Protect What Lives Outside Your Perimeter

Most security investments defend what is inside the firewall. Attackers operate outside it — targeting your brand, executives, customers, and digital assets across the open web, social media, and the dark web. ZeroFox closes that gap, delivered as a managed service by EnCyb.

Platform at a Glance

Threats disrupted annually through ZeroFox's Global Disruption Network

2M+

Digital platforms continuously monitored — social, dark web, marketplaces, and forums

180+

Pre-built connectors for integration with SIEM, SOAR, ITSM, and ticketing platforms

700+

The perimeter has moved. Most security programmes have not.

Your SIEM, EDR, and firewall are blind to external threats. The attack surface your adversaries target sits entirely outside your control.

Undetected Brand Abuse

Fraudulent domains, fake social profiles, and counterfeit listings damage customer trust and redirect revenue — and none of it appears in your internal logs.

Executive Targeting

C-suite impersonation, credential exposure, and physical threat signals on the dark web — these risks escalate before traditional security tooling sees them.

Invisible External Exposure

Unmanaged internet-facing assets, shadow cloud infrastructure, and third-party supply chain exposures remain unknown until an attacker exploits them.

About ZeroFox

External Cybersecurity — A Distinct and Growing Discipline

ZeroFox defines and leads the category of external cybersecurity — security for everything that exists and operates outside the corporate perimeter. While traditional security tools monitor network traffic, endpoints, and internal systems, ZeroFox focuses on the digital footprint your organisation leaves in the public domain: domains, social accounts, brand presence, executive identities, and internet-exposed assets.

The platform unifies four core disciplines — Digital Risk Protection, External Attack Surface Management, Cyber Threat Intelligence, and Automated Takedowns — in a single managed service delivered by EnCyb for organisations across the GCC.

For GCC enterprises operating under NESA, CBUAE frameworks, PDPL, and DIFC/ADGM requirements, ZeroFox provides the external visibility layer that regulators increasingly expect security programmes to demonstrate.

Unified platform — DRP, EASM, CTI, and takedowns in one solution

No siloed tools; correlated detections across the external attack surface

Analyst-validated alerts — 24/7 OnWatch reduces noise at the source

Human-vetted detections before they reach your team's queue

MSSP-native architecture — integrates with your existing security stack

700+ pre-built connectors for SIEM, SOAR, ITSM, and ticketing platforms

GCC-relevant coverage — Arabic-language and regional threat actor monitoring

Aligned to MENA threat intelligence and local regulatory reporting requirements

Industry Recognition

G2 Summer 2024 — Leader across seven report categories, with ZeroFox ranked first in Brand Protection for three consecutive quarters.

  • G2 Leader: Dark Web Monitoring · 2024
  • G2 Leader: Brand Protection · 2024
  • G2 Leader: Threat Intelligence · 2024
  • G2 Leader: Fraud Detection · 2024

Source: G2 Grid® Summer 2024 Reports. Recognition based on verified user reviews across product categories.

Platform Capabilities

Six Disciplines. One Unified Platform.

ZeroFox integrates detection, intelligence, and disruption across every dimension of the external attack surface — delivered through EnCyb as a fully managed service.

Digital Risk Protection

Safeguards your external assets — brands, domains, executives, and social accounts — from threats originating outside the corporate perimeter across the surface, deep, and dark web.

  • Brand, domain, and executive monitoring across 180+ platforms
  • AI-powered detection of impersonation, phishing infrastructure, and account takeover
  • Automated and analyst-assisted takedown execution
  • Credential exposure monitoring with dark web correlation

External Attack Surface Management

Continuously discovers, inventories, and monitors all internet-facing assets — including unknown and unmanaged infrastructure — enriched with contextual threat intelligence for risk-informed prioritisation.

  • Continuous asset discovery across your full digital footprint
  • Vulnerability enrichment with visual context for accurate assessment
  • Threat-informed scoring to prioritise attacker-targeted exposures
  • Shadow IT, cloud misconfiguration, and third-party risk detection

Cyber Threat Intelligence

Delivers full-spectrum intelligence across the surface, deep, and dark web — with human analysts maintaining authenticated access to closed forums and encrypted channels that automated tools cannot reach.

  • Dark web monitoring: stealer logs, credential markets, combo lists, paste sites
  • Dark Ops operatives with persistent access to invite-only forums
  • Finished intelligence reports and analyst-validated threat assessments
  • Timestamped evidence chains suitable for regulatory filings

Executive & VIP Protection

Monitors and disrupts threats targeting executives and high-profile individuals — impersonation, deepfakes, PII exposure, credential theft, and physical risk signals — before they escalate.

  • Executive impersonation detection across social, dark web, and marketplaces
  • Automated PII removal from data broker sites
  • Physical threat signal monitoring with location-aware risk alerts
  • 360,000+ executive-related takedowns accepted in the past year

Brand & Domain Protection

Detects and removes fake profiles, phishing domains, counterfeit listings, and brand abuse across every digital channel — protecting revenue, customer trust, and regulatory standing.

  • Image recognition and NLP to detect sophisticated fake accounts
  • Phishing site and typosquatting domain identification and takedown
  • Counterfeit product listings across app stores and marketplaces
  • Continuous monitoring with automated crawling and API integration

Automated Takedown Services

Detection without remediation is incomplete. ZeroFox combines automation with analyst oversight to disrupt and remove malicious content at scale — not just alert on it.

  • 2 million+ takedowns executed annually
  • Global Disruption Network spanning 80+ platform and hosting partnerships
  • Automated and analyst-assisted workflows for fast, scalable response
  • Escalation paths for coordinated campaigns requiring legal or law enforcement referral

Use Cases

Threats CISOs Cannot Afford to Miss

Structured around the external threat scenarios most frequently impacting GCC enterprises in BFSI and regulated industries.

01
Brand & Fraud Risk

Customers Are Being Defrauded via Fake Versions of Our Brand

CBUAE
NESA
PDPL

The Problem

Fraudulent social media accounts, lookalike domains, and fake mobile apps impersonate your brand to harvest customer credentials and payment data. These channels operate entirely outside your network perimeter — invisible to your SIEM and endpoint controls. By the time customers report fraud, significant damage has already occurred.

How ZeroFox Addresses It

ZeroFox continuously monitors 180+ platforms for brand impersonation signals — matching logos, messaging, and domain patterns using AI and image recognition. Confirmed threats are disrupted through the Global Disruption Network. Takedowns are executed without requiring your team to manage platform relationships.

What EnCyb Delivers

EnCyb manages the ZeroFox deployment, configures brand seeds specific to your digital presence, and provides validated alerts integrated directly into your existing incident response workflow. Regulatory evidence packages are produced for CBUAE reporting obligations where required.

02
Credential & Dark Web Exposure

Our Employee or Customer Credentials Are on the Dark Web Before We Know It

PDPL
NESA NCA
DIFC

The Problem

Stealer malware, third-party data breaches, and phishing campaigns routinely surface employee credentials and customer PII in dark web marketplaces. Without visibility into these channels, your first indication of exposure is often an active breach — not a warning sign. GCC regulators increasingly expect organisations to demonstrate proactive monitoring.

How ZeroFox Addresses It

ZeroFox’s dark web intelligence team — including Dark Ops analysts with authenticated access to invite-only closed forums — continuously monitors stealer logs, combo lists, paste sites, and credential marketplaces. Validated exposures are escalated within hours, with timestamped evidence suitable for regulatory filings.

What EnCyb Delivers

EnCyb operationalises ZeroFox dark web findings within your SOC — correlating exposed credentials against active accounts, triggering forced password resets, and feeding detections into your SIEM. We align findings to PDPL notification obligations and NESA threat intelligence requirements.

03
Attack Surface Visibility

We Don't Have Full Visibility of What We're Exposing to the Internet

NESA
NCA ECC
ADGM

The Problem

Digital transformation, multi-cloud adoption, and distributed development teams create internet-facing assets that were never formally catalogued. Shadow IT, abandoned cloud environments, and third-party integrations expand your external attack surface beyond what your asset management tools track. Attackers find these assets routinely — through automated scanning.

How ZeroFox Addresses It

ZeroFox EASM continuously discovers and inventories every external-facing asset — known and unknown — enriched with vulnerability data and contextual threat intelligence. Exposures are scored based on real attacker interest, not just CVE severity, enabling risk-proportionate remediation prioritisation. Third-party and supply chain assets are also surfaced.

What EnCyb Delivers

EnCyb configures EASM discovery scoped to your organisation’s digital footprint, manages ongoing monitoring, and integrates findings into your vulnerability management programme. Executive-level risk dashboards support NESA and NCA ECC compliance reporting, with remediation tracked to closure.

04
Leadership & Reputation Risk

Our Executives Are Being Targeted Online and We Need Early Warning

VARA
DIFC
PDPL

The Problem

Executive impersonation, doxxing, credential exposure, and physical threat signals have moved from edge cases to board-level concerns. Over 75% of executives have personal credentials for sale on underground marketplaces. Deepfake technology has made synthetic impersonation accessible to a far broader range of threat actors. Targeted attacks on leadership carry reputational and physical risk consequences.

How ZeroFox Addresses It

ZeroFox monitors social media, forums, the dark web, and location-adjacent signals for impersonation and physical threat indicators specific to named executives and VIPs. PII is automatically removed from data broker sites to reduce the targeting surface. Confirmed threats are disrupted through takedowns — not just flagged for manual review.

What EnCyb Delivers

EnCyb onboards executive and VIP profiles into ZeroFox, manages ongoing monitoring, and escalates high-confidence threats through your governance chain. For regulated entities in DIFC and ADGM, executive protection monitoring supports broader cybersecurity governance requirements and board-level reporting obligations.

Why EnCyb

ZeroFox Delivered as a Managed Service for the GCC

Technology alone does not close the external threat gap. Effective protection requires ongoing configuration, analyst expertise, and regional context — all of which EnCyb provides.

Analyst-Led Delivery, Not Just Platform Access

EnCyb's SOC analysts manage ZeroFox configuration, monitor validated detections, and triage external threat findings before they reach your team. You receive confirmed, actionable intelligence — not unfiltered platform alerts requiring internal security headcount to process.

Integrated with Your Existing Security Stack

ZeroFox feeds directly into your SIEM, SOAR, ticketing, and ITSM platforms via 700+ pre-built connectors. EnCyb handles the integration layer — ensuring external threat findings enrich your internal detections without requiring a parallel operations workflow.

GCC Regulatory Alignment Built In

EnCyb maps ZeroFox findings to the regulatory obligations most relevant to your organisation — CBUAE Electronic Fraud Management, NESA threat intelligence requirements, PDPL personal data breach obligations, and DIFC/ADGM cybersecurity frameworks. External threat evidence is documented in formats suitable for regulator engagement.

Rapid Time to Value

EnCyb's phased delivery model — Architect, Build, Commence, Deliver — means your external visibility programme is operational in weeks, not months. Brand seeds, executive profiles, and domain configurations are onboarded by our team with no internal security resource burden on your side.

Board-Ready Reporting and Metrics

External threat exposure is increasingly a board-level concern. EnCyb produces executive-level dashboards, threat summaries, and KPI reporting from ZeroFox data, enabling CISOs to demonstrate programme effectiveness to leadership and compliance posture to regulators.

Flexible Engagement Models

Whether your organisation has no existing external threat programme or a mature internal team seeking augmentation, EnCyb scales ZeroFox delivery to match your operational model. Co-managed configurations are available for organisations with internal SOC teams who want visibility into the managed service layer.

EnCyb Service Model: External Threat Management

EnCyb delivers ZeroFox as part of its Managed Detection and Response (MDR) service offering — extending SOC coverage to the external attack surface. External threat findings are correlated with internal detections to provide a complete threat picture. Organisations operating in BFSI, Healthcare, and critical infrastructure sectors receive sector-specific context aligned to GCC regional threat intelligence.

Regulatory Framework

Guidance on Mandatory Brand Protection, Digital Impersonation Monitoring and Takedown Controls to Prevent Consumer Fraud

Central Bank of the UAE (CBUAE) — Version date: February 2026
Issued pursuant to Article 149, Federal Decree-Law No. 6 of 2025 and the Consumer Protection Regulation (Circular No. 8/2020, Article 6)
Read in conjunction with Notice CBUAE/FCMCP/2025/3057. Applies to all Licensed Financial Institutions (LFIs) operating in the UAE.

Clause 2.3 — Mandatory Monitoring Channels

8-Channel Monitoring Coverage Required for All LFIs

The Guidance mandates continuous monitoring across all channels and surfaces used to target UAE consumers. The table below shows ZeroFox and EnCyb coverage against each required channel.

Domains / DNS & Websites (Clause 5.1): Typosquatting, homoglyph domains, lookalike sites, certificate transparency monitoring, dangling DNS detection

Email Brand Spoofing (Clause 5.2): ZeroFox detects email impersonation campaigns. DMARC/SPF/DKIM enforcement is an LFI mail infrastructure action — EnCyb provides implementation advisory.

Social Media Platforms (Clause 5.3): 180+ platforms monitored. Impersonation accounts, scam campaigns, deepfake/AI-generated content, all content formats including posts, stories, and DMs

Search Engines & Paid Ads (Clause 5.4): Fake ads on Google, Meta, Instagram using brand terms; fraudulent landing pages and lookalike funnels; credential harvesting redirects

Mobile App Stores (Clause 5.5): Apple App Store, Google Play, and third-party repositories monitored for fake banking apps and apps misusing LFI brand assets

Online Marketplaces & Public Web (Clause 2.3): Fraudulent financial product listings, counterfeit offerings, and brand abuse across major marketplace platforms and public web sources

Credit / Debit Card Abuse (Clause 5.6): Unauthorized card promotions, counterfeit card application pages, OTP/credential capture scams, impersonation of card operations channels

SMS & Messaging / OTT Channels (Clause 2.3): ZeroFox monitors for brand impersonation signals linked to SMS campaigns where LFI has official presence. Direct SMS channel control requires telecom provider coordination.

Programme Requirements — How ZeroFox and EnCyb Map to Each Clause

The Guidance requires LFIs to implement a documented, board-approved Brand Protection & Digital Impersonation Risk Management Programme. Below is how ZeroFox capabilities and EnCyb’s managed delivery address each requirement area.

Programme Requirements Table

Clause 4 — Governance: Board Oversight & Accountability

  • CBUAE Requirement: Board-approved programme, designated senior management accountable owner, documented roles across security, fraud, compliance, legal, SOC, and threat intelligence functions
  • ZeroFox Platform: Platform produces quarterly reporting data, KPI dashboards, and programme metrics suitable for Board reporting. Role-based access controls within platform support segregation of duties.
  • EnCyb Managed Delivery: EnCyb provides programme documentation support — policies, procedures, governance templates, and quarterly management reports aligned to CBUAE expectations. Advisory on risk assessment process required by Clause 4.2 (annual digital impersonation risk assessment, first assessment before 30 June 2026).

Clause 5 — Preventive Controls: Mandatory Channel Controls

  • CBUAE Requirement: Documented controls across all 8 channels (see coverage grid above). Defensive domain registrations, DMARC enforcement, social media access hardening, evidence retention
  • ZeroFox Platform: Domain, social, ads, app stores, and card abuse monitoring — full coverage. AI-powered detection of impersonation signals across all channels with image recognition, NLP, and behavioural analytics.
  • Note: DMARC/SPF/DKIM configuration (Clause 5.2) and internal privileged access controls (Clause 5.7) are LFI infrastructure actions — outside ZeroFox's scope
  • EnCyb Managed Delivery: EnCyb configures all monitored brand seeds, domain watchlists, and detection rules. DMARC advisory included — EnCyb provides implementation guidance; LFI IT team configures DNS records. Internal access controls (Clause 5.7) supported through EnCyb's BeyondTrust PAM practice where applicable.

Clause 6 — Monitoring: Continuous, Adaptive Monitoring

  • CBUAE Requirement: 24/7 continuous coverage for high-risk channels; adaptive to emerging platforms and threat shifts; integrated with fraud operations, SOC, threat intelligence, and incident response
  • ZeroFox Platform: 24/7 platform monitoring across 180+ surfaces. 24x7 OnWatch analysts validate alerts before delivery. Keyword and logo/asset matching (including Arabic transliterations), lookalike domain detection, coordinated campaign aggregation.
  • EnCyb Managed Delivery: EnCyb integrates ZeroFox alerts into your SIEM/SOAR via 700+ pre-built connectors — ensuring external detections reach fraud operations and incident response teams without manual intervention. Alert volumes are managed through analyst triage before queue delivery.

Clause 7 — Response & Takedown: End-to-End Takedown Process

  • CBUAE Requirement: Documented triage, evidence preservation, consumer impact assessment, takedown execution, platform/registrar coordination, post-incident review. Priority SLAs for active credential harvesting and funds transfer scams
  • ZeroFox Platform: 2M+ takedowns executed annually through the Global Disruption Network — 80+ platform and hosting partnerships. Automated and analyst-assisted workflows. Evidence artefacts (screenshots, domain records, ad references) preserved in platform.
  • EnCyb Managed Delivery: EnCyb operates the end-to-end takedown workflow on your behalf — triage, escalation, platform coordination, and outcome tracking. Takedown SLAs are documented in the EnCyb engagement contract per Clause 9.2. Post-incident review reports provided for material campaigns.

Clause 8 — Metrics & Records: KPIs, Assurance & Record Retention

  • CBUAE Requirement: Track time-to-detect, time-to-takedown, event volumes by channel, recurrence rates. Retain monitoring outputs, investigations, takedown records, and consumer communications for a minimum of 7 years
  • ZeroFox Platform: Platform provides dashboard reporting, KPI tracking, and timestamped event logs. Detection and response timelines recorded per event. Alert histories, investigation records, and takedown outcomes stored in platform.
  • EnCyb Managed Delivery: EnCyb produces monthly KPI reports aligned to CBUAE-required metrics (time-to-detect, time-to-takedown, volume by channel, recurrence rates). 7-year record retention supported. Audit evidence packages available for internal audit and supervisory review per Clause 8.3.

Clause 10 — Regulatory Reporting: CBUAE Incident Notification

  • CBUAE Requirement: Material impersonation/scam campaigns must be reported to the CBUAE (ifpd@cbuae.gov.ae) with impacted channels, key indicators, estimated consumer impact, actions taken, and takedown status
  • ZeroFox Platform: Platform captures all required notification data: impacted channels, domain/handle/ad references, timeline of actions, and takedown outcomes. Correlated campaign view identifies coordinated attacks meeting the material incident thresholds in Clause 10.2.
  • EnCyb Managed Delivery: EnCyb identifies when a campaign meets the Clause 10.2 materiality criteria (credential harvesting, confirmed financial loss, scale/velocity, paid amplification) and supports production of the CBUAE notification package — with verified channel indicators and documented response actions.

Clause 9 — Third-Party & Outsourcing Requirements

Your LFI Remains Accountable. Choose Your Vendor Accordingly.

The Guidance is explicit: “LFIs remain fully accountable for compliance with all relevant features of the Programme… Non-compliance with this Guidance by a third party will be treated as non-compliance by the LFI itself.” This means that choosing a brand protection vendor is a compliance decision, not just a technology procurement. Your vendor’s SLAs, audit rights, data handling, and incident obligations are your compliance obligations. EnCyb operates as your accountable managed service partner — with documented contracts that satisfy all six provisions of Clause 9.2.

Material Incident Reporting to CBUAE (Clause 10)

When a confirmed impersonation or scam campaign meets the materiality thresholds defined in Clause 10.2 — including credential harvesting, confirmed financial losses, multi-platform propagation, or paid amplification — the LFI must notify the CBUAE at ifpd@cbuae.gov.ae. EnCyb identifies when these thresholds are met within the ZeroFox platform, prepares the required notification content (impacted channels, key indicators, consumer impact assessment, actions taken, and takedown status), and supports the LFI's compliance team in timely regulatory engagement.

Understand where your institution stands against the CBUAE Guidance requirements. EnCyb provides a no-obligation compliance gap assessment.