Frameworks covered
NCA · SAMA · PDPL
Managed defence, compliance, and offensive testing for the Kingdom's regulated entities and critical-infrastructure operators. Built around the NCA's ECC-2 framework, SAMA's CSF, and PDPL — with a Saudi-onshore team that can sit inside the SOC, the audit, and the boardroom in the same week.
Six pressures we hear from CISOs, NCA programme leads, and regulated-entity boards on every first call.
The Essential Cybersecurity Controls (ECC-2:2024) extend mandatory compliance to all government entities and critical-national-infrastructure operators. Compliance is no longer aspirational — gap analyses, remediation, and recurring assessments are budget line items.
The Saudi Central Bank publishes new circulars on a quarterly cadence — Open Banking, counter-fraud, ESG, AI monitoring — and expects implementation, not interpretation. CSF maturity Level 3 is the floor, not the ceiling.
The Personal Data Protection Law is fully enforceable. DPO appointments, DPIAs, cross-border transfer controls, and breach notification are now operational — and SDAIA is enforcing them, not just publishing them.
Energy, water, transport, and giga-project facilities are merging IT and operational technology faster than the security models can keep up. OTCC compliance, ICS monitoring, and air-gap-aware defences are scarce on the supply side.
ECC-2 expects cybersecurity roles to be filled by qualified Saudi nationals. The talent pipeline is real but compressed — operators need partners that can hire, train, and transfer ownership, not just bill an expat bench.
National data, classified workloads, and regulated services move into sovereign and in-Kingdom cloud. CCC compliance, zero-trust segmentation, and key-management posture have to be designed in — they cannot be bolted on after migration.
Six disciplines, sector-tuned around NCA frameworks and the operational shape of a Saudi regulated entity.
In-Kingdom 24×7 detection, threat hunting, and incident response — co-managed or fully outsourced — built around your existing SIEM/XDR, not a forklift swap.
ECC-2 gap analyses, SAMA CSF maturity assessments, PDPL readiness, CCC reviews — turning audit findings into a prioritised remediation backlog the operator can actually fund.
Pen-testing, web/API/mobile security testing, and threat-led red teaming aligned to SAMA's FEER programme. Findings written for the executive committee, not just the SOC ticket queue.
Detection engineering, alert triage, and response automation using LLMs and agentic models — purpose-built to cut analyst load, not to replace the analyst.
Zero-trust architecture, CCC-aligned landing zones, key management, and cloud workload protection across in-Kingdom sovereign cloud and regulated hyperscaler regions.
ICS/SCADA monitoring, OTCC compliance, and air-gap-capable security operations for energy, utilities, and defence-adjacent operators.
Two engagements that anchor the practice. Names redacted under MNDA — the regulator and the operator know the work.
Co-managed SOC running alongside the bank's existing SIEM, with detection-engineering tuned to SAMA CSF controls and AI-assisted triage cutting analyst load by a meaningful margin. Annual maturity uplift reported into the SAMA portal.
An OTCC-aligned assessment, monitoring fabric, and incident-response retainer for a critical-infrastructure facility. Includes the Saudi-cleared analyst bench, the IEC 62443 architecture, and a knowledge-transfer programme so the operator owns the SOC by year three.
Authorities, sovereign infrastructure, and the platforms we integrate with across the Kingdom's cyber landscape.
Yes — registration on the NCA's Haseen portal is a prerequisite for serving any government entity or CNI operator, and we maintain it as a condition of practice. We can show the registration on first call.
Saudization-first. Our cybersecurity engineering bench is built around qualified Saudi professionals, with a structured knowledge-transfer programme on every engagement so the operator's own team owns the controls by the end of the contract.
No. We co-manage and tune what is already in place — Sentinel, QRadar, Splunk, CrowdStrike, or whichever stack is already paid for — and add detection engineering, agentic triage, and 24×7 coverage on top of it.
In-Kingdom by default. SOC telemetry, logs, and case data land in sovereign or operator-owned regions, never in foreign-cloud regions. PDPL and NDMO posture is written, not implied, on every contract.
Yes. We run threat-intelligence-led red teams aligned to the SAMA FEER framework, with CREST-aligned methodology and findings written for the audit committee — not just the SOC backlog.
Multi-year managed engagements with a Saudi-onshore team, plus point advisory programmes (ECC-2 gap analysis, SAMA CSF assessment, PDPL readiness) for entities that prefer to start with a single deliverable.
Sixty-minute working session with our cyber lead and a detection-engineering principal. Bring the audit finding, the regulator letter, or the SOC backlog. We'll come back with a one-page operating-model proposal you can take into the executive committee.