Manual, exploit-driven
Network Pen Tests
Most UAE clients ask "I need pen testing for compliance" without knowing scope. That's fine — scoping is our job, not yours. Our 8-stage PTES-aligned process figures out exactly what your audit, client, or threat model actually needs.
OSCP · CPTS · CEH practitioners Free retest of critical / high findings Written quote in 48 hours
Start here — pick your path
Pick the path that matches where you are. We'll walk you through scoping in a free 30-minute call.
I need it for compliance
ISO 27001, UAE IA, ADHICS, PCI DSS, SOC 2 — tell us the framework, we'll map exactly which scope your auditor expects.
I know what I want tested
Network, web app, mobile, API, phishing, cloud — pick your scope chips. Multi-select supported; bundled discounts apply.
I'm not sure where to start
Tell us a little about your environment and goals. Our practitioners will recommend the right scope, share indicative AED pricing, and send a written brief — no hard sell.
What can be in scope
In scoping, we pick together. You choose the attack surface; we apply the appropriate methodology to each.
External Network
Internet-exposed infrastructure, perimeter
Internal Network
Corporate LAN, Active Directory, lateral movement
Web Application
OWASP WSTG — authenticated, business logic
Mobile App (iOS / Android)
OWASP MASTG — static + dynamic + runtime
API
OWASP API Top 10 — REST, GraphQL, SOAP
Wireless
WiFi, rogue-AP, Evil Twin, WPA2/3 weaknesses
Phishing & Social Engineering
Email, SMS, vishing — realistic attacker simulation
Cloud Configuration
AWS, Azure, GCP — IAM, misconfig, privilege paths
VA only (budget)
Scan + prioritise. Compliance box-check, not a pen test
Bundling 2+ scopes in one engagement reduces overall cost — fewer setup hours, one report, one debrief. We'll quote bundled scope at the scoping call.
Our 8-stage penetration testing process
Based on PTES (Penetration Testing Execution Standard), OWASP methodology guides, and NIST SP 800-115. The engineering discipline most "VAPT" providers skip.
- 01
Pre-Engagement You're involved
NDA, scoping workshop, rules of engagement, timeline, deliverable lock. We educate, you choose scope.
- 02
Information Gathering
Passive + active reconnaissance. OSINT, enumeration, technology fingerprinting, attack-surface mapping.
- 03
Vulnerability Assessment
Automated + manual analysis. Known CVE sweep, configuration review, version analysis, attack-vector hypothesis.
- 04
Exploitation
Controlled execution of attack paths. Every exploit documented, every action reversible.
- 05
Post-Exploitation
Privilege escalation, impact demonstration, pillaging for sensitive data. We show what an attacker would actually get.
- 06
Lateral Movement
If in scope — pivot through the environment, chain access, demonstrate breach spread. Internal network engagements only.
- 07
Proof-of-Concept
Reproducible evidence for every finding. Screenshots, scripts, step-by-step. No unverifiable claims.
- 08
Post-Engagement You're involved
Executive summary, technical report, live walkthrough, clean-up evidence, free 30-day retest of critical/high fixes.
Pricing — Four tiers
Pick your scope, lock the fee
From single-asset SME engagements to full-scope multi-environment assurance. Every tier includes manual testing led by an OSCP holder.
Starter
AED 9,000
Ideal for: Sub-30-employee UAE companies needing first-time external security validation.
Includes
- Single web app OR small external network up to 20 IPs
- Automated + targeted manual testing
- Executive summary + technical findings report
- 60-min remediation walkthrough call
Not included
- Retest after fixes
- Internal network or AD
Designed for UAE SMEs under 30 employees. One-time engagement, no retest included.
Get a quoteEssentials
AED 12,000
Ideal for: Growing companies with one customer-facing asset to validate.
Includes
- Single web app OR external network up to 50 IPs
- Manual testing of OWASP Top 10 / authenticated flows
- Detailed PoC evidence per finding
- 30-day free retest of critical/high
- Live remediation walkthrough
Not included
- Internal lateral movement
- Cloud configuration review
Professional
AED 25,000–45,000
Ideal for: Mid-market companies needing multi-asset annual penetration testing.
Includes
- Multi-asset scope: web + external + selected internal
- Manual + automated, business-logic testing
- Active Directory enumeration if internal in scope
- Two free retests of critical/high
- Executive readout + remediation roadmap
Not included
- Red-team / adversary emulation
- Source-code review
Enterprise
AED 50,000–75,000
Ideal for: Multi-site or regulated organisations needing full-scope assurance.
Includes
- Full scope: web + network + AD + cloud configuration
- Lateral movement and privilege-escalation chains
- Custom attack scenarios mapped to your threat model
- Quarterly retest of critical/high for 12 months
- Executive board-readout + technical workshop
Not included
- Physical security testing (separate quote)
- OT/ICS environments (separate quote)
Not sure which tier fits?
Book a 20-min scoping callFlagship services — available now
Led by Nelson Durairaj (OSCP, eJPT, CEH), supervised by Manoj Prabhakaran (CPTS, CDSA). No juniors running scanners, no anonymous teams.
PTaaS — Penetration Testing as a Service
Continuous OSCP-led testing, live findings portal, on-demand re-tests, included annual deep-dive.
Network Penetration Testing
External + internal + Active Directory + lateral movement. PTES-aligned, manual, exploit-driven.
Web Application Penetration Testing
OWASP Top 10, API security, authentication flaws, business-logic testing.
Mobile Application Penetration Testing
iOS and Android — static + dynamic, Frida runtime instrumentation, MASVS-mapped.
Phishing Simulation & Social Engineering
Controlled phishing and vishing campaigns with click-rate reporting. Before/after metric for awareness training.
Vulnerability Assessment (VA only)
Scan-and-prioritise service for SMEs not ready for full pen testing. Fast, affordable, actionable.
Compliance mapping — which scope your framework needs
Tell us the framework, we'll scope to match. Our reports are audit-grade: CVSS-scored findings, control-mapped, walkthrough-delivered.
| Framework | Required | Recommended additions |
|---|---|---|
| ISO 27001 (Annex A 8.8) | VA + annual pen test | External network + primary web app |
| UAE IA V2 (T3.6.1) | External + internal pen test | + phishing simulation + wireless |
| ADHICS v2 (Healthcare UAE) | Annual pen test | + mobile app (if patient-facing) + PHI systems |
| PCI DSS 11.3 | Internal + external pen test | + segmentation testing + web app (if CDE) |
| SOC 2 (CC7.1) | Annual pen test | External network + web app + API |
Transparent pricing
We're a new UAE firm. We publish prices to earn your first case study — not to hide behind enterprise-sales opacity.
| Scope | Starting at (AED) | Typical duration |
|---|---|---|
| VA only (up to 50 IPs) | 5,000 | 3 days |
| External network pentest (small) | 20,000 | 5 – 7 days |
| Internal network pentest (AD, lateral) | 35,000 | 8 – 12 days |
| Web application (1 app, authenticated) | 15,000 | 7 – 14 days |
| Mobile app (1 platform, iOS or Android) | 18,000 | 7 – 10 days |
| Mobile app (both iOS + Android) | 30,000 | 10 – 14 days |
| API pentest (standalone) | 15,000 | 5 – 10 days |
| Phishing simulation (up to 200 users) | 8,000 | 2 weeks campaign |
| Network + Web App | 32,000 | 2 – 3 weeks |
| Full-stack: Network + Web + Mobile | 55,000 | 4 – 5 weeks |
All engagements include: scoping workshop, rules-of-engagement document, CVSS-scored findings report, executive summary, 90-min remediation walkthrough, and one free retest of critical/high findings within 30 days. VAT extra. Written quote within 48 hours of scoping call.
What you actually get
Every engagement, every scope. Audit-grade deliverables designed for UAE compliance contexts.
- 01
Executive summary
1 – 2 pages, board-consumable. Business impact, risk posture, remediation priority.
- 02
Technical findings report
CVSS-scored findings with reproduction steps, screenshots, and remediation guidance. Typically 20 – 50 pages.
- 03
PoC evidence pack
Scripts, payloads, Frida hooks — everything your dev team needs to reproduce locally.
- 04
Compliance mapping
Findings cross-referenced to ISO 27001 Annex A, UAE IA, ADHICS, PCI DSS controls as relevant.
- 05
Live walkthrough
90-minute session with your engineers — every critical and high finding demonstrated live.
- 06
Free 30-day retest
Validate your fixes on critical and high findings within 30 days of remediation. Separate retest report issued.
Year 2 — 2027 roadmap
Planned additions. Join a waitlist and we'll email you 30 days before launch.
Third-Party / Vendor Risk Assessment
Assess the cybersecurity posture of your suppliers and vendors. UAE IA V2 and ISO 27001 both require it — we deliver it via a scalable questionnaire framework.
Managed Vulnerability Management
Continuous scanning, prioritisation, and remediation tracking — delivered as a monthly retainer with your named engineer.
Year 3 — 2028 roadmap
Advanced and managed services. The roadmap is real; the certs and hires to deliver them follow in Year 2 – 3.
Red Team Exercises
Full-scope adversary simulation across people, process, and technology. Physical, digital, social engineering. Requires senior CRTO / OSEP hire.
SOC-as-a-Service / MDR
24/7 monitoring, threat detection, and response. MSSP partnership bridge in Year 2 before own build in Year 3.
Digital Forensics & Incident Response (DFIR)
Breach investigation, forensic reporting, legal-grade evidence handling. Licensed tools + GCFE / GCFA certified analysts.
Cyber Threat Intelligence (CTI)
Sector-specific threat intel, dark-web brand monitoring, quarterly executive briefings.
OT / ICS Security (IEC 62443)
Operational technology security for utilities, energy, manufacturing. Specialist hire required; anchor-client driven.
Why this matters for UAE
Scanners find patterns. Pen tests find paths.
Every UAE enterprise onboarding process — banks, tender committees, enterprise procurement — asks for penetration-test evidence before contract. Most UAE mid-market companies respond with a vulnerability scan PDF. That's not what auditors and procurement teams are asking for, and it's not what keeps you safe.
We deliver the real thing: manual, methodical, exploit-driven testing by named OSCP, CPTS, and CEH practitioners, following PTES, OWASP, and NIST methodology. Scanners and automation are part of the toolkit — but tools don't write the report or decide what to exploit next. Our testers do.
Every engagement ends with a live walkthrough of findings and a free retest of critical and high findings within 30 days of remediation.
Penetration testing in the UAE — FAQ
How much does penetration testing cost in the UAE?
Underwings publishes fixed pricing: engagements start at AED 9,000 (Starter — a single web app or external network up to 20 IPs), AED 12,000 for Essentials (manual OWASP Top 10 / authenticated testing with a 30-day free retest), and AED 25,000–45,000 for Professional multi-asset scopes. You receive a written, fixed-scope quote in AED within 48 hours of a scoping call.
What's the difference between a vulnerability assessment and a penetration test?
A vulnerability assessment scans and prioritises known weaknesses — useful as a compliance box-check and triage step. A penetration test is manual: a certified tester actively exploits and chains weaknesses the way a real attacker would, including business-logic flaws scanners can't find. Underwings delivers manual testing aligned to PTES and OWASP, not scanner PDFs.
How long does a penetration test take?
A single web application or small external network is typically 2–3 weeks end-to-end (scoping, testing, reporting, walkthrough). Larger or API-heavy scopes extend to 3–4 weeks. Expedited delivery is available.
Will your penetration test report satisfy ISO 27001, SOC 2, PCI DSS or NESA audits?
Yes. Reports include scope, methodology, dates, named tester credentials, CVSS-scored findings, reproduction steps, remediation guidance, and retest validation — usable as audit evidence for ISO 27001, SOC 2, PCI DSS, HIPAA, NESA, and ADHICS.
Who performs the testing, and what certifications do they hold?
Every engagement is delivered by named, certified practitioners — OSCP, CPTS, CDSA, CEH — with the tester named in the report. No anonymous juniors and no outsourcing.
Is a retest included after we fix the findings?
Yes. One free retest of critical and high findings within 30 days of the final report is included on Essentials and above, with a separate report confirming remediation.
Enterprise client asked for a pen test report?
Audit coming up? Mobile app shipping soon?
Book a free 30-minute scoping call. We'll scope your engagement against your actual compliance or commercial need, and send a written quote within 48 hours.