CBUAE Penetration Testing - A Guide for Banks and Payment Firms
CBUAE (Central Bank of UAE) penetration testing requirements for licensed banks, payment institutions, and stored-value facilities. Information Security standards, testing frequency, scope expectations, and common audit findings.
CBUAE penetration testing sits at the intersection of the Central Bank of the UAE’s Information Security standards, Consumer Protection Regulation cyber requirements, and institution-specific licensing obligations. For banks, payment institutions, and stored-value facilities licensed by the CBUAE, penetration testing is not a peripheral activity - it is a load-bearing control that the supervisor examines directly.
This guide outlines what CBUAE expects, where the most common gaps are in UAE banking penetration testing programmes, and how to structure an engagement that will hold up to examination.
Who Is Subject to CBUAE Penetration Testing Expectations
Directly:
- Licensed banks (commercial, investment, Islamic, foreign branches)
- Finance companies and consumer lending companies
- Payment service providers licensed under the Retail Payment Services and Card Schemes Regulation
- Stored-value facility issuers
- Money exchange businesses and remittance providers
Indirectly, CBUAE expectations flow through to:
- Material third-party service providers to licensed institutions - testing of these providers is typically the licensed entity’s responsibility
- Group entities whose activities are material to the UAE licensed operation
The CBUAE Regulatory Framework
CBUAE information security and cyber-risk expectations are expressed across several instruments:
- Central Bank Regulations and Standards for Information Security - foundational framework covering the full lifecycle of information security controls including testing obligations
- Consumer Protection Regulation - articulates cybersecurity as a consumer protection obligation with specific control expectations
- Retail Payment Services and Card Schemes Regulation - sector-specific cyber and technology risk expectations for payment institutions
- Outsourcing Regulation - cyber and technology risk controls required for material outsourced services
- Circulars and Guidelines - periodic supervisory communications that extend and clarify expectations
Penetration testing obligations cross-cut these instruments. The core expectations:
- Annual comprehensive penetration testing at minimum
- Independent testing entity - external, independent of IT vendors and audit firm
- Scope covering full technology estate material to the licensed activity
- Remediation evidence for findings, with clear owner and timeline
- Testing of significant changes - new product launches, cloud migrations, M&A integrations
- Third-party and outsourcing testing where the institution uses material external services
Scope Expectations Specific to Banks and Payment Firms
Customer-facing digital channels
Online banking portals, mobile apps, chatbot or assistant interfaces, and API-based open banking endpoints. Comprehensive coverage including authentication, authorization, session management, transaction integrity, and business logic.
Core banking and transaction processing
Core banking application testing is typically more constrained than customer-facing testing (availability and integrity sensitivities are real). Scope is often designed around specific application layers, integration points, and change-triggered testing windows rather than continuous testing.
Payment processing
Card payment processing infrastructure falls under a combination of CBUAE expectations and PCI-DSS requirements - typically requiring both PCI-DSS scope penetration testing and broader CBUAE-scope testing. The two frameworks overlap but are not identical.
SWIFT and inter-bank infrastructure
SWIFT Customer Security Programme (CSP) has specific penetration testing and red teaming expectations that CBUAE examinations will cross-reference. Our engagements map findings to both CBUAE and CSP controls where applicable.
Internet banking platforms
Full-stack testing including web, mobile, API, and infrastructure layers. Typically annual comprehensive engagement plus quarterly targeted testing of customer-facing applications.
ATM and self-service networks
ATM network penetration testing has specific considerations - hardware-layer, firmware-layer, and network-layer attack surfaces. Often run as a specialist engagement separate from general IT pentesting.
Open banking and API ecosystems
As the CBUAE open banking framework evolves, API security testing is becoming a distinct priority area. Scope covers REST and OAuth 2.0 flow testing, third-party application provider (TPP) impersonation testing, and the account information service (AIS) / payment initiation service (PIS) attack surface.
Cloud environments
Many UAE banks operate hybrid or cloud-hosted components. Cloud testing is a distinct scope - AWS, Azure, GCP control plane, IAM, workload isolation - and is frequently under-scoped in bank testing programmes.
Common Gaps We See in UAE Bank Pentesting Programmes
From engagement patterns across UAE-licensed banks:
- Core banking excluded from scope entirely. Understandable operationally, but it creates a visible gap in testing coverage that supervisors flag.
- Cloud infrastructure under-scoped. Testing still focused on on-premise core banking and internet banking while significant workloads have moved to cloud.
- Third-party and outsourced service testing missing. The institution tests its own code but not its material outsourcing providers’ security posture.
- Mobile app testing treated as an afterthought. Modern banking customers primarily use mobile; that attack surface deserves primary testing focus, not secondary coverage.
- API and open banking coverage thin. As the CBUAE open banking framework matures, this will become a primary examination focus.
- SWIFT CSP testing separated from CBUAE-scope testing without coordination. Two engagements, two firms, two reports, leaving a gap where they should overlap.
- Retest cycle missing. Critical findings marked “remediated” without independent validation.
- Red teaming or adversary simulation absent. For larger institutions, CBUAE supervisors are increasingly expecting intelligence-led adversary simulation in addition to penetration testing.
Examination Patterns
In CBUAE examinations, examiners typically focus on:
- Penetration testing programme documentation - policies, procedures, scope design, annual planning
- Engagement statements of work - demonstrating adequate scope coverage and tester independence
- Findings reports and severity scoring - risk-based prioritization, CVSS scoring, business impact articulation
- Remediation tracking - finding-to-remediation traceability with timeline and ownership
- Retest evidence for critical and high findings
- Risk acceptance documentation for unremediated findings with appropriate executive authority
- Third-party testing coverage for material outsourced services
- Incident response testing integration - evidence that testing informs and is informed by incident response capability
- Programme maturity evolution - evidence the programme has evolved in response to industry threats and internal findings
Structuring a CBUAE-Ready Pentest Programme
A mature CBUAE-aligned penetration testing programme typically includes:
Annual comprehensive engagement:
- Internet banking web and API
- Mobile banking iOS and Android
- Core banking integration layer (within availability constraints)
- Payment processing infrastructure
- Cloud infrastructure (AWS, Azure, GCP as applicable)
- Internal network and Active Directory
- External perimeter
- Wireless (on-site at material facilities)
Quarterly targeted testing:
- Customer-facing web and mobile applications
- Material API endpoints
- Change-triggered scope
Specialist engagements:
- SWIFT CSP testing (annual, dedicated scope)
- PCI-DSS penetration testing (where card processing in scope)
- ATM network testing (every 2-3 years or per CBUAE circular)
- Red team / adversary simulation (annual for larger institutions)
- Third-party and outsourcing testing (selected material providers annually)
Bug bounty (optional):
- Supplements structured testing
- Does not replace annual comprehensive engagement
- CBUAE-friendly as an additional layer of assurance
How pentest.ae Supports CBUAE-Regulated Institutions
We run CBUAE-aligned penetration testing for UAE-licensed banks, payment institutions, and stored-value facilities. Our reports explicitly map findings to CBUAE Information Security standards, reference applicable Consumer Protection Regulation controls, and produce examination-ready documentation. We coordinate with SWIFT CSP testing where required, and we have experience running engagements within the availability and integrity constraints of core banking environments.
Related Resources
- Penetration Testing UAE - full service overview
- Red Team Services UAE - adversary simulation for mature institutions
- NESA Penetration Testing Guide - UAE federal cybersecurity framework
- DFSA Penetration Testing Guide - DIFC financial firm framework
- Penetration Testing Cost in UAE - pricing guide
Sister services across the NomadX portfolio
- PCI DSS compliance consulting UAE - for card-data handling under Article 13 and SWIFT CSP
- DevSecOps consulting UAE - CBUAE-aligned CI/CD pipeline controls and compliance-as-code
- agentic payment infrastructure - for SVFs and retail payment services regulated under CBUAE
Frequently Asked Questions
Does CBUAE require penetration testing?
Yes. CBUAE Article 13 (Technology Risk and Information Security) and Annex II (Guidance and Best Practices) require licensed financial institutions - banks, payment service providers, stored-value facilities, and retail payment schemes - to conduct regular independent security assessments including penetration testing. The Consumer Protection Regulation adds cyber requirements for customer-facing services. CBUAE supervisors routinely request evidence of the testing programme during examinations.
How often does CBUAE expect banks to test?
CBUAE expects comprehensive penetration testing at least annually for all licensed entities, with quarterly smaller assessments for material changes and pre-production testing for every new internet-facing application or significant change. Banks with continuous penetration testing (PTaaS) or breach-and-attack-simulation (BAS) programmes typically exceed this baseline. Supervisors increasingly look for evidence of testing cadence aligned with change-management cycles, not just calendar-driven annual engagements.
What scope does CBUAE expect in a penetration test?
CBUAE expects scope to reflect the institution's actual attack surface: external perimeter testing, internet-facing web applications and mobile apps, API endpoints (especially open banking and payment APIs), internal network segmentation validation, cloud environment configuration, privileged-access paths, and - where applicable - SWIFT CSP testing. For SVFs and payment firms, payment switch, core banking integration, and transaction-monitoring system testing are high-priority.
Who can conduct CBUAE-aligned penetration testing?
CBUAE does not maintain a closed list of approved testing firms, but expects testers to have demonstrable credentials (CREST, OSCP, CRTO, or equivalent), relevant experience, and independence from the systems being tested. Firms should be able to produce sample reports with appropriate redaction, methodology documentation, and references from other UAE-licensed institutions. pentest.ae meets these criteria and produces CBUAE-examination-ready reporting as standard.
What are the most common CBUAE penetration testing findings?
Most common findings across CBUAE-regulated engagements in 2026: (1) broken object-level authorization (BOLA) on APIs - particularly payment and open-banking APIs; (2) misconfigured cloud IAM with overprivileged service accounts; (3) missing or insufficient SWIFT CSP controls where applicable; (4) exposed legacy authentication mechanisms; (5) weak internal segmentation allowing lateral movement from demilitarized zone to core banking; (6) insufficient logging and monitoring coverage for detection and response.
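Finding (1) above, broken object-level authorization on an account-information endpoint, as an added illustration (example code written for this guide, not pentest.ae's or any bank's code): a handler that validates the open-banking consent but then trusts the caller-supplied account_id, beside the hardened version that ties the requested object to the consent. The Account/Consent model, the scope name and all sample data are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: str
    owner: str  # customer identifier
    balance: float


@dataclass(frozen=True)
class Consent:
    # Open-banking consent a customer granted to a third-party provider (TPP);
    # hypothetical model, not any real AIS/PIS schema.
    tpp_id: str
    customer: str
    account_ids: frozenset
    scopes: frozenset


# Constructed sample data (no real customers, accounts or TPPs).
ACCOUNTS = {
    "AE-1001": Account("AE-1001", "cust-alice", 2500.00),
    "AE-2002": Account("AE-2002", "cust-bob", 87000.00),
}
CONSENTS = {
    # Alice consented to TPP "tpp-budget" reading only AE-1001.
    "consent-a1": Consent("tpp-budget", "cust-alice",
                          frozenset({"AE-1001"}), frozenset({"accounts:read"})),
}


def get_account_vulnerable(consent_id, account_id):
    """BOLA: the consent is checked for existence only, then the caller-supplied
    account_id is used directly, so any account in the bank can be read."""
    if consent_id not in CONSENTS:
        return 401, {"error": "invalid consent"}
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return 404, {"error": "not found"}
    return 200, {"account_id": acct.account_id, "balance": acct.balance}


def get_account_hardened(consent_id, account_id):
    """Object-level check: the account must be inside the consent and the consent
    must carry the read scope; ownership is re-checked as defence in depth."""
    consent = CONSENTS.get(consent_id)
    if consent is None or "accounts:read" not in consent.scopes:
        return 401, {"error": "invalid consent"}
    if account_id not in consent.account_ids:
        # 404 rather than 403 so the API does not confirm the account exists.
        return 404, {"error": "not found"}
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.owner != consent.customer:
        return 404, {"error": "not found"}
    return 200, {"account_id": acct.account_id, "balance": acct.balance}
```

A retest of this finding should show the second behaviour for every account outside the consent, not just the one used in the original proof.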
How does CBUAE penetration testing relate to the new AI Guidance?
The February 2026 CBUAE AI Guidance invokes Article 13 for technology risk and introduces AI-specific considerations. Banks deploying AI or ML - for credit decisioning, fraud detection, customer service chatbots, or document processing - should extend their penetration testing programme to cover AI-specific attack surfaces: prompt injection, tool poisoning, memory manipulation, adversarial robustness, and API-level attacks against LLM and ML endpoints. pentest.ae's AI Security Assessment covers these categories and integrates with annual CBUAE testing scope.
What does pentest.ae deliver for CBUAE-licensed banks?
pentest.ae delivers CBUAE-aligned penetration testing for licensed banks, payment institutions, and SVFs. Engagements produce: CBUAE-examination-ready reports explicitly mapped to Article 13 and Annex II controls, Consumer Protection Regulation alignment, CVSS scoring with business-context severity, reproduction steps for every finding, post-remediation verification, and coordination with SWIFT CSP where required. Engagements are delivered within the availability and integrity constraints of core banking environments.
Find It Before They Do
Book a free 30-minute security discovery call with our AI Security experts in Dubai, UAE. We identify your highest-risk AI attack vectors - actionable findings in days.