“The problem with legacy players is that most of them will come at you with software. But the thing is that if you don’t think like a hacker, you will not be able to fight back the hacker."

Ankush is a journalist hailing from India, who has edited and written for publications in his home country, the UAE, US, and UK. Previously the editor of Gulf Business in Dubai and of Entrepreneur in India, Ankush is a keen student of economics, a follower of Manchester United since 1996 and a disciple of Archer.

What we do know as of now is that it started on Friday, May 12, somewhere in Asia, and quickly spread to over 200,000 computers in over 150 countries, according to Europol Director Rob Wainwright, crippling everything from Britain’s National Health Service to Telefonica, the Spanish telecom giant. According to Kaspersky Lab, the Moscow-based cybersecurity provider, Russia, Ukraine, India, and Taiwan were the worst affected.

In most of the Middle East, given the attack started on a Friday (day one of the weekend in most parts of the Arab world), organizations both private and public scrambled to get their house in order before the working week started on Sunday.

Needless to say, Mohamed Amine Belarbi, the Moroccan co-founder and CEO of UAE-based VUL9 Security Solutions, had one of his busiest weekends on record starting that Friday.

As one of the few regionally built cybersecurity providers, and one on its way up, VUL9 had its hands full beating down one of the bigger cybersecurity threats the world has seen in a while. Not that Belarbi is complaining.

Threat = opportunity

Cyberattackers have for long found institutions and businesses in the MENA region, and especially the Gulf countries, to be easy and frequent targets for their nefarious ways.

In the Middle East, cybercrime is the second most common form of economic crime reported with total losses varying between $1 million and $100 million annually, according to PricewaterhouseCoopers’ 2014 Global Economic Crime Survey.

According to a global annual study by Gemalto, called the Data Security Confidence Index, almost 100% of organizations surveyed in the MENA region have said that they’d experienced a breach of some kind in the last five years leading up to 2016.

The same report also said that companies all around the Middle East have suffered multiple cyberattacks and data breaches in the last five years, totaling a massive $1.5 million in losses. The cost of detecting and fixing these breaches? $35 million.

Belarbi explains the reasons why the region is a cybercrime hotbed: Huge cash flows within the economic ecosystems, political instability (save the UAE and Qatar), and extremely high smartphone and internet penetration rates.

“In Saudi Arabia, for example, every person has two or three connected devices. And the adoption rate of new technologies and devices is high. The exposure to technology, and thus the risks with it are high too.”

Predictably, all this cybercrime has made the region a  revenue churner for global cybersecurity providers ranging from the likes of Symantec and Kaspersky Labs to smaller players operating out of technology hotbeds like India.

This is precisely the apple cart that VUL9, Belarbi, and his co-founder and CTO, and fellow Moroccan Mohamed Zakariae El Khdime want to upset.

El Khdime, an ethical hacker who was also once student ambassador for the likes of Google and Microsoft, states proudly that legacy companies just cannot do what they can.

“These companies are now in the proprietary solutions business…more revenue with less effort. They want you and your business to buy software. But cybersecurity is an infinite game, and no one [in the region] is doing active cybersecurity,” he says.

Belarbi is reluctant to say that states like UAE and Saudi Arabia, which are some of the most affected countries in the world when it comes to cyberattacks, and the organizations there are not putting the safeguards in place or not looking to combat cyberattacks.

“It is unfair to say the safeguards are not in place. But the nature of threats keeps changing” says Belarbi.

“You can fix a breach today, and tomorrow there will be new vulnerabilities. Firms here tend to buy these solutions from global providers for a million dollars but they only give you a false sense of security. They can be obsolete in no time with the constantly changing nature of cyberattacks.”

“We can do much more than the India or US-based providers, and that is to say nothing of the quality of work we can offer,” adds El Khdime.

The work

Belarbi has been in the UAE for over five years, which included a finance and economics degree at New York University, Abu Dhabi (NYUAD).

But the degree was finished along with many side gigs, all entrepreneurial in nature including running a lifestyle magazine and a business media platform.

It was at a hackathon at NYUAD that Belarbi met El Khidme, a white hat hacker (cyber security specialists and experts who break into protected systems and networks to test and assess their security).

El Khdime came with more than his share of fame in the ethical hacking world. 

He was also connected to what you can call the internet-you-don’t-see and knew more than a fair share of fellow white hat hackers working in the cybersecurity world.

It took all of a day for the two to come together and start VUL9’s first avatar—a collective of white hat hackers out to tap into the growing cybersecurity opportunity in the Middle East, and especially the Gulf region.

With not much to go for but the skills of the white hat hackers they now represented, the duo went in with a unique (as far this region goes) strategy to get new clients—going straight for the jugular of the biggest gun in town.

Eager to tap into the region’s emerging business ecosystem, the collective went after the biggest emerging business in town—Souq.com, the e-commerce giant. “The first platform we looked at was Souq.com. We found a major flaw in their security, and reached out to the management after that,” says Belarbi, without disclosing the nature of the breach.

“It was significant,” and Souq.com became their first client.

Belarbi says that their approach has managed to get them the attention they would not have got in the sea of cyber security providers. “For businesses in the region, access to user data is of vital importance. This is what we try focus on, find a flaw there, and take it to the management or CTO,” he says.

“This got us through the door even when we did not have a logo in place. Hit the core asset of the company or no one is going to pay attention.”

Attention, they have paid.

Careem, a possible-unicorn-in-the-making is now its flagship client, and many others are coming on board. Manageo, a CRM and ERP solutions firm based out of Morocco is also onboard.

The firm is also finalizing agreements with four major entities in the UAE, including two major banks and two universities. The company is also starting work with Insydo, a hyper-local listing and guide for Dubai, and what Belarbi says is eventually going to be one of the UAE’s first few influencer marketing platforms.

Investors have taken notice too. VUL9 raised a seed funding of $90,000 from Mohammad Kamali, the firm’s investing partner, and is currently finalizing a $100,000 investment by Dr. Nasser Al Tayyar, chairman of KSA-based Al Tayyar Travel Group, at a $2 million pre-money valuation.

The strategic funding, which values them at about $2 million, is expected to help them break into the Saudi markets, as well as expand their R&D, says Belarbi, disclosing that they are on track to make revenues of $500,000 for the current financial year.

Hack for Good

But what next, after you get through the door? How do you fight the big guys with their million-dollar marketing budgets and relationships that have been built up over the years?

Once through the door, Belarbi explains, the VUL9 team does a one-on-one security audit, which involves deeply understanding and investigating the firm’s IT architecture and infrastructure, and then presenting the final findings to the senior management.

Predictably, he says, most of the findings are scary, and with due reason. The relationship typically goes to the next level, with VUL9 offering a long-term security package, which includes recurrent security audits, real-time monitoring from the security operations center they have set up in Morocco, training of the technical and non-technical staff, and consulting on policy-making to influence the firm’s cybersecurity culture.

For El Khidme, the legacy players in cybersecurity have little chance of matching an upstart like VUL9, which he claims has more drive and adaptability than the former.

For one, says Belarbi, it helps that they are a regional, Arab entity and can dispatch someone from their centers in Morocco or UAE in a matter of hours should a major breach happen as against an overseas player that will offer help depending on the size of the deal they have signed with the client.

“We tell our clients that we will grow with you. We sit with their tech teams from the beginning, assimilating the best practices to help continually develop their cybersecurity from within,” says Belarbi.

Explaining why he invested in VUL9, Kamali points to that ability as well.

“What makes VUL9 unique are its human assets…globally recognized ethical hackers…and its investment in building products that target the weakest link in any company’s security structure…its human factor.”

According to the duo, the VUL9 team, made up of in-house and contractual white hat hackers, is unmatched in the region when it comes to sheer talent.

Belarbi says that the VUL9 collective is made up of Hall of Fame bug bounty hunters who have hacked and reported flaws in tech giants like LinkedIn, PayPal, Google, and Facebook.

“We are super proud of the people we work with,” says El Khidme. “They have been recognized by tech giants for the work they have done in cybersecurity. But they choose to work with us because they trust us and what we are doing.”

He gives the example of a 16-year old hacker and high-schooler VUL9 works with, who discovered major security flaws in PayPal and is on their Hall of Fame.

“The problem with legacy players is that most of them will come at you with software,” says Belarbi.

“But the thing is that if you don’t think like a hacker, you will not be able to fight back the hacker. Our people can find things that checklists cannot.”