VAPT Services in Dubai · DIFC & Fintech
VAPT for Dubai banks, DIFC fintechs, JLT family offices and Business Bay payment institutions — mapped to UAE IAS (NESA), DFSA Technology Risk, DESC ISR, UAE Federal PDPL and CERT-In format.
How a Macksofy VAPT engagement runs in Dubai.
Dubai's cyber regulatory map sits across multiple bodies, and every VAPT scope has to clear them in a single engagement. At the federal level there is the UAE Cybersecurity Council and the Telecommunications and Digital Government Regulatory Authority (TDRA) operating the UAE Information Assurance Standards (UAE IAS, the framework historically branded NESA) plus the Federal Personal Data Protection Law (PDPL 2021) under the UAE Data Office. Inside the Dubai International Financial Centre (DIFC) there is the Dubai Financial Services Authority (DFSA) Technology Risk module (GEN 5 / GEN 6) plus the DIFC Data Protection Law 2020 under the DIFC Commissioner of Data Protection. Inside Abu Dhabi Global Market (ADGM) — where many Dubai-related family offices and asset managers also licence — there is the Financial Services Regulatory Authority (FSRA) cyber expectations. For any Dubai-government or semi-government entity there is the Dubai Electronic Security Centre (DESC) Information Security Regulation (ISR) v2, with the registered-auditor pre-qualification and the prescribed audit cycle. A long shadow falls from the parent groups in London (PRA / FCA), Singapore (MAS TRM) and Mumbai (RBI / SEBI) for the BFSI subsidiaries we test in DIFC. The deliverable has to clear all of these on first read.
We test Dubai BFSI estates — DIFC-regulated banks, payment institutions, broker-dealers and family offices in JLT (Jumeirah Lakes Towers), Business Bay and DIFC Gate Village — with scopes mapped to UAE IAS (NESA) Tier-1 / Tier-3 control profiles, DFSA Technology Risk GEN 5 / GEN 6, DESC ISR v2 (where the entity is Dubai-government-adjacent), DIFC Data Protection Law and UAE Federal PDPL where customer-data flows touch the federal layer. Reports include the CERT-In empanelment for groups with India-side parent regulatory reporting (SBI / HDFC / ICICI / Kotak / Axis Dubai branches, Indian fintech-group DIFC entities), alongside the UAE-side evidence. The control crosswalk is per-finding, not at the cover page — a finding on an unprotected admin endpoint cites GEN 6.1, UAE IAS T3.6, DESC ISR v2 §7.* and CWE-306 all on the same row.
Common Dubai scope patterns we have delivered against: DIFC-regulated entity core banking + customer portal with the FAB / Emirates NBD / Mashreq / RAKBANK regional-bank integrations; payment-institution APIs (settlement, payout, FX, remittance corridors into India / Pakistan / Egypt / Philippines) under the Central Bank of UAE Retail Payment Services and Card Schemes Regulation; broker-dealer trading systems connecting to Nasdaq Dubai / DFM / ADX / international venues; family-office portal and document-vault platforms (typically Asset Vantage / Eton Solutions / FundCount style); the corporate IT estate at DIFC Gate Village, JLT cluster and Business Bay towers; and the embedded-finance / partner-API flows where DIFC Innovation Hub fintechs sit between a licensed bank and a customer-facing SaaS. For the family-office segment we additionally test the bilingual Arabic / English document-vault search authz and the cross-jurisdiction beneficial-owner data path.
Senior consultants travel from Mumbai BKC — Emirates / IndiGo / Air India Express direct flights from BOM make next-day onsite kickoff routine in DIFC, JLT, Business Bay or Bur Dubai. For longer engagements we keep a UAE-resident lead consultant onsite throughout the testing window, holding a UAE work permit / freelance visa and an Emirates ID — the same person on kickoff, mid-engagement and final sign-off. Onsite testing days at the client's DIFC Gate Village, JLT cluster or Business Bay tower office are arranged with the building's tenant-services team in advance, because most Dubai BFSI towers require pre-cleared visitor passes and contractor escort even for inside-tenant work. We have working knowledge of the building conventions across DIFC Gate Village 1-11, ICD Brookfield, Index Tower, Almas Tower, HDS Tower, the JBC clusters in JLT and the Business Bay Bay Square / Bay Avenue / U-Bora towers.
Engagement contracts and data-handling agreements are drafted under UAE law where the client operates as a DIFC / ADGM entity (with the DIFC Courts / ADGM Courts jurisdiction clause), with mirror clauses for India-side parent groups where applicable. Test data, evidence, working artefacts and report drafts stay inside UAE jurisdiction for the duration of the engagement — encrypted on consultant endpoints under UAE PDPL Article 22 cross-border transfer constraints, with the sign-off retention aligned to DFSA / FSRA / DESC record-keeping requirements (typically seven years for DFSA, five for DESC ISR). The data-processor / data-controller designation under DIFC DP-Law and UAE PDPL is explicit in the engagement letter, and the breach-notification chain (72 hours to DIFC Commissioner / UAE Data Office) is pre-wired.
Adversary modelling for Dubai BFSI is regionally grounded. We test against the actual TTPs hitting Gulf-region financial-sector entities in the 2023-26 cycle — FIN8-style financial-actor footholds on payment-institution treasury endpoints, MuddyWater / APT34 phishing pretexts tuned for UAE business norms, LAPSUS$-style IdP-compromise scenarios on Azure AD / Okta / PingFederate tenants (the pattern that hit two Dubai banks in 2024-25), ALPHV / RansomHub affiliate footholds on third-party IT-services vendors with DIFC access, and the family-office-specific business-email-compromise and beneficial-owner-information-exfiltration patterns the regional CISO group has flagged repeatedly at the FS-ISAC MEA chapter. Each finding is mapped to the TTP, the threat actor most likely to weaponise it and the detection rule the bank's SOC should add — handed off as part of the engagement.
Reporting is in the format each regulator reads. DFSA Technology Risk evidence is in the table layout the supervisor's risk-based-supervision template asks for; DESC ISR v2 evidence is in the audit-pack format the registered-auditor list expects (Macksofy is on the DESC registered-auditor route via our regional partner with name-listed senior consultants); UAE IAS evidence is in the UAE IAS Tier-3 control-profile pack; UAE Federal PDPL evidence is in the data-fiduciary register format the UAE Data Office reads; CERT-In evidence is in the empanelled-auditor letter for India-side parent reporting. One engagement, one evidence base, five regulator-readable artefacts. Re-testing of all critical and high findings is included in the base SoW with a 30-day window aligned to the strictest regulator's remediation SLA.
Commercial nuance is local. Engagement billing is in AED with a 5% UAE VAT line, invoiced from our regional billing entity to keep the client's books clean against the FTA Tax Procedures Law. Payment terms align with the DIFC / ADGM tenant-services norm (net-30 from invoice, with the standard UAE late-payment escalation through the DIFC Courts small-claims pathway only as a last resort — which has not been needed). We coordinate with the client's UAE-resident company secretary or legal counsel on the engagement-letter execution to keep the DIFC Authority filing record consistent.
Five phases. Dubai timeline.
Every Macksofy VAPT engagement in Dubai runs through the same phased protocol — adapted to Dubai-specific procurement, regulator and delivery realities.
- UAE IAS / DFSA / FSRA / DESC ISR / DIFC DP-Law / UAE PDPL applicability scoping
- CERT-In empanelment overlay for India-side parent reporting (where relevant)
- Engagement letter under UAE law + DIFC Courts jurisdiction + UAE PDPL Article 22 data-handling
- Onsite badge process across DIFC Gate Village / JLT / Business Bay tenant-services teams
- Regional adversary modelling — MuddyWater / APT34 / FIN8 / LAPSUS$ / ALPHV TTPs
- Application architecture review — DIFC core-banking, payment APIs, family-office vault
- DIFC Innovation Hub partner-API + embedded-finance flow mapping
- Bilingual Arabic / English UI test-plan for family-office and Dubai-government scope
- Net-banking / customer-portal / mobile-app testing on DIFC bank estate
- Payment-institution API testing — settlement, payout, FX, remittance corridor
- Broker-dealer OMS / RMS + venue-connectivity testing (Nasdaq Dubai / DFM / ADX)
- Family-office document-vault authz + beneficial-owner data-path testing
- DFSA Technology Risk evidence in supervisor's risk-based-supervision template
- DESC ISR v2 audit pack in registered-auditor route format
- UAE IAS Tier-3 control-profile pack + UAE PDPL data-fiduciary register entries
- DIFC DP-Law DPIA + CERT-In empanelled letter for India-side parent reporting
- 30-day re-test of critical / high findings aligned to strictest regulator SLA
- Records-retention sign-off (DFSA 7-year + DESC ISR 5-year + DIFC DP-Law)
- Detection-engineering hand-off to client SOC + SIEM tuning backlog
- Closure ledger filed with each regulator's preferred submission channel
Which Dubai verticals we deliver VAPT for.
DIFC-licensed banks
DIFC Gate Village + ICD Brookfield bank branches — DFSA Technology Risk + UAE PDPL cross-border focus.
Payment institutions
Business Bay + JLT licensed PIs — Central Bank Retail Payment Services + remittance-corridor abuse focus.
DIFC Innovation Hub fintechs
Embedded-finance + partner-API fintechs in DIFC Gate Village — bank-fintech federation testing scope.
Family offices + asset managers
JLT + DIFC family offices — bilingual document-vault authz + beneficial-owner data-path focus.
Broker-dealers + market makers
Nasdaq Dubai / DFM / ADX connected broker-dealers — OMS / RMS + venue-connectivity scope.
MNC Dubai regional HQs
Internet City / Media City / JLT regional HQs running MEA business — parent-group reporting overlay.
The Dubai deliverable pack.
Every Dubai VAPT engagement closes with the pack below — regulator-ready evidence, technical detail and board-readable summaries.
- DFSA Technology Risk evidence pack in supervisor's risk-based-supervision template format
- DESC ISR v2 audit pack in registered-auditor route format (for Dubai-government-adjacent clients)
- UAE IAS (NESA) Tier-3 control-profile pack + closure recommendation
- DIFC Data Protection Law DPIA + UAE Federal PDPL data-fiduciary register entries
- CERT-In empanelled auditor letter for India-side parent reporting
- Per-finding crosswalk across all five regulators on one row (GEN 6 / UAE IAS / DESC ISR / CWE / CERT-In)
- 30-day re-test closure ledger aligned to strictest regulator remediation SLA
- Detection-engineering recommendations + SIEM tuning backlog handed to client SOC
A Dubai VAPT case study.
VAPT across customer portal, settlement API, FX engine, remittance-corridor partner APIs (India / Pakistan / Egypt / Philippines) + DFSA Technology Risk GEN 6 evidence + UAE PDPL data-fiduciary register + CERT-In letter for India-side parent
29 findings closed in 5 weeks · 4 critical remittance-corridor authz paths remediated before next DFSA risk-based-supervision review · DFSA evidence pack accepted first read · DIFC DP-Law DPIA covering 11 processing activities + 3 cross-border transfer mechanisms · CERT-In letter filed with India parent without rework.
Rated 4.9 ★ from 612 client reviews.
“We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.”
“The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.”
“Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.”
Get a fixed-price proposal in 48 hours.
Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.
- CERT-In Empanelled
- EC-Council ATC · CompTIA Authorized
- 20,000+ professionals trained
- India + UAE engagements
