
Penetration Testing Services in Saudi Arabia

Saudi Arabia operates one of the most structured national cybersecurity stacks in the Gulf. The National Cybersecurity Authority (NCA) owns the Essential Cybersecurity Controls (ECC), Cloud Cybersecurity Controls (CCC), Operational Technology Cybersecurity Controls (OTCC) and the Critical Systems framework — every government ministry, critical-national-infrastructure operator and Vision 2030 giga-project programme office maps to these controls. SAMA Cyber Security Framework (CSF) governs banks, insurance, fintech and payment institutions; SDAIA administers the Saudi PDPL; CITC licenses telecoms, ISP and cloud-service providers. Vision 2030 has pulled NEOM, The Line, Qiddiya, AlUla, Red Sea Global, ROSHN and KAEC into a cybersecurity scope that did not exist five years ago. AxVeil delivers vulnerability assessment, penetration testing and red team services across KSA for commercial buyers — operator-led, named-operator engagements with fixed-fee USD proposals.

Engagements are served from our Bengaluru-headquartered team across Riyadh (King Abdullah Financial District, Olaya), Jeddah, Dammam, Al Khobar and the Eastern Province energy corridor. Arabia Standard Time (UTC+3) is two-and-a-half hours behind India Standard Time, which gives a fully overlapping working day across the KSA Sunday-Thursday business week. Whether you are a SAMA-supervised commercial bank running annual independent penetration testing under CSF, a Series-B fintech preparing for SAMA Sandbox graduation, an oil-and-gas vendor scoping an OT pentest under NCA OTCC, a Vision 2030 commercial-tier supplier closing a Saudi PDPL gap before a giga-project onboarding, or a foreign-HQ company with KSA engineering ops consolidating ISO 27001:2022 and SOC 2 evidence, our methodology compresses 4-week manual audits into 10-14 day engagements without sacrificing depth.

AST: UTC+3 · 2.5h behind IST — full KSA Sun-Thu overlap
ECC: NCA ECC / CCC / OTCC control cross-mapping
10-14d: Professional full-stack VAPT turnaround
Arabic: Executive summaries on request
Honest disclosure — NCA licensing

AxVeil is not currently licensed by the National Cybersecurity Authority (NCA) and is not on a Saudi government cybersecurity panel. CITC accreditation for cloud / telecom testing is similarly out of scope. For NCA-licensed scope — Saudi government tenders, ministerial and CNI engagements, most Vision 2030 giga-project programme-office tenders and any NCA ECC / CCC / OTCC scope where licensing is the procurement floor — AxVeil partners with an NCA-licensed provider that signs the regulator-facing report. AxVeil's commercial focus is direct delivery to SAMA-supervised commercial banking, fintech, oil-and-gas vendors, e-commerce and foreign-HQ companies with KSA operations. The contracting path is stated in the proposal up front.

Industries we serve in Saudi Arabia

The KSA commercial market is unusually concentrated by sector. Banking is the anchor: Al Rajhi, NCB / SNB, Riyad Bank, Banque Saudi Fransi, Arab National Bank and the broader SAMA-supervised cohort all operate under SAMA CSF and expect independent penetration testing and maturity-model self-assessment. Saudi fintech — STC Pay, Tabby, Tamara KSA, urpay, HALA and the SAMA Sandbox cohort — sits one layer below, with KYC, payment-rails and consumer-credit exposure that maps to SAMA CSF, OWASP API Top 10 and Saudi PDPL.

Oil and gas runs through the Eastern Province energy corridor — Saudi Aramco supply chain, SABIC, Ma'aden and the broader CNI estate operating under NCA OTCC and IEC 62443. Vision 2030 giga-projects — NEOM, The Line, Qiddiya, AlUla, Red Sea Global, ROSHN, KAEC — operate their own cybersecurity programme offices on top of NCA ECC / CCC / OTCC. E-commerce and digital giants (Noon KSA, Jahez, Mrsool) and foreign-HQ engineering ops at King Abdullah Financial District round out the AxVeil ICP. Government and NCA-licensed scope routes through a partnered NCA-licensed provider.

KSA regulators and frameworks we map every report to

NCA — National Cybersecurity Authority

nca.gov.sa/en

NCA owns Essential Cybersecurity Controls (ECC), Cloud Cybersecurity Controls (CCC), Operational Technology Cybersecurity Controls (OTCC), the Critical Systems framework (CSCC) and the Saudi Cybersecurity Workforce Framework (SCyWF). NCA authorisation is the regulatory floor for cybersecurity providers selling into the KSA government and CNI surface. AxVeil is not currently NCA-licensed; for NCA-licensed scope we partner with a licensed provider.

SAMA — Saudi Central Bank Cyber Security Framework (CSF)

www.sama.gov.sa

SAMA CSF applies to all member organisations — banks, insurance, fintech, payment institutions — and sets cyber leadership, risk management, third-party risk and operational expectations including independent penetration testing and a maturity-model self-assessment. AxVeil scopes SAMA CSF-aligned VAPT directly for commercial banking and fintech buyers.

Saudi PDPL — Personal Data Protection Law

sdaia.gov.sa/en/SDAIA/about/Pages/PersonalDataProtection.aspx

Saudi PDPL (administered by SDAIA) mandates lawful basis, data-subject rights, cross-border-transfer controls, breach notification to SDAIA and DPO designation for in-scope controllers. Penalties scale from administrative fines through criminal liability for sensitive-data violations.

CITC — Communications, Space & Technology Commission

www.citc.gov.sa/en

CITC licenses telecommunications, ISP, cloud service providers (CSPs) and data-centre operators in KSA. Cloud services in KSA government / regulated scope must meet CITC's Cloud Computing Regulatory Framework and align to NCA CCC. AxVeil is not on the CITC accredited-tester list.

Vision 2030 / NEOM / KAEC giga-projects

www.vision2030.gov.sa/en

Vision 2030 giga-projects — NEOM, The Line, Qiddiya, AlUla, Red Sea Global, ROSHN, KAEC — operate under NCA ECC / CCC / OTCC plus project-specific cyber overlays. AxVeil scopes Vision 2030-relevant VAPT directly for commercial-tier work; for project-specific NCA-licensed scope we partner with a licensed provider.

ISO 27001:2022 + SWIFT CSP

www.iso.org

ISMS certification baseline expected by KSA enterprise procurement, banks and giga-project vendors. SWIFT CSP attestation alignment is supported on request for KSA banks and exchange houses with SWIFT BIC.

Gulf threat landscape we test against

KSA attack surface spans SAMA-supervised banks and fintech, the NCA OTCC energy CNI estate, the Vision 2030 supply-chain onboarding gauntlet and high-volume delivery platforms. We scope and threat-model against that specific mix, not a generic checklist.

SAMA-bank & fintech payment fraud

Al Rajhi, SNB, Riyad Bank and the SAMA cohort — plus STC Pay, Tabby and the SAMA Sandbox fintech — run the densest payment surface in the Gulf. We test SWIFT CSP (read-only), payment-approval integrity and the customer-channel abuse that payment-fraud and BEC crews target.

Energy & CNI IT-OT bridge (NCA OTCC)

Aramco supply chain, SABIC and Ma'aden run ICS / SCADA, DCS and safety-instrumented systems under NCA OTCC and IEC 62443. We verify IT-OT segmentation conservatively — production PLCs and SIS are never directly tested; passive enumeration on production, active testing on staging mirrors only.

Vision 2030 supply-chain & cloud onboarding

Giga-project programme offices push NCA ECC / CCC onto every commercial supplier. The recurring critical is cloud-IAM and residency debt at onboarding — over-permissive roles, KSA-region pinning gaps, exposed CI/CD secrets — mapped to CCC and the buyer's Saudi PDPL data-flow.
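The three onboarding findings named above (resources outside the permitted region set, over-permissive IAM roles, and credentials sitting in plain CI/CD variables) are easy to check mechanically once an account inventory has been pulled. The following is an added illustration, not AxVeil's tooling or any page-described method: the region names, the inventory snapshot and the variable values are all constructed placeholders, and the policy shape follows the generic AWS-style statement format.

```python
"""Added example (not from the original page): a posture check over a
constructed cloud inventory for the three onboarding findings the section
lists. Region names, resource ids and variable values are constructed."""
import re

# Constructed placeholder names for the in-country regions the buyer permits.
ALLOWED_REGIONS = {"ksa-central-1", "ksa-west-1"}

# Constructed inventory snapshot, in the shape a normaliser might emit after
# reading the supplier's cloud account and CI/CD project settings.
INVENTORY = {
    "resources": [
        {"id": "bucket-customer-kyc", "region": "ksa-central-1"},
        {"id": "bucket-backups", "region": "eu-west-1"},
        {"id": "logs-archive", "region": "us-east-1"},
    ],
    "policies": [
        {"name": "ci-deploy",
         "statements": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        {"name": "object-reader",
         "statements": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                         "Resource": "arn:aws:s3:::bucket-customer-kyc/*"}]},
        {"name": "ops-wide",
         "statements": [{"Effect": "Allow", "Action": ["ec2:*", "iam:*"],
                         "Resource": ["*"]}]},
    ],
    "ci_variables": {
        "DEPLOY_REGION": "ksa-central-1",
        "AWS_SECRET_ACCESS_KEY": "constructed-not-a-real-key",
        "DB_PASSWORD": "constructed-not-a-real-password",
    },
}

# Variable names that usually hold credentials and belong in a masked /
# protected secret store rather than a plain project variable.
SECRET_NAME = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|PRIVATE_KEY|API_KEY", re.I)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def residency_findings(inventory, allowed_regions=ALLOWED_REGIONS):
    """Return ids of resources deployed outside the permitted region set."""
    return [r["id"] for r in inventory["resources"]
            if r["region"] not in allowed_regions]


def overpermissive_policies(inventory):
    """Return names of policies with an Allow statement that pairs a wildcard
    action ('*' or 'service:*') with a wildcard resource."""
    found = []
    for policy in inventory["policies"]:
        for st in policy["statements"]:
            if st.get("Effect") != "Allow":
                continue
            wild_action = any(a == "*" or a.endswith(":*")
                              for a in _as_list(st.get("Action", [])))
            wild_resource = "*" in _as_list(st.get("Resource", []))
            if wild_action and wild_resource:
                found.append(policy["name"])
                break
    return found


def secret_like_ci_variables(inventory):
    """Return CI/CD variable names that look like credentials; as plain
    project variables they are readable by anyone who can view the pipeline."""
    return sorted(name for name in inventory["ci_variables"]
                  if SECRET_NAME.search(name))


def onboarding_findings(inventory, allowed_regions=ALLOWED_REGIONS):
    """Group the three checks into one report-ready structure."""
    return {
        "residency": residency_findings(inventory, allowed_regions),
        "overpermissive_roles": overpermissive_policies(inventory),
        "ci_secrets_in_plain_variables": secret_like_ci_variables(inventory),
    }


if __name__ == "__main__":
    for category, items in onboarding_findings(INVENTORY).items():
        print(f"{category}: {items}")
```

Each list maps onto one evidence line in a CCC / PDPL data-flow pack: the residency list is the out-of-country store inventory, the policy list is the least-privilege exception register, and the variable list is the secrets-handling gap to close before the programme-office review.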

E-commerce & delivery-platform logic abuse

Noon KSA, Jahez and Mrsool-class platforms expose listing, payment and rider/merchant APIs at scale. We test the OWASP API Top 10 plus platform-specific logic: voucher abuse, price tampering, IDOR across tenants and KYC-bypass on onboarding.
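Two of the logic classes listed above, cross-tenant IDOR and client-side price trust, are shown here as a vulnerable handler beside its hardened form. This is an added example and not code from the page or any named platform; the order store, catalogue, voucher table and prices are constructed, and the tenant model (merchants sharing one API) is an assumption.

```python
"""Added example (not from the original page): tenant-scoped object lookup
and server-side pricing, each shown vulnerable and hardened over a
constructed in-memory store."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    tenant_id: str
    total_halalas: int


# Constructed sample data: two merchants (tenants) sharing one API.
ORDERS = {
    1001: Order(1001, "merchant-a", 4500),
    1002: Order(1002, "merchant-b", 9900),
}
CATALOGUE = {"sku-dates-1kg": 1500, "sku-coffee-250g": 2500}  # halalas, constructed
VOUCHERS = {"WELCOME10": 10}  # percent off, constructed


class Forbidden(Exception):
    """Raised when the caller may not see or act on the requested object."""


def get_order_vulnerable(order_id, caller_tenant):
    # Vulnerable: the id from the URL is used directly and caller_tenant is
    # ignored, so any authenticated merchant can read another merchant's order.
    return ORDERS[order_id]


def get_order_hardened(order_id, caller_tenant):
    # Hardened: ownership is checked against the authenticated tenant, and
    # "not yours" and "does not exist" raise the same error so the endpoint
    # cannot be used to enumerate other tenants' order ids.
    order = ORDERS.get(order_id)
    if order is None or order.tenant_id != caller_tenant:
        raise Forbidden(f"order {order_id}")
    return order


def checkout_vulnerable(cart):
    # Vulnerable: unit_price is taken from the client request, so a tampered
    # request pays whatever the client claims.
    return sum(item["qty"] * item["unit_price"] for item in cart)


def checkout_hardened(cart, voucher=None, redeemed_vouchers=None):
    # Hardened: prices come from the catalogue, quantities are bounded, and a
    # voucher is honoured once per account (tracked in redeemed_vouchers).
    redeemed = redeemed_vouchers if redeemed_vouchers is not None else set()
    subtotal = 0
    for item in cart:
        qty = item["qty"]
        if not isinstance(qty, int) or qty < 1 or qty > 100:
            raise ValueError("invalid quantity")
        if item["sku"] not in CATALOGUE:
            raise ValueError("unknown sku")
        subtotal += qty * CATALOGUE[item["sku"]]
    if voucher is not None:
        if voucher not in VOUCHERS or voucher in redeemed:
            raise ValueError("voucher not accepted")
        redeemed.add(voucher)
        subtotal -= subtotal * VOUCHERS[voucher] // 100
    return subtotal


if __name__ == "__main__":
    cart = [{"sku": "sku-dates-1kg", "qty": 2}, {"sku": "sku-coffee-250g", "qty": 1}]
    print(checkout_hardened(cart, voucher="WELCOME10"))
```

The hardened lookup deliberately returns one error for both the missing and the foreign-tenant case; a distinct "not found" versus "forbidden" response is itself a finding, because it lets a caller map which ids exist in other tenants.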

Data residency & Saudi PDPL handling

Saudi PDPL under SDAIA — overlaid with NCA CCC and CITC's cloud framework — carries real cross-border-transfer and in-country residency obligations for sensitive workloads. We resolve data-flow and handling before the test starts so the engagement never becomes a compliance exposure of its own.


Saudi PDPL & SDAIA expectations

Saudi PDPL (administered by SDAIA) mandates lawful basis, cross-border-transfer controls and breach notification to SDAIA. We inventory every personal-data store in scope and document the transfer mechanism — including KSA data-residency expectations for sensitive workloads — before any test data is touched.


Engagement data handling

Evidence and sampled data stay in an encrypted, access-controlled vault. We never exfiltrate production PII; PoCs use minimal redacted samples. Retention and secure-destruction timelines are written into the DPA and aligned to NCA ECC control expectations.


NCA CCC cloud residency

Where NCA CCC, CITC's Cloud Computing Regulatory Framework or a giga-project programme office drive in-country residency, we document KSA-region pinning, log-pipeline residency and key-management posture so your ECC / CCC evidence answers the residency question directly.

Engaging from the Gulf — language, calendar, on-site

A clean KSA engagement is as much about operating cadence as methodology. Here is exactly how we run language, the regional calendar and on-site logistics.

Language & contracting

English is the contracting and reporting language and the working language of SAMA-bank, fintech and giga-project CISOs. Arabic executive summaries are supported on request via a translation partner for board, SAMA and programme-office audiences.

Working week & calendar

We cover the KSA Sunday-Thursday week fully within our IST window and plan around Ramadan reduced hours, Hajj-season constraints and Saudi public holidays so readouts and OT maintenance windows never collide with low-availability periods.

On-site logistics

Remote-first delivery covers the full scope. On-site kick-offs in Riyadh (KAFD, Olaya), Jeddah, Dammam, Al Khobar or the Eastern Province corridor for sensitive internal-AD, banking-core or oil-and-gas OT scopes are arranged per engagement, with visas, NDAs and site-access vetting handled ahead of travel. We do not claim a KSA office.

Engagement timeline (typical 14-day Professional VAPT)

Day 0

Scoping call in AST (UTC+3). NDA + MSA exchanged. Scope, RoE, asset list and contracting path confirmed — direct (banking / fintech, commercial enterprise, ISO 27001 / SOC 2) or partner-led (NCA-licensed scope, CITC-regulated cloud, ministerial / Vision 2030 giga-project where NCA licensing is the floor). Saudi PDPL data-flow noted up front.

Day 1-2

Recon + threat-modelling against KSA-relevant actors and regulators (NCA ECC / CCC / OTCC, SAMA CSF where applicable, Saudi PDPL, ISO 27001, OWASP ASVS L2).

Day 3-9

Active testing — web, API, mobile, internal AD, cloud IAM, integration surfaces. OT scopes tested under explicit safety-preserving rules of engagement. Daily Slack / Teams digest of critical findings in AST.

Day 10-12

Draft report: NCA ECC / SAMA CSF / Saudi PDPL / ISO 27001 cross-references with reproducible PoCs and developer-friendly remediation guidance. Arabic-language executive summary supported on request.

Day 13-14

Readout call with engineering + CISO in AST. Free retest of remediated criticals within 30 days. Final signed PDF for board, SAMA / NCA-facing audiences and giga-project programme office.

Sample KSA engagements (indicative)

Engagement Pattern · SAMA bank

Riyadh SAMA-supervised bank — CSF-aligned full-stack VAPT

Indicative engagement: a Riyadh SAMA-supervised commercial bank commissions an annual independent VAPT under SAMA CSF expectations. Scope: internet banking web / mobile, customer-facing APIs, internal AD, core-banking integration surfaces, SWIFT CSP environment (read-only), card-management system. Deliverable: SAMA CSF-cross-mapped findings, maturity-model self-assessment input, SWIFT CSP attestation alignment notes, board-pack and CSF-facing evidence files. Pattern available on request under NDA.

Engagement Pattern · Fintech

Saudi fintech — SAMA Sandbox graduation pre-readiness

Indicative engagement: a SAMA Sandbox cohort fintech commissions a pre-graduation readiness pentest spanning KYC, payment-rails, consumer-credit decisioning and data-flow controls. Scope: mobile app, customer APIs, partner integrations (acquirer / scheme), back-office admin, AWS / Azure IAM. Deliverable: SAMA CSF-aligned findings, Saudi PDPL gap pack, OWASP API Top 10 cross-mapping, CAIQ-style partner-questionnaire pack. Pattern available on request under NDA.

Engagement Pattern · Vision 2030 supplier

Vision 2030 commercial-tier supplier — NCA ECC + CCC readiness

Indicative engagement: a foreign-HQ technology supplier to a Vision 2030 giga-project programme office commissions NCA ECC + CCC readiness ahead of a programme-office onboarding review. Scope: public web estate, vendor-portal integration, cloud workloads on KSA-regions, IAM, log-pipeline residency, Saudi PDPL gap. Deliverable: NCA ECC + CCC gap pack, Saudi PDPL data-flow map, evidence-pack design for the programme-office submission. Pattern available on request under NDA.

Saudi Arabia FAQ

Is AxVeil NCA-licensed or on a Saudi government cybersecurity panel?

No. AxVeil is not currently licensed by the National Cybersecurity Authority (NCA) and is not on a Saudi government cybersecurity panel. For NCA-licensed scope — Saudi government tenders, ministerial and CNI engagements, NCA ECC / CCC / OTCC scope where licensing is the procurement floor, and most Vision 2030 giga-project programme-office tenders — AxVeil partners with an NCA-licensed provider that signs the regulator-facing report. For commercial buyers — Saudi banks (SAMA-supervised commercial layer), fintech, e-commerce, oil and gas vendors and foreign-HQ companies with KSA engineering ops — AxVeil contracts directly. The contracting path is stated in the proposal up front. Reference: https://nca.gov.sa/en.

Can you deliver SAMA CSF-aligned penetration testing for Saudi banks?

Yes — for commercial layers and follow-on retest. SAMA Cyber Security Framework (CSF) applies to all SAMA member organisations including banks, insurance, fintech and payment institutions, and sets expectations including independent penetration testing, maturity-model self-assessment and third-party risk. AxVeil scopes SAMA CSF-aligned VAPT directly to the bank's information-security or risk function under MSA. Where a specific SAMA-supervised institution requires a tester from a pre-approved internal panel or an NCA-licensed provider for regulator submission, AxVeil partners with that panelled / licensed provider. Reference: https://www.sama.gov.sa/.

How does Saudi PDPL apply and do you deliver readiness?

Yes. Saudi PDPL (administered by SDAIA) mandates lawful basis, purpose limitation, data-subject rights, cross-border-transfer controls, breach notification to SDAIA and DPO designation for in-scope controllers. Every KSA engagement includes a Saudi PDPL gap pack covering data-flow inventory, consent architecture, cross-border-transfer mechanisms (including KSA data-residency expectations for sensitive workloads), retention timelines and breach-notification runbook. Reference: https://sdaia.gov.sa/.

Do you cover NCA OTCC for KSA oil and gas and Vision 2030 OT scopes?

Yes — for commercial scope. NCA OTCC (Operational Technology Cybersecurity Controls) sets the baseline for ICS / SCADA, DCS and safety-instrumented systems across KSA energy and CNI. AxVeil scopes OTCC-aware OT VAPT directly for commercial energy vendors and Vision 2030 commercial-tier work, with explicit safety-preserving rules of engagement — production PLCs and safety-instrumented systems are never directly tested, only network-passive enumeration on production and active testing against staging or read-only mirrors. For NCA-licensed CNI scope, AxVeil partners with an NCA-licensed provider.

Where is AxVeil based and how do you deliver across Riyadh, Jeddah and Eastern Province?

Engagements are served from our Bengaluru-headquartered team across the Kingdom — Riyadh (KAFD, Olaya), Jeddah, Dammam, Al Khobar and the Eastern Province energy corridor. Arabia Standard Time is two-and-a-half hours behind India Standard Time, so the entire KSA Sunday-Thursday business week is fully covered by our IST working window. Daily Slack / Teams triage, draft-report walkthroughs and readout calls run in this window. On-site kick-offs in Riyadh, Jeddah or Eastern Province for sensitive internal-AD, banking-core or oil-and-gas OT scopes are arranged on a per-engagement basis. We do not claim a KSA office. Arabic-language executive summaries are supported on request via a translation partner.

Cross-links

See /services/vapt for the SAMA CSF-aligned VAPT methodology, /services/red-team for OTCC-aware IT / OT adversary emulation and /services/compliance for NCA ECC / CCC / OTCC + Saudi PDPL evidence-pack design. Sibling MENA / Gulf locations: /locations/uae, /locations/qatar and /locations/oman. Relevant industry verticals: /industries/bfsi and /industries/energy-utilities.

Need penetration testing in Saudi Arabia? Talk to a tester.

Free 30-minute scoping call in AST. We map your attack surface against NCA / SAMA / SDAIA expectations and quote in USD. NCA-licensed scope routed through a partnered licensed provider; commercial scope delivered direct.
