Saudi cybersecurity controls

Penetration testing evidence for NCA ECC programs

Structure authorized penetration testing and remediation evidence for an NCA ECC program while keeping regulatory interpretation and compliance decisions with the proper authority.

Authorized scope

Document target owners, permitted assets, identities, techniques, exclusions, test windows, and escalation contacts before active testing.

Traceable evidence

Keep dated findings, reproducible observations, risk context, remediation decisions, and retest outcomes available for review.

Official NCA source

Confirm the current ECC version, applicability, implementation guidance, and assessment expectations directly with NCA materials.

Use ECC as governed context

NCA’s official regulatory page currently identifies ECC 2-2024 and links implementation guidance. Revaizor does not reproduce or reinterpret the controls. Control owners should use the current NCA publications to decide what applies and how penetration-testing evidence is mapped.

Plan an evidence-producing engagement

Translate approved risk and assurance objectives into a bounded test plan. Confirm which systems are in scope, whether authenticated access is appropriate, what exploitation limits apply, how sensitive evidence will be handled, and who can authorize changes during the engagement.

  • Preserve the signed authorization and rules of engagement with the report.
  • Identify assumptions, unavailable systems, exclusions, and environmental constraints.
  • Record finding validation and retest status separately from initial discovery.

Map only after technical review

Findings can be associated with an organization’s internal ECC evidence matrix after security and compliance owners review the facts. A single finding may inform several controls, while a clean test result does not prove that every related control is designed or operating effectively.

Prepare for assessor questions

A reviewer may ask why the scope was selected, which attack paths were attempted, how severity was assigned, what could not be tested, and how remediation was verified. Clear boundaries and evidence provenance are as important as the finding list.

Frequently asked questions

Does Revaizor certify NCA ECC compliance?

No. Revaizor can support authorized testing and produce technical evidence. It does not issue an NCA certification or determine compliance.

Which ECC version should our team use?

Use the current version and guidance published by NCA at the time of your assessment. The official NCA ECC page is the primary source; do not rely on this marketing page for control text or regulatory interpretation.

Is a vulnerability scan enough for ECC evidence?

A scan and a penetration test answer different questions. Evidence needs depend on your approved scope and assessor expectations. Confirm the required method, depth, cadence, and validation with your control owners and assessor.

Define your next security mission

Tell us the target type and desired outcome. Sensitive scope details are collected after qualification.

Request a scoped pentest