Red Team Operations in Dubai · BFSI & Gov

Dubai red-team buyers split across four distinct demand segments and each demands a different scenario library. DIFC-regulated BFSI (banks, payment institutions, broker-dealers, asset managers) wants intelligence-led adversary simulation against money-movement, settlement, FX and DIFC-regulated customer-data systems, mapped to UAE IAS (NESA), DFSA Technology Risk and the TIBER-style frameworks the parent group runs in London / Frankfurt / Singapore. Smart Dubai semi-government and Dubai-government entities want scenarios against citizen-services, DigitalDubai / UAE PASS integrations and the OT / smart-infrastructure boundary, mapped to DESC ISR v2 with pre-agreed rules-of-engagement filed with the Dubai Electronic Security Centre directly. The airline and airport estates (Emirates Group at Dubai International Airport DXB, dnata, Dubai Airports operating DXB and DWC) want scenarios against passenger systems, cargo / freight, ground operations and the airport-OT boundary, with the operational-safety constraints of an Annex 17 ICAO regulated environment. Regional HQs of multinationals running MEA business from JLT / Internet City / Business Bay want red-team exercises against MEA-mandate fraud and supply-chain compromise patterns, with the parent group's TIBER / CBEST / iCAST framework alignment carried through.

For DIFC BFSI we run intelligence-led adversary simulations: open-source recon of DIFC Gate Village exec teams, their vendor ecosystem, public-disclosure leakage (DIFC Authority filings, DFSA approved-persons register, LinkedIn drift); spear-phishing pretexts tuned for regional norms (Eid timing, Ramadan working hours, the regional-board-meeting cadence, the DSF / GITEX / Future Investment Initiative event-window pretext); initial-access via the embedded-finance / partner-API surface or a third-party IT-services vendor compromise; lateral via Azure AD / Okta / PingFederate IdP-token theft and ADCS misuse (the LAPSUS$ pattern that hit two Dubai banks in 2024-25); exploitation chains targeting payment / settlement / FX, DIFC-regulated client-data, MT103 / MT202 SWIFT BIC traffic on the treasury-attached endpoints, and the family-office beneficial-owner-information stores. Scenarios are explicitly mapped to NESA UAE-IAS, DFSA Technology Risk and the parent group's TIBER / CBEST / iCAST control catalogue so the same engagement produces the regulator artefact, the parent-group artefact and the actionable detection-engineering backlog.

For Smart Dubai and semi-government clients we model adversary access to citizen-services platforms (Dubai Now app and the upstream DigitalDubai service mesh), the UAE PASS digital-identity integration and the OT / smart-infrastructure boundary touching traffic (RTA), utilities (DEWA), smart-building (Emaar / Damac / Majid Al Futtaim portfolios), and the Dubai Police / Smart-Police digital-services adjacency. Rules-of-engagement are pre-agreed with DESC directly, with the white-cell composition disclosed and the audit-trail-of-every-adversary-action retention period set at five years in tamper-evident storage. This is not optional in Dubai — it is the difference between an authorised exercise and a regulatory incident, and DESC's enforcement disposition has hardened materially since the 2023 review of the ISR v2 framework.

For airline and airport estates we run scenarios that respect the operational-safety constraints of an Annex 17 regulated environment. The Emirates Group estate includes passenger-services (booking, check-in, lounge access, the boarding-pass / e-ticket trust chain), cargo (Emirates SkyCargo, Cargo IS), crew systems, and the ground-handling adjacency with dnata. The Dubai Airports estate includes passenger-flow (PSCRM systems, e-gate biometrics, the EmaratechGo integration), baggage handling, ramp operations, and the airport-OT boundary including ground-radar, ramp-power-distribution and HVAC. Red-team scope inside these environments is strictly out-of-band on customer-impacting flows and pre-cleared with the airline / airport safety-and-security committee — adversary-action retention is in tamper-evident storage with the same disposition DESC expects, and CERT-In incident-reporting overlap is pre-wired where the airline group has Indian operations.

Engagements run 6-10 weeks for a DIFC BFSI scenario, 8-12 weeks for a Smart Dubai semi-government scenario including the OT / smart-infrastructure boundary, and 10-14 weeks for an airline / airport scenario with the safety-and-security committee oversight. Onsite kickoff is in DIFC, Business Bay, Internet City or the airline / airport operations HQ depending on the client. We keep a UAE-resident lead consultant onsite throughout the operation, with senior support flying in from Mumbai BKC for the major reviews — the operational-planning review, the mid-operation pulse with the white cell, and the after-action review with the client board.

Physical pretexting is rehearsed against actual Dubai building conventions, not US / European templates. Visitor passes at DIFC Gate Village run through the Gate Village Reception with tenant pre-clearance and Emirates ID scan; contractor escort policy varies across DIFC Gate Village 1-11, ICD Brookfield and Index Tower with different default service-tier expectations; out-of-hours access workflows in Business Bay towers vary by building manager (Bay Square versus U-Bora versus Bay Avenue have visibly different practices); JLT cluster reception varies across JBC clusters and HDS Tower. The pretext rehearsal explicitly covers regional norms — the working-week is Monday-Friday (Sunday is a workday only in some Dubai-government entities), the prayer-time pattern affects building-foot-traffic windows, the Eid and National Day calendar affects courier-and-vendor traffic, and the Arabic-English language defaults across reception staff vary across DIFC versus Business Bay versus Internet City.

Reports are dual-language where required (English primary, Arabic for Dubai-government and federal handover) and dual-format for the regulator + parent-group consumers. DESC ISR v2 attestation, NESA UAE-IAS Tier-3 evidence, DFSA Technology Risk supervisor-template detail and the parent group's TIBER / CBEST / iCAST artefact — same operation, same evidence, four-way artefact. The detection-engineering backlog handed to the client SOC at engagement close is the actionable output the SOC team uses to close the detection gaps the operation surfaced — typically 20-40 SIEM rule additions, 5-10 EDR detection-tuning items and a small number of architecture-level guardrails the bank's enterprise architecture team adopts in the next quarter's release.

Commercial nuance is local. Engagements are letter-of-authorisation-led — the client board issues a formal letter authorising the operation with the explicit scope, white-cell composition, rules-of-engagement and indemnity scope; we counter-sign and the letter is filed with the client's legal counsel for the operation's duration plus the five-year retention period DESC expects. Billing is in AED with the 5% UAE VAT line, invoiced from our regional billing entity. For Dubai-government-adjacent operations the engagement letter additionally references the DESC pre-notification record so any DESC-side inquiry during the operation is met with the pre-agreed white-cell escalation chain.