Riyadh is where Saudi cybersecurity policy is written and where the Kingdom's largest banks, ministries and Vision 2030 programmes are run. CyberFortify runs manual web, network, cloud and API penetration tests for organisations in the capital, aligned to NCA ECC, the SAMA CSF, PCI DSS and the Saudi PDPL. Delivered remotely in Riyadh's time zone with on-site engagements across the Kingdom. Fixed price, audit-ready reporting, free remediation retest.
// 01 Why Riyadh businesses need penetration testing
Riyadh concentrates the assets an adversary most wants to reach in Saudi Arabia: ministries and their digital services, the head offices of the national banks, the fintechs graduating out of the SAMA regulatory sandbox, and the programme offices running trillion-riyal giga-projects. A single exposed contractor portal, an over-permissioned cloud role in a ministry's e-service, or a flat internal network inside a bank's Riyadh data centre can put national data and licensed operations at risk in one move.
The threat is not theoretical. State-aligned and financially motivated groups have long treated Saudi government and energy-adjacent targets as priorities, and the capital's rapid move to cloud and to citizen-facing digital services widens the attack surface every quarter. Automated scanners cannot model this. They enumerate known CVEs; they do not chain a leaked credential into a domain takeover, abuse a trust relationship between a giga-project and its subcontractor, or prove that a bank's cardholder environment is really segmented from its corporate LAN. Closing that gap is why Riyadh's security committees commission a real penetration test rather than accept a scan report.
// 02 Compliance and regulatory drivers in Riyadh
Riyadh is the regulatory capital as well as the commercial one - the NCA and SAMA are both headquartered here, and their mandates increasingly make independent penetration testing a condition of operating, not a nice-to-have. These are the obligations CyberFortify most often maps evidence against for organisations in the city.
NCA Essential Cybersecurity Controls (ECC)
The National Cybersecurity Authority's ECC applies to government bodies and critical-sector operators. Domain 2 (Cybersecurity Defence) requires periodic vulnerability assessment and penetration testing of internet-facing and internal systems. Our reports are structured to close those sub-controls directly.
SAMA Cyber Security Framework
Banks, financing and insurance companies and payment firms licensed by the Saudi Central Bank must run penetration testing under SAMA CSF control 3.3.14, with results reported to management. We deliver the exploit-level evidence a self-assessment cannot.
NCA Cloud Cybersecurity Controls (CCC)
Riyadh's fast migration to cloud brings the NCA's cloud controls into scope for both providers and tenants. We run configuration-aware testing that evidences the technical assurance those controls expect.
Saudi PDPL
The Personal Data Protection Law obliges controllers to apply appropriate technical measures to protect personal data. Penetration testing demonstrates that "appropriate" security has been validated against a real attacker, not merely documented.
PCI DSS v4.0 - Req 11.4
Riyadh's banks, acquirers and payment processors handling card data must penetration-test the cardholder-data environment and prove segmentation under Requirement 11.4.5 each year.
// 03 Penetration testing services for Riyadh
Riyadh organisations engage us across the full offensive-security surface. Which service leads depends on your sector - ministries and giga-projects prioritise web and cloud, banks lead with network and API, and enterprises pursuing an NCA or ISO baseline bundle several ahead of an audit.
Web application pen testing
Manual testing of e-government services, banking portals and giga-project platforms against the OWASP Top 10 and business-logic abuse.
Network pen testing
External perimeter, internal Active Directory and segmentation testing for head offices and data centres across the capital.
Cloud pen testing
Configuration-aware AWS, Azure, Oracle and Google Cloud testing for Riyadh workloads, aligned to the NCA cloud controls.
API pen testing
Open-banking, government-integration and fintech API testing - broken object-level authorisation, token abuse and trust-boundary flaws.
Mobile app pen testing
iOS and Android testing for the banking, wallet and citizen-service apps that dominate the Riyadh market.
Red teaming
Goal-based adversary simulation testing whether a Riyadh institution's blue team detects and responds to a real intrusion.
// 04 How we deliver to Riyadh
Riyadh runs on the same clock as our Gulf base - Arabia Standard Time, UTC+3 - so there is no offshore lag between a finding and the conversation about fixing it. Most testing is delivered remotely from our secure environment; where being on the ground adds value, our team flies in on an agreed schedule.
What runs remotely
External perimeter, web, cloud and API testing delivered from our secure environment, in real time during Riyadh business hours, with Arabic- or English-language read-outs and same-day communication on critical findings.
What we do on-site
Internal network, Active Directory, wireless and assumed-breach testing performed in your Riyadh premises where physical presence matters, plus in-person executive and board briefings when a programme or regulator requires them.
Every engagement opens with a free 30-minute scoping call and a fixed-price quote returned within the hour. No hourly meters, no scope creep, and a free remediation retest once your team ships the fixes. Data-handling and residency requirements are agreed up front.
// 05 Industries we secure in Riyadh
Riyadh's economy is government- and finance-led, with a fast-growing technology layer built on Vision 2030. CyberFortify tests across the sectors that define the capital's risk profile:
// 06 Our methodology
Every Riyadh engagement follows the same disciplined, audit-defensible process CyberFortify runs worldwide, tuned to the controls a Saudi assessor will look for. Testing is grounded in the Penetration Testing Execution Standard (PTES) and NIST SP 800-115, with exploitation mapped to the relevant MITRE ATT&CK tactics and application testing driven by the OWASP methodology. As a CREST Accreditation Pathway firm, we lead with manual, human-driven testing - automation supports the tester, it never replaces one.
Scoping & rules of engagement
Targets, in-scope ranges, test windows, data-handling and escalation paths agreed in writing before any testing begins.
Fixed quote in 1hReconnaissance & threat modelling
Attack surface mapped and prioritised against the adversary objectives most relevant to a Riyadh government or financial target.
ATT&CK alignedManual exploitation
Confirmed weaknesses are exploited and chained under controlled conditions, with false positives eliminated by hand.
Controlled exploitReporting & free retest
Executive summary, CVSS-scored technical report and NCA/SAMA control mapping - followed by a free retest once fixes ship.
Audit-ready// 07 Why CyberFortify for Riyadh
A scan-and-report vendor
Automated tool output rebadged as a pen test, delivered on an offshore clock, with generic findings your NCA or SAMA assessor sends back for lacking real exploitation evidence and control mapping.
CyberFortify in the Gulf
A Gulf-based, CREST-pathway team in Riyadh's own time zone. Real manual exploitation, findings mapped to NCA ECC, SAMA CSF, PCI DSS and PDPL, Arabic or English read-outs, fixed pricing and a free remediation retest.
Riyadh engagements are frequently paired with a follow-on API assessment or a full red team simulation, depending on the threat model and the question your regulator or board is asking.
// 08 Frequently asked questions
Is penetration testing mandatory for companies in Riyadh?
For most regulated organisations, yes. Government bodies and their suppliers fall under the National Cybersecurity Authority's Essential Cybersecurity Controls (ECC-1), which require regular vulnerability assessment and penetration testing. Banks, financing companies and fintechs licensed by the Saudi Central Bank must test under the SAMA Cyber Security Framework. Card processors add PCI DSS 4.0. CyberFortify's reports are formatted to serve directly as that evidence.
Do you provide penetration testing on-site in Riyadh?
Yes. External, web, cloud and API testing is delivered remotely from our secure environment in the same time zone as Riyadh (AST/UTC+3). For internal network, Active Directory, wireless and assumed-breach work that benefits from being on the ground, our team travels to your Riyadh premises - a short flight from our Gulf base - on an agreed schedule.
Can your reports be used for NCA and SAMA compliance?
Yes. Every engagement maps findings to the specific controls your assessor expects - NCA ECC domain 2 (Cybersecurity Defence) and its vulnerability and penetration-testing sub-controls, SAMA CSF 3.3.14, PCI DSS 4.0 Requirement 11.4, and the security-of-processing obligations of the Saudi Personal Data Protection Law.
Do you test Vision 2030 and giga-project systems in Riyadh?
Yes. We test the web platforms, contractor portals, cloud environments and integrations that giga-projects and their technology partners run out of Riyadh, and we structure findings so a programme's security office can hold its supply chain to the same NCA baseline it is held to.
Do you deliver reports and briefings in Arabic?
Our technical reports are issued in English, and we brief executives, security committees and boards in Arabic or English during read-out sessions. Data residency and any Kingdom-specific handling requirements are agreed during scoping.