VAPT Services in Abu Dhabi · ADHICS, ADGM & NESA

Abu Dhabi’s VAPT buyers are not the same as Dubai’s. The capital concentrates the things the federation protects hardest — the ADNOC energy ecosystem and its OT-heavy estate, sovereign-investment entities (ADIA, Mubadala, ADQ), federal and Abu Dhabi government, DoH-licensed healthcare, and a fast-growing ADGM fintech and asset-management cluster on Al Maryah Island. Macksofy scopes each to the regulator that actually governs it: NESA / UAE Information Assurance Standards at the federal level, ADHICS for healthcare, FSRA cyber expectations and ADGM data-protection for the financial free zone, and ADDA standards for Abu Dhabi government entities.

Scoping is regulator-first, not tool-first. For an ADGM fintech the engagement targets the customer-facing apps, the partner-integration APIs and the FSRA cyber-resilience control set; for a DoH healthcare provider it covers the patient-portal and tele-health apps, the HL7/FHIR integration surface and the ADHICS control mapping; for an energy or utilities operator it deliberately separates IT VAPT from OT, applying passive-first techniques inside production OT zones and IEC 62443-aligned methodology rather than running an IT scanner at a PLC. Every senior consultant on the engagement is OSCP- or OSWE-credentialed and writes the executive summary the client’s audit committee or DoH-aligned reviewer will read — we do not subcontract.

The manual abuse-case work is where the value sits. We model the business logic end to end — authorisation matrices, multi-tenant isolation, payment or settlement flows for ADGM fintechs, claims and eligibility paths for insurers, and patient-record access controls for healthcare — and test for the flaws scanners miss: broken object-level authorisation (BOLA/IDOR) on APIs, tenant-boundary bypass, privilege escalation through role confusion, and OTP/2FA weaknesses on customer journeys. Burp Suite Pro is the workhorse, supported by Nuclei templates, custom Python harnesses and mobile reversing (Frida, MobSF, Objection) on the latest store builds.

For energy and critical-infrastructure scope the methodology shifts deliberately. The IT-side VAPT runs normally; the OT-side review is segmentation- and visibility-led — mapping the IT/OT boundary, validating north-south controls and the jump-host/remote-access path into the process network, and assessing the engineering-workstation and historian exposure with onsite-only handling where the operator requires it. Findings are framed to NESA and ADDA expectations and to the operator’s safety-and-uptime constraints, never with techniques that risk a production process trip.

The deliverable is a regulator-grade binder, not a scanner export. Every high or critical carries a manually-validated proof-of-exploit, a CVSS v3.1 score, a Macksofy business-impact score calibrated to the asset’s data class and the regulator, and a remediation playbook the engineering team can act on without translation. The executive summary maps findings explicitly to the relevant control set — NESA / UAE IAS, ADHICS, FSRA or ADDA — and assembles the submission pack in the format the Abu Dhabi reviewer reads.

Re-testing is built into the SoW, not sold as a follow-on. Every critical and high is re-validated post-fix at no extra cost inside the remediation window. For mature clients we also embed a detection-engineering analyst alongside the SOC in the closing week so each exploitable finding ships with a paired Sigma rule the monitoring team can deploy immediately — which matters in Abu Dhabi, where energy and government SOCs are well-resourced and want detections, not just defects.

Delivery is geared to Abu Dhabi geography and procurement. Senior consultants fly Mumbai BKC → AUH (~3.5 hours) for kickoff, key reviews and the exit briefing — reaching Al Maryah Island (ADGM), the Corniche/Capital Gate district, Masdar City or KIZAD in 30-45 minutes from the airport — while the bulk of testing runs remotely against scoped staging where rules of engagement permit. Government, energy and sovereign-investment procurement is evidence- and data-residency-conscious; we agree onsite-only-handling and log-residency constraints before kickoff and attach the ISMS/vendor-security pack to every proposal so legal and infosec don’t hold up the engagement.

For ADGM-supervised and government clients the engagement also produces the board and regulator exhibits expected at the next review: a top-risks slide mapped to the existing risk register, a trend-line against the previous VAPT cycle, a control-coverage delta, and a one-page summary the entity’s secretariat can drop into the governance pack without rewrite.