
Navigate BOT Penetration Testing & iPentest with Confidence

Annual penetration testing and intelligence-led iPentest are mandatory for institutions under BOT supervision. We deliver the assessments, the board-ready reports, and the remediation guidance your institution needs to stay compliant and ready for its next examination.

  • Testing frequency: annual
  • Priority institutions: D-SIBs
  • Framework alignment: NIST CSF
  • Reporting level: board-ready

The Foundation: BOT IT Risk Management Guidelines

Refreshed in November 2023 to keep pace with rapid digital transformation and increasingly sophisticated cyber threats, these guidelines establish the security baseline for every BOT-regulated entity — commercial banks, non-banks, and payment service providers alike.

  • Institutions must establish processes and tools for regular vulnerability assessments (VA) and penetration testing (Section 2.6.7)
  • Testing scope must cover all critical infrastructure: mobile banking apps, web applications, APIs, network systems, and cloud environments
  • A dedicated vulnerability management team must log findings, prioritize by severity, assign owners, and remediate within defined timeframes
  • IT risk self-assessments and audit findings must be reported to the BOT within strict windows — 30 to 45 days depending on the report type

iPentest: Beyond Scanning, Into Red Teaming

Standard vulnerability scans are not enough for Thai banking regulators. Working with TB-CERT (Thailand Banking Sector Cyber Security Coordination Center), the BOT developed the iPentest Guideline — an intelligence-led Red Teaming framework that tests your defenses the way real attackers would.

  • Simulates real-world, sophisticated cyberattacks informed by current Threat Intelligence
  • Tests people (social engineering, phishing), processes (incident response, blue team effectiveness), and technology — not just systems
  • Requires collaboration between the Red Team, Blue Team, system developers, and business owners throughout the engagement
  • Drives effective remediation by ensuring every stakeholder understands the vulnerabilities and owns the fix

BOT Cyber Resilience Assessment Framework

Penetration testing is one piece of a larger puzzle. The BOT's Cyber Resilience Framework aligns with the NIST Cybersecurity Framework and extends it into six domains that every institution must address.

1. Governance: board-level oversight and cybersecurity governance structures

2. Identification: asset management, risk assessment, and threat identification

3. Protection: access controls, data security, and protective technology

4. Detection: security monitoring, penetration testing, and vulnerability assessment (the domain under which penetration testing falls)

5. Response: incident response planning, communications, and mitigation

6. Third-Party Risk Management: security assessments of third-party IT vendors and service providers

Who Is Required to Comply?

Every financial institution under Bank of Thailand oversight must conduct penetration testing and iPentest — D-SIBs face the highest scrutiny.

Licensed Commercial Banks

Especially D-SIBs (Domestically Systemically Important Banks) subject to heightened regulatory expectations.

Finance Companies

Licensed finance and credit foncier companies supervised by the BOT.

Electronic Payment Providers

Operators of electronic fund transfers, digital wallets, and payment gateways.

Mobile Banking Operators

Any institution offering a mobile banking application under BOT oversight.

Credit Card Companies

Card issuers and acquirers operating credit card and payment card networks.

Digital Lending Platforms

Online lending and peer-to-peer platforms regulated by the BOT.


What the BOT Expects

The BOT prescribes specific security assessment activities that every regulated institution must complete — here are the key obligations.

1. Regular VA & Penetration Testing (Section 2.6.7)

Institutions must have documented processes and tools for ongoing vulnerability assessments and penetration testing across all critical infrastructure.

2. Annual iPentest by an Independent Third Party

Every licensed institution must engage a qualified, conflict-free external assessor to conduct intelligence-led penetration testing at least once per year.

3. Dedicated Vulnerability Management Team

A standing team must log, triage by severity, assign owners, and track remediation of every finding within defined timeframes.

4. Full-Scope Coverage

Testing must span mobile banking apps, web applications, APIs, network infrastructure, and cloud environments; no asset class is exempt.

5. Board-Level Reporting

Results must be distilled into board-ready summaries that communicate risk exposure, remediation priorities, and compliance posture to directors and senior management.

6. Timely Submission to the BOT

IT risk self-assessments and audit findings must reach the BOT within 30 to 45 days, depending on the report type; missing the window invites enforcement action.

Required Testing Scope

Penetration testing and iPentest must cover the full digital footprint of the institution — from customer-facing apps to backend clearing systems.

  • Mobile Banking Applications (iOS & Android)
  • Web Applications & Internet Banking Portals
  • API Interfaces & Core Banking Systems
  • Network Infrastructure & Segmentation
  • Cloud Environments
  • Payment Gateway Infrastructure
  • SWIFT & Local Clearing Systems
  • Third-Party Vendor Integrations

Technical Standards the BOT Expects You to Follow

The BOT sets the regulatory mandate; institutions are expected to execute testing using globally recognized methodologies.

OWASP WSTG / MSTG

Web and Mobile Security Testing Guides (the mobile guide is now published by OWASP as the MASTG), the industry benchmarks for auditing banking portals and mobile applications.

NIST SP 800-115

Technical Guide for Information Security Testing and Assessment — the standard framework for structured security evaluation.

Secure Code Review

Penetration testing must be complemented by secure code reviews integrated into the application development lifecycle.


What Non-Compliance Costs You

Falling short of BOT cybersecurity requirements carries consequences that go well beyond a warning letter.

Service Restrictions or Suspension

The BOT can restrict or shut down specific banking services — mobile banking, internet banking, or new product launches — until compliance gaps are closed.

Escalating Regulatory Sanctions

Formal warnings, increased supervisory oversight, and progressively stricter enforcement actions from the Bank of Thailand.

Mandatory Immediate Remediation

Institutions may be ordered to implement corrective actions on tight deadlines, with mandatory progress reporting to regulators at every step.

License Review

Severe or repeated failures can trigger a review of the institution's operating license, potentially restricting core business activities.


The Legal Backbone

BOT's technical guidelines do not exist in a vacuum — they are backed by Thai law, and three statutes in particular give them teeth.

Cybersecurity Act B.E. 2562 (2019)

Classifies financial institutions as Critical Information Infrastructure (CII). CII operators must maintain robust cybersecurity frameworks, conduct annual risk assessments, and report significant cyber threats immediately to the National Cyber Security Agency (NCSA).

Personal Data Protection Act (PDPA) B.E. 2562 (2019)

Penetration testing directly supports PDPA compliance by validating the technical safeguards protecting personal data. An unpatched vulnerability that leads to a breach can trigger severe PDPA penalties — making regular testing a legal necessity.

Payment Systems Act B.E. 2560 (2017)

Grants the BOT statutory authority over e-payment providers. Operators of highly important payment systems must undergo at least annual IT security audits — including penetration testing — and submit findings to the BOT board.


How Our Assessments Map to BOT Mandates

Every assessment we deliver is mapped directly to a specific BOT requirement, so there are no gaps when the examiner arrives.

Assessment | BOT Requirement | Coverage
Mobile App Security Testing | IT Risk Management (Section 2.6.7) | Biometrics, session management, anti-fraud, secure storage (OWASP MSTG)
API Security Assessment | Core Banking Interface Protection | Authentication, authorization, data validation, rate limiting
Network Penetration Testing | Infrastructure Segmentation Validation | Firewall rules, VLAN segmentation, lateral movement testing
Red Team Simulation (iPentest) | Intelligence-Led Threat Simulation | Real-world attack scenarios, TTP emulation, social engineering, detection testing
Web Application Testing | Internet Banking Security | OWASP WSTG, business logic, authentication flows
Third-Party Risk Assessment | Third-Party Risk Management (TPRM) | Vendor API security, integration points, data flow analysis

BOT Compliance Readiness Checklist

Verify your institution's readiness against every key BOT requirement before the next examination cycle.

  • Annual penetration testing and VA schedule documented and board-approved
  • Independent third-party assessor engaged with no conflicts of interest
  • iPentest (Red Team) assessment completed in alignment with TB-CERT framework
  • Mobile banking application security validated per OWASP MSTG
  • Vulnerability management team established with defined remediation SLAs
  • Board-level executive summary prepared and presented
  • All critical and high findings remediated with retest evidence
  • IT risk self-assessment reported to BOT within required timeframe (30–45 days)
  • Network segmentation and infrastructure controls validated
  • Third-party vendor risk assessments completed
  • Cloud environment security assessed
  • Secure code review integrated into the development lifecycle

What You Receive: BOT-Ready Deliverables

Every engagement produces the documentation your team needs for the next BOT examination.

iPentest Completion Certificate

Formal certification of annual iPentest completion, ready for regulatory submission.

Executive Board-Level Summary

A non-technical risk overview designed for board of directors presentation.

Technical Findings with CVSS Scoring

Detailed vulnerability report with industry-standard severity ratings.

Prioritized Remediation Roadmap

An actionable fix plan ordered by risk severity and business impact.

Verification Retesting Evidence

Documented proof that each identified vulnerability has been successfully remediated.

BOT-Compliant Assessment Report

The full assessment report, structured to satisfy BOT IT Examination requirements.

Stay Ahead of Your Next BOT Examination

Get expert penetration testing and iPentest assessments that satisfy every BOT mandate — complete with board-ready reports and a clear remediation roadmap.

Reconix is a leading cybersecurity company in Thailand, providing world-class services to businesses of all sizes.