilities before production deployment, demonstrating a mature DevSecOps posture to regulators.
Was this helpful?
Saudi financial institutions must conduct penetration testing as a core control under both SAMA CSF (Control 3.3.6 – Vulnerability Management) and NCA ECC (Domain 2-7: Penetration Testing). Here is what compliance teams need to know:
**Frequency Requirements:**
- External penetration testing: At minimum annually, and after any significant infrastructure change
- Internal network testing: At least once per year
- Web application and API testing: Before major releases and annually thereafter
**Scope Considerations:**
Tests must cover internet-facing assets, internal network segments, critical banking applications (core banking, payment gateways), and increasingly, mobile banking apps. SAMA expects testing to extend to systems that process, store, or transmit customer financial data.
**Provider Requirements:**
SAMA CSF recommends engaging qualified third-party providers. Testers should hold recognized certifications (OSCP, CEH, CREST) and operate under a formal rules of engagement document signed by senior management.
**Reporting & Remediation:**
Findings must be categorized by severity (Critical, High, Medium, Low). Critical and High findings require documented remediation plans with tracked timelines — typically 30 days for Critical issues per SAMA expectations. Evidence of remediation must be retained for audit purposes.
**Regulatory Reporting:**
Material vulnerabilities discovered during testing that pose systemic risk may trigger notification obligations to SAMA under the cybersecurity incident reporting framework.
**Practical Tip:** Integrate penetration testing results into your GRC platform's risk register to ensure findings feed directly into your risk treatment process and board-level reporting cycles.
Was this helpful?
Under SAMA CSF Control 3.3.7, Saudi banks and financial institutions are required to conduct regular penetration testing as part of a comprehensive vulnerability management program. At a minimum, penetration tests must be performed annually and after any significant infrastructure or application changes. SAMA expects tests to cover both external and internal attack surfaces, including network infrastructure, web applications, APIs, and mobile banking platforms.
For practical implementation, your penetration testing program should include: (1) Scope definition covering all critical assets as classified under your asset management policy; (2) Use of qualified testers — SAMA recommends CREST-accredited or equivalently certified providers; (3) Methodology aligned with OWASP, PTES, or NIST SP 800-115; (4) Full documentation of findings with CVSS-scored vulnerabilities; and (5) A remediation tracking process with defined SLAs — critical findings typically require remediation within 30 days.
Results must be presented to senior management and the Board Risk Committee. Retesting after remediation is mandatory to close the loop. NCA ECC Article 2-7 also reinforces these requirements for entities under NCA jurisdiction. Fintech firms licensed by SAMA should align their testing cadence with their risk profile — higher-risk platforms may require quarterly assessments. Our platform supports end-to-end pentest lifecycle management, from scope planning to remediation tracking and regulatory reporting.
Was this helpful?
Under SAMA CSF Control 3.3.6 (Vulnerability Assessment and Penetration Testing), Saudi banks and financial institutions are required to conduct penetration testing as a core component of their cybersecurity assurance program. Key requirements include:
**Frequency:** External penetration tests must be conducted at least annually, while critical systems and internet-facing applications should be tested after every significant change or release. Internal network assessments are recommended semi-annually for high-risk environments.
**Scope:** Tests must cover external perimeters, internal networks, web and mobile banking applications, APIs, and increasingly cloud-hosted infrastructure. Social engineering and phishing simulations are also expected under SAMA's broader cyber resilience expectations.
**Methodology:** SAMA expects assessments to follow recognized methodologies such as OWASP (for applications), PTES, or NIST SP 800-115. Red team exercises are encouraged for mature organizations to simulate advanced persistent threats.
**Qualified Testers:** Engagements should be conducted by qualified third parties with relevant certifications (OSCP, CEH, CREST) and must maintain independence from the development and operations teams.
**Remediation Tracking:** Findings must be risk-rated, tracked to closure, and evidenced for SAMA examination. Critical and high findings typically require remediation within 30–90 days depending on risk appetite.
**Reporting:** Results must be formally documented and presented to senior management and the Board Risk Committee where applicable.
Integrating penetration testing into your GRC platform allows automated tracking of findings, remediation workflows, and audit-ready reporting aligned to SAMA examination cycles.
Was this helpful?
Saudi banks must conduct penetration testing as a mandatory security assurance activity under both SAMA CSF (Control 3.3.6) and NCA ECC (Control ECC-2-1-3). Here is what compliance teams need to know:
**Frequency & Scope:** SAMA CSF requires penetration testing at least annually, and after any significant infrastructure or application change. Tests must cover external perimeter, internal network, web applications, mobile banking apps, and critical APIs.
**Methodology:** Tests should follow recognized frameworks such as PTES, OWASP Testing Guide (for applications), or TIBER-SA — the Saudi adaptation of the TIBER-EU threat intelligence-based ethical red teaming framework, which SAMA has increasingly encouraged for mature institutions.
**Tester Qualifications:** Engagements must be conducted by qualified professionals holding certifications such as OSCP, CEH, or CREST, and ideally performed by independent third parties to avoid conflicts of interest.
**Remediation Obligations:** SAMA CSF requires that findings be risk-rated, remediated within defined SLAs based on severity (critical findings typically within 15–30 days), and tracked to closure with evidence.
**Reporting:** Results must be reported to senior management and the board-level risk committee. NCA ECC further requires that critical vulnerabilities discovered are reported through appropriate governance channels.
**Practical Tip:** Maintain a penetration testing register within your GRC platform, linking each test to the relevant assets, findings, remediation tickets, and retesting evidence. This creates an auditable trail for both SAMA examiners and NCA assessors during compliance reviews.
Was this helpful?
Under SAMA CSF Control 3.3.4 and the broader Vulnerability Assessment and Penetration Testing (VAPT) domain, Saudi banks and financial institutions are required to conduct penetration testing as a core component of their cyber resilience program. SAMA mandates that penetration tests be performed at least annually for external-facing systems, and additionally after any significant infrastructure change, system upgrade, or merger and acquisition activity.
Key requirements include:
**Scope:** Tests must cover external perimeters, internal networks, critical applications (including internet banking and mobile platforms), and SWIFT environments where applicable.
**Methodology:** Engagements should follow recognized standards such as PTES (Penetration Testing Execution Standard), OWASP for application testing, and TIBER-SA for threat intelligence-led red team exercises, which SAMA increasingly encourages for Tier-1 institutions.
**Provider Qualification:** Third-party penetration testing firms must be assessed for technical competency. SAMA expects institutions to verify tester credentials (e.g., OSCP, CREST, CEH) and ensure testers sign appropriate NDAs and data handling agreements aligned with PDPL obligations.
**Reporting & Remediation:** All critical and high findings must be remediated within defined SLAs — typically 30 days for critical vulnerabilities. Findings must be tracked, risk-accepted with CISO sign-off where necessary, and reported to the Board Risk Committee.
**Retesting:** A formal retest must validate remediation effectiveness before closure.
Our GRC platform automates the tracking of VAPT findings, links them to SAMA CSF controls, and generates board-ready remediation status reports — ensuring your compliance posture remains audit-ready at all times.
Was this helpful?
The NCA Essential Cybersecurity Controls (ECC) — specifically ECC-2: 1-2 (Cybersecurity Assessment) — require organizations to conduct regular penetration testing as part of a broader vulnerability assessment program. Here is how to build a compliant, effective pentest program:
**1. Frequency and Scope Requirements**
NCA ECC mandates at minimum annual penetration testing of critical systems. For financial institutions also under SAMA CSF Control 3.2, testing should occur: annually for infrastructure, after any major system change, and following significant security incidents. Scope must include external-facing assets, internal network segments, and web/mobile banking applications.
**2. Methodology Standards**
Adopt recognized methodologies — PTES (Penetration Testing Execution Standard), OWASP Testing Guide for web applications, and TIBER-EU or CBEST framework principles for advanced threat simulation in financial contexts. Document your chosen methodology in your pentest policy.
**3. Vendor Qualification**
Engaging a qualified, independent pentest provider is mandatory — avoid internal-only testing for compliance purposes. Preferred vendors should hold CREST accreditation or equivalent, and testers should carry certifications like OSCP, CEH, or GPEN. Verify they have experience in Saudi financial sector environments.
**4. Rules of Engagement and Legal Authorization**
Before any test begins, obtain written authorization covering all in-scope systems. For cloud-hosted systems on AWS, Azure, or Alibaba Cloud (popular in KSA), obtain provider-specific pentest authorization to remain compliant with cloud agreements.
**5. Remediation Tracking and Reporting**
All critical and high findings must be remediated within 30 days, medium findings within 90 days. Track remediation in your vulnerability management system and conduct a retest to verify closure. Submit findings summary to your CISO and risk committee — NCA may request evidence during audits.
**6. Red Team vs. Pentest**
For mature organizations, consider graduating to red team exercises that simulate nation-state or advanced persistent threat (APT) actors — aligned with SAMA's expectations for Tier 1 banks.
Was this helpful?
Penetration testing (pentest) is explicitly required under both SAMA CSF and NCA ECC, and Saudi financial institutions must go beyond basic vulnerability scanning to satisfy regulators. Here is the mandatory framework:
**SAMA CSF Requirements (Control 3.3.5 & Vulnerability Management Domain):**
SAMA mandates that financial institutions conduct comprehensive penetration tests at least annually and after any significant infrastructure change. Tests must cover external perimeter, internal network, web applications, and mobile banking platforms. Findings must be risk-rated, remediated within defined SLAs (critical findings typically within 30 days), and evidence submitted during SAMA examinations.
**NCA ECC Requirements (ECC-1: 2-7 & Threat Management Controls):**
NCA ECC requires threat-informed testing that simulates real-world attack scenarios relevant to Saudi Arabia's threat landscape — including supply chain attacks, credential harvesting, and API abuse targeting open banking environments.
**Mandatory Scope Elements:**
- External network and internet-facing assets (including cloud-hosted systems)
- Web and mobile application testing (OWASP Top 10 methodology)
- Internal network segmentation validation
- Social engineering and phishing simulations
- SWIFT/payment infrastructure testing for banks
- API security testing for fintechs under SAMA Open Banking Framework
**Tester Qualifications:**
SAMA strongly recommends using qualified third-party testers holding OSCP, CREST, or equivalent certifications. Internal red team exercises can supplement but not replace independent assessments.
**Reporting:**
Deliverable reports must include executive summaries, technical findings with CVSS scoring, proof-of-concept evidence, and a remediation roadmap. Retain pentest reports for a minimum of 5 years per SAMA record-keeping requirements.
For fintechs under SAMA's regulatory sandbox, penetration testing is a prerequisite before obtaining a full operating license.
Was this helpful?
Both SAMA CSF and NCA ECC impose explicit penetration testing obligations on Saudi financial institutions, making this a non-negotiable compliance activity rather than an optional security exercise. Under SAMA CSF Control 3.3.5 (Vulnerability Management), member organizations must conduct regular penetration tests against their critical systems, applications, and network infrastructure. NCA ECC Article 2-14 similarly mandates periodic penetration testing as part of the broader vulnerability management lifecycle. Key requirements and scoping guidance: (1) Frequency — SAMA expects penetration tests at least annually for critical systems and after significant infrastructure changes, new product launches, or major application updates. NCA ECC aligns with this cadence for government-linked financial entities. (2) Scope Definition — tests must cover external-facing assets (internet-exposed applications, APIs, VPNs), internal network segments, Active Directory environments, and mobile/web banking applications. Scope should map directly to your asset inventory register. (3) Methodology — tests should follow recognized methodologies such as PTES (Penetration Testing Execution Standard), OWASP (for web and API testing), and TIBER-SA principles for threat-intelligence-led red team exercises at advanced maturity levels. (4) Tester Independence — SAMA strongly recommends using qualified external testers with relevant certifications (OSCP, CREST, CEH) to ensure objectivity. Internal red teams may supplement but not replace external assessments. (5) Remediation Tracking — findings must be risk-rated, remediated within defined SLAs (critical within 30 days is common practice), and re-tested to validate fixes. (6) Executive Reporting — results must be reported to senior management and the board risk committee, per SAMA's governance expectations. Fintechs should also consider API-specific penetration testing given their heavy reliance on open banking interfaces, ensuring OAuth flows, token management, and data exposure points are thoroughly assessed.
Was this helpful?
A Vulnerability Assessment (VA) identifies and classifies security weaknesses in systems without actively exploiting them — it tells you what vulnerabilities exist. A Penetration Test (PT) goes further by actively attempting to exploit discovered vulnerabilities to determine the real-world impact — it tells you what an attacker could actually achieve. For regulatory compliance, both are often required.
Was this helpful?
For SAMA-regulated institutions, at minimum annually for all critical systems. For NCA ECC entities, at least annually. Best practice recommends: external PT annually, internal PT annually, web application PT for every major release, red team exercises every 1–2 years, and continuous vulnerability scanning.
Was this helpful?
Under SAMA CSF Control 3.3.5 (Vulnerability Management), Saudi banks and financial institutions are required to conduct penetration testing as part of a broader vulnerability management program. At a minimum, external penetration tests must be performed annually, while internal tests and application-level assessments are recommended at least once per year or after any significant infrastructure or application change.
Key requirements include:
**Scope:** Testing must cover external-facing systems, internal networks, critical applications (including mobile banking and APIs), and any newly deployed cloud infrastructure.
**Methodology:** Tests should follow recognized methodologies such as OWASP for web/API testing, PTES, or NIST SP 800-115 guidelines. Red team exercises simulating advanced persistent threats (APTs) are strongly recommended for Tier-1 banks.
**Qualified Testers:** Engagements must be conducted by qualified, independent professionals — either internal teams with proper segregation or NCA-licensed third-party providers.
**Reporting & Remediation:** A formal remediation plan must be produced post-assessment, with critical and high findings remediated within defined SLAs (typically 30 days for critical findings). Evidence of remediation must be documented for regulatory review.
**NCA Alignment:** NCA ECC Article 2-7 also mandates technical assessments including penetration testing for entities under its scope, requiring findings to be tracked through a formal risk register.
Best practice recommendation: Integrate penetration testing results into your GRC platform to automatically update risk ratings, trigger remediation workflows, and generate audit-ready reports ahead of SAMA and NCA regulatory examinations.
Was this helpful?
Under SAMA CSF Control 3.3.6 (Vulnerability Management), Saudi banks and financial institutions are required to conduct penetration testing as part of a structured vulnerability management program. The framework mandates at minimum an annual external and internal penetration test, with additional tests triggered by significant infrastructure changes, new system deployments, or post-incident reviews.
Key requirements include:
**Scope:** Tests must cover external-facing assets, internal network segments, web applications, APIs, and critical banking systems such as core banking platforms and payment gateways.
**Methodology:** Engagements should follow recognized methodologies such as PTES, OWASP Testing Guide, or NIST SP 800-115 to ensure consistency and thoroughness.
**Qualified Testers:** SAMA expects tests to be performed by qualified, independent parties — either certified internal teams (OSCP, CEH, CREST) or approved external vendors. Independence is critical; the testing team must not have been involved in building or maintaining the tested systems.
**Reporting & Remediation:** Findings must be formally documented with risk ratings (Critical, High, Medium, Low), root cause analysis, and actionable remediation guidance. SAMA CSF requires that critical and high findings be remediated within defined SLAs — typically 30 days for critical vulnerabilities.
**Evidence for Audits:** All penetration test reports, remediation evidence, and retesting results must be retained and made available to SAMA examiners upon request.
Practical tip: Align your penetration testing calendar with your annual SAMA CSF self-assessment cycle so that test results can directly inform your compliance posture and risk register updates.
Was this helpful?
Under SAMA CSF Control Domain 3.3 (Vulnerability Assessment and Penetration Testing), Saudi banks and financial institutions are required to conduct structured penetration testing as part of their ongoing cybersecurity assurance program. Key requirements include:
**Frequency:** External penetration tests must be performed at least annually, while critical systems and internet-facing applications should be tested after any significant change or major release. Internal network penetration testing is also required on a periodic basis.
**Scope:** Tests must cover external perimeter, internal network segments, web applications (including mobile banking apps), and APIs. Social engineering assessments may also be included.
**Methodology:** SAMA expects tests to follow recognized methodologies such as OWASP Testing Guide, PTES, or NIST SP 800-115. Findings must be risk-rated and tracked to remediation.
**Third-Party Testers:** SAMA recommends engaging qualified, independent external parties for penetration testing to ensure objectivity. Internal red team exercises can supplement but should not replace external assessments.
**Remediation & Reporting:** Critical and high findings must be remediated within defined SLAs — typically 30 days for critical vulnerabilities. Results must be documented and reported to senior management and the board's audit or risk committee.
**NCA ECC Alignment:** NCA ECC Article 2-7 also mandates vulnerability assessments and penetration testing for critical national infrastructure operators, including banks classified under CNI.
Practical tip: Build a penetration testing calendar aligned to your change management cycle, ensuring post-deployment tests are triggered automatically for high-risk system changes.
Was this helpful?
Under SAMA CSF Control Domain 3.3 (Cybersecurity Assessment), Saudi banks and financial institutions are required to conduct regular penetration testing as part of their broader vulnerability management and assurance program. Key requirements include: **Frequency**: External penetration tests must be performed at least annually, while critical internet-facing systems and core banking platforms should be tested more frequently — ideally semi-annually or after any significant infrastructure change. **Scope**: Tests must cover network infrastructure, web applications, mobile banking apps, internal systems, and social engineering vectors. SAMA expects tests to simulate realistic threat actor behavior relevant to the financial sector. **Methodology**: Tests should follow recognized methodologies such as OWASP, PTES, or NIST SP 800-115. Both black-box and gray-box approaches are acceptable, but gray-box is generally preferred for depth. **Qualified Testers**: Engagements must be conducted by qualified third parties or an internal red team with demonstrable competency. Certifications such as OSCP, CREST, or CEH are commonly referenced. **Remediation Tracking**: All critical and high findings must be remediated within defined SLAs (typically 30–60 days for critical), with evidence documented for SAMA examination. **Reporting to Board**: Per SAMA CSF Control 3.1, significant security findings from penetration tests must be escalated to senior management or the board's risk committee. Complement your penetration testing program with NCA ECC Article 2-4 controls around vulnerability assessments to ensure dual-framework alignment and avoid gaps during regulatory inspections.
Was this helpful?
Saudi financial institutions are required to conduct regular penetration testing as part of their cybersecurity assurance activities. Under SAMA CSF Control 3.3.7, member organizations must perform threat-led penetration testing at least annually, covering both internal and external attack surfaces, including web applications, APIs, network infrastructure, and critical business systems. NCA ECC-1:2018 Article 3-5 further mandates vulnerability assessments and penetration tests as part of a continuous cybersecurity evaluation cycle.
Practically, your penetration testing program should include:
• **Scope definition**: Cover internet-facing assets, internal networks, SWIFT environments, mobile banking apps, and OT/IoT where applicable.
• **Methodology**: Align with recognized standards such as PTES, OWASP, or TIBER-EU (increasingly referenced by SAMA for threat intelligence-led testing).
• **Qualified testers**: Use certified professionals (OSCP, CREST, or equivalent) — ideally from an approved third-party firm independent of your IT team.
• **Remediation tracking**: All critical and high findings must have documented remediation plans with defined SLAs, typically 30 days for critical issues per SAMA expectations.
• **Reporting to governance**: Results and remediation status should be reported to the CISO and Board Risk Committee as part of cybersecurity KPI reporting.
Financial institutions undergoing SAMA CSF maturity assessments will be evaluated on the frequency, depth, and follow-up quality of their penetration testing activities. Failing to demonstrate a mature testing program is one of the most common gaps identified during SAMA examinations. Integrating your pentest findings into your risk register and vulnerability management workflow ensures continuous improvement and audit readiness.
Was this helpful?
Under SAMA CSF Control 3.3.6 (Vulnerability Management) and Control 3.4.3 (Penetration Testing), Saudi banks and financial institutions are required to conduct structured penetration testing as part of their ongoing cybersecurity assurance program.
**Minimum Requirements:**
- **Frequency:** Full-scope penetration tests must be conducted at least annually, with targeted assessments triggered by major infrastructure changes, new application deployments, or post-incident reviews.
- **Scope:** Tests must cover external perimeter, internal network, web and mobile banking applications, APIs, and critical payment systems (including SWIFT environments).
- **Methodology:** Tests should follow recognized methodologies such as PTES, OWASP Testing Guide, or TIBER-EU (increasingly adopted by SAMA for systemic banks).
- **Testers:** Engagements must be conducted by qualified third-party specialists or a sufficiently independent internal red team. SAMA expects clear independence — internal IT staff conducting their own tests is not considered sufficient.
- **Remediation Tracking:** All identified findings must be risk-rated, assigned to owners, and remediated within defined SLAs — critical findings typically within 30 days.
- **Reporting to Board:** Summary results and remediation status should be reported to the Cybersecurity Committee and Board Risk Committee at least annually per SAMA CSF governance requirements.
**Practical Tip:** Align your penetration testing calendar with your SAMA CSF self-assessment cycle so that test results feed directly into your maturity scoring. NCA ECC Article 2-9 also independently mandates periodic technical assessments, so a single well-scoped engagement can satisfy both frameworks simultaneously.
Was this helpful?
Under SAMA CSF Control 3.3.6 (Vulnerability Management) and Control 3.3.7 (Penetration Testing), Saudi banks and financial institutions are required to conduct comprehensive penetration testing as part of a formal, risk-based cybersecurity program. SAMA mandates that penetration tests be performed at least annually, and additionally whenever significant changes occur to critical systems, infrastructure, or applications.
The scope of testing must cover external-facing assets, internal networks, web and mobile banking applications, APIs, and critical backend systems. Tests should be conducted by qualified third-party providers with recognized certifications such as OSCP, CREST, or equivalent. Banks are also expected to maintain clear rules of engagement, scoping documents, and formal remediation tracking.
Following each test, institutions must produce a detailed findings report and implement a remediation plan with defined timelines — typically critical findings within 15 days, high findings within 30 days, per SAMA's supervisory expectations. Retesting to verify remediation is strongly recommended.
Beyond annual testing, SAMA CSF encourages adopting a continuous threat-led penetration testing (TLPT) approach, aligned with frameworks like TIBER-EU adapted for the Saudi context. The NCA ECC Article 2-14 also reinforces vulnerability assessment and penetration testing obligations for entities under its jurisdiction.
Practically, CISOs should ensure penetration testing is integrated into the annual security calendar, budgeted appropriately, and findings are escalated to the Board-level Risk Committee as required under SAMA's governance expectations. Maintaining a remediation register and sharing anonymized threat intelligence with SAMA and FINCYBER further demonstrates a mature security posture.
Was this helpful?
Saudi financial institutions are required to conduct regular penetration testing as part of their cybersecurity posture management. Under SAMA CSF Control 3.3.4, member organizations must perform technical vulnerability assessments and penetration tests at least annually, and after any significant change to critical systems or infrastructure. NCA ECC Article 2-14 reinforces this by mandating ethical hacking exercises for entities classified under national critical infrastructure.
Key requirements include:
**Scope Definition:** Tests must cover external-facing assets, internal network segments, web and mobile banking applications, APIs, and SWIFT-connected systems. Social engineering and phishing simulations should also be included.
**Methodology:** Use recognized frameworks such as OWASP, PTES, or TIBER-EU adapted for Saudi context. Tests must simulate real-world threat actors relevant to the financial sector.
**Provider Qualification:** Penetration testing providers should be qualified and, where possible, certified under recognized bodies (CREST, OSCP, CEH). SAMA expects firms to use independent third parties rather than internal teams for objective assessments.
**Remediation Tracking:** Findings must be risk-rated, remediated within defined SLAs (critical findings within 30 days per SAMA guidance), and retested to confirm closure.
**Reporting to Governance:** Results must be reported to the CISO and Board-level risk committee, with trends tracked over time.
Fintechs operating under SAMA's regulatory sandbox should align with the same controls, even in early stages, to avoid compliance gaps upon full licensing. Maintaining a penetration testing register and integrating findings into your risk register are practical steps toward demonstrating continuous compliance.
Was this helpful?
Under SAMA CSF Control Domain 3.3 (Cyber Security Operations), financial institutions are required to conduct regular penetration testing as part of a comprehensive vulnerability management program. SAMA mandates that penetration tests be performed at least annually, with additional tests triggered by significant infrastructure changes, new application deployments, or post-incident assessments.
Key requirements include:
**Scope:** Tests must cover external-facing systems, internal networks, web and mobile banking applications, and API endpoints. Social engineering assessments are strongly recommended.
**Qualified Testers:** Engagements must be conducted by qualified professionals holding recognized certifications such as OSCP, CEH, or CREST. External testers must be vetted and bound by strict NDAs.
**Methodology:** Tests should align with industry frameworks such as OWASP (for applications) and PTES or NIST SP 800-115 for infrastructure. NCA ECC Article 2-14 further requires that findings be classified by severity and remediated within defined SLAs.
**Reporting and Remediation:** All critical and high findings must be remediated within 30 days, with documented evidence presented to the Board Risk Committee. SAMA expects that remediation status is tracked in a formal register.
**Red Team Exercises:** Mature institutions are encouraged to move beyond standard pen testing toward threat-led red team operations aligned with TIBER-SA or CBEST frameworks.
Failure to meet penetration testing obligations can result in SAMA supervisory action, including mandatory remediation orders or increased regulatory scrutiny during annual assessments. Our platform helps you schedule, track, and document all penetration testing activities within a unified GRC dashboard.
Was this helpful?
Under SAMA CSF Control 3.3.7 (Vulnerability Management) and Control 3.3.8 (Penetration Testing), Saudi banks and financial institutions are required to conduct penetration testing as part of a structured vulnerability management program. Key requirements include:
**Frequency:** External penetration tests must be performed at least annually, while internal tests should align with significant infrastructure changes, major application releases, or post-incident reviews. High-risk systems such as internet banking platforms, payment gateways, and core banking infrastructure warrant more frequent testing.
**Scope:** Tests must cover network infrastructure, web and mobile applications, API endpoints, and internal systems. Social engineering and phishing simulation exercises are also encouraged under the broader security assurance program.
**Methodology:** SAMA expects tests to follow recognized methodologies such as OWASP Testing Guide, PTES, or NIST SP 800-115. Both black-box and gray-box approaches may be applicable depending on the target system.
**Qualified Testers:** Testing must be conducted by qualified professionals — either internal red teams with verifiable credentials or third-party firms approved and vetted through the bank's vendor risk process. NCA also recommends testers hold certifications such as OSCP, CEH, or equivalent.
**Reporting and Remediation:** Findings must be documented in a formal report with risk-rated vulnerabilities. Critical and high findings should follow a remediation SLA — typically 30 days for critical issues per SAMA's risk appetite guidelines. Evidence of remediation must be retained for audit purposes.
Non-compliance with SAMA CSF penetration testing requirements can result in regulatory findings during SAMA examinations, so maintaining a test register with clear scheduling, scope, and remediation tracking is essential.
Was this helpful?
Saudi banks must conduct penetration testing as a core component of their cybersecurity assurance program. Under SAMA CSF Control 3.3.6, member organizations are required to perform regular penetration tests covering both internal and external attack surfaces, including network infrastructure, web applications, and APIs. NCA ECC Article 2-14 further mandates that critical national infrastructure entities — which includes Tier-1 banks — conduct penetration testing at least annually, and after any significant system change.
Practically speaking, your penetration testing program should:
1. **Scope comprehensively**: Cover internet-facing applications, internal network segments, privileged access systems, and SWIFT infrastructure if applicable.
2. **Use qualified testers**: Engage certified professionals (OSCP, CEH, CREST-certified) or approved third-party firms. SAMA expects evidence of tester qualifications.
3. **Follow a methodology**: Align with PTES, OWASP Testing Guide, or NIST SP 800-115 to ensure structured and repeatable results.
4. **Test frequency**: At minimum annually for full-scope tests; quarterly vulnerability assessments are considered best practice for high-risk systems.
5. **Remediate and re-test**: SAMA CSF requires documented remediation plans with defined timelines. Critical findings (CVSS ≥ 9.0) should be remediated within 30 days.
6. **Report to governance**: Summarized findings must be presented to the CISO and Board Risk Committee as part of the cybersecurity oversight cycle.
Importantly, red team exercises (adversary simulation) are increasingly expected by SAMA examiners as a maturity indicator beyond standard penetration testing. Maintaining a register of all testing activities, findings, and remediation evidence is essential for regulatory examination readiness.
Was this helpful?
Under SAMA CSF Control Domain 3.3 (Cyber Security Operations), Saudi banks and financial institutions are required to conduct regular penetration testing as part of a robust vulnerability management program. Specifically, SAMA CSF mandates that penetration tests be performed at least annually, and additionally after any significant infrastructure changes, major application releases, or material changes to the network architecture. Tests must cover external-facing assets, internal network segments, web and mobile banking applications, and critical back-office systems.
The scope should align with TIBER-SA (Threat Intelligence-Based Ethical Red Teaming) guidelines for systemically important institutions, simulating advanced persistent threat (APT) actor techniques. Findings must be risk-rated, documented, and remediated within defined SLAs — critical findings typically within 30 days per SAMA expectations.
Practically, your penetration testing program should:
1. Engage CREST-accredited or equivalent qualified testers.
2. Produce a formal report submitted to senior management and the Board Risk Committee.
3. Track remediation through your GRC platform with evidence of closure.
4. Feed results back into your risk register and threat intelligence cycle.
NCA ECC-1:2018 Article 2-13 also reinforces the need for periodic technical assessments. Non-compliance can trigger SAMA supervisory actions, so maintaining documented evidence of test cycles and remediation is critical for regulatory examinations.
Was this helpful?
Under SAMA CSF Control 3.3.7 (Vulnerability Assessment and Penetration Testing), Saudi banks and financial institutions are required to conduct structured penetration testing as part of their ongoing cybersecurity assurance program. Key requirements include: **Frequency**: External penetration tests must be performed at least annually, while internal assessments should align with major infrastructure changes or new system deployments. **Scope**: Tests must cover external-facing systems, internal networks, web applications, APIs, and mobile banking channels. Social engineering assessments are also strongly recommended. **Methodology**: Tests should follow recognized frameworks such as PTES, OWASP, or NIST SP 800-115. Red team exercises are increasingly expected for Tier 1 banks. **Independence**: SAMA expects engagements to be conducted by qualified, independent third-party providers — not solely internal teams. Providers should hold certifications such as OSCP, CREST, or equivalent. **Reporting & Remediation**: Findings must be formally documented, risk-rated (Critical/High/Medium/Low), and presented to senior management. Remediation timelines for Critical and High findings typically should not exceed 30 and 90 days respectively. **Regulatory Notification**: Critical vulnerabilities discovered during testing that indicate active exploitation risk may trigger SAMA's incident notification obligations. Banks should also cross-reference NCA ECC Article 2-14 on technical vulnerability management, which reinforces the requirement for periodic testing across government-affiliated financial entities. Maintaining a penetration testing register and tracking remediation progress is essential for demonstrating compliance during SAMA assessments.
Was this helpful?
Saudi financial institutions are required to conduct structured penetration testing programs under both SAMA CSF (Control 3.3.3) and NCA ECC (Domain 2-7). Here is what your organization must implement:
**Frequency and Scope:**
- External and internal penetration tests must be performed at least annually, and after any significant infrastructure change.
- Scope should cover internet-facing assets, internal networks, core banking systems, mobile/web applications, and APIs used for open banking or fintech integrations.
**Methodology:**
Tests must follow recognized methodologies such as OWASP, PTES, or NIST SP 800-115. Red team exercises simulating advanced persistent threats (APTs) are strongly recommended for Tier-1 banks.
**Provider Requirements:**
- Testers must be qualified (OSCP, CEH, CREST-certified preferred) and independent from the internal IT team.
- SAMA expects that external providers are vetted through your third-party risk management process.
**Reporting and Remediation:**
- All findings must be documented with risk ratings (Critical/High/Medium/Low).
- Critical and High findings must be remediated within 30 and 90 days respectively, with evidence provided to your CISO and compliance function.
- Retesting must confirm remediation closure before sign-off.
**Documentation for Regulators:**
Maintain penetration test reports, remediation logs, and closure evidence for a minimum of five years, as SAMA examiners routinely request this during assessments.
A mature program also integrates penetration test findings into your risk register and feeds lessons learned back into your security awareness and architecture review processes.
Was this helpful?
Under SAMA CSF Control 3.3.5 (Vulnerability Management) and Control 3.4 (Penetration Testing), Saudi banks and financial institutions are required to conduct structured penetration tests at defined intervals and upon significant changes to their IT environment.
**Minimum Frequency Requirements:**
- External penetration testing: At least annually
- Internal network penetration testing: At least annually
- Application-layer testing (web, mobile, API): After every major release or significant code change
- Red team exercises: Recommended every 18–24 months for Tier-1 institutions
**Scope Considerations:**
Tests must cover all critical systems including core banking platforms, internet banking portals, mobile applications, SWIFT interfaces, and payment gateways. NCA ECC Article 2-4-1 further reinforces this by requiring vulnerability assessments and ethical hacking exercises as part of an organization's ongoing cyber hygiene.
**Practical Guidance:**
1. Engage CREST-accredited or equivalent qualified testing firms
2. Ensure test scope is formally approved by the CISO before engagement begins
3. Document all findings in a remediation register with risk-rated priorities
4. Critical and high findings should be remediated within 30 and 90 days respectively, per SAMA expectations
5. Retain all penetration test reports for at least 5 years for audit purposes
**Retesting:**
SAMA expects evidence of remediation verification — simply closing tickets is insufficient. Formal retesting or compensating control documentation is required.
Financial institutions should integrate penetration testing results into their risk register and report significant findings to the board-level risk committee, ensuring governance visibility into technical vulnerabilities.
Was this helpful?
Under SAMA CSF Control 3.3.7, Saudi banks and financial institutions are required to conduct regular penetration testing as part of their vulnerability management program. The framework mandates at minimum an annual external and internal penetration test, with additional testing triggered by significant infrastructure changes, new application deployments, or post-incident reviews.
Practically, most mature financial institutions conduct:
- **External network penetration tests**: At least annually, targeting internet-facing assets, APIs, and open banking interfaces.
- **Internal network tests**: Annually or after major network topology changes.
- **Web and mobile application testing**: Per SAMA CSF 3.3.6, critical applications such as core banking systems and mobile banking apps should be tested at least annually or before major releases.
- **Red team exercises**: Recommended biennially for Tier 1 banks to simulate advanced persistent threats.
Tests must be performed by qualified, independent third parties — ideally CREST-accredited or holding equivalent certifications recognized by SAMA. Findings must be formally documented, risk-rated, and remediated within defined timelines: critical vulnerabilities typically within 15–30 days per internal SLA benchmarks.
Remediation evidence must be retained and made available during SAMA regulatory examinations. Additionally, NCA ECC Article 2-7 aligns with these requirements, mandating periodic technical assessments to identify exploitable weaknesses.
A key gap often found during audits is the absence of re-testing after remediation — ensure your program includes a formal verification cycle. Integrating penetration test findings into your risk register and board reporting cycle demonstrates governance maturity that both SAMA examiners and NCA auditors look for.
Was this helpful?
Saudi financial institutions are required to conduct penetration testing as a core component of their cybersecurity assurance programs. Under SAMA CSF Control 3.3.5, member organizations must perform regular penetration testing across all critical systems, applications, and network infrastructure to identify exploitable vulnerabilities before adversaries do. Testing must be risk-based, covering external and internal threat scenarios.
NCA ECC Article 2-13 reinforces this by mandating periodic technical assessments including red team exercises and vulnerability assessments for entities classified under national critical infrastructure.
Practical requirements include:
- **Annual minimum frequency** for full-scope penetration tests, with additional testing after significant system changes or new deployments.
- **Scope coverage**: web applications, APIs, internal networks, Active Directory environments, and SWIFT interfaces where applicable.
- **Qualified testers**: Engagements should be conducted by certified professionals (OSCP, CREST, CEH) or accredited third-party firms approved by the institution's risk committee.
- **Remediation tracking**: All critical and high findings must have documented remediation plans with defined SLAs — typically 30 days for critical, 90 days for high severity.
- **Retest validation**: Remediated vulnerabilities must be retested to confirm closure before sign-off.
- **Reporting to board**: SAMA CSF requires that penetration testing results and remediation status be reported to senior management and the board risk committee.
Financial institutions should also consider including social engineering and phishing simulations to test human-layer defenses. Maintaining a pentest register and evidence trail is essential during SAMA regulatory examinations.
Was this helpful?
Saudi financial institutions must conduct penetration testing as a core component of their cybersecurity assurance programs. Under SAMA CSF Control 3.3.9, member organizations are required to perform regular penetration tests covering internal networks, external-facing systems, web applications, and critical infrastructure. Tests must be conducted at least annually, and additionally after any significant infrastructure or application change.
NCA ECC-1:2018 Article 3.3 reinforces this by mandating vulnerability assessments and penetration tests for national critical systems, with findings tracked to closure. For financial institutions classified as critical national infrastructure, the frequency expectation is higher — often semi-annual.
Practical guidance for compliance teams:
1. **Scope broadly**: Include core banking systems, payment gateways, APIs, mobile banking apps, and cloud environments.
2. **Use qualified providers**: Engage testers certified under OSCP, CREST, or equivalent, and verify the firm is approved by NCA or holds recognized accreditations.
3. **Define rules of engagement**: Document scope, testing windows, emergency contacts, and out-of-scope systems before testing begins.
4. **Track remediation**: SAMA CSF requires evidence that identified vulnerabilities are remediated within defined SLAs — critical findings typically within 30 days.
5. **Report to governance**: Share summarized findings with the Board Risk Committee or CISO as part of your cybersecurity assurance reporting.
Red team exercises simulating advanced persistent threats (APT) are increasingly expected for Tier 1 banks. Ensure your penetration testing program feeds directly into your vulnerability management lifecycle to demonstrate continuous improvement to regulators.
Was this helpful?
Penetration testing is a mandatory cybersecurity control under both SAMA CSF and NCA ECC, and Saudi financial institutions must meet specific requirements across scope, frequency, and reporting.
**SAMA CSF Requirements (Control 3.3.5 – Vulnerability Management)**
SAMA expects Member Organizations to conduct external and internal penetration tests at least annually, and additionally after significant infrastructure changes. Tests must cover network infrastructure, web applications, mobile banking apps, APIs, and critical internal systems.
**NCA ECC Requirements (ECC-1: 2-5 Vulnerability Assessment)**
NCA ECC mandates regular vulnerability assessments and penetration testing as part of the organization's security assurance program. Government-affiliated financial entities may also be subject to the National Penetration Testing Framework (NPTF) guidelines.
**Scope Recommendations for Banks & Fintechs:**
- External network penetration testing (internet-facing assets)
- Internal network segmentation testing
- Web and mobile application testing (OWASP Top 10)
- API security testing for open banking interfaces
- Social engineering and phishing simulations
- ATM and POS security assessments (for retail banks)
**Testing Frequency Best Practice:**
- Full penetration test: Annually at minimum
- Critical application testing: After every major release
- Vulnerability scans: Monthly or quarterly
- Red team exercises: Every 18–24 months for Tier-1 institutions
**Reporting & Remediation:**
All penetration test reports must be retained and made available during SAMA or NCA audits. Critical and high-severity findings must be remediated within 30 and 90 days respectively, with documented evidence of closure.
**Practical Tip:** Ensure your penetration testing provider is qualified (CREST-accredited or equivalent) and that your Rules of Engagement (RoE) document is signed before testing begins to protect both parties legally.
Was this helpful?
Under SAMA CSF Control Domain 3.3 (Cybersecurity Operations), Saudi banks are required to conduct regular penetration testing as part of a comprehensive vulnerability management program. Specifically, SAMA CSF mandates the following:
**Frequency Requirements:**
- External penetration testing: at minimum annually, and after any significant infrastructure change
- Internal penetration testing: at minimum annually
- Critical systems (e.g., core banking, payment gateways): recommended semi-annually
- Web application penetration testing: before any major release and annually thereafter
**Scope Expectations:**
Tests must cover network infrastructure, web and mobile applications, APIs, and social engineering vectors. Red team exercises are strongly encouraged for Tier-1 institutions.
**Testing Standards:**
SAMA expects tests to follow recognized methodologies such as OWASP Testing Guide, PTES, or NIST SP 800-115. Testers should hold relevant certifications (OSCP, CREST, CEH).
**Remediation Obligations:**
Critical and high findings must be remediated within defined SLAs — typically 15 days for critical vulnerabilities. All findings must be tracked, with evidence provided to internal audit and SAMA examiners upon request.
**Reporting:**
A formal penetration test report must be reviewed by senior management and the CISO. Residual risk acceptance must be documented and approved.
NCA ECC Article 2-7 similarly mandates vulnerability assessments and ethical hacking exercises for government-affiliated entities. Aligning both frameworks in a unified testing calendar reduces duplication and ensures comprehensive coverage across all regulatory obligations.
Was this helpful?
Under SAMA CSF Control 3.3.8, Saudi banks and financial institutions are required to conduct regular penetration testing as part of their vulnerability management program. Here are the critical requirements:
**Frequency & Scope:**
- External and internal penetration tests must be performed at least annually
- Tests should also be triggered after significant infrastructure changes, major application releases, or following a security incident
- Scope must cover internet-facing systems, internal networks, core banking applications, and mobile/web channels
**Methodology & Standards:**
- Tests should follow recognized methodologies such as OWASP, PTES, or OSSTMM
- Red team exercises are encouraged for mature security programs to simulate advanced persistent threats (APTs)
- NCA ECC Control 2-5-3 further reinforces the need for periodic technical assessments
**Provider Requirements:**
- SAMA expects penetration testing to be conducted by qualified, independent parties — internal teams alone are generally insufficient for compliance evidence
- Testers should hold relevant certifications (OSCP, CREST, CEH) and ideally be approved by a recognized body
**Remediation & Reporting:**
- Critical and high findings must be remediated within defined SLAs — typically 30 days for critical vulnerabilities
- A formal remediation tracking process must be documented and evidence retained for SAMA examination
- Retest validation is mandatory to confirm fixes are effective
**Practical Tip:** Integrate penetration testing results into your risk register and present them to the board-level risk committee to demonstrate governance alignment per SAMA CSF Domain 3.
Was this helpful?
Under SAMA CSF Control 3.3.4 (Vulnerability Management) and Control 3.3.5 (Penetration Testing), Saudi banks and financial institutions are required to conduct penetration testing as part of a formal, risk-based security assessment program. SAMA mandates at minimum an annual external and internal penetration test, with additional testing triggered after significant infrastructure changes, new product launches, or major system upgrades.
Key requirements include:
**Scope:** Tests must cover network infrastructure, web applications, mobile banking platforms, APIs, and critical internal systems. SWIFT environments require dedicated testing per SWIFT CSCF controls.
**Methodology:** Tests should follow recognized frameworks such as PTES, OWASP, or OSSTMM, ensuring both black-box and grey-box scenarios are covered.
**Qualified Testers:** SAMA expects tests to be conducted by qualified, independent third parties or an internal red team with verifiable certifications (e.g., OSCP, CEH, CREST). Testers must be separate from the teams that built or manage the tested systems.
**Reporting & Remediation:** Findings must be formally documented, risk-rated (Critical/High/Medium/Low), and remediated within defined SLAs — typically 30 days for Critical findings and 90 days for High. Evidence of remediation must be retained for audit purposes.
**Board Visibility:** Per SAMA CSF governance requirements, penetration testing results and remediation status should be reported to senior management or the Board Risk Committee at least annually.
Financial institutions should also align their penetration testing program with NCA ECC Article 2-11 (Security Assessment and Testing), which reinforces similar expectations for all critical national infrastructure entities. A mature program treats pen testing not as a checkbox exercise but as a continuous intelligence-gathering mechanism to validate defensive controls.
Was this helpful?
Under SAMA CSF Control 3.3.7, Saudi banks and financial institutions are required to conduct regular penetration testing as part of their vulnerability management and cyber resilience programs. At minimum, banks must perform: (1) Annual full-scope penetration tests covering external perimeter, internal network, web applications, and APIs; (2) Targeted tests following any significant infrastructure change, application release, or major incident; (3) Red team exercises at least once every two years for Tier-1 institutions. Tests must be conducted by qualified third-party providers or a certified internal team — testers must hold recognized certifications such as OSCP, CREST, or equivalent. Methodology should align with industry standards like OWASP Testing Guide and PTES. Critical findings (Critical/High severity) must be remediated within 30–90 days depending on risk rating, and evidence of remediation must be documented and retained. Results must be reported to the CISO and Board Risk Committee. Additionally, NCA ECC Article 2-14 reinforces the requirement for periodic technical assessments. Our platform supports this by automating finding tracking, generating SAMA-aligned remediation reports, and maintaining a full audit trail for regulatory review.
Was this helpful?
Under SAMA CSF Control 3.3.5 (Vulnerability Management), Saudi banks and financial institutions are required to conduct regular penetration testing as part of a comprehensive vulnerability management program. The framework mandates at minimum an annual external and internal penetration test, with additional tests triggered by significant infrastructure changes, new application deployments, or post-incident reviews.
Key requirements include:
**Scope & Coverage:** Tests must cover external-facing systems, internal networks, critical banking applications (core banking, payment gateways, mobile apps), and OT/SWIFT environments where applicable.
**Methodology:** SAMA expects testing aligned with recognized methodologies such as OWASP for web applications and PTES or OSSTMM for infrastructure assessments. NCA ECC Article 2-14 further reinforces the need for structured technical assessments.
**Qualified Testers:** Tests should be conducted by qualified internal teams or CREST/CHECK-accredited third-party providers. Independence from the development and operations team is essential.
**Reporting & Remediation:** Findings must be formally documented, risk-rated, and tracked through a remediation plan. Critical and high-risk vulnerabilities should be remediated within 30 days, with evidence submitted to relevant governance committees.
**Red Team Exercises:** For larger institutions, SAMA increasingly expects adversary simulation (red team) exercises aligned with frameworks like TIBER-SA to test detection and response capabilities beyond standard pentest scope.
Practical Tip: Maintain a penetration testing register that logs test dates, scope, findings, remediation status, and retesting results. This register is commonly requested during SAMA regulatory examinations.
Was this helpful?
Penetration testing in Saudi financial institutions must satisfy both SAMA CSF (Control 3.3.7 – Vulnerability Management) and NCA ECC (Article 2-8, Technical Vulnerability Management). Here is a practical framework: **Frequency:** Conduct external penetration tests at least annually and after any major system change. Internal network and application-layer tests should also follow an annual cycle, with critical internet-facing assets tested more frequently. **Scope Definition:** Define scope to cover internet-facing applications, internal networks, ATM/POS infrastructure, APIs, and mobile banking apps. SAMA examiners expect evidence that scope covers crown-jewel systems. **Methodology:** Use recognized methodologies such as PTES, OWASP (for web/mobile), and NIST SP 800-115. Red team engagements simulating APT scenarios are increasingly expected by SAMA for Tier-1 banks. **Vendor Qualification:** Engage only qualified providers — ideally holding CREST accreditation or equivalent. NCA additionally requires that vendors operating on government-linked infrastructure be assessed for supply chain risk. **Remediation Tracking:** All critical and high findings must have a documented remediation plan with ownership and deadlines. SAMA expects critical findings to be remediated within 30 days. Retest all critical and high vulnerabilities before closing findings. **Reporting and Retention:** Maintain penetration test reports, remediation evidence, and retesting records for a minimum of five years per SAMA data retention guidelines. Share executive summaries with the board's Risk or Audit Committee annually.
Was this helpful?
Under SAMA CSF Control 3.3.6, Saudi banks and financial institutions are required to conduct regular penetration testing as a core component of their vulnerability management program. The framework mandates at minimum an annual external penetration test, while internal network testing should align with significant infrastructure changes or at least annually. Institutions with internet-facing applications — particularly mobile banking and open banking APIs — should conduct application-layer penetration tests (including OWASP Top 10 coverage) before major releases and at least semi-annually in production. Tests must be performed by qualified, independent parties — either accredited third-party firms or a sufficiently independent internal red team. Key requirements include: (1) scoping that covers all critical assets identified in your asset register per SAMA CSF Control 3.2.1; (2) a formal remediation plan with SLA-tracked closure of critical and high findings within 30 and 90 days respectively; (3) executive and board-level reporting of results; and (4) retesting to validate remediation. NCA ECC Article 2-5 similarly requires periodic technical assessments including penetration testing for entities under its scope. Findings must feed directly into your risk register and be tracked through your GRC platform. Avoid treating penetration testing as a checkbox — integrate results into your threat intelligence cycle and use them to validate your security controls against real-world attack scenarios relevant to the Saudi financial sector.
Was this helpful?
Under SAMA CSF Control 3.3.4 (Vulnerability Management) and Control 3.3.5 (Penetration Testing), Saudi banks and financial institutions are required to conduct penetration testing as part of a structured vulnerability management program. Key requirements include:
**Frequency:** External penetration tests must be conducted at least annually, while critical systems and internet-facing applications should be tested more frequently — ideally after any major infrastructure or application change.
**Scope:** Tests must cover network infrastructure, web and mobile banking applications, internal systems, and social engineering vectors. API security testing is increasingly important for fintechs.
**Methodology:** Tests should follow recognized methodologies such as OWASP Testing Guide, PTES, or NIST SP 800-115. Both black-box and grey-box approaches are acceptable, but SAMA expects realistic threat simulation.
**Qualified Testers:** Engagements must be conducted by qualified professionals holding certifications such as OSCP, CEH, or CREST, and preferably by a third-party firm independent from your internal security team.
**Remediation Tracking:** Findings must be risk-rated, remediated within defined SLAs (critical findings typically within 15–30 days), and tracked to closure. Evidence of remediation must be retained for audit purposes.
**Reporting to Board:** Material findings should be escalated to the CISO and risk committee. SAMA examiners will review pen test reports during regulatory assessments.
Aligning your penetration testing program with NCA ECC Article 2-14 additionally ensures broader compliance coverage for institutions subject to both frameworks.
Was this helpful?
Under SAMA CSF Control Domain 3.3 (Cybersecurity Resilience), Saudi banks and financial institutions are required to conduct regular penetration testing as part of their cybersecurity assurance program. Specifically, SAMA CSF mandates annual penetration tests for all critical systems and applications, with additional testing required following significant infrastructure changes, new product launches, or post-incident remediation.
The testing scope must cover external and internal network infrastructure, web and mobile banking applications, APIs, and any third-party integrated systems. Assessments should follow recognized methodologies such as PTES (Penetration Testing Execution Standard) or OWASP for application-layer testing.
Key requirements include:
- **Testing by qualified, independent parties**: Internal teams may conduct routine assessments, but annual tests must be performed by certified third-party firms (CREST or equivalent).
- **Remediation timelines**: Critical findings (CVSS ≥ 9.0) must be remediated within 30 days; high findings within 90 days per SAMA CSF guidance.
- **Retesting validation**: Remediated vulnerabilities must be re-verified before closure.
- **Reporting to board/senior management**: Penetration test results and remediation status must be reported to the CISO and relevant governance committees.
NCA ECC Article 3-5 also reinforces these obligations for entities operating critical national infrastructure. Aligning your penetration testing program with both SAMA CSF and NCA ECC ensures dual compliance and reduces regulatory risk. Maintain all test reports, remediation evidence, and retesting records for a minimum of five years to satisfy audit and regulatory review requirements.
Was this helpful?
Penetration testing is explicitly required under SAMA CSF Control 4.4.2 and NCA ECC-2: 1-7, making it a non-negotiable compliance activity for Saudi banks, fintechs, and financial institutions. Here is how to build a compliant and effective penetration testing program:
**Frequency Requirements:**
- SAMA CSF mandates at least annual penetration testing for critical systems
- Tests must also be triggered after significant infrastructure changes, major application releases, or post-incident remediation
- NCA ECC recommends Red Team exercises for Tier-1 critical national infrastructure entities
**Scope Definition:** Define scope to cover external-facing assets (internet-exposed applications, APIs, portals), internal network segments, core banking platforms, and payment systems. SAMA expects coverage of all critical business services.
**Vendor Requirements:** Engage only qualified, certified penetration testing providers. Preferred certifications include OSCP, CREST, CHECK, or equivalent. For Saudi financial institutions, vendors should be familiar with SAMA's regulatory environment and possess a valid CITC/NCA approved provider status where applicable.
**Methodology:** Follow recognized standards — PTES (Penetration Testing Execution Standard), OWASP Testing Guide for web applications, and TIBER-EU/TIBER-SA (threat intelligence-based) for advanced red team exercises.
**Reporting & Remediation:** All critical and high findings must be remediated within defined SLAs (typically 30 days for critical). Maintain a formal remediation tracking register and conduct retesting to verify fixes.
**Audit Evidence:** SAMA examiners will request pentest reports, remediation logs, and sign-off evidence. Ensure reports are stored securely and accessible through your GRC platform with appropriate access controls to protect sensitive vulnerability information.
Was this helpful?
Penetration testing is a mandatory control under SAMA CSF Domain 3.2 (Cybersecurity Risk Management) and Control 3.2.5, requiring Saudi banks to conduct structured and periodic offensive security assessments.
**Regulatory Baseline Requirements**
- External and internal penetration tests must be conducted **at least annually**, or following significant infrastructure changes.
- Tests must be performed by qualified, independent parties — internal teams may conduct supplemental tests but cannot satisfy the independence requirement alone.
- Results, remediation plans, and retesting evidence must be documented and retained for regulatory review.
**Recommended Scoping Approach**
Scope should align with your asset criticality register. At minimum, include: internet-facing applications and APIs, core banking system interfaces, SWIFT/payment infrastructure, Active Directory and identity systems, and OT/network perimeter where applicable.
**Methodology Standards**
Adopt recognized frameworks such as PTES (Penetration Testing Execution Standard), OWASP Testing Guide for web applications, and MITRE ATT&CK for adversary simulation. For financial sector relevance, TIBER-EU and CBEST-aligned threat-led testing is increasingly expected by SAMA examiners.
**Red Team vs. Pen Test**
For Tier 1 banks, SAMA increasingly expects Red Team exercises simulating sophisticated, persistent adversaries — not just point-in-time vulnerability exploitation. Red Team engagements should target detection and response capability, not just technical controls.
**Reporting & Remediation**
All Critical and High findings must have remediation timelines defined within the report. SAMA expects evidence of tracked remediation in your GRC system, with Board or Risk Committee visibility on unresolved critical findings.
Ensure your pentest vendor provides CVSS-scored findings mapped to SAMA CSF controls for direct GRC platform integration.
Was this helpful?
Penetration testing is a mandatory control under both SAMA CSF (Control 3.3.7 – Vulnerability Management) and NCA ECC (Article 2-13 – Technical Vulnerability Management), requiring Saudi financial institutions to conduct regular, structured adversarial testing of their environments.
**Mandatory Frequency:**
- **External penetration testing:** At minimum annually, and after any major infrastructure change.
- **Internal penetration testing:** Annually.
- **Application-layer testing (web/mobile/API):** After every major release or annually, whichever is more frequent.
- **Red Team exercises:** SAMA CSF recommends advanced threat simulation for Tier 1 institutions at least every two years.
**Scoping Best Practices:**
1. **Define scope clearly:** Include internet-facing assets, core banking APIs, mobile banking apps, SWIFT interfaces, and internal network segments handling cardholder or customer PII data.
2. **Rules of Engagement (RoE):** Establish explicit RoE documenting permitted attack techniques, out-of-scope systems (e.g., live production ATMs), escalation procedures, and emergency contacts.
3. **Methodology alignment:** Tests should follow recognized methodologies — PTES, OWASP Testing Guide for web apps, OWASP Mobile Security Testing Guide for mobile apps, and NIST SP 800-115.
4. **Third-party vs. internal:** SAMA CSF expects external, independent testers for critical systems. Internal teams may conduct supplementary testing but should not be the sole testers.
**Remediation & Reporting:**
All critical and high-severity findings must be remediated within 30 days. A formal remediation report should be submitted to the CISO and Board-level Risk Committee. NCA ECC requires findings to feed into the organization's vulnerability register and risk treatment plan.
**Practical Tip:** Engage CREST-accredited or Saudi CITC-approved testing firms to ensure regulatory acceptance of results.
Was this helpful?
Saudi banks must establish a structured, risk-based penetration testing program that satisfies both SAMA CSF Control 3.3.7 (Vulnerability Management) and NCA ECC-1:2018 Article 3-3 (Technical Vulnerability Management). At minimum, your program should include the following elements:
**Frequency & Scope:** Conduct full-scope external and internal penetration tests at least annually, and after any significant infrastructure or application change. SAMA CSF requires continuous vulnerability assessments, while NCA ECC mandates periodic technical evaluations of critical national infrastructure components.
**Methodology:** Use internationally recognized methodologies such as OWASP Testing Guide for web applications, PTES (Penetration Testing Execution Standard) for network and infrastructure, and TIBER-EU or CBEST frameworks for advanced threat intelligence-led red team exercises — which SAMA increasingly expects from Tier-1 banks.
**Scoping:** Ensure scope covers internet-facing assets, internal network segments, SWIFT infrastructure (per SWIFT CSCF), mobile banking applications, ATM networks, and third-party-connected systems. Do not exclude legacy systems — regulators pay close attention here.
**Qualified Testers:** SAMA CSF and NCA ECC both require tests to be conducted by qualified, independent parties. Testers should hold recognized credentials (OSCP, CREST, CEH) and should not have been involved in building or administering the tested systems.
**Remediation & Reporting:** Critical and high findings must be remediated within defined SLAs — typically 15 days for critical, 30 days for high. Maintain a formal remediation tracking register and evidence of retesting. SAMA may request this documentation during examinations.
**Executive Reporting:** Produce both technical reports (for security teams) and executive summaries (for the Board and Risk Committee) to fulfill SAMA CSF governance reporting obligations.
Was this helpful?
The NCA Essential Cybersecurity Controls (ECC) mandate a structured approach to vulnerability assessment and penetration testing (VAPT) for all entities under its scope, including government bodies, semi-government entities, and operators of critical national infrastructure (CNI). These requirements are anchored primarily in ECC Domain 2 (Cybersecurity Defense) and related annexes.
**Core NCA ECC Penetration Testing Requirements:**
**1. Scope and Frequency (ECC 2-13):** Organizations must conduct penetration tests at least annually and after any significant change to the IT/OT environment — including major system upgrades, infrastructure changes, or post-incident recovery. Ad-hoc tests must be risk-justified and documented.
**2. Qualified Testers:** NCA strongly recommends using licensed penetration testing firms, ideally those holding NCA-recognized certifications or CREST accreditation. Internal red team capabilities are acceptable if independence and skill can be demonstrated.
**3. Scope Coverage:** Tests must cover external perimeter, internal network, web applications, APIs, and — for CNI operators — OT/ICS environments where applicable. Social engineering components (phishing simulations) should be included per ECC 2-14.
**4. Methodology Alignment:** Align testing methodology with recognized standards such as PTES (Penetration Testing Execution Standard), OWASP WSTG for web applications, and IEC 62443 for ICS/OT environments.
**5. Remediation Tracking:** ECC requires that all critical and high findings be remediated within defined SLAs and that a formal remediation report be submitted. Open vulnerabilities must be tracked in your vulnerability management system.
**6. Reporting to NCSC:** For CNI operators, significant findings — especially those exploiting production systems — may require disclosure to the NCA National Cybersecurity Operations Center (NCOC).
**Practical Tip:** Maintain a penetration testing charter document that defines scope, rules of engagement, and approval authority. This satisfies both NCA ECC audit requirements and demonstrates governance maturity during SAMA CSF assessments.
Was this helpful?
Under SAMA CSF Domain 4 (Cybersecurity Operations), Saudi banks and financial institutions must conduct penetration testing as a core component of their vulnerability management and threat assessment program. Specifically, SAMA CSF Control 4.3 mandates that member organizations perform penetration testing at least annually, and additionally after any significant infrastructure change, major application release, or following a material cybersecurity incident.
Tests must cover all critical assets including internet-facing systems, core banking platforms, internal networks, and mobile/web applications. SAMA expects engagements to follow a recognized methodology such as OWASP, PTES, or TIBER-EU for advanced threat simulation. Testers must be qualified — either certified internal red team professionals (OSCP, GPEN, CEH) or approved third-party firms.
Key practical requirements include:
- **Scoping**: Cover external, internal, and application layers.
- **Reporting**: Findings must be risk-rated, remediation timelines assigned, and results presented to senior management and the Board Risk Committee.
- **Remediation Tracking**: Critical and high findings must be remediated within 30–90 days depending on severity, with evidence documented.
- **Retesting**: Mandatory retesting after remediation to confirm closure.
- **NCA ECC Alignment**: NCA ECC Article 2-7 further requires that penetration test reports and remediation plans be maintained as audit evidence available to regulators upon request.
For fintechs under SAMA's regulatory sandbox, similar obligations apply with proportional scoping based on risk profile. Our platform automates pentest scheduling, finding intake, remediation workflows, and audit-ready reporting to keep your institution continuously compliant.
Was this helpful?
Penetration testing is a mandatory control under both SAMA CSF and NCA ECC, and Saudi banks must approach it as a structured, risk-driven program — not a checkbox exercise.
**SAMA CSF Requirements (Control 3.3.6 – Vulnerability Management):**
- External penetration testing: **annually at minimum**, plus after significant infrastructure changes
- Internal network penetration testing: annually
- Application-level testing (OWASP-based) for all customer-facing banking applications: before major releases and annually
- Red team exercises for Tier-1 banks: recommended biannually to simulate advanced persistent threats (APTs)
**NCA ECC Requirements (Article 2-7 – Cybersecurity Assessment):**
- NCA mandates periodic security assessments including penetration tests for entities classified as Critical National Infrastructure (CNI). Most major Saudi banks fall under CNI classification.
- Tests must cover network, application, and physical security layers.
- Testers must hold recognized certifications such as OSCP, CREST, or equivalent.
**Scope Considerations for Banks:**
- Core banking systems (CBS), mobile banking apps, APIs, SWIFT infrastructure, and ATM networks must all be in scope
- Social engineering tests (phishing simulations) should complement technical testing
- Cloud-hosted environments require separate cloud penetration testing scope
**Findings Management:**
SAMA CSF requires a formal remediation process:
- **Critical/High findings:** Remediate within **30 days**
- **Medium findings:** Remediate within **90 days**
- **Low findings:** Track in risk register with defined timelines
All pentest reports, remediation evidence, and exception approvals must be retained for **at least 5 years** and be available for SAMA regulatory inspection.
Our platform provides pentest program templates, finding trackers integrated with your risk register, and pre-mapped control evidence for SAMA and NCA audit cycles.
Was this helpful?
The NCA Essential Cybersecurity Controls (ECC) mandate penetration testing as a core technical assurance activity under Control Domain 2-5 (Cybersecurity Resilience — Penetration Testing). Here is a comprehensive guide for Saudi organizations:
**NCA ECC Requirements:**
Control 2-5-1 requires organizations to conduct penetration tests on all critical systems, applications, and network infrastructure. Tests must be performed by qualified, independent testers — internal or accredited third-party specialists. The NCA expects evidence of findings, remediation actions, and retesting validation.
**Mandatory Frequency:**
NCA ECC stipulates penetration tests must be conducted at least annually. However, additional tests are required following significant changes such as major system upgrades, new application deployments, network architecture changes, or after a confirmed security incident.
**Scoping Your Engagement:**
Effective scoping should cover: External perimeter testing (internet-facing assets, APIs, web applications), Internal network testing (lateral movement, privilege escalation), Application-layer testing (OWASP Top 10 for web and mobile apps), Social engineering assessments (phishing simulations), and Wireless network security assessments. For financial institutions, also include SWIFT environment testing and payment system interfaces.
**Methodology Standards:**
Adopt recognized methodologies such as PTES (Penetration Testing Execution Standard), OWASP Testing Guide, or NIST SP 800-115. These align with NCA expectations for structured, repeatable, and evidence-based testing.
**Reporting & Remediation:**
Pentest reports must include a risk-rated finding register (Critical/High/Medium/Low), root cause analysis, and actionable remediation guidance. Organizations should track remediation through a formal vulnerability management process and complete retest validation before closing high-severity findings.
Always ensure your pentest provider signs a formal Rules of Engagement (RoE) document and obtains written authorization before testing begins.
Was this helpful?
Penetration testing is a critical control activity mandated across both SAMA CSF and NCA ECC for Saudi financial institutions. Understanding the specific requirements — and how to operationalize results — is essential for compliance and genuine risk reduction.
**SAMA CSF Requirements:**
Under Control Domain 3 (Cybersecurity Operations), SAMA requires financial institutions to conduct penetration tests on all critical systems and internet-facing applications at least annually, and following any significant infrastructure change. The scope must include external network testing, internal network testing, and application-layer testing (web and mobile). Results must be formally reported to senior management.
**NCA ECC Requirements:**
NCA ECC Article 3-9 mandates that organizations conduct technical vulnerability assessments and penetration tests as part of their continuous risk management cycle. For entities classified under critical national infrastructure, testing frequency expectations may increase to semi-annual.
**Scope and Methodology Guidance:**
- Engage only CREST-certified or equivalent qualified firms with verifiable Saudi financial sector experience.
- Define scope to include APIs, mobile banking apps, core banking interfaces, ATM networks, and SWIFT connectivity where applicable.
- Red team exercises simulating advanced persistent threats (APT) should supplement standard penetration tests annually.
- Ensure Rules of Engagement (RoE) are legally documented before testing begins.
**Results Management:**
- Classify findings by CVSS score and business risk impact — do not rely on severity alone.
- Critical and High findings must have remediation plans within 30 days per SAMA expectations.
- Track all findings in your GRC platform with owner assignment, due dates, and evidence of closure.
- Re-test remediated vulnerabilities formally — verbal confirmation is insufficient for audit purposes.
- Retain penetration test reports for a minimum of 5 years to support regulatory examination requests.
Was this helpful?
Under SAMA CSF Control 3.3.5 (Vulnerability and Penetration Testing), Saudi financial institutions are required to conduct penetration testing at least annually, and after any significant system changes or new infrastructure deployments. The scope must cover all critical systems including core banking platforms, internet-facing applications, internal networks, and APIs.
Key requirements include:
**Scoping:** Tests must encompass external perimeter, internal network, web applications, and mobile banking apps. Social engineering and phishing simulations are also recommended under the same control domain.
**Methodology:** Engagements should follow recognized methodologies such as PTES, OWASP Testing Guide, or NIST SP 800-115. Tests must be conducted by qualified, independent parties — internal red teams or certified external providers (CREST, OSCP-certified testers).
**Reporting:** Findings must be classified by severity (Critical, High, Medium, Low), mapped to CVSS scores, and remediation timelines defined. Critical and High findings typically require remediation within 30–90 days per SAMA expectations.
**Remediation Validation:** SAMA CSF expects re-testing after remediation to confirm vulnerabilities are resolved — not just marked closed.
**Documentation:** All test results, remediation actions, and sign-offs must be retained and made available to internal audit and SAMA examiners upon request.
NCA ECC Article 2-7 further reinforces penetration testing obligations for entities within the national critical infrastructure scope, which overlaps with Tier-1 and Tier-2 banks.
Best practice is to run quarterly automated vulnerability scans between annual pen tests to maintain continuous assurance and satisfy both SAMA CSF and NCA ECC expectations.
Was this helpful?
SAMA CSF Control 3.4 (Cybersecurity Assessment) mandates that Saudi banks conduct regular penetration testing as part of a broader vulnerability management program. Here is what a fully compliant penetration testing program looks like: **Frequency Requirements** — External-facing systems and internet banking applications must be tested at minimum annually, with additional testing required after significant infrastructure changes, new product launches, or post-incident remediation. Critical systems may warrant bi-annual testing. **Scope and Methodology** — Tests must cover external perimeters, web applications, internal networks, and where applicable, mobile banking apps and APIs. Methodology should align with recognized standards such as PTES (Penetration Testing Execution Standard), OWASP Testing Guide for applications, and OSSTMM for network layers. Social engineering and phishing simulations should be included to assess human-layer controls per SAMA CSF Control 3.3.5. **Tester Qualifications** — SAMA expects tests to be conducted by qualified independent parties. Relevant certifications include OSCP, CREST, CEH, or GPEN. Internal red team exercises can supplement but typically do not replace third-party assessments for regulatory purposes. **Compliant Report Structure** — A SAMA-ready pentest report must include: executive summary with risk ratings, detailed technical findings mapped to CVE/CVSS scores, proof-of-concept evidence, business impact assessment per finding, and a prioritized remediation roadmap with defined timelines. Findings should be mapped to SAMA CSF controls and NCA ECC domains where applicable. **Remediation Tracking** — Critical and high findings must be remediated within 30–90 days, with evidence of closure verified through retesting. Maintain an audit trail of all findings and remediations for SAMA inspection readiness.
Was this helpful?
Both SAMA CSF and NCA ECC mandate regular penetration testing as a core component of a mature cybersecurity program. Here is how Saudi banks should structure their annual program:
**Regulatory Requirements:**
- **SAMA CSF Control 3.3.4** requires member organizations to conduct regular penetration tests on critical systems, networks, and applications, with findings tracked to remediation.
- **NCA ECC-1: 2-4** mandates periodic penetration testing covering infrastructure, applications, and network perimeters, with results reported to senior management.
**Program Design Essentials:**
1. **Scope Definition:** Cover internet-facing applications, internal network segments, core banking systems, ATM infrastructure, mobile banking apps, and APIs. Prioritize assets classified as critical under your asset management framework.
2. **Frequency:** Conduct external penetration tests at minimum annually; internal tests semi-annually. Trigger additional tests after significant infrastructure changes, major releases, or post-incident.
3. **Methodology:** Require testers to follow recognized methodologies such as PTES, OWASP Testing Guide for web apps, and MITRE ATT&CK for adversary simulation scenarios relevant to the financial sector.
4. **Tester Qualification:** Engage OSCP, CREST, or CEH certified professionals. For critical systems, use independent third-party firms rather than internal teams to ensure objectivity.
5. **Remediation Tracking:** All critical and high findings must have documented remediation plans with owners and deadlines. Conduct verification retests within 30–60 days.
6. **Reporting to Board:** Summarize findings and remediation status in quarterly risk committee reports, as expected under SAMA CSF governance requirements.
A well-structured pen test program not only satisfies regulators but directly reduces your exploitable attack surface.
Was this helpful?
Penetration testing is a mandatory control under both SAMA CSF and NCA ECC, yet many Saudi financial institutions either conduct tests infrequently or fail to meet the scope and methodology standards expected by regulators.
**SAMA CSF Requirements (Control 3.3 – Vulnerability Management):**
- External penetration tests must be conducted at least annually by an independent, qualified third party. SAMA expects testers to hold recognized certifications such as OSCP, CEH, or CREST.
- Internal penetration tests should be performed at least once per year, and after any significant infrastructure changes.
- Results must be formally documented, risk-rated, and remediated within defined SLAs — critical findings within 30 days, high findings within 90 days.
**NCA ECC Requirements (ECC-1-4-2 – Penetration Testing):**
- NCA mandates that penetration testing cover all external-facing systems, internal network segments, and web/mobile applications.
- Red team exercises simulating advanced persistent threats (APT) are expected for entities classified as critical national infrastructure.
- Test reports must be retained for a minimum of 5 years and be available for NCA inspection.
**Recommended Testing Scope for Banks:**
- External perimeter (internet-facing assets, APIs, web portals)
- Core banking application layers
- Mobile banking applications (iOS and Android)
- Internal network segmentation and lateral movement paths
- Social engineering and phishing simulations
- SWIFT and payment infrastructure (where applicable)
**Key Pitfall to Avoid:**
Do not reuse the same penetration testing firm year after year without rotation. SAMA examiners look for evidence of independent, objective assessments. Establish a vendor rotation policy every 2–3 years to maintain test integrity.
Was this helpful?
Under SAMA CSF Control 3.3.8 (Vulnerability Management), Saudi banks and financial institutions are required to conduct penetration testing as a core component of their cybersecurity assurance program. The framework mandates at minimum an annual external and internal penetration test, with additional tests triggered by significant infrastructure changes, new product launches, or post-incident recovery. Tests must cover all critical assets including internet-facing systems, core banking platforms, APIs, and mobile banking applications.
Practically, your penetration testing program should follow a structured methodology such as PTES or OWASP, and must be performed by qualified third-party testers — ideally certified with OSCP, CEH, or equivalent credentials. Findings must be formally documented, risk-rated, and remediated within defined SLAs based on severity: Critical findings typically within 15 days, High within 30 days, and Medium within 90 days.
NCA ECC-1:2018 Article 3-4-1 further reinforces this by requiring periodic technical assessments of systems and networks. Results and remediation plans must be reviewed by senior management and reported to the board-level cybersecurity committee. For fintechs regulated under SAMA's Fintech regulations, the same cadence applies but scope is calibrated to your specific service footprint.
Our platform helps you track pentest findings, assign remediation owners, monitor SLA compliance, and generate audit-ready reports that satisfy both SAMA and NCA examiners during regulatory assessments.
Was this helpful?
Penetration testing (pentesting) is a mandatory control under SAMA CSF and is referenced in NCA ECC-1:2018 as part of the Protect and Detect domains. Here is how Saudi financial institutions should approach it:
**Frequency Requirements:** SAMA CSF Control 3.3.12 requires external penetration testing at least annually and after any major infrastructure change. Internal network testing and application-layer assessments should align with the same cadence.
**Scope Definition:** Scope must cover internet-facing assets (web portals, APIs, mobile banking apps), internal network segments, core banking interfaces, and SWIFT connectivity infrastructure. Excluding any critical system without documented justification creates compliance gaps.
**Provider Qualification:** Engage testers who hold recognized certifications (OSCP, CREST, CEH) and are ideally accredited by NCA's national cybersecurity ecosystem. Contracts must include confidentiality clauses, data handling obligations aligned with PDPL, and clear rules of engagement.
**Methodology Alignment:** Testing should follow established methodologies such as PTES, OWASP Top 10 (for applications), and NIST SP 800-115. Red team exercises simulating APT-style attacks add maturity beyond standard compliance-driven pentests.
**Reporting & Remediation:** Findings must be risk-rated (Critical/High/Medium/Low), assigned to system owners, and tracked to closure within defined SLAs — typically 15 days for critical findings. Remediation evidence must be retained for audits.
**Regulatory Evidence:** Pentest reports, remediation trackers, and re-test confirmations serve as primary audit artifacts for both SAMA inspections and NCA ECC assessments. Store them securely for a minimum of three years.
Was this helpful?
Under SAMA CSF Control Domain 3.3 (Cybersecurity Operations), Saudi banks are required to conduct regular penetration testing as part of their vulnerability management and threat assessment obligations. Specifically, SAMA CSF mandates that financial institutions perform external and internal penetration tests at least annually, and additionally after any significant infrastructure change, major application release, or following a security incident.
Key requirements include:
**Scope & Coverage:** Tests must cover network perimeter, internal systems, web and mobile banking applications, APIs, and critical payment infrastructure. SWIFT-connected environments require dedicated testing per SWIFT CSCF obligations.
**Methodology:** Tests should follow recognized methodologies such as OWASP Testing Guide for applications and PTES or NIST SP 800-115 for infrastructure. Red team exercises are increasingly expected for Tier-1 banks.
**Qualified Testers:** SAMA expects testing to be conducted by qualified, independent parties — either certified internal teams or accredited third-party firms. NCA ECC Article 2-14 further reinforces independence requirements.
**Reporting & Remediation:** Findings must be formally documented, risk-rated (Critical/High/Medium/Low), and tracked through a remediation plan with defined timelines. Critical findings typically require remediation within 15–30 days.
**Board Visibility:** Material findings should be escalated to the CISO and reported to the Board Risk Committee as part of the cybersecurity posture update.
Practically, banks should maintain a rolling penetration testing calendar, integrate findings into their risk register, and use results to validate security control effectiveness — feeding back into SAMA CSF maturity assessments.
Was this helpful?
Saudi banks and fintechs must conduct penetration testing as a core compliance obligation under both SAMA CSF and NCA ECC. Under SAMA CSF Control 3.3.5, organizations are required to perform regular penetration tests on all critical systems, applications, and network infrastructure — at minimum annually, and following any significant system change. NCA ECC Article 3-2-6 reinforces this by mandating that penetration testing be performed by qualified, independent parties using recognized methodologies such as PTES or OWASP. Practically, your program should include: (1) External and internal network penetration tests targeting perimeter defenses and lateral movement paths; (2) Web and mobile application testing covering OWASP Top 10 vulnerabilities, especially for customer-facing banking apps; (3) Social engineering and phishing simulations to test human controls; (4) Red team exercises for mature organizations to simulate advanced persistent threat (APT) scenarios. All findings must be tracked in a formal remediation plan with defined SLAs — critical findings typically require remediation within 30 days per SAMA guidance. Reports should be reviewed by the CISO and presented to the board risk committee. Retain testing evidence and reports for a minimum of five years to support regulatory examination requests from SAMA or NCA. Engaging a CREST-accredited or SAMA-recognized testing provider strengthens your compliance posture and ensures findings are defensible during audits.
Was this helpful?
Under SAMA CSF Control 3.3.5 (Vulnerability Management) and Control 3.3.6 (Penetration Testing), Saudi banks and financial institutions are required to conduct structured penetration testing as part of their cybersecurity assurance program. The key requirements include: (1) **Frequency**: External penetration tests must be conducted at least annually, while critical systems or those undergoing significant changes require testing before go-live and after major updates. (2) **Scope**: Tests must cover external-facing infrastructure, internal networks, web and mobile banking applications, APIs, and SWIFT-connected systems. (3) **Methodology**: Testing must follow recognized methodologies such as OWASP, PTES, or NIST SP 800-115, and must be performed by qualified, independent testers — either certified internal staff (OSCP, CREST) or accredited third-party firms. (4) **Reporting**: A formal report with risk-rated findings, remediation timelines, and evidence of retesting must be maintained and made available to SAMA upon request. (5) **Red Team Exercises**: Mature organizations are encouraged to supplement annual pen tests with threat-led red team assessments aligned with TIBER-SA principles. Remediation of critical and high findings must follow defined SLAs — typically 30 days for critical vulnerabilities. All penetration testing activities, findings, and closure evidence must be documented within your GRC platform for audit readiness and regulatory examination cycles.
Was this helpful?
Penetration testing is a mandatory compliance obligation for Saudi financial institutions and critical infrastructure entities under both SAMA CSF and NCA ECC. Here is a structured approach to ensure your testing program meets regulatory expectations:
**Regulatory Basis:**
- SAMA CSF Control 3.3.5 mandates regular vulnerability assessments and penetration testing for member organizations.
- NCA ECC-1:2018 Article 3.3 requires periodic technical security assessments, including penetration testing of external and internal systems.
**Scope and Frequency:**
- External penetration testing must be conducted at minimum annually, and after any major infrastructure change.
- Internal network penetration testing, web application testing, and API security assessments should be included in scope for banks and fintechs.
- Red Team exercises are recommended for Tier 1 banks to simulate advanced persistent threats (APTs).
**Methodology Requirements:**
- Testing must follow a recognized methodology such as PTES, OWASP Testing Guide, or TIBER-EU (adapted for Saudi context).
- Testers must be qualified — ideally holding OSCP, CEH, or equivalent certifications — and the engagement must be governed by a formal Rules of Engagement (RoE) document.
**Reporting and Remediation:**
- Findings must be risk-rated (Critical, High, Medium, Low) and mapped to relevant SAMA/NCA controls.
- A remediation plan with defined timelines is required. Critical findings typically demand remediation within 30 days per SAMA expectations.
- Retest validation reports must be retained for regulatory audits.
**Key Tip:** Engage a SAMA-recognized or NCA-approved cybersecurity service provider to conduct assessments, as regulators may request evidence of provider qualifications during examinations.
Was this helpful?
The NCA Essential Cybersecurity Controls (ECC-1:2018) mandate penetration testing as a core security assurance activity under Domain 3 (Cybersecurity Resilience), specifically Sub-control 3-2-1, which requires organizations to conduct vulnerability assessments and penetration tests to evaluate the effectiveness of implemented cybersecurity controls.
**NCA ECC Penetration Testing Requirements:**
**Frequency:** NCA ECC requires pen testing to be conducted at a minimum annually, and additionally following any significant infrastructure change, major application release, or post-incident remediation — a requirement that mirrors SAMA CSF Domain 4 operational testing obligations.
**Scope Definition:** Your pen test scope must cover all critical assets as defined in your asset inventory (ECC Sub-control 1-1-1). For financial institutions, this typically includes: internet-facing applications and APIs, internal network segments, Active Directory/IAM infrastructure, core banking system interfaces, mobile banking applications, and cloud environments.
**Methodology Standards:** NCA does not prescribe a specific methodology, but best-practice alignment with OWASP Testing Guide (for web/API), PTES (Penetration Testing Execution Standard), and TIBER-EU (for financial sector threat-intelligence-based testing) is widely accepted by Saudi regulators. SAMA additionally encourages Threat-Led Penetration Testing (TLPT) for systemically important banks.
**Tester Independence:** Both NCA ECC and SAMA CSF require that penetration testing be conducted by qualified professionals independent from the teams responsible for the systems under test. External testers must hold recognized certifications such as OSCP, CEH, or CREST.
**Reporting and Remediation:** Post-test, a formal report must classify findings by severity (Critical, High, Medium, Low) with a documented remediation plan. Critical and High findings must be remediated within defined SLAs — typically 30 and 90 days respectively for regulated entities. Remediation evidence must be retained for audit purposes.
**Retesting:** NCA ECC implicitly requires verification that critical vulnerabilities have been remediated. Schedule retests within 30 days of critical finding remediation.
A mature pen test program integrates findings into your risk register, tracks remediation through your GRC platform, and feeds lessons learned back into your security architecture reviews.
Was this helpful?
Penetration testing is a mandatory technical control under both SAMA CSF and NCA ECC, and financial institutions must conduct it systematically to remain compliant and genuinely secure. Here's how to structure a compliant penetration testing program:
**Regulatory Requirements:**
- **SAMA CSF Control 3.3.7**: Requires vulnerability assessments and penetration testing to be conducted on critical systems at least annually, and after significant changes to infrastructure or applications.
- **NCA ECC Art. 2-7-3**: Mandates regular penetration testing covering networks, applications, and supporting infrastructure with results formally documented and remediated.
**Testing Scope and Methodology:**
1. **Scoping**: Include internet-facing assets (web portals, APIs, mobile apps), internal networks, core banking applications, SWIFT infrastructure, and cloud environments.
2. **Methodology**: Align with recognized standards such as PTES (Penetration Testing Execution Standard), OWASP for web/API testing, and OSSTMM for network testing.
3. **Testing Types**: Conduct external and internal network pentests, web application pentests, API security testing, social engineering assessments, and — for mature programs — red team exercises simulating advanced persistent threats (APTs).
4. **Qualified Testers**: Use NCA-approved or CREST/OSCP-certified testers. SAMA expects testers to be independent from the teams responsible for the systems being tested.
**Post-Testing Obligations:**
- Produce a formal report with CVSS-scored findings, proof-of-concept evidence, and remediation recommendations.
- Remediate critical and high-severity findings within 30 days; medium-severity within 90 days.
- Conduct re-testing to validate remediation effectiveness.
- Retain pentest reports for regulatory review — SAMA examiners routinely request these during assessments.
**Advanced Practice:** Integrate pentest findings into your risk register and track them through your GRC platform for continuous compliance visibility.
Was this helpful?
SAMA CSF Domain 4 (Cybersecurity Operations), specifically Controls 4.2 and 4.3, mandates a structured vulnerability assessment and penetration testing (VAPT) program for all licensed Saudi financial institutions. Here is what compliance requires in practice:
**Frequency Requirements:**
- External penetration testing: At minimum annually, and after any significant infrastructure change
- Internal penetration testing: At minimum annually
- Red Team exercises: Recommended biennially for Tier-1 banks with complex environments
- Application security testing (DAST/SAST): For every major application release or significant update
**Scope:**
SAMA expects testing to cover external perimeter (internet-facing assets), internal network segments, critical applications (core banking, mobile banking, SWIFT infrastructure), and cloud environments. NCA ECC Article 3-4 further requires government-affiliated entities to include OT/SCADA systems where applicable.
**Methodology:**
Engagements must follow recognized methodologies such as PTES (Penetration Testing Execution Standard), OWASP Testing Guide, or TIBER-EU (increasingly referenced for Saudi systemically important banks). Testers must hold recognized certifications (OSCP, CREST, CEH) and must operate under a formally signed Rules of Engagement (RoE) document.
**Finding Remediation & Tracking:**
SAMA CSF Control 4.2.5 requires that all critical and high findings be remediated within 30 days, medium findings within 90 days, and low findings within 180 days. A formal Vulnerability Management register must track finding status, ownership, and closure evidence. Unmitigated critical findings must be reported to the CISO and Board Risk Committee with documented risk acceptance rationale.
Our platform provides an integrated VAPT tracking module with SAMA-aligned SLA dashboards, automated remediation workflows, and audit-ready closure reports — ensuring your penetration testing program satisfies regulatory scrutiny end-to-end.
Was this helpful?
No matching questions found.
Didn't find what you're looking for?
✉️ Contact Us