Red Team Operations in Abu Dhabi · Energy, ADGM & Gov
Intelligence-led adversary simulation for Abu Dhabi — the ADNOC energy ecosystem and its OT estate, sovereign-investment entities, ADGM fintech and government — mapped to NESA / UAE IAS, ADDA, FSRA and parent-group TIBER-style frameworks.
How a Macksofy red team engagement runs in Abu Dhabi.
Abu Dhabi’s red-team demand is shaped by what the capital protects hardest, and it does not look like Dubai’s. Four segments dominate. The ADNOC energy ecosystem — upstream, refining, ADNOC Gas, ADNOC Distribution and the OT-heavy process estate across Ruwais, Das Island and the offshore fields — wants scenarios that respect a safety-critical environment and the NESA Critical Information Infrastructure Protection posture. Sovereign-investment entities (ADIA, Mubadala, ADQ and their portfolio operating companies) want adversary simulation against deal-flow, treasury and beneficial-ownership data with extreme discretion. The ADGM financial free zone on Al Maryah Island — FSRA-supervised banks, asset managers and the fast-growing fintech cluster — wants intelligence-led operations mapped to FSRA cyber expectations and the parent group’s TIBER / CBEST / iCAST catalogue. And federal and Abu Dhabi government entities want scenarios against citizen-services, UAE PASS integrations and the ADDA-governed estate.
Abu Dhabi is governed federally for red-team purposes — there is no Abu Dhabi equivalent of Dubai’s DESC ISR pre-notification regime, so the discipline runs through NESA / UAE Information Assurance Standards, the UAE Cybersecurity Council’s expectations, ADDA standards for government entities, and aeCERT/TDRA deconfliction. We treat that as a feature, not a gap: the rules of engagement, white-cell composition and adversary-action audit trail are agreed and retained to the standard the entity’s own governance and the federal regulator expect, with tamper-evident storage and a multi-year retention disposition fixed in the engagement letter. For sovereign-investment and energy scope the letter of authorisation is board-issued, counter-signed and filed with the entity’s legal counsel for the operation plus the agreed retention window.
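One way to implement the tamper-evident adversary-action audit trail the paragraph refers to, as an added example that is not Macksofy's own tooling: an append-only log in which every record carries the SHA-256 of the previous record, so that any edit, reordering or deletion inside the retained trail breaks the chain at a detectable position. The record fields (`seq`, `ts`, `operator`, `action`, `target`) and the three sample entries are constructed for illustration, not taken from an engagement.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first record


def _canonical(entry: dict) -> bytes:
    # Stable serialisation so the same record always hashes identically.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_action(chain: List[dict], operator: str, action: str, target: str,
                  ts: Optional[str] = None) -> dict:
    """Append one adversary/white-cell action, linked to the previous record."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    record = {
        "seq": len(chain),
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "operator": operator,
        "action": action,
        "target": target,
        "prev_hash": prev_hash,
    }
    # The hash covers every field above, including the link to the predecessor.
    record["hash"] = hashlib.sha256(_canonical(record)).hexdigest()
    chain.append(record)
    return record


def verify_chain(chain: List[dict]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if the trail is intact, else (False, index of first bad record)."""
    expected_prev = GENESIS
    for i, rec in enumerate(chain):
        # Sequence gaps (a deleted record) and broken links are both caught here.
        if rec.get("seq") != i or rec.get("prev_hash") != expected_prev:
            return False, i
        body = {k: v for k, v in rec.items() if k != "hash"}
        if hashlib.sha256(_canonical(body)).hexdigest() != rec.get("hash"):
            return False, i  # record content was altered after hashing
        expected_prev = rec["hash"]
    return True, None


def head_hash(chain: List[dict]) -> str:
    """Hash of the latest record; this is the value to anchor outside the log."""
    return chain[-1]["hash"] if chain else GENESIS


def build_sample_chain() -> List[dict]:
    # Constructed sample trail (hypothetical operators, times and targets).
    chain: List[dict] = []
    append_action(chain, "op-01", "pretext-email-sent", "corporate-services mailbox",
                  "2025-01-10T08:05:00+00:00")
    append_action(chain, "op-01", "session-token-used", "IdP session, test user U1",
                  "2025-01-10T09:40:00+00:00")
    append_action(chain, "white-cell", "boundary-stop",
                  "IT-to-OT jump host: documented, no action inside process zone",
                  "2025-01-12T14:20:00+00:00")
    return chain


if __name__ == "__main__":
    trail = build_sample_chain()
    print("intact:", verify_chain(trail), "head:", head_hash(trail)[:16])
    trail[1]["action"] = "edited-later"
    print("after tampering:", verify_chain(trail))
```

The chain proves integrity only back to the record whose hash is known from somewhere the log writer cannot alter: silently dropping the newest records leaves a shorter but still valid chain. In practice the value returned by `head_hash()` is therefore recorded with the white cell (or signed and timestamped) at each pulse, and a verifier compares the retained log's head against that anchor in addition to calling `verify_chain()`.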
For ADGM-supervised BFSI and fintech we run intelligence-led adversary simulation: open-source recon of the entity, its vendor ecosystem and public-disclosure leakage (ADGM Registration Authority filings, FSRA registers, LinkedIn drift); spear-phishing pretexts tuned to regional norms (Ramadan working hours, the regional-board cadence, the ADIPEC / Abu Dhabi Finance Week / IDEX event-window pretext); initial access via the partner-API or third-party IT-services surface; lateral movement via Azure AD / Okta / PingFederate IdP-token theft and ADCS misuse; and exploitation chains targeting settlement, customer-data and beneficial-ownership stores. The single operation produces the NESA / UAE IAS evidence, the FSRA-supervisor detail and the parent-group TIBER / CBEST / iCAST artefact, plus a detection-engineering backlog the SOC actually uses.
For the ADNOC ecosystem and utilities the operation is OT-aware by design and safety-first throughout. We model the IT-to-OT attack path — the corporate-to-process-network boundary, the engineering-workstation and historian exposure, the jump-host and vendor remote-access route into the Purdue lower levels — but we stop at the demonstrated-and-documented boundary rather than acting inside a live process zone. No scenario is permitted that could trip a process, degrade a safety-instrumented system or risk plant uptime; the IEC 62443 zone-and-conduit model frames where the simulated adversary is allowed to operate, and an onsite client safety representative is part of the white cell for any process-adjacent objective. This is the difference between an energy red-team an ADNOC-ecosystem operator will authorise and one they will not.
For sovereign-investment and government entities discretion is the operating constraint. Recon and pretexting are calibrated to Abu Dhabi building and access conventions — Al Maryah Island (ADGM Square, the financial towers), the Corniche and Capital Gate district, Masdar City, KIZAD and the government precincts — not US or European templates, with the prayer-time and Eid / National Day calendar driving the foot-traffic and courier windows. Physical pretexting, where in scope, is rehearsed against the actual reception, escort and out-of-hours conventions of those buildings. Reports are produced dual-language where the federal regulator or government recipient requires Arabic alongside the English primary.
Engagements run 6–10 weeks for an ADGM BFSI / fintech scenario, 8–12 weeks for a government scenario including the citizen-services and UAE PASS boundary, and 10–14 weeks for an energy / OT-adjacent scenario with the safety-representative oversight. We keep a UAE-resident lead consultant onsite for the operation, with senior support flying Mumbai BKC → AUH (~3.5 hours) for the operational-planning review, the mid-operation white-cell pulse and the board after-action review. The detection-engineering backlog handed to the client SOC at close is the actionable output — typically 20–40 SIEM rule additions, 5–10 EDR detection-tuning items and a small set of architecture-level guardrails the enterprise-architecture team adopts in the next release.
Commercial nuance is local. Billing is in AED with the 5% UAE VAT line, invoiced from our regional billing entity; the engagement is letter-of-authorisation-led with explicit scope, white-cell composition, rules of engagement and indemnity; and for government-adjacent and energy operations the letter additionally records the aeCERT/TDRA deconfliction channel so any regulator-side inquiry during the operation meets a pre-agreed escalation chain rather than a scramble.
Five phases. Abu Dhabi timeline.
Every Macksofy red team engagement in Abu Dhabi runs through the same phased protocol — adapted to Abu Dhabi-specific procurement, regulator and delivery realities.
- Phase 01 (Week 1): Letter of Authorisation + Deconfliction
  - Board-issued letter of authorisation + white-cell composition disclosure
  - aeCERT / TDRA deconfliction channel recorded for government-adjacent and energy operations
  - Rules of engagement, indemnity scope and tamper-evident retention setup
  - Parent-group TIBER / CBEST / iCAST control-catalogue alignment confirmed
- Phase 02 (Weeks 1–2): Intelligence + Threat Model
  - Open-source recon — ADGM Registration Authority filings, FSRA registers, vendor mapping, LinkedIn drift
  - Regional adversary modelling — MuddyWater / APT34 / energy-sector OT actors / financially-motivated crews
  - Pretext development tuned to UAE norms + Arabic-English bilingual; ADIPEC / ADFW / IDEX event-window pretexts
  - Abu Dhabi building-convention recon — Al Maryah Island, Capital Gate, Masdar City, KIZAD
- Phase 03 (Weeks 2–4): Initial Access + Lateral
  - Spear-phishing + vishing + physical pretext per agreed rules of engagement
  - Partner-API / third-party IT-services / supply-chain compromise paths
  - Azure AD / Okta / PingFederate IdP-token theft + ADCS misuse
  - Lateral toward settlement / sovereign-investment data / the IT-to-OT boundary (energy)
- Phase 04 (Weeks 4–6): Objective + Safety Discipline
  - Crown-jewel objective achievement under pre-agreed rules of engagement
  - Energy: IT-to-OT path demonstrated to a documented boundary — no action inside a live process zone
  - Client safety representative touchpoint for any process-adjacent objective
  - Adversary-action audit trail in tamper-evident storage to the agreed retention disposition
- Phase 05 (Weeks 6–10+): Purple Handover + Reporting
  - Purple-team replay with client SOC + SIEM tuning backlog (20–40 rules typical)
  - NESA / UAE IAS evidence + FSRA supervisor detail + ADDA / parent-group TIBER artefact
  - Bilingual English / Arabic report where federal / government handover requires it
  - Board-level after-action review with detection-engineering recommendations
Which Abu Dhabi verticals we deliver Red Team for.
ADNOC energy ecosystem + utilities
OT-aware, safety-first IT-to-OT path simulation under IEC 62443 framing with a client safety representative in the white cell.
ADGM fintech + BFSI
FSRA-supervised banks, asset managers and fintechs — settlement and customer-data scenarios mapped to FSRA + ADGM data-protection.
Sovereign investment (ADIA / Mubadala / ADQ)
Deal-flow, treasury and beneficial-ownership attack paths run with maximum discretion and a tightly scoped white cell.
Federal / Abu Dhabi government
Citizen-services + UAE PASS + ADDA-governed estate scenarios with bilingual handover where required.
DoH-licensed healthcare
Patient-data and tele-health scenarios with the ADHICS control set as the reporting frame.
The Abu Dhabi deliverable pack.
Every Abu Dhabi red team engagement closes with the pack below — regulator-ready evidence, technical detail and board-readable summaries.
- Board-issued letter of authorisation + aeCERT/TDRA deconfliction record (where applicable)
- NESA / UAE IAS red-team evidence pack
- FSRA supervisor detail for ADGM-regulated entities + ADGM data-protection overlay
- ADDA government-standard evidence for government-adjacent operations
- Parent-group TIBER / CBEST / iCAST artefact aligned to the parent’s control catalogue
- Bilingual English / Arabic report where federal / government handover required
- Purple-team SIEM tuning backlog handed to client SOC (20–40 rule additions typical)
- Adversary-action audit trail in tamper-evident storage to the agreed retention disposition
An Abu Dhabi red team case study.
8-week intelligence-led red-team objective — reach the order-management and beneficial-ownership stores without SOC detection, with NESA / UAE IAS evidence, FSRA supervisor detail and parent-group TIBER control-catalogue alignment
Initial access via spear-phish against a corporate-services lead during the ADFW event window; lateral via Azure AD token theft + an ADCS template misconfiguration; objective reached at D+11 with 12 missed alerts mapped to SIEM rule gaps; 27 detection-engineering items handed to the client SOC and parent-group global SOC; NESA / UAE IAS evidence and TIBER artefact accepted on first read.
Rated 4.9 ★ from 612 client reviews.
“We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.”
“The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.”
“Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.”
Get a fixed-price proposal in 48 hours.
Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.
- CERT-In Empanelled
- EC-Council ATC · CompTIA Authorized
- 20,000+ professionals trained
- India + UAE engagements
