How we operate.
DarkCov operates under the laws of the Kingdom of Saudi Arabia and the standards set by its regulators. This page describes what we are willing to disclose about our jurisdiction, our engagement model, the controls we apply, and the answers we give to the questions we are asked most often. Specific engagement details are not published here and will not be shared, under any circumstance, with any party outside a signed agreement.
Operating jurisdiction
DarkCov LLC is established and headquartered in Riyadh, Kingdom of Saudi Arabia. Our operations, personnel, and primary infrastructure are Saudi resident by default. This is a position, not a marketing line. Sovereign capability requires sovereign control of the people, the data, and the supply chain that produce it.
Engagements are scoped against the national interest considerations of the Kingdom as a matter of policy, before they are scoped against the requirements of any specific client. Where an engagement would not be compatible with Saudi national interest, it does not proceed.
Regulatory framework
Our work falls under, and where applicable is aligned to, the following instruments issued by the Kingdom of Saudi Arabia and its competent authorities.
Engagement model
Every engagement with DarkCov follows a fixed sequence. The sequence exists because capability is a serious instrument and the process of transferring it is a serious undertaking.
- Inbound contact. Direct email to our principals. Referrals from existing sovereign clients are preferred.
- Qualification. The identity of the ultimate principal is verified. Intermediaries whose principal cannot be identified are declined.
- NDA execution. A written, signed Non-Disclosure Agreement is in place before any technical detail is exchanged.
- Scoping. The problem, the objective, and the success criteria are defined in writing.
- Engagement agreement. A separate, signed contract setting out deliverables, price, term, governing law, and delivery controls.
- Execution. Work performed under program-specific controls.
- Delivery. Handoff under controlled conditions. Artefacts, documentation, and any residual material are accounted for.
The existence of an engagement is never confirmed or denied to third parties. Once an engagement concludes, it remains confidential unless the client authorises otherwise in writing.
Personnel
Critical positions within our cybersecurity and engineering functions are held by Saudi nationals, in line with the personnel requirements of the NCA Essential Cybersecurity Controls. Background verification is applied to all personnel in sensitive roles.
Access to engagement material is granted on a need-to-know basis, is time-bounded, and is logged. Personnel may only discuss engagements within authorised channels. Termination of access follows a documented offboarding process.
Information security
Our information security program maps to the four pillars of the NCA Essential Cybersecurity Controls: Governance, Defense, Resilience, and Third Party and Cloud. Applicable subdomains are implemented as controls and reviewed on the cadence specified by the framework.
Cryptographic protection uses algorithms, key lengths, and implementations consistent with the National Cryptographic Standards (NCS 1:2020). Data in transit is protected by strong transport security. Data at rest is protected by encryption at the level required by its classification. Systems and networks are segmented by engagement and by classification.
Data handling
Operational data resides within the Kingdom of Saudi Arabia by default. Where a cross-border transfer is unavoidable, it is performed in accordance with the Regulation on Personal Data Transfer outside the Kingdom, using one of the lawful mechanisms recognised by SDAIA at the time of transfer.
Classified material follows the controls set by the relevant engagement and by the competent authority. Those controls are, in some cases, more restrictive than the PDPL baseline. Where that is so, the more restrictive standard applies.
Infrastructure
Primary infrastructure is hosted inside the Kingdom. Where third-party hosting or managed services are used, the provider is selected in accordance with the NCA Cloud Cybersecurity Controls (CCC 1:2020) and a written contract that binds the provider to the confidentiality, security, and data residency terms of the engagement.
No engagement material leaves managed infrastructure without explicit authorisation, without logging, and without the controls appropriate to its classification.
Incident response
DarkCov operates a formal incident response capability. Incidents are triaged against severity, data classification, and regulatory reporting obligations.
Where a personal data breach is likely to pose a risk to the rights and interests of data subjects, SDAIA is notified within seventy-two hours in accordance with Article 24 of the PDPL Implementing Regulations. Material incidents are coordinated with Saudi CERT as appropriate. Affected parties are informed without undue delay where the law or the engagement requires.
Disclosure policy
DarkCov does not publish engagement details, case studies, or client logos. We do not grant interviews that discuss active or historical engagements. Requests for comment on named or alleged work are declined.
Where a public statement is appropriate, it is made by the firm through official channels and not by individuals. Our personnel are not spokespeople for our clients and will not answer for them.
Questions we are asked most.
Riyadh, Kingdom of Saudi Arabia. The entity, the critical personnel, and the primary infrastructure are resident in the Kingdom.
We are a research and development firm. Our work spans advanced cyber capability, unmanned aerial systems, multi-spectrum sensor and ISR systems, and high-assurance engineering. Capability detail is scoped under NDA on an engagement basis.
Only when explicitly authorised under the relevant engagement. The majority of what we do is not, and will not be, publicly referenced. If you are looking for published work as evidence of capability, we are not the right firm for you.
No. DarkCov works with government, defense primes, and vetted sovereign partners. We do not operate in the commercial grey market. We do not accept orders placed anonymously or through intermediaries whose principal cannot be verified.
Yes. DarkCov processes personal data in accordance with the Personal Data Protection Law of the Kingdom of Saudi Arabia (Royal Decree No. M/19, as amended by Royal Decree No. M/148) and its Implementing Regulations. Our Data Protection Officer oversees compliance and engages with SDAIA on behalf of the firm.
Yes. Our security program references the current Essential Cybersecurity Controls (ECC 2:2024) across the applicable domains. For engagements that touch Critical National Infrastructure, the Critical Systems Cybersecurity Controls (CSCC) apply in addition. Cryptographic protection follows NCS 1:2020.
Inside the Kingdom. Contact details submitted through darkcov.com are processed under the terms of our Privacy Policy and retained only for as long as required for the relevant correspondence, or for any longer period imposed by Saudi law.
No. We do not confirm or deny the existence of any engagement to any third party. This holds regardless of the source of the request, including media, researchers, and commercial counterparties.
No. We do not purchase bugs, exploits, or capability from unverified sources. We do not participate in open bug bounty programs. Researchers interested in working with us should do so through a formal employment or contractor relationship.
Email contact@darkcov.com from an identifiable organisational address with the name of the principal and the subject of the briefing you are requesting. A briefing slot is arranged through direct contact under NDA. We do not respond to anonymous inbound traffic.
Disputes are governed by the laws of the Kingdom of Saudi Arabia and are subject to the exclusive jurisdiction of the competent courts sitting in Riyadh. Where appropriate, commercial disputes may be referred to the Saudi Center for Commercial Arbitration under the rules of that Center.
Our Data Protection Officer at dpo@darkcov.com. You may also file a complaint directly with the Saudi Data and Artificial Intelligence Authority through the National Data Governance Platform.
security@darkcov.com. Disclosures made in good faith without exploiting or extracting data are handled through our incident response process and treated as confidential. Unauthorised testing remains a criminal matter under Royal Decree No. M/17.
Each third party is engaged under a written agreement that binds them to the confidentiality, security, and lawful processing requirements of the PDPL and of the relevant engagement. Where personal data is involved, a Data Processing Agreement is signed. Residency, access, and audit rights are set contractually and enforced.
Yes. Engagements that do not meet our qualification criteria, that are not compatible with the national interest of the Kingdom, or that cannot be delivered to the standard we expect, are declined. The decision is final and is not appealable.