A note on anonymity: All client identities in these case studies have been kept confidential at our clients' request. Industry, country, company size, and engagement details are accurate and have been shared with permission. We believe the outcomes speak for themselves without needing a name attached to them.

The Situation

A growing business. A looming deadline. And no clear path forward.

When the operations director first reached out to us, their exact words were: "We have an audit in nine weeks and we don't really know where to start." That kind of honesty is something we always appreciate. It tells us a business is serious about solving the problem rather than just looking for someone to rubber-stamp a document.

The company had grown quickly over the previous 18 months. Revenue was up, headcount was growing, and the product was genuinely good. But that growth had outpaced the business's security and compliance infrastructure. Controls were inconsistently applied. Policies existed in some areas and not at all in others. And nobody had a clear picture of the full regulatory requirement they were being measured against.

The SAMA Cybersecurity Framework is detailed and demanding, particularly for businesses operating in the payments space. Passing it is achievable — but only with a structured approach and someone who has been through the process before.

The Approach
Week 1: Discovery and Gap Assessment

We spent the first week running a full gap analysis against the SAMA CSF requirements and the Saudi PDPL simultaneously. Every control domain was assessed. Every policy document was reviewed. The gaps were mapped against risk severity and business impact rather than just compliance categories — because not all gaps are created equal when time is short.

Week 2: Prioritisation and Ownership

With a comprehensive gap map in hand, we worked with the leadership team to assign ownership for every action item. We made a deliberate decision to sequence remediation based on audit risk rather than effort — closing the issues most likely to generate critical findings first, regardless of how straightforward or complex they were.

Weeks 3 to 8: Hands-on Remediation

For six weeks, our team worked directly alongside theirs. We wrote and implemented policies, configured technical controls, worked with their cloud provider on access management, and restructured their data handling procedures. When their team had questions, we answered them the same day. Nothing was left to sit in a queue.

Week 9: Audit Preparation and Walkthrough

In the final week, we conducted a full mock audit internally to identify any remaining gaps before the real thing. We prepared the evidence packs, briefed the relevant team members on what to expect, and were available on audit day to support wherever needed.

The Outcomes

Zero critical findings. Full compliance. An internal team that now understands their own controls.

  • The audit passed with zero critical findings. The auditors noted the quality of the documentation and the consistency of the controls as particularly strong areas.

  • Full Saudi PDPL alignment was achieved as a secondary outcome of the engagement, giving the business compliance coverage well beyond the audit scope.

  • The internal team was genuinely upskilled. Every team member involved understood the controls they were maintaining and why those controls existed — not just how to answer auditor questions.

  • A Virtual CISO retainer followed to maintain their compliance posture on an ongoing basis. The operations director described it as "finally having a security person we can actually call."

"Nine weeks felt impossible from where we were sitting when we first called. We passed without a single critical finding. I genuinely didn't think that was achievable in the time we had, and I told them that on the first call. They disagreed, and they were right."

Operations Director

Payments Company, Riyadh, Saudi Arabia

The Situation

A business that cared deeply about patient care and had underinvested in data protection.

The clinical team at this healthcare provider was genuinely excellent. The patient outcomes data showed that clearly. But the back-of-house infrastructure that supported all of that work had not kept pace. Patient records were stored across a mix of legacy clinical management software, shared drives, and email threads. Access controls were informal. There was no documented data handling policy, no breach notification procedure, and no single person responsible for data protection.

This is actually a very common situation in healthcare SMEs across the GCC. The organisation's energy has gone into delivering care, and the regulatory and technical infrastructure has been deferred. When the UAE FDPL created real legal consequences for that deferral, leadership decided it was time to act properly rather than just patch things over.

Our initial vulnerability scan of their network and systems uncovered 23 high or critical severity findings, including several that had been present for over two years without being identified. That number got the board's attention in a way that a policy document alone would not have.

The Approach

We structured this engagement in two parallel workstreams so that the technical and regulatory work could progress simultaneously without either blocking the other.

On the technical side, we deployed continuous vulnerability monitoring across their entire environment and began a structured remediation programme. We worked with their IT provider to close the highest-risk findings first, establishing a clear weekly cadence of scanning, triage, patching, and verification. Nothing was marked as resolved until it was independently confirmed to be closed.

On the compliance side, we built a data protection programme from scratch. This included a full data mapping exercise to understand what patient data they held, where it was stored, who had access to it, and how it moved through the organisation. From that foundation we designed and implemented the policies, procedures, and technical controls required to meet UAE FDPL obligations and align with NCA ECC requirements.

We also identified and trained a member of their administrative team to serve as the internal data protection contact, ensuring the programme had an owner inside the business after our engagement concluded.

The Outcomes

A 78% reduction in critical vulnerabilities. Full regulatory alignment. A team that now owns their data protection.

  • 78% of critical and high-severity vulnerabilities were closed within 60 days. The remaining findings were either accepted with documented risk rationale or scheduled for resolution during planned maintenance windows.

  • Full UAE FDPL compliance was achieved, including documented data processing activities, privacy notices, subject rights procedures, and a breach notification protocol tested against a real-world scenario.

  • NCA ECC alignment was established across their core infrastructure, with controls mapped and evidenced for any future regulatory review.

  • Ongoing VMaaS monitoring was put in place to ensure new vulnerabilities are identified and triaged before they become critical — rather than after.

"The vulnerability scan was eye-opening in a way that was uncomfortable but necessary. We had critical issues sitting in our systems for over two years. The team worked through them methodically, explained everything clearly, and never made us feel judged for how we had been operating. We now have a programme that actually runs itself."

Chief Executive Officer

Healthcare Provider, UAE

The Situation

The attack had already happened. The real question was what came next.

When the operations manager called us, there was a calm urgency in his voice that told us the immediate panic had passed and he was now thinking clearly. The ransomware had been isolated. Backups — fortunately recent — were being assessed. Their IT partner was handling the recovery. What they needed from Code Defence was not incident response in the traditional sense. They needed a security partner who could be on-site within 24 hours, run a full forensic review of the environment, and start building a hardened foundation from the wreckage of what had happened.

The forensic review told a familiar story. The ransomware had entered through a phishing email opened on an unmanaged laptop. The lateral movement through the network had been possible because of overly permissive user access rights that had never been reviewed. Backups had been online and accessible from the same network, which meant the attackers had attempted to encrypt those too — only a timing quirk had meant the most recent backup was spared.

None of these were unusual vulnerabilities. They were textbook entry points that exist in the majority of SME networks we assess. The organisation was not careless — they simply had not had the expertise to see what was there.

The Approach

We structured the engagement in two phases. The first was immediate: a full forensic review, a clean rebuild of the affected systems with hardened configurations, a complete access rights audit, and offline backup architecture. That work ran in parallel with their IT provider's recovery effort and completed within 11 days of the initial attack.

The second phase was the long-term hardening programme. We deployed VMaaS across their entire environment, implemented email security controls, rewrote their network segmentation, and established a phishing awareness programme for their staff. A Virtual CISO retainer was put in place to provide ongoing strategic oversight, manage vendor relationships, and ensure that security decisions at a business level were made with proper risk awareness.

We also redesigned their backup architecture to follow a proper air-gapped approach, ensuring that any future incident could not touch their recovery capability regardless of how far an attacker had moved through the network.

The Outcomes

Full operations restored in 11 days. A hardened environment. Zero incidents in the 14 months since.

  • Full operational recovery was achieved within 11 days of the initial attack, including the warehouse management system that had been the most severely affected.

  • The attack vector was fully closed and documented. The forensic findings were used to brief leadership and the wider team so the organisation genuinely understood what had happened and why.

  • The network was restructured and hardened, with proper segmentation, least-privilege access controls, and continuous monitoring in place within 30 days of the attack.

  • Zero security incidents have been recorded in the 14 months since the engagement began. Two phishing attempts were identified and blocked by the new email security controls in that period.

"The attack was genuinely frightening for the first 48 hours. Once Code Defence was on-site, something shifted. There was a clear plan, clear communication, and people who clearly knew what they were doing. We didn't just recover — we ended up in a significantly better security position than we were in before the attack."

General Manager

Logistics and Freight Company, Kuwait

The Situation

A genuinely good product. A deal on the line. And a certification requirement that felt like a wall.

The founders of this SaaS company had built something they were rightly proud of. The product solved a real problem in the financial services sector, and the enterprise client they were in conversation with was exactly the kind of anchor customer that would transform the business. The security questionnaire was not an obstacle anyone had anticipated.

ISO 27001 is a rigorous standard. It requires the implementation of a full Information Security Management System, documented across all relevant domains, with evidence of controls operating effectively over time. Many technology companies take 12 to 18 months to achieve it, particularly if they are starting from a limited security foundation. This company had six months and a commercial reason to hit that target.

When they came to us, they had good engineering practices and a security-conscious culture — but almost none of the formal documentation, risk management processes, or governance structures that ISO 27001 requires. The gap was significant but not insurmountable.

The Approach

We began with a full gap assessment against the ISO 27001:2022 standard and used the findings to build a project plan that was honest about what was achievable in the time available. The plan was sequenced around the certification audit requirements rather than ideal practice — we needed to ensure that every domain was evidenced and functioning before the auditors arrived, not just documented on paper.

Over five months, we built and implemented the Information Security Management System in its entirety. This included the risk register, statement of applicability, asset inventory, access control policies, incident management procedures, business continuity plan, vendor security assessments, and the staff awareness training programme. Every document was written by our team in collaboration with theirs, and every control was tested before the audit.

We also ran two internal audits during the process — one at the midpoint and one in the final week before the external auditors arrived — to identify and close any gaps before they became findings.

The Outcomes

Certified in 5 months. Enterprise deal closed. And a certification that kept opening doors.

  • ISO 27001 certification was achieved in five months, one month ahead of the commercial deadline. The external audit resulted in two minor observations and zero non-conformities.

  • The enterprise deal was signed within two weeks of the certification being issued. The contract represented a significant step change in the company's revenue profile.

  • Three additional enterprise opportunities that had previously stalled on security questionnaires were reopened and converted in the six months following certification. ISO 27001 became a genuine commercial asset.

  • A Virtual CISO retainer was put in place to manage the ongoing ISMS, prepare for the annual surveillance audit, and extend the security programme as the company continues to grow.

"We went from 'ISO 27001 in six months sounds impossible' to certified in five. What surprised us most was that it didn't feel like a painful compliance exercise once we were inside it. It genuinely made our security better. The three enterprise deals that followed were something we hadn't even anticipated when we started."

Co-Founder and CTO

SaaS Company, Manama, Bahrain

The Situation

A silent breach. Client data at risk. And a firm whose reputation was on the line.

Professional services firms handle some of the most sensitive data in any organisation — strategic plans, financial information, personnel matters, and commercial negotiations that clients trust them to protect. When this firm's managing partner called us, the weight of that responsibility was evident in every word.

The threat intelligence notification had come at the end of a Friday afternoon. By the time we were engaged, it was Saturday morning. The forensic investigation that followed over the next 72 hours painted a detailed picture of what had happened. A compromised contractor account — unused for several months but never deprovisioned — had been the entry point. The attacker had moved carefully and quietly through a portion of the firm's file storage, accessing but not exfiltrating most of the sensitive material they had found. The exception was a folder containing proposal documents for a small number of active client engagements.

The immediate priorities were clear: contain the breach, assess the full scope of what had been accessed, understand the UAE FDPL notification obligations that arose from the incident, and prepare a communication strategy for the affected clients. All of this needed to happen quickly and carefully.

The Approach

We mobilised a team within four hours of the initial call and worked through the weekend to complete the forensic scope assessment. Every piece of accessed data was catalogued. Every account that had been active during the breach window was reviewed. The compromised account was isolated, the access pathway closed, and the environment audited for any secondary access points the attacker may have established.

In parallel, we worked with the firm's legal counsel to assess their notification obligations under UAE FDPL. The regulation is clear on breach notification timelines and requirements, and getting that advice right early meant that the firm was able to approach the regulator and their affected clients from a position of transparency and control rather than reactive panic.

The client communication strategy was handled with particular care. We helped draft clear, honest disclosures to the three clients whose proposal data had been accessed. Those conversations were difficult but they were handled professionally, with complete transparency about what had been accessed and what the firm had done and was doing in response.

Once the immediate crisis was managed, we built a comprehensive security programme to ensure the conditions that had enabled the breach could not recur: a formal offboarding process for contractors, continuous monitoring, privileged access management, and a Virtual CISO retainer to provide ongoing oversight.

The Outcomes

Breach contained. Regulatory obligations met. Client trust preserved.

  • The breach was fully contained and the attack pathway closed within 72 hours of the initial engagement. No further access or data movement occurred after the containment work was completed.

  • UAE FDPL notification obligations were met within the required timeframe, with full documentation of the incident scope, the response actions taken, and the measures implemented to prevent recurrence.

  • Zero client relationships were lost as a result of the breach. All three affected clients were notified directly and professionally. Two of them subsequently asked the firm to brief their own security teams on the incident response approach as a learning exercise.

  • A comprehensive security programme was implemented in the 60 days following the breach, covering access governance, continuous monitoring, and a formal security awareness programme for all staff and contractors.

"I won't pretend it wasn't one of the most stressful weeks of my professional life. What I will say is that having Code Defence in our corner made an enormous difference. They were calm, systematic, and completely honest with us about what had happened and what our obligations were. The way we handled it actually strengthened our relationship with two of the three affected clients. That was not an outcome I expected."

Managing Partner

Management Consulting Firm, Dubai, UAE