How We Evaluate UAE Cybersecurity Companies
Full scoring methodology — nine criteria, how each is weighted, and what evidence we require.
This page documents the full scoring methodology behind the ranking. Transparency about methodology is a prerequisite for any ranking claiming independence. If you believe a criterion is missing or weighted incorrectly, contact us via the contact page.
The Nine Criteria
1. Technical Certifications and Team Depth — Weight: High
We look at certifications held by senior practitioners — the people who will actually work on a client engagement, not the firm's HR database.
What we verify:
- OSCP (Offensive Security Certified Professional) — the practical standard for penetration testers; requires passing a 24-hour hands-on exam
- CREST — UK-headquartered accreditation body recognised by DESC; the institutional standard for penetration testing quality. CREST membership is a firm-level accreditation, while CREST practitioner certifications (for example CRT and CCT) are held by individuals; we look for both
- CISSP — widely held among senior security architects and consultants
- PCI QSA — required for firms issuing PCI DSS Reports on Compliance; note that PCI DSS penetration testing itself does not require a QSA, as the standard allows a qualified internal resource or qualified third party to perform it
- CEH — considered a baseline indicator only, not a differentiator
Firms that demonstrate senior practitioners holding OSCP and CREST score highest. Firms whose team profiles show only CEH or no disclosed certifications score lower.
2. UAE Regulatory Alignment — Weight: High
UAE-specific regulatory knowledge is non-negotiable for local buyers. We assess whether a firm maps deliverables to NESA controls, holds or supports DESC accreditation, understands ADHICS requirements for healthcare clients, can produce PDPL-compliant data processing documentation, and has experience delivering PCI DSS penetration testing to Gulf banks. International firms delivering generic ISO 27001 reports without UAE-specific mapping score lower.
3. Local Presence and Data Residency — Weight: Medium-High for managed services
For penetration testing, remote delivery is acceptable and common. For managed SOC and MDR services, keeping data inside the UAE is a PDPL and NESA requirement for many client types (PDPL restricts cross-border transfer of personal data rather than mandating residency outright, but for regulated sectors the practical effect is onshore processing). We note whether the provider operates a UAE-sovereign SOC, whether data processing occurs onshore, and whether local support staff are available.
4. Service Depth and Specialisation — Weight: Medium
We distinguish between full-lifecycle providers (assessment → managed security → incident response → compliance) and specialists (deep expertise in one category). Neither is inherently superior. A boutique firm that does penetration testing exceptionally well is preferable to a large firm that does it as a secondary service. We score based on fit for the declared buyer profile.
5. Transparency and Report Quality — Weight: Medium-High
Evidence considered: sample report availability or documented methodology, deliverable structure (CVSS scoring, PoC evidence, remediation guidance, executive summary), post-engagement support (retesting policy, remediation tracking), and responsiveness to methodology queries.
6. Industry Experience in UAE-Relevant Sectors — Weight: Medium
Verticals considered: government, banking/fintech, oil and gas, healthcare, telecom, crypto/blockchain, e-commerce. Evidence required: case studies (even anonymised), public client references, or sector-specific accreditations.
7. Client Trust Signals — Weight: Medium
Counted: independent awards (with named awarding body and year), analyst recognition, verifiable client testimonials, DESC or other regulatory body accreditations. Not counted: self-described superlatives, undated or unverifiable testimonials.
8. Innovation and Tooling — Weight: Low-Medium
Indicators: proprietary platforms or dashboards, PTaaS capability, R&D investment, published original security research, CVE discoveries. Firms publishing original vulnerability research demonstrate active technical capability beyond service delivery.
9. SMB vs Enterprise Fit — Weight: Contextual
Each company's ideal customer profile is documented. This criterion does not lower a score — it helps buyers identify the right match for their organisation's size and security maturity. A boutique firm scoring lower on "enterprise fit" may be the correct choice for a mid-market buyer.
How Scores Become Rankings
Each of criteria 1 through 8 is scored on a 1–5 scale; criterion 9 is documented but not scored. Each score is multiplied by the weight listed for that criterion above and the weighted values are summed. The final ranking reflects the weighted aggregate score. In cases of near-equal scores, UAE-specific regulatory knowledge (criterion 2) is the tiebreaker, because it is the criterion most directly relevant to this market.
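The aggregation described above, written out as a small ranking model. This is an added illustration, not the ranking site's own scoring code: the page gives weight labels, not numbers, so the numeric values assigned to High, Medium-High, Medium and Low-Medium, the "near-equal" threshold, the rule that an unverifiable criterion is scored at the minimum, and the three sample vendors are all assumptions made for this example.

```python
"""Weighted ranking model for the nine-criterion methodology.

Added illustration, not the ranking site's own code. Numeric weights for the
labels, the tie threshold, the conservative-scoring rule and the sample
vendors are assumptions; the page itself gives only qualitative labels.
"""

# Criterion -> weight label, as listed on the page. Criterion 9 (SMB vs
# enterprise fit) is "Contextual" and documented rather than scored.
WEIGHT_LABELS = {
    "certifications": "High",
    "regulatory_alignment": "High",
    "local_presence": "Medium-High",
    "service_depth": "Medium",
    "transparency": "Medium-High",
    "industry_experience": "Medium",
    "trust_signals": "Medium",
    "innovation": "Low-Medium",
}

# Assumed numeric values for the qualitative labels.
LABEL_VALUES = {"High": 3.0, "Medium-High": 2.5, "Medium": 2.0, "Low-Medium": 1.5}

TIEBREAKER = "regulatory_alignment"   # criterion 2, per the page
TIE_EPSILON = 1.0                     # assumed "near-equal" threshold

# Constructed sample data (not real vendors or real scores).
SAMPLE_VENDORS = {
    "Boutique pentest firm": dict(certifications=5, regulatory_alignment=4,
                                  local_presence=2, service_depth=5, transparency=5,
                                  industry_experience=3, trust_signals=3, innovation=4),
    "Local MSSP": dict(certifications=3, regulatory_alignment=5,
                       local_presence=5, service_depth=4, transparency=4,
                       industry_experience=4, trust_signals=3, innovation=2),
    "International generalist": dict(certifications=4, regulatory_alignment=3,
                                     local_presence=3, service_depth=4, transparency=4,
                                     industry_experience=4, trust_signals=4, innovation=3),
}
# Claims we could not independently confirm (per vendor). Assumed rule:
# such a criterion is scored at the minimum rather than at the claimed value.
SAMPLE_UNVERIFIED = {"International generalist": {"industry_experience"}}


def weighted_score(scores: dict, unverified=frozenset()) -> float:
    """Sum of weight * score over the eight scored criteria."""
    total = 0.0
    for criterion, label in WEIGHT_LABELS.items():
        raw = scores[criterion]
        if not 1 <= raw <= 5:
            raise ValueError(f"{criterion}: score {raw} outside the 1-5 scale")
        if criterion in unverified:
            raw = 1   # conservative scoring for an unverifiable claim (assumed rule)
        total += LABEL_VALUES[label] * raw
    return total


def rank(vendors: dict, unverified=None) -> list:
    """Order vendors by weighted total, breaking near-ties on regulatory alignment."""
    unverified = unverified or {}
    totals = {name: weighted_score(s, unverified.get(name, frozenset()))
              for name, s in vendors.items()}
    ordered = sorted(totals, key=lambda n: totals[n], reverse=True)
    # Tiebreaker pass: among neighbours whose totals are within TIE_EPSILON,
    # the vendor with the higher regulatory-alignment score goes first.
    # Each swap moves a strictly larger tiebreaker value earlier, so this ends.
    changed = True
    while changed:
        changed = False
        for i in range(len(ordered) - 1):
            a, b = ordered[i], ordered[i + 1]
            if (abs(totals[a] - totals[b]) <= TIE_EPSILON
                    and vendors[b][TIEBREAKER] > vendors[a][TIEBREAKER]):
                ordered[i], ordered[i + 1] = b, a
                changed = True
    return [(name, totals[name]) for name in ordered]


if __name__ == "__main__":
    for position, (name, total) in enumerate(rank(SAMPLE_VENDORS, SAMPLE_UNVERIFIED), 1):
        print(f"{position}. {name}: {total:.1f}")
```

In the constructed data the boutique firm has the highest raw total (72.5) but the local MSSP (71.5) lands within the assumed tie window and has the higher regulatory-alignment score, so it ranks first; the generalist drops from 67.0 to 61.0 once its unverifiable sector claim is scored at the minimum.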
What We Do Not Score
We do not score marketing quality, website design, brand recognition, press release volume, or social media presence. These are vendor communication choices, not security capability indicators. A firm with a minimal web presence that publishes original CVE research scores higher on capability than a firm with a polished website and no disclosed technical credentials.
Limitations
This methodology relies on publicly available information supplemented by direct vendor engagement. We cannot verify claims we cannot independently confirm. Where information is unverifiable, we note it and apply conservative scoring. If you represent a company and believe our assessment is based on inaccurate information, submit a correction via the contact page with supporting documentation.