Built for the AI Attack Surface

Traditional penetration testing was designed for a world where software was static, APIs were synchronous, and nothing acted autonomously. That world is gone.

Who We Are

pentest.ae is a Dubai-based Agentic AI Security consultancy — the first in the GCC to build a documented methodology for testing AI agents, LLM applications, and autonomous systems.

We exist at the collision of two forces: the rapid enterprise deployment of AI agents across the UAE and GCC, and the corresponding explosion in AI-specific attack surface that traditional penetration testing firms are entirely unequipped to assess.

What We Believe

AI agents are the new attack surface. Every AI agent your enterprise has deployed can read instructions, call tools, maintain memory, and take autonomous actions. Each of those capabilities is an attack vector. Prompt injection, tool poisoning, memory manipulation, and agentic privilege escalation are not theoretical risks — they are active threat vectors being exploited now.

Human-led beats fully automated. AI agents in our APEX methodology automate reconnaissance and fuzzing — covering attack surface that would take a human team weeks to enumerate manually. But human senior researchers drive creative attack chaining, findings narrative, and remediation guidance. This combination eliminates the false-positive noise that purely automated tools produce.

The NomadX family is the advantage. pentest.ae finds vulnerabilities. devsecops.ae remediates them. kubernetes.ae hardens the infrastructure. No standalone security firm can offer this end-to-end offensive-to-defensive loop.

Our Methodology: APEX

We operate on the APEX methodology — Agentic Penetration Exercise:

  • PLAN — Scope definition, threat modeling, AI architecture review, rules of engagement
  • SURFACE — Asset discovery, tool connection mapping, privilege scope enumeration
  • EXPLOIT — Manual prompt injection chaining, tool poisoning, parallel AI agent fuzzing
  • PERSIST — Lateral movement simulation, privilege escalation through agent chains
  • REPORT — Narrative findings, CVSS scoring, prioritized remediation roadmap

We never begin an engagement without written authorization from a person with legal authority over the systems being tested — Federal Decree-Law No. 34 of 2021 (UAE Cybercrime Law) compliance is non-negotiable.

Founder

Aizhan Azhybaeva leads pentest.ae as the fifth brand in the NomadX consulting family, headquartered in Dubai, UAE. The NomadX family serves enterprise and regulated-sector clients across the GCC — nomadx.ae (AI Agents), devsecops.ae (DevSecOps), kubernetes.ae (Kubernetes), ledgers.ae (Agentic Payments), and pentest.ae (AI Security Testing).

Find It Before They Do

Book a free 30-minute security discovery call with our AI Security experts in Dubai, UAE. We identify your highest-risk AI attack vectors — actionable findings in days.
