VAPT Checklist for UAE Companies 2026 — What to Test and When

If your organisation operates in the UAE and handles customer data, processes payments, or is subject to CBUAE, NESA, or ISO 27001 requirements, a Vulnerability Assessment and Penetration Test (VAPT) is not optional — it is a regulatory and business requirement. This checklist gives you a practical, step-by-step guide to scoping, running, and acting on a VAPT engagement in the UAE.

What VAPT Actually Covers

VAPT is two distinct activities delivered together. A Vulnerability Assessment (VA) is a systematic scan of your environment to identify known weaknesses — misconfigurations, unpatched software, exposed services, and policy gaps. A Penetration Test (PT) goes further: a skilled tester actively attempts to exploit those vulnerabilities to determine real-world impact.

Together, VAPT gives you:

  • A ranked list of vulnerabilities with CVSS severity scores
  • Proof-of-concept evidence of exploitability
  • Business impact assessment for each finding
  • A remediation roadmap prioritised by risk
  • A compliance-ready report for your auditors or regulators

Without the penetration test component, you only know what exists — not what an attacker can actually do with it. UAE enterprises that rely on automated scanning alone consistently fail third-party audits and leave critical attack paths undiscovered.

UAE Regulatory Requirements That Mandate VAPT

Several UAE regulatory frameworks explicitly require regular penetration testing or vulnerability assessments. If your organisation is subject to any of the following, VAPT is mandatory, not best practice.

Framework | Relevant Clause | Requirement
CBUAE Information Assurance Framework | Domain 4 — Vulnerability Management | Periodic vulnerability assessments and penetration tests for licensed financial institutions
ISO/IEC 27001:2022 | Clause 8.1 + Annex A.8.8 | Management of technical vulnerabilities; testing of security controls
PCI DSS v4.0 | Requirement 11.3 | External and internal penetration testing at least annually and after significant changes
UAE NESA Information Assurance Standards | IAS-4 Vulnerability Management | Vulnerability scanning quarterly; penetration testing annually for critical systems
DIFC Data Protection Law | Article 14 | Appropriate technical measures including regular security testing

For CBUAE-licensed entities — banks, exchange houses, finance companies, insurance firms — the requirement is non-negotiable. Regulators increasingly request VAPT reports as part of annual compliance submissions.

Pre-VAPT Checklist — Before the Test Starts

A poorly scoped VAPT wastes money and delivers low-value findings. Before engaging any VAPT services provider in the UAE, complete this pre-engagement checklist.

Scope Definition

  • List all in-scope IP ranges, domains, and subdomains
  • Identify all web applications with their URLs and environments (production vs staging)
  • Specify cloud accounts and regions (AWS, Azure, GCP)
  • Include mobile applications (iOS and Android if applicable)
  • List all APIs — internal and external

Asset Inventory

  • Network diagram showing all segments and DMZ
  • List of externally facing services and ports
  • Application architecture documentation (even high-level is useful)
  • Third-party integrations that handle your data

Rules of Engagement

  • Testing window: specify permitted hours (many UAE clients require off-hours testing)
  • Emergency contact: who to call if a test causes unintended disruption
  • Written authorisation signed by an accountable executive
  • Notification plan: does your IT team know the test is happening?
  • Out-of-scope systems clearly documented to prevent accidental testing

The 7 VAPT Test Areas

A comprehensive VAPT engagement for a UAE enterprise should cover all relevant attack surfaces. Depending on your environment, the following test areas apply:

  1. Web Application Testing — OWASP Top 10 coverage: injection, broken authentication, IDOR, XSS, SSRF, insecure deserialisation, and business logic flaws specific to your application
  2. Network Infrastructure Testing — External perimeter testing of all internet-facing services; internal network segmentation review if scope includes internal access
  3. API Security Testing — REST and SOAP API authentication, authorisation bypass, data exposure, rate limiting, and input validation. Critical for UAE fintech and e-commerce
  4. Cloud Security Assessment — IAM misconfiguration, exposed storage buckets, public snapshots, overly permissive security groups, and compliance posture. Relevant for UAE clients running workloads on AWS or Azure
  5. Mobile Application Testing — iOS and Android binary analysis, certificate pinning review, insecure data storage, and API communication security
  6. Social Engineering Assessment — Phishing simulations, vishing (voice), and pretexting exercises to measure human vulnerability
  7. Physical Security Testing — Tailgating, badge cloning, and access control review for UAE organisations with sensitive physical infrastructure

Not every organisation needs all seven. A UAE e-commerce company should prioritise web app, API, and cloud. A CBUAE-regulated bank needs network, web app, API, and social engineering at minimum.

Post-VAPT Checklist — After the Report Arrives

Receiving a VAPT report is not the end of the process. Most UAE organisations under-invest in post-VAPT remediation and miss the entire point of the exercise.

Report Review (Week 1)

  • Confirm CVSS scores are assigned to every finding
  • Verify all Critical and High findings include proof-of-concept evidence
  • Challenge any findings you cannot reproduce — good testers document clearly
  • Map findings to your regulatory framework (CBUAE, PCI DSS, ISO 27001)

Remediation Planning (Week 2-3)

  • Create a remediation register with owner, target date, and priority
  • Critical findings: remediate within 7 days or implement compensating controls
  • High findings: remediate within 30 days
  • Medium findings: remediate within 90 days
  • Low/Informational: include in next patching cycle

Retest Scheduling

  • Schedule retest for Critical and High findings after remediation
  • Confirm your VAPT provider includes at least one free retest in their engagement
  • Request a retest report for regulatory submission
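As an added example (not code from this page or from eShield IT), the following Python turns the Week-1 report review checks, the Week-2/3 remediation SLAs, and the retest rule for Critical and High findings into a remediation register. The findings, owners and report date are constructed sample values; the CVSS-to-severity mapping assumes the standard CVSS v3.x qualitative bands.

```python
from datetime import date, timedelta

# Remediation SLAs from the checklist: days allowed per severity band.
# Low/Informational have no fixed date; they go into the next patching cycle.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90}
BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low"))

def severity_from_cvss(score):
    # CVSS v3.x qualitative bands; 0.0 is Informational, a missing score stays None.
    if score is None:
        return None
    return next((name for floor, name in BANDS if score >= floor), "Informational")

def review_findings(findings):
    # Week-1 review: report-quality gaps to challenge with the tester before planning.
    issues = []
    for f in findings:
        sev = severity_from_cvss(f.get("cvss"))
        if sev is None:
            issues.append(f"{f['id']}: no CVSS score assigned")
        elif sev in ("Critical", "High") and not f.get("poc"):
            issues.append(f"{f['id']}: {sev} finding lacks proof-of-concept evidence")
    return issues

def build_register(findings, report_date):
    # Week-2/3 register: owner, priority, target date; Critical/High are flagged for retest.
    register = []
    for f in findings:
        sev = severity_from_cvss(f.get("cvss"))
        days = SLA_DAYS.get(sev)
        register.append({
            "id": f["id"],
            "priority": sev or "Unscored",
            "owner": f.get("owner", "UNASSIGNED"),
            "target_date": report_date + timedelta(days=days) if days else None,
            "retest": sev in ("Critical", "High"),
        })
    # Earliest deadline first; undated items (Low/Informational/Unscored) go last.
    register.sort(key=lambda r: r["target_date"] or date.max)
    return register

# Constructed sample findings (illustrative, not from a real report).
SAMPLE = [
    {"id": "F-01", "cvss": 9.8, "poc": True, "owner": "AppSec"},   # Critical
    {"id": "F-02", "cvss": 7.5, "poc": False, "owner": "Cloud"},   # High, missing PoC
    {"id": "F-03", "cvss": 5.3, "poc": True},                      # Medium, no owner yet
    {"id": "F-04", "cvss": None},                                  # unscored
]
```

Run `review_findings(SAMPLE)` first and resolve every item it returns with the tester; then `build_register(SAMPLE, report_date)` gives the register with owners and target dates, and the rows with `retest` set are the ones to schedule for the retest report.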

How Often Should UAE Companies Run VAPT?

  • Annually (minimum): Required by PCI DSS, NESA IAS, and most CBUAE-licensed entities
  • After major changes: New application releases, cloud migrations, significant infrastructure changes — each triggers a requirement for re-assessment under PCI DSS Requirement 11.3 and ISO 27001 change management
  • Quarterly: External vulnerability scanning (distinct from full VAPT) should run quarterly for internet-facing systems
  • Continuous: High-risk UAE organisations (banks, healthcare) should consider continuous vulnerability management with periodic deep-dive penetration tests

Frequently Asked Questions

Is VAPT the same as a vulnerability scan?

No. A vulnerability scan is automated tool output. A VAPT includes manual exploitation by a skilled tester. Regulators and auditors increasingly distinguish between the two — a scan alone does not satisfy PCI DSS Requirement 11.3 or CBUAE penetration testing requirements.

Do I need to shut down production during a VAPT?

No. Most VAPT engagements run against production systems during agreed maintenance windows or low-traffic periods. Your tester should coordinate with your IT team and have an emergency stop contact available.

How long does a VAPT take?

Scope-dependent. A single web application typically takes 5-10 business days. A full enterprise VAPT covering network, multiple applications, cloud, and APIs can take 3-6 weeks. Rushed assessments deliver shallow results.

What should a VAPT report include for CBUAE submission?

Executive summary, methodology, findings with CVSS scores, proof-of-concept screenshots, business impact assessment, and a remediation roadmap. Some CBUAE submissions also require an Arabic executive summary — confirm this requirement with your compliance team.

Need VAPT services in Dubai or the UAE? eShield IT delivers end-to-end VAPT for UAE businesses — web applications, networks, cloud, APIs, and mobile — with CBUAE and ISO 27001-aligned reporting.