Penetration Testing for MGA Compliance: Frequency, Scope and What to Expect
The MGA requires regular penetration testing of all licensed operator systems. Traditional annual pen tests are no longer enough — with attack surfaces expanding daily through new game integrations, affiliate portals and API connections, operators need continuous testing. Here's what the MGA requires and how to exceed it.
Traditional annual pen tests miss 73% of vulnerabilities discovered during the year.
What the MGA Requires
MGA-licensed operators must conduct penetration testing as part of their ISO 27001 ISMS and RTS compliance. The key requirements are:
- Annual full penetration test of all in-scope systems as a minimum
- Testing after any significant infrastructure change (new platform, new payment provider, new game studio integration)
- Results documented and remediation tracked
- Critical and high vulnerabilities remediated within defined timeframes
- Evidence of testing available to the MGA on request
- Testing conducted by qualified security professionals (CREST/OSCP certified preferred)
What Must Be in Scope
For iGaming operators, penetration testing scope should include:
- Player-facing portals and mobile applications
- Payment processing systems and wallet integrations
- Back-office and admin panels
- API integrations with game content providers
- Affiliate management systems
- Internal network and VPN infrastructure
- Cloud infrastructure (AWS, Azure, GCP environments)
- Third-party integrations accessible from your environment
Why Annual Testing Is No Longer Enough
A typical iGaming operator adds 5–10 new third-party integrations per quarter. Each integration is a potential new entry point for attackers. A penetration test conducted in January gives you a snapshot of that moment — by June, your attack surface may look completely different. Hadrian provides continuous automated attack surface management, identifying new exposures the moment they appear rather than once a year.
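The "snapshot drift" argument above is easy to make concrete: compare the external asset inventory that was in scope for the last pen test against the inventory as it looks today, and everything in the difference is exposure that no tester has looked at. The following is an added illustration, not code from Hadrian or from this page; the hostnames, ports and both snapshots are constructed sample data (the `.invalid` domain is reserved and never resolves), standing in for the output of whatever asset discovery an operator actually runs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One externally reachable service: host, TCP port and the protocol seen there."""
    host: str
    port: int
    service: str


# Constructed example: what was in scope for the January pen test.
SNAPSHOT_JANUARY = {
    Asset("www.example-casino.invalid", 443, "https"),
    Asset("api.example-casino.invalid", 443, "https"),
    Asset("vpn.example-casino.invalid", 1194, "openvpn"),
}

# Constructed example: the same operator's external surface in June, after two
# quarters of integrations (an affiliate portal, a game-studio gateway) and an
# SSH service that appeared on an already-known API host.
SNAPSHOT_JUNE = {
    Asset("www.example-casino.invalid", 443, "https"),
    Asset("api.example-casino.invalid", 443, "https"),
    Asset("api.example-casino.invalid", 22, "ssh"),
    Asset("affiliates.example-casino.invalid", 443, "https"),
    Asset("games-gw.example-casino.invalid", 8443, "https"),
    Asset("vpn.example-casino.invalid", 1194, "openvpn"),
}


def diff_attack_surface(tested: set[Asset], current: set[Asset]) -> dict[str, set[Asset]]:
    """Split the current surface into what the last test covered and what it did not.

    'added' is the untested exposure; 'removed' is scope that no longer exists
    and can be dropped from the next engagement.
    """
    return {
        "added": current - tested,
        "removed": tested - current,
        "unchanged": current & tested,
    }


def classify_additions(tested: set[Asset], current: set[Asset]) -> tuple[set[Asset], set[Asset]]:
    """Separate brand-new hosts from new services on hosts the tester already knew.

    The distinction matters for triage: a new host is usually a new integration
    (scope change, retest required under the MGA's change-triggered rule), while a
    new service on a known host is more often a configuration drift or an
    accidental exposure.
    """
    known_hosts = {asset.host for asset in tested}
    added = current - tested
    new_hosts = {asset for asset in added if asset.host not in known_hosts}
    new_services_on_known_hosts = added - new_hosts
    return new_hosts, new_services_on_known_hosts


def untested_fraction(tested: set[Asset], current: set[Asset]) -> float:
    """Share of today's external surface that the last pen test never saw."""
    if not current:
        return 0.0
    return len(current - tested) / len(current)


if __name__ == "__main__":
    delta = diff_attack_surface(SNAPSHOT_JANUARY, SNAPSHOT_JUNE)
    hosts, services = classify_additions(SNAPSHOT_JANUARY, SNAPSHOT_JUNE)
    print(f"untested since last pen test: {untested_fraction(SNAPSHOT_JANUARY, SNAPSHOT_JUNE):.0%}")
    for asset in sorted(hosts, key=lambda a: (a.host, a.port)):
        print(f"NEW HOST      {asset.host}:{asset.port} ({asset.service})")
    for asset in sorted(services, key=lambda a: (a.host, a.port)):
        print(f"NEW SERVICE   {asset.host}:{asset.port} ({asset.service})")
    for asset in sorted(delta["removed"], key=lambda a: (a.host, a.port)):
        print(f"DECOMMISSIONED {asset.host}:{asset.port}")
```

Run against real discovery output, the `added` set is the list to hand to the testers (or to feed into the change-triggered testing requirement above), and `removed` is the evidence that decommissioned scope was actually taken offline rather than forgotten. The same comparison run daily rather than once a year is the mechanism behind continuous attack surface management.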
Hadrian: Continuous Testing That Satisfies MGA Requirements
Hadrian is an AI-driven attack surface management platform that continuously discovers, maps and tests your external attack surface — every asset, every subdomain, every API endpoint, every cloud resource. It delivers the continuous vulnerability intelligence that regulators expect in 2026, and produces audit-ready reports that satisfy MGA documentation requirements.
Frequently Asked Questions
Does the MGA accept automated scanning instead of manual pen testing?
The MGA expects a combination. Automated scanning (which Hadrian provides continuously) should be supplemented with manual testing for critical systems annually. Hadrian's reports are accepted as evidence of continuous testing activity.
What qualifications must penetration testers have?
The MGA doesn't mandate specific certifications but expects testing to be conducted by qualified professionals. CREST, OSCP, and CHECK certifications are industry-recognised standards.
How quickly must we fix vulnerabilities found in a pen test?
Critical vulnerabilities should be remediated within 24-72 hours. High vulnerabilities within 30 days. Medium within 90 days. The MGA expects documented remediation tracking.
Do we need to test mobile apps separately?
Yes. Mobile applications should be tested separately using OWASP Mobile Application Security Testing Guide (MASTG) methodology in addition to web application testing.
What is the difference between a vulnerability scan and a penetration test?
A vulnerability scan identifies known weaknesses automatically. A penetration test goes further — a skilled tester actively attempts to exploit vulnerabilities to understand real-world impact. The MGA expects both.
See how Hadrian continuously tests your attack surface
Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
Ready to secure your iGaming operation? Get in touch.
MGA-licensed operators across Malta trust Kyanite Blue.