Remote vulnerability assessment and penetration testing (VAPT) is now the standard delivery model for GCC companies in UAE, Saudi Arabia, Qatar, Kuwait, Bahrain, and Oman. All major GCC cybersecurity regulators — CBUAE, SAMA, QCB, CBK, CBB, and CBO — accept remote VAPT evidence for compliance purposes. This post explains exactly what remote VAPT covers, how it is conducted securely, what cannot be done remotely, and what it costs across GCC markets.
Remote vs On-Site VAPT — What Can and Cannot Be Done Remotely
The first question GCC clients ask about remote VAPT is: does it deliver the same value as on-site testing? The answer depends on what is in scope.
| Test Type | Remote Delivery | On-Site Required | Notes |
|---|---|---|---|
| External Network VAPT | Fully remote | Not required | Tests internet-facing assets from external vantage point |
| Web Application VAPT | Fully remote | Not required | All testing via browser and proxy tools over the internet |
| Mobile Application VAPT | Fully remote | Not required | APK/IPA analysis; emulator-based dynamic testing |
| Internal Network VAPT | Via VPN/jump server | VPN access needed | Client provisions secure VPN; tester connects remotely |
| Cloud Configuration Review | Fully remote | Not required | Read-only IAM role provisioned for cloud tenant access |
| API Security Testing | Fully remote | Not required | Conducted against test/staging or production API endpoints |
| Physical Penetration Test | Not applicable | Always on-site | Physical access testing requires in-person presence |
| On-site Social Engineering | Not applicable | Always on-site | Tailgating, impersonation require physical presence |
| OT/ICS Security Assessment | Partial (passive) | Active testing on-site | OT environments typically require physical access for safe testing |
For the vast majority of GCC compliance-driven VAPT requirements — CBUAE Domain 9, SAMA CRF Protect domain, PCI DSS Req 11.3 and 11.4, NCA ECC Domain 2 — external network VAPT, web application VAPT, and internal network VAPT via VPN are fully deliverable remotely and satisfy regulatory evidence requirements.
Remote VAPT Methodology — How It Works for GCC Clients
Step 1: Scoping and Rules of Engagement
Remote VAPT begins with a structured scoping call to define the target environment: IP ranges, domain names, application URLs, API endpoints, cloud tenant references. A written Scope of Work and Rules of Engagement is agreed before testing begins. For GCC clients, the ROE explicitly defines testing windows (to avoid disruption during business hours in the client’s time zone), blackout periods, and emergency contact procedures.
Step 2: Secure Channel Setup for Internal Testing
For internal network VAPT, the client provisions a dedicated VPN connection or a jump server (a hardened VM inside the client network with remote desktop access). Common approaches used for GCC clients:
- Client-managed VPN: Client provides VPN credentials; tester connects via OpenVPN or IPSec. Client can monitor and terminate the connection at any time.
- Jump server: Client provisions a Windows or Linux VM with RDP/SSH access; tester connects to the jump server and conducts all internal testing from within the network.
- Temporary firewall rule: For very restricted environments, client opens a specific inbound port to a specific tester IP range for the duration of testing.
All approaches maintain client control over the testing connection at all times, which is important for GCC clients with strict change management procedures.
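As an added example that is not part of the original post, here is the kind of client-side check Step 1 and Step 2 imply: it reads VPN connection events and flags any session that came from outside the agreed tester IP range, fell on a blackout day, or ran outside the ROE testing window in the client's local time. The ROE values, the log format and the log lines are constructed; the UAE offset is hard-coded as UTC+4 because GCC time zones have no daylight saving.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone
import ipaddress
GST = timezone(timedelta(hours=4))  # UAE Gulf Standard Time (no DST)

@dataclass(frozen=True)
class RulesOfEngagement:
    tester_range: ipaddress.IPv4Network  # source range agreed for the VPN/firewall rule
    window_start: time                   # client local time, inclusive
    window_end: time                     # client local time, exclusive; may wrap past midnight
    blackout_days: frozenset             # client local dates with no testing at all
    tz: timezone

    def in_window(self, local: datetime) -> bool:
        t = local.time()
        if self.window_start <= self.window_end:
            return self.window_start <= t < self.window_end
        return t >= self.window_start or t < self.window_end  # e.g. 22:00-06:00

    def check(self, ts_utc: datetime, src: str) -> list:
        """ROE violations for one connection event; an empty list means compliant."""
        local, problems = ts_utc.astimezone(self.tz), []
        if ipaddress.ip_address(src) not in self.tester_range:
            problems.append(f"source {src} outside agreed tester range")
        if local.date() in self.blackout_days:
            problems.append(f"{local:%Y-%m-%d} is a blackout day")
        elif not self.in_window(local):
            problems.append(f"{local:%H:%M} local is outside the testing window")
        return problems

def audit(log: str, roe: RulesOfEngagement) -> dict:
    """Map each non-compliant line of a '<ISO 8601 UTC> CONNECT <src IP>' log to its violations."""
    result = {}
    for line in log.splitlines():
        stamp, _, src = line.split()
        if problems := roe.check(datetime.fromisoformat(stamp.replace("Z", "+00:00")), src):
            result[line] = problems
    return result

# Hypothetical ROE: tester range 203.0.113.0/28, window 22:00-06:00 GST, blackout on 2024-03-12
ROE = RulesOfEngagement(ipaddress.ip_network("203.0.113.0/28"), time(22, 0), time(6, 0),
                        frozenset({date(2024, 3, 12)}), GST)
# Constructed VPN concentrator log lines (not real client data)
SAMPLE_LOG = """\
2024-03-10T19:30:00Z CONNECT 203.0.113.10
2024-03-10T22:30:00Z CONNECT 203.0.113.10
2024-03-11T01:15:00Z CONNECT 198.51.100.7
2024-03-11T10:00:00Z CONNECT 203.0.113.10
2024-03-12T19:00:00Z CONNECT 203.0.113.12"""
VIOLATIONS = audit(SAMPLE_LOG, ROE)  # three of the five sessions breach the ROE
```

Feeding the real VPN or firewall log through `audit` after each testing window gives the client an independent record that the connection stayed within what was agreed.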
Step 3: Testing Execution
Remote VAPT follows a structured methodology aligned to industry standards (PTES, OWASP Testing Guide, NIST SP 800-115). For external network VAPT: reconnaissance → port scanning → service enumeration → vulnerability identification → exploitation (with explicit authorisation) → post-exploitation (where in scope) → evidence collection. For web applications: OWASP Top 10 and OWASP API Security Top 10 coverage, business logic testing, authentication and session management testing.
Step 4: Reporting
VAPT reports for GCC regulatory submission are structured to satisfy specific regulator requirements. A GCC-compliant VAPT report includes:
- Executive summary with risk rating and key findings in plain language
- Scope confirmation and methodology statement
- Findings categorised by CVSS severity (Critical, High, Medium, Low, Informational)
- Per-finding: description, evidence (screenshots, proof of concept), business impact, remediation recommendation, and regulatory reference (e.g., “PCI DSS Req 6.3.3”, “CBUAE CSF Domain 5”, “NCA ECC 2-14-1”)
- Remediation roadmap with prioritised action items
- Arabic executive summary available for Saudi, UAE government, and Qatari submissions
GCC Regulatory Acceptance of Remote VAPT
| Country / Regulator | VAPT Requirement | Remote Acceptance | Frequency |
|---|---|---|---|
| UAE — CBUAE CSF | Domain 5 / Domain 9 | Yes | Annual minimum |
| UAE — NESA IAS | Domain 5 (Security Testing) | Yes | Annual |
| UAE — PCI DSS | Req 11.3 (scan) + 11.4 (pentest) | Yes (ASV scan always remote) | Quarterly scan, annual pentest |
| Saudi Arabia — SAMA CRF | Protect domain — security testing | Yes | Annual minimum |
| Saudi Arabia — NCA ECC | Control 2-14 (Vulnerability Management) | Yes | Annual |
| Qatar — QCB | Electronic payment security | Yes | Annual |
| Kuwait — CBK | Cybersecurity instructions for banks | Yes | Annual |
| Bahrain — CBB | CBB cybersecurity rulebook | Yes | Annual |
| Oman — CBO | CBO cybersecurity framework | Yes | Annual |
Cost Comparison: Remote vs On-Site VAPT for GCC
| VAPT Type | Remote (AED) | On-Site (AED) | On-Site Premium |
|---|---|---|---|
| External network VAPT | AED 8,000–20,000 | Not applicable | N/A |
| Web application VAPT | AED 12,000–35,000 | Not applicable | N/A |
| Internal network VAPT (via VPN) | AED 20,000–50,000 | AED 30,000–70,000 | +30–40% (travel + logistics) |
| Full-scope VAPT (combined) | AED 30,000–80,000 | AED 45,000–110,000 | +35–45% |
| Physical penetration test (on-site only) | Not available | AED 30,000–80,000 | N/A |
For GCC clients outside the UAE, remote VAPT typically costs 30–40% less than equivalent on-site delivery due to the elimination of travel, accommodation, and logistics costs. The quality of findings is equivalent for network and application testing.
Report Formats for GCC Regulators
GCC VAPT report requirements vary by regulator. Key format considerations:
- Language: English is accepted by all GCC regulators. Arabic executive summaries are required or strongly preferred for Saudi NCA ECC submissions, some QCB submissions, and UAE government entity reporting.
- CVSS scoring: All GCC regulators accept CVSS v3.1 severity ratings. Some SAMA assessments also require a business impact rating alongside technical CVSS scores.
- Regulatory reference mapping: For CBUAE submissions, findings should reference specific CBUAE CSF domain and control numbers; for SAMA submissions, the relevant SAMA CRF domain; for PCI DSS, the specific requirement numbers. This mapping transforms a technical VAPT report into a compliance-aligned regulatory document.
- Retest evidence: GCC regulators increasingly require evidence of remediation retesting — a clean retest report or remediation verification section within the original report.
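The following is an added example, not code from the original post, covering the report structure of Step 4 and the format points above: it rates constructed sample findings on the CVSS v3.1 qualitative scale, maps them to regulator control references, orders the remediation roadmap and produces the retest section. The findings and the control references attached to them are constructed for illustration and do not form a complete mapping.

```python
from dataclasses import dataclass, field
from typing import Optional
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Informational"]

def cvss_severity(score: float) -> str:
    """CVSS v3.1 qualitative rating; a 0.0 ('None') finding is reported as Informational."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    for floor, label in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")):
        if score >= floor:
            return label
    return "Informational"

@dataclass
class Finding:
    ref: str
    title: str
    cvss: float
    business_impact: str                          # reported alongside CVSS, as some SAMA assessments require
    controls: dict = field(default_factory=dict)  # regulator -> control reference (constructed mapping)
    retest_fixed: Optional[bool] = None           # None = not yet retested, False = still open
    @property
    def severity(self) -> str:
        return cvss_severity(self.cvss)

def roadmap(findings: list) -> list:
    """Prioritised remediation order: severity band first, then raw CVSS score."""
    return sorted(findings, key=lambda f: (SEVERITY_ORDER.index(f.severity), -f.cvss))

def regulator_view(findings: list, regulator: str) -> list:
    """Rows for one regulator's submission: (control ref, finding ref, severity, retest status)."""
    return [(f.controls[regulator], f.ref, f.severity, f.retest_fixed)
            for f in roadmap(findings) if regulator in f.controls]

def retest_summary(findings: list) -> dict:
    """Remediation verification section: verified fixed, still open, and not yet retested."""
    return {"verified": [f.ref for f in findings if f.retest_fixed is True],
            "open": [f.ref for f in findings if f.retest_fixed is False],
            "pending": [f.ref for f in findings if f.retest_fixed is None]}

SAMPLE = [  # constructed findings; control references are illustrative, not a full mapping
    Finding("F-02", "Weak VPN portal password policy", 6.5, "Credential guessing",
            {"CBUAE CSF": "Domain 5"}, retest_fixed=False),
    Finding("F-01", "Missing patches on internet-facing web server", 9.8, "Remote compromise",
            {"PCI DSS": "Req 6.3.3", "NCA ECC": "2-14-1"}, retest_fixed=True),
    Finding("F-03", "TLS version disclosed in server banner", 0.0, "None"),
    Finding("F-04", "Session token not invalidated at logout", 7.5, "Session hijacking",
            {"CBUAE CSF": "Domain 5"}, retest_fixed=True),
]
```

`regulator_view(SAMPLE, "CBUAE CSF")` yields the rows for a CBUAE submission in roadmap order, and `retest_summary(SAMPLE)` is the evidence section regulators increasingly ask for.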
Frequently Asked Questions
How is data security handled during remote VAPT for GCC clients?
All remote VAPT testing traffic is encrypted. No production data is extracted or retained by the testing team — VAPT involves exploitation proof-of-concept, not data collection. Screen recordings and screenshots are retained for reporting and deleted after the final report is delivered. Rules of Engagement explicitly prohibit retention of client data. Non-disclosure agreements are signed before engagement commencement.
What credentials does the testing team need for internal VAPT?
For a standard internal VAPT, the client provides a standard domain user account (no admin rights) and VPN access. This simulates an insider threat or post-initial-access scenario. Some assessments include both unauthenticated and authenticated testing to cover different threat scenarios. Privileged access is not provided to the testing team prior to testing — privilege escalation is a test objective, not a starting condition.
Can a GCC company conduct VAPT on cloud environments (AWS, Azure, GCP)?
Yes, subject to each provider’s penetration testing policy. AWS, Azure, and GCP all permit penetration testing of customer-owned resources without prior approval, subject to their acceptable use policies. Specifically: you can test your own EC2 instances, web applications, API gateways, and cloud resources without submitting a notification to the cloud provider (as of 2024 policy updates). Testing the cloud provider’s underlying infrastructure is prohibited.
How long does a remote VAPT take for a typical GCC SME?
A combined external network and web application VAPT for a GCC SME with 5–10 external-facing applications typically takes 10–15 business days: 3–5 days of active testing followed by 5–7 days for report writing and quality review. Internal network VAPT via VPN for a 50–200 endpoint network adds another 5–7 days of active testing. Total elapsed time from kickoff to final report delivery: 3–5 weeks.