The most common question we get before a scoping call is some version of: "just tell me what a penetration test costs." The honest answer is that it depends on what you're testing and how deeply, but the ranges are predictable, the variables are well-understood, and there is a number for every scope. This guide gives you the actual 2026 market rates by test type, explains what drives cost up or down, and tells you what you give up when you buy cheap. If you're budgeting for compliance: SOC 2, IS
Babar Khan Akhunzada
Mar 5, 2026

Most financial institutions in Saudi Arabia know they need to comply with SAMA. Fewer understand what compliance actually requires, how maturity is measured, how long it takes, and, critically, how it differs from other frameworks like ISO 27001 or NESA. This guide answers those questions directly. It covers what the SAMA Cybersecurity Framework is, which entities it applies to, what the six maturity levels mean in practice, how a gap assessment works, and what reaching Level 3 actually looks lik
Babar Khan Akhunzada
Mar 3, 2026

The question comes up constantly when a CISO has done several rounds of penetration testing and starts wondering whether they're getting diminishing returns. The answer is that penetration testing and red teaming are not competing services: they measure different things, serve different purposes, and the data on when each is appropriate is fairly clear. In late 2024, CISA published findings from a red team assessment of a US critical infrastructure organisation with a mature security posture. Th
Babar Khan Akhunzada
Mar 2, 2026

As NESA assessments and regulatory reviews approach, organizations often realize that compliance gaps are rarely technical alone. More often, challenges stem from unclear governance, incomplete evidence, or misaligned risk management practices. This NESA compliance checklist is designed as a readiness guide for CISOs, compliance managers, and risk leaders who are preparing for assessment, audit, or regulatory review under the UAE Information Assurance framework. For organizations still buildin
Hisham Mir
Mar 1, 2026

Two things are happening simultaneously in 2026: organisations are deploying AI features faster than their governance can keep up, and regulators are finalising enforcement frameworks that carry penalties measured in millions of euros. The EU AI Act became fully enforceable for most operators on 2 August 2026. Finland activated the first national enforcement authority on 1 January 2026. Other EU member states are following rapidly through Q1 2026. If you're a SaaS company with AI features, a te
Babar Khan Akhunzada
Mar 1, 2026

Network penetration testing is the oldest category in offensive security and the one most frequently mis-scoped, mislabelled, or substituted with something cheaper that doesn't actually satisfy what an auditor or security programme needs. If you're preparing for a SOC 2 or ISO 27001 audit, evaluating whether your internal controls hold up, or simply trying to understand what "network pentest" means when a provider quotes for it, this guide covers what the assessment actually involves, where the i
Babar Khan Akhunzada
Mar 1, 2026

Most organisations that have pentested their web application haven't pentested their cloud environment. The two share an attack surface at the edges (SSRF, exposed storage, misconfigured APIs), but cloud infrastructure has vulnerabilities that a web app pentest scope doesn't touch: IAM privilege escalation, metadata service exploitation, inter-service trust abuse, storage bucket exposure, and lateral movement across cloud-native services. If your infrastructure runs on AWS, Azure, or GCP, this gui
Babar Khan Akhunzada
Mar 1, 2026

ISO 27001 doesn't spell out "conduct a penetration test." What it does require is a structured programme of security evaluation that, in practice, auditors universally expect a pentest to satisfy. If your certification audit is approaching and you're uncertain whether a vulnerability scan is sufficient, or what scope, frequency, and evidence an auditor actually needs, this guide answers all of it. 1. Does ISO 27001 Require Penetration Testing? 2. Which Annex A Controls Does a Pentest Satisfy?
Babar Khan Akhunzada
Feb 28, 2026

Most security teams assume their mobile app was covered in the web app pentest. It wasn't. The API calls, yes. The backend logic, partially. But the binary sitting on your users' devices: the local storage, the hardcoded secrets, the certificate pinning that a tester bypasses in 60 seconds, the exported Android components, the iOS keychain misuse. None of that is in a web app pentest scope. It's a different platform, a different attack surface, and a completely different testing methodology. Thi
Hisham Mir
Feb 28, 2026

The Netherlands, a hub of innovative SaaS startups, is experiencing a rapid rise in digital threats. According to the Dutch Data Protection Authority, there were 37,839 data breach notifications in 2024, with cybercrime-related incidents climbing sharply. Across Europe, more than 130,000 breaches were reported, and the Netherlands alone saw a 65% year-over-year increase in reported incidents. (Cybernews). A deeper dive into these breaches reveals that human error and misconfigurations are the l
Hisham Mir
Feb 26, 2026

APIs are where modern applications actually live, and where most of the significant security vulnerabilities are found. A web application pentest that doesn't explicitly include your API surface isn't testing the majority of your attack surface. It's testing the interface in front of it. This guide is written for the people making the security buying decision. If you've been using our JWT Analyzer or API Key Checker and discovered issues you want properly assessed, or if you're preparing for a S
Hisham Mir
Feb 26, 2026

Most organisations securing AI applications are doing it wrong, not because they're careless, but because they're applying web application security thinking to a fundamentally different attack surface. A standard pentest doesn't test prompt injection. It doesn't test whether your RAG system leaks data across users. It doesn't test whether your chatbot's system prompt can be extracted, or whether your AI copilot can be manipulated into calling functions it shouldn't. Those vulnerabilities don't e
Babar Khan Akhunzada
Feb 26, 2026

If you're evaluating vendors for an AI agentic security assessment, you're likely asking:
* What does OWASP Top 10 2026 mean for AI agents?
* How is agentic AI security different from traditional web app security?
* What should an AI agentic pen test actually include?
* How do I know if a vendor truly understands autonomous AI risk?
1. What Is Agentic AI and Why It Changes Security Risk
Agentic AI systems are autonomous or semi-autonomous software agents that:
* Plan tasks
* Call APIs
Babar Khan Akhunzada
Feb 24, 2026