Penetration Testing Services in Oman
Oman runs on three industries: banking, energy and logistics. The banking layer — Bank Muscat, NBO, Bank Dhofar, Sohar International, Ahli Bank Oman and the wider licensed cohort — operates under the Central Bank of Oman Cybersecurity Framework with annual independent VAPT and SWIFT CSP overlay. The energy layer — PDO, OQ Group and the midstream and refining estate — runs IT and OT side-by-side with IEC 62443 and NIST CSF expectations on the boundary. The logistics anchor — Asyad, Sohar Port, the Duqm economic zone and the broader maritime corridor — sits across both, plus its own port-community-system attack surface. AxVeil delivers vulnerability assessment, penetration testing and red team services across Oman for commercial buyers in each of these segments — operator-led, named-operator engagements with fixed-fee USD proposals.
The founder spent 3+ years operating in Oman across the banking sector before founding AxVeil, with direct delivery into Omani financial-services engagements. AxVeil's prior MENA banking-sector delivery is referenced at /case-studies/banking-mena-vapt. Engagements are served from our Bengaluru-headquartered team across Muscat, Sohar, Salalah and Duqm. Gulf Standard Time (UTC+4) is one-and-a-half hours behind India Standard Time, which gives a fully overlapping working day for daily Slack / Teams triage, draft-report walkthroughs and readout calls. Whether you are an Omani bank running annual CBO-aligned VAPT plus SWIFT CSP overlay, an oil and gas operator scoping the IT / OT boundary, a telecom or logistics anchor consolidating ISO 27001:2022, or a foreign-HQ company with Oman operations preparing PDPL readiness, our methodology compresses 4-week manual audits into 10-14 day engagements without sacrificing depth. Reports are mapped to CBO, Oman PDPL, CMA cybersecurity expectations, ISO 27001:2022, OWASP ASVS L2, OWASP API Top 10, PCI DSS v4.0, SWIFT CSP, IEC 62443 and NIST CSF — so a single engagement satisfies multiple audiences.
AxVeil is not currently on the Information Technology Authority (ITA / MTCIT) panel. For Omani Government work and panel-mandated tenders AxVeil partners with a panelled provider that signs the regulator-facing report. Commercial focus is direct delivery to Omani banks under Central Bank of Oman supervision, oil and gas and energy operators, telecoms, logistics, insurance under CMA and foreign-HQ companies with Oman operations. The founder's 3+ years on the ground in Oman banking is the practical anchor — we have delivered against this regulator perimeter before, not from a deck. The contracting path is stated in the proposal up front.
Industries we serve in Oman
Banking is the densest cluster. Bank Muscat, National Bank of Oman, Bank Dhofar, Sohar International, Ahli Bank Oman and the rest of the licensed-bank cohort all run on the Central Bank of Oman Cybersecurity Framework with annual independent VAPT plus post-material-change retest. SWIFT Customer Security Programme overlay applies to the cross-border-payment surface, and PDPL governs personal-data flow across customer-facing channels. AxVeil's named-operator model is the deliverable Omani bank CISOs consistently rate above big-four faceless delivery — when the human writing the PoC is the human on the readout call, the gap between report and remediation collapses.
Oil and gas and energy is the second cluster. PDO, OQ Group and the midstream and refining estate run IT and OT side-by-side; AxVeil scopes IT / OT boundary engagements conservatively against IEC 62443 and NIST CSF, with active testing on the IT side and read-only assessment on the OT side unless the operator explicitly authorises active testing during a maintenance window. Telecoms (Omantel, Ooredoo Oman) and logistics (Asyad, Sohar Port, Duqm corridor) round out the AxVeil ICP — carrier-grade OSS / BSS surfaces in the telecom stack and port-community-system architectures in the logistics stack. Government and ITA / MTCIT panel work routes through a panelled local partner.
Oman regulators we map every report to
ITA — Information Technology Authority (now MTCIT)
ita.gov.om
Oman's Information Technology Authority (now under the Ministry of Transport, Communications and Information Technology) sets the national cybersecurity baseline and runs the OCERT incident-response function. AxVeil is not on the ITA panel — for ITA-mandated work we partner with a panelled provider.
CBO — Central Bank of Oman
cbo.gov.om
The CBO Cybersecurity Framework applies to licensed banks, exchange houses and finance and leasing companies. Annual independent VAPT and post-material-change retest are baseline expectations; SWIFT CSP is overlaid on cross-border-payment institutions.
CMA — Capital Market Authority
cma.gov.om
CMA governs cybersecurity expectations for licensed insurers, brokers and listed market participants in Oman. Independent technology audits and penetration testing are referenced in the cybersecurity regulations issued to regulated entities.
Oman PDPL — Royal Decree 6/2022
www.mtcit.gov.om
The Oman Personal Data Protection Law (Royal Decree 6/2022) and its executive regulations mandate lawful basis, breach notification, cross-border-transfer controls and DPO designation for in-scope controllers. Penalties include fines and operational suspension.
ISO 27001:2022
www.iso.org
The ISMS certification baseline expected by Omani enterprise procurement, banks and government-adjacent buyers. AxVeil supports stage-1 / stage-2 audit preparation, Statement of Applicability evidence and operating-effectiveness sampling.
OWASP ASVS L2 + API Top 10
owasp.org
The application-layer floor for Omani banking and telecom-adjacent platform engagements. AxVeil engagements run ASVS L2 control-by-control with reproducible PoCs and remediation guidance mapped to engineering tickets.
Gulf threat landscape we test against
Oman's risk profile is anchored in three places: the cross-border-payment corridor its banks run, the IT-OT bridge across energy and ports, and the core-banking integration surfaces our team has tested first-hand. We threat-model against that reality, not a generic template.
SWIFT-corridor & cross-border-payment fraud
Omani banks run material cross-border-payment volume. We test the SWIFT CSP environment (read-only), payment-initiation controls, four-eyes approval integrity and the messaging-interface attack surface that ransomware and payment-fraud crews probe first.
IT-OT bridge exposure in oil, gas & ports
PDO / OQ-class upstream and the Sohar / Duqm port estate run IT and OT side-by-side. The recurring critical is a flat or weakly-segmented IT-OT bridge. We verify Purdue-model segmentation conservatively — passive enumeration on production, active testing only on staging mirrors.
Core-banking & switch integration weaknesses
Integration surfaces between internet banking, the core and the card switch are where real findings live. Our lived Omani-banking delivery means we scope these around live maintenance windows without breaking the switch schedule.
Mobile-banking & customer-channel abuse
Omani retail-banking apps face MENA-tuned overlay malware and credential-stuffing against customer portals. Mobile VAPT covers root / jailbreak and overlay defence; API testing covers IDOR, rate-limiting and OTP-flow abuse across customer channels.
Data residency & PDPL handling
Oman's PDPL (Royal Decree 6/2022) carries real cross-border-transfer and breach-notification obligations. We resolve data-flow and handling before the test starts so the engagement never becomes a compliance exposure of its own.
Oman PDPL data-flow mapping
Royal Decree 6/2022 mandates lawful basis, cross-border-transfer controls and breach notification. We inventory every personal-data store in scope and document the transfer mechanism before any test data is touched.
Engagement data handling
Evidence and sampled data stay in an encrypted, access-controlled vault. We never exfiltrate production PII; PoCs use minimal redacted samples. Retention and secure-destruction timelines are written into the DPA.
Banking & SWIFT-adjacent residency
Where CBO expectations or SWIFT CSP drive in-country residency for sensitive workloads, we document region-pinning, log-pipeline residency and key-management posture so your CBO and SWIFT evidence answers the residency question directly.
Engaging from the Gulf — language, calendar, on-site
A clean Oman engagement is as much about operating cadence as methodology. Here is exactly how we run language, the regional calendar and on-site logistics.
Language & contracting
English is the working language of every Omani bank, energy and telecom CISO and is our contracting and reporting language. We sign MSAs and DPAs under the buyer's preferred jurisdiction; Arabic executive summaries are supported on request via a translation partner.
Working week & calendar
We cover the Omani Sunday-Thursday week within our IST window and plan around Ramadan reduced hours and Omani public holidays so readouts and core-banking maintenance windows never collide.
On-site logistics
Remote-first delivery covers the full scope. On-site kick-offs in Muscat, Sohar or Duqm for sensitive internal-AD, banking-core or oil-and-gas IT / OT scopes are arranged per engagement, with visas, NDAs and site-access vetting handled ahead of travel. We do not maintain a Muscat office.
Why AxVeil for an Oman engagement
The differentiator is lived experience. The founder spent 3+ years operating in Oman across the banking sector before founding AxVeil, including direct delivery into Omani financial-services engagements and prior MENA banking-sector work referenced at /case-studies/banking-mena-vapt. That history shows up in the way we scope: we know how Omani CBO submissions read, how Omani bank procurement actually moves, and how to integrate a VAPT engagement around a core-banking switch maintenance window without breaking the schedule.
Time-zone match is clean: GST is one-and-a-half hours behind IST, so the entire Omani business day — including the Sunday-Thursday working week — is fully covered by our IST working window. English is the contracting language and is the working language of every Omani bank, energy and telecom CISO. Pricing is USD with OMR invoicing on request. Engagements are served from our Bengaluru-headquartered team across Muscat, Sohar, Salalah and Duqm — we are explicit in proposals that we do not maintain an Oman office, and onsite kick-offs are arranged per engagement when the scope demands.
Engagement model — Starter / Professional / Enterprise
Web + API VAPT
5-7 business days. OWASP Top 10, business logic, auth flows. PDPL gap notes. Suited to a single product surface or a follow-on retest cycle.
Full-stack VAPT
10-14 business days. Web + API + mobile + internal AD + cloud IAM + integration surfaces. CBO / PDPL / ISO 27001 / SWIFT CSP cross-reference.
Red Team / IT-OT
4-8 weeks. MITRE ATT&CK adversary emulation, IT / OT boundary review against IEC 62443 and NIST CSF, purple-team detection engineering.
Engagement timeline (typical 14-day Professional VAPT)
Scoping call in GST (UTC+4). NDA + MSA exchanged under preferred jurisdiction. Scope, RoE and asset list locked. PDPL data-flow noted up front.
Recon + threat-modelling against Oman-relevant actors and regulators (CBO, CMA, ITA-aware where applicable, PDPL, ISO 27001, SWIFT CSP).
Active testing — web, API, mobile, internal AD, cloud IAM, integration surfaces, IT-OT boundary where in scope. Daily Slack / Teams digest.
Draft report: CBO / PDPL / ISO 27001 / SWIFT cross-references with reproducible PoCs and developer-friendly remediation guidance.
Readout call with engineering + CISO in GST. Free retest of remediated criticals within 30 days. Final signed PDF for board, regulator and SWIFT auditors.
Oman FAQ
Does AxVeil have on-the-ground experience in Oman?
Yes. The founder spent 3+ years operating in Oman across the banking sector before founding AxVeil, with direct delivery into Omani financial-services engagements. AxVeil's prior MENA banking-sector delivery is referenced at /case-studies/banking-mena-vapt. We understand the local procurement cadence, the way Omani CISOs read a report, and the practical realities of integrating with core-banking and switch infrastructure operated by the major Omani banks.
Is AxVeil on the ITA panel for Omani Government work?
No. AxVeil is not currently on the Information Technology Authority (now MTCIT) panel in Oman. For Omani Government tenders and any panel-mandated cybersecurity work, AxVeil partners with a panelled provider that signs the regulator-facing report. For commercial buyers — Omani banks under CBO supervision, oil and gas and energy operators, telecoms, logistics, insurance under CMA and foreign-HQ companies with Oman operations — AxVeil contracts directly. Reference: https://ita.gov.om/.
Can you deliver penetration testing for Omani banks under Central Bank of Oman expectations?
Yes. The Central Bank of Oman Cybersecurity Framework expects annual independent VAPT and post-material-change retest for licensed banks, exchange houses and finance and leasing companies. AxVeil delivers the technical engagement directly under MSA to the bank's information-security or risk function; SWIFT CSP-aligned scope is overlaid on cross-border-payment infrastructure. Where a specific bank requires a tester from a pre-approved internal panel, we partner with that panelled provider. Reference: https://cbo.gov.om/.
How does Oman PDPL apply and do you deliver readiness?
Yes. Oman's Personal Data Protection Law (Royal Decree 6/2022) and its executive regulations mandate lawful basis, breach notification, cross-border-transfer controls and DPO designation for in-scope controllers. Every Oman engagement includes a PDPL gap pack covering data-flow inventory, consent architecture, retention timelines and breach-notification runbook. Penalties under the PDPL include fines and operational suspension for serious violations.
Where is AxVeil based and how do you deliver in Muscat and Sohar?
Engagements are served from our Bengaluru-headquartered team across Muscat, Sohar, Duqm and Salalah. Gulf Standard Time (GST, UTC+4) is one-and-a-half hours behind India Standard Time, so our IST working day fully covers Oman business hours including the Sunday-Thursday week. Onsite kick-offs in Muscat for sensitive internal-AD, banking-core or oil-and-gas IT / OT scopes are arranged on a per-engagement basis. We do not maintain a Muscat office.
What is the typical engagement timeline and pricing in Oman?
Pricing tiers mirror /pricing. Starter web + API VAPT runs 5-7 business days from USD 12,000. The Professional tier (web + API + mobile + cloud + CBO / PDPL alignment, ISO 27001 / SWIFT CSP evidence) runs 10-14 business days from USD 18,000-30,000. Enterprise red team and IT / OT adversary simulation engagements scope at 4-8 weeks. Pricing is USD; OMR invoicing is supported for Omani-resident buyers on request.
Do you support oil & gas and logistics sector engagements?
Yes. The Omani energy stack — PDO and OQ Group analogues, midstream operators, refining and chemicals — and the logistics anchor (Asyad, Sohar Port, Duqm and the broader maritime corridor) require IT / OT boundary testing aligned to IEC 62443 and NIST CSF, alongside the standard IT VAPT methodology. Telecoms (Omantel, Ooredoo Oman) follow a similar pattern with carrier-grade and OSS / BSS surfaces in scope. AxVeil scopes these conservatively — OT testing is read-only by default unless the operator explicitly authorises active testing during a maintenance window.
Cross-links
See /services/vapt for the CBO / SWIFT-aligned VAPT methodology, /services/red-team for IT / OT adversary emulation and /services/compliance for Oman PDPL + ISO 27001 evidence-pack design. Sibling Gulf locations: /locations/uae, /locations/qatar and /locations/saudi-arabia. Relevant industry verticals: /industries/bfsi and /industries/energy-utilities.
Need penetration testing in Oman? Talk to a tester who has worked here.
Free 30-minute scoping call in GST. We map your attack surface, name the regulators you must satisfy, and quote in USD with OMR invoicing on request.