They shipped an eval suite before they shipped the model. That's when I knew we hired the right team.
RH
Ryadh Hussein
Head of Platform · Riyadh fintech
✦ Made in the Kingdom
Yoursystems.
Protected, compliant, and always on.
We secure your systems, build custom software, and make sure your organization meets every regulatory requirement — so you can operate with confidence.
Security · Compliance · Software
Tuwaiq Tech helps Saudi organizations stay secure, compliant, and operational. Cybersecurity, custom systems, compliance, vCISO — all under one team.
shipping in production for
✦ Who we are
Built to hold up
when it matters.
Built in Saudi Arabia, our name comes from Mount Tuwaiq — one of the most enduring landmarks in the Kingdom. We carry that same posture: built to hold up when it matters.
We work with government entities, financial institutions, and businesses that can't afford downtime, security gaps, or failed audits. We know the Saudi regulatory environment from the inside, and we're here for the long term.
✦ Principles
What we
hold to.
01
Robustness
Systems built to hold up — under pressure, under attack, and over time.
02
Agility
Fast response to change. No 12-month timelines for decisions that need to happen now.
03
Transparency
You always know where you stand — in your security posture, your project, and your risks.
04
Compliance
NCA, SAMA, ISO 27001. Non-negotiable in every engagement, from day one.
✦ What we do
We hand you a
capable working system.
Not a slide deck and not a backlog of promises. Compliance ends with controls in place; software ends with a system your team can run.
tuwaiq — live
$ [boot] tuwaiqtech.engine v4.7 ready
$ [auth] mTLS handshake · cipher=TLS_AES_256_GCM_SHA384
$ [model] loaded riyadh-7b · ctx=128k · quant=q6
$ [sla] p50=41ms p95=118ms p99=204ms
$ [deploy] region=me-central-1 · replicas=6/6
$ [sec] scan=0 findings · last 14d
✦ How we work
Four stages. No surprises.
You always know what's been done, what's next, and what you'll own at the end.
01
Discover
We map your environment, your compliance obligations, and your actual risk — not a generic risk template. Honest goals, written down.
02
Design
Architecture and security controls are agreed before anything is built. No surprises mid-project.
03
Build & Test
Weekly demos. Small, verifiable increments. Every finding is closed end-to-end — not logged and forgotten.
04
Hand Over
You receive the full system: source code, runbooks, policies, SLA documentation. A running operation — not a slide deck.
✦ Selected work
Shipped in the Kingdom.
Fintech−73% p95
Bilingual SME lending platform
Migrated a legacy SAMA-regulated lending flow to an Arabic-first portal. p95 latency cut by 73%.
Read case study
Public sector2M docs / mo
Arabic document intelligence
RAG pipeline processing 2M Arabic documents a month. Human-in-the-loop, fully auditable, on-prem.
Read case study
✦ Wall of clients
Loved by the teams we care about most.
Bilingual from the first pixel. No retrofits, no awkward Arabic. Our users felt it on day one.
NS
Noura Al-Sayed
Product Lead · Jeddah e-commerce
Small team, senior engineers, zero theatrics. We skipped three months of vendor dance and just built the thing.
FH
Faisal Al-Harbi
CTO · Riyadh-based fintech
They found two gaps in our threat model before we'd even signed. That set the tone for the whole engagement.
KM
Khalid Majed
CISO · Dhahran energy sector
Runbooks, evals, on-call docs — we inherited a system we could actually operate without them.
LB
Lina Bakr
Director of Engineering · NEOM partner
They told us the cheaper path three times. I still don't know another agency that would have done that.
OG
Omar Ghanem
VP Data · Riyadh conglomerate
p95 latency cut 73% in nine weeks. We expected a slide deck, we got a shipped system.
RD
Reem Al-Dossary
Head of Ops · SME lending
Weekly demos against real users. No 12-month waterfall, no PowerPoint theater. Refreshing.
TS
Turki Al-Shammari
Director · Public sector digital
FAQ
Questions we hear a lot
Straight answers. If you need more, just say so.
Still got questions? Talk to usYes — every engagement maps to NCA's Essential Cybersecurity Controls by default. SAMA CSF, ISO 27001, and NIST are layered in where the sector requires it. Gap assessments come with a remediation plan your team can actually execute, not just a list of findings.
Yes. AppSec Solutions, the EMS, and the Event Management System all support fully on-premise and air-gapped deployments — no outbound data to external servers. This is the standard setup for regulated sectors in the Kingdom.
A named senior security professional, embedded with your team. They handle security strategy, board and regulator reporting, vendor risk reviews, and incident oversight. Typically 2–5 days per month, scaled up during audits or active incidents.
Yes — most of our clients aren't. If your organization handles data, operates systems, or answers to a regulator, you need what we offer. We explain everything in plain language and never assume prior technical knowledge.
Discovery usually begins within one to two weeks of signing. Gap assessments and vCISO engagements often start sooner. If our schedule is tight, we'll tell you upfront — no false promises.
You do — completely. Source code, policies, assessment reports, configurations, everything. No ongoing license fees for things we built specifically for you.
Yes. Infrastructure and systems we build can stay under a managed support contract with defined response times, resolution commitments, and monthly reporting.
✦ Let's begin