Bank of Thailand

BOT Penetration Testing & iPentest Requirements

The Bank of Thailand mandates rigorous security testing through its IT Risk Management Guidelines and iPentest framework. Ensure your financial institution meets all BOT cybersecurity requirements with expert assessments and board-ready reporting.

Testing Frequency: Annual
Priority Institutions: D-SIBs
Framework Alignment: NIST CSF
Reporting Level: Board-Ready

Section 2.6.7

Core Mandate: BOT IT Risk Management Guidelines

Updated in November 2023 to address rapid digital transformation and sophisticated cyber threats, these guidelines set the baseline for all BOT-regulated entities including commercial banks, non-banks, and payment service providers.

  • Financial institutions must establish processes and utilize tools for regular vulnerability assessments (VA) and penetration testing (Section 2.6.7)
  • Tests must cover all critical infrastructure: mobile banking applications, web applications, APIs, network infrastructure, and cloud environments
  • A dedicated vulnerability management team must log, prioritize based on severity, and assign owners to remediate risks within defined timeframes
  • IT risk self-assessments and audit findings must be reported to the BOT within strict windows (30 to 45 days depending on the compliance report)
Red Teaming Framework

iPentest: Intelligence-Led Penetration Testing

To raise the standard of testing beyond automated scanning and checklist-style penetration tests, the BOT, in collaboration with the Thailand Banking Sector Computer Emergency Response Team (TB-CERT), introduced the iPentest Guideline, an intelligence-led Red Teaming framework.

  • Red Teaming approach that simulates real-world, sophisticated cyberattacks using current Threat Intelligence
  • Holistic assessment that tests people (social engineering, phishing), processes (incident response, blue team effectiveness), and technology
  • Mandatory collaboration between testers (Red Team), defenders (Blue Team), system developers, and business owners
  • Ensures vulnerabilities are understood and patched effectively through collaborative remediation
NIST-Aligned Framework

BOT Cyber Resilience Assessment Framework

Penetration testing is a critical component of the BOT's broader Cyber Resilience Framework, which aligns with the international NIST Cybersecurity Framework and expands it into six critical domains.

1. Governance: Board-level oversight and cybersecurity governance structures
2. Identification: Asset management, risk assessment, and threat identification
3. Protection: Access controls, data security, and protective technology
4. Detection: Security monitoring, penetration testing, and vulnerability assessment (the domain in which penetration testing sits)
5. Response: Incident response planning, communications, and mitigation
6. Third-Party Risk Management: Security assessments of third-party IT vendors and service providers

Who Must Comply?

All financial institutions operating under Bank of Thailand oversight are subject to penetration testing and iPentest requirements.

Licensed Commercial Banks

Especially D-SIBs (Domestic Systemically Important Banks), which receive heightened supervisory scrutiny.

Finance Companies

Licensed finance and credit foncier companies under BOT supervision.

Electronic Payment Providers

Payment service providers offering electronic fund transfers and digital wallets.

Mobile Banking Operators

Institutions providing mobile banking applications under BOT oversight.

Credit Card Companies

Issuers and acquirers operating credit card and payment card systems.

Digital Lending Platforms

Digital lending and peer-to-peer platforms under BOT regulatory oversight.

Requirements

Key Requirements

The BOT mandates specific security assessment activities that financial institutions must fulfill to maintain compliance.

1. Regular VA & Penetration Testing (Section 2.6.7): Financial institutions must establish processes and tools for regular vulnerability assessments and penetration testing across all critical infrastructure.
2. Annual iPentest by Independent Third-Party: All licensed institutions must engage an independent, qualified third party to conduct intelligence-led penetration testing. The assessor must demonstrate expertise and have no conflicts of interest.
3. Dedicated Vulnerability Management Team: Banks must maintain a vulnerability management team to log findings, prioritize them by severity, and assign owners to remediate identified risks within defined timeframes.
4. Comprehensive Scope Coverage: Tests must cover all critical infrastructure, including mobile banking applications, web applications, APIs, network infrastructure, and cloud environments.
5. Board-Level Executive Reporting: Results must be summarized in board-ready reports that communicate risk exposure, remediation priorities, and compliance status to the board of directors and senior management.
6. Timely Reporting to BOT: IT risk self-assessments and audit findings must be reported to the BOT within strict windows, typically 30 to 45 days depending on the specific compliance report.

BOT Testing Scope

Penetration testing and iPentest must cover the full spectrum of financial institution digital infrastructure.

  • Mobile Banking Applications (iOS & Android)
  • Web Applications & Internet Banking Portals
  • API Interfaces & Core Banking Systems
  • Network Infrastructure & Segmentation
  • Cloud Environments
  • Payment Gateway Infrastructure
  • SWIFT & Local Clearing Systems
  • Third-Party Vendor Integrations
Methodologies

Technical Testing Standards Expected by BOT

While the BOT sets the regulatory mandate, financial institutions are expected to execute tests using globally recognized methodologies.

OWASP WSTG / MSTG (now MASTG)

Web Security Testing Guide and Mobile Application Security Testing Guide for auditing banking web portals and mobile applications. The mobile guide was renamed from MSTG to MASTG; the requirements are enumerated in the companion OWASP MASVS.

NIST SP 800-115

Technical Guide to Information Security Testing and Assessment, the widely used reference for planning, executing, and reporting technical security assessments.

Secure Code Review

Penetration testing must be complemented by secure code reviews during the application development lifecycle.

Non-Compliance Risks

Consequences of Non-Compliance

Failure to meet BOT cybersecurity requirements carries significant regulatory and operational consequences.

Operational Restrictions

BOT may restrict or suspend specific banking services, including mobile banking, internet banking, or new product launches until compliance is achieved.

Regulatory Sanctions

Increased supervisory oversight, formal warnings, and escalating enforcement actions from the Bank of Thailand.

Required Immediate Remediation

Institutions may be ordered to implement immediate corrective actions with strict deadlines and mandatory progress reporting to regulators.

Potential License Review

Severe or repeated non-compliance may trigger a review of the institution's operating license, with potential restrictions on business activities.

Legal Framework

Related Acts and Regulations

The BOT's technical guidelines are legally enforced and supported by several overarching Thai laws.

Cybersecurity Act B.E. 2562 (2019)

Financial institutions are classified as Critical Information Infrastructure (CII). CII operators must maintain robust cybersecurity frameworks, conduct annual risk assessments and audits, and report significant cyber threats immediately to the National Cyber Security Agency (NCSA).

Personal Data Protection Act (PDPA) B.E. 2562 (2019)

Penetration testing supports PDPA compliance by providing evidence that the "appropriate security measures" the Act requires for personal data are in place and effective. Unpatched vulnerabilities that lead to a data breach can result in PDPA penalties, so regular testing is a practical means of demonstrating due care in data protection.

Payment Systems Act B.E. 2560 (2017)

Gives the BOT statutory power to regulate e-payment providers. Operators of highly important payment systems must undergo at least an annual IT security audit (including penetration testing) and submit findings to the BOT board.

Requirement Mapping

How Our Assessments Address BOT Requirements

Our assessments map directly to BOT mandates, ensuring comprehensive regulatory coverage.

Assessment | BOT Requirement | Coverage
Mobile App Security Testing | IT Risk Management (Section 2.6.7) | Biometrics, session management, anti-fraud, secure storage (OWASP MSTG/MASTG)
API Security Assessment | Core Banking Interface Protection | Authentication, authorization, data validation, rate limiting
Network Penetration Testing | Infrastructure Segmentation Validation | Firewall rules, VLAN segmentation, lateral movement testing
Red Team Simulation (iPentest) | Intelligence-Led Threat Simulation | Real-world attack scenarios, TTP emulation, social engineering, detection testing
Web Application Testing | Internet Banking Security | OWASP WSTG, business logic, authentication flows
Third-Party Risk Assessment | Third-Party Risk Management (TPRM) | Vendor API security, integration points, data flow analysis
Readiness Checklist

BOT Compliance Checklist

Use this checklist to verify your organization's readiness for BOT compliance.

  • Annual penetration testing and VA schedule documented and approved by board
  • Independent third-party assessor engaged with no conflicts of interest
  • iPentest (Red Team) assessment completed with TB-CERT framework alignment
  • Mobile banking application security validated per OWASP MSTG/MASTG
  • Vulnerability management team established with defined remediation timeframes
  • Board-level executive summary prepared and presented
  • All critical and high findings remediated with retest evidence
  • IT risk self-assessment reported to BOT within required timeframe (30–45 days)
  • Network segmentation and infrastructure controls validated
  • Third-party vendor risk assessments completed
  • Cloud environment security assessed
  • Secure code review integrated into development lifecycle
Deliverables

BOT-Ready Deliverables

Every engagement produces documentation suitable for BOT examination.

iPentest Completion Certificate

Formal certification of annual iPentest completion for regulatory submission.

Executive Board-Level Summary

Non-technical risk overview suitable for board of directors presentation.

Technical Findings with CVSS Scoring

Detailed vulnerability report with industry-standard severity scoring.

Prioritized Remediation Roadmap

Actionable fix plan ordered by risk severity and business impact.

Verification Retesting Evidence

Documented proof that identified vulnerabilities have been successfully remediated.

BOT-Compliant Assessment Report

Full assessment report structured to satisfy BOT IT Examination requirements.

Achieve BOT Compliance

Protect your banking license and customer trust with expert penetration testing and iPentest assessments aligned to Bank of Thailand requirements. Get board-ready reporting and remediation guidance.

Reconix is a leading cybersecurity company in Thailand, providing world-class services to businesses of all sizes.