Company / About

Built by operators. Shipped on your turf.

Muscat, Oman Founded 2025 Build 0.7.2

01Origin

ctOS:BLADE started on a pentest engagement. We were tracking findings across Nessus, Burp, and manual testing in a shared spreadsheet — cross-referencing scan results with asset owners, attaching PoC screenshots to Jira tickets that weren't built for this, and scrambling to assemble evidence packages before the auditor showed up.

Every security team we talked to in the GCC had the same problem. The scanners were fine. The tracking was broken.

BLADE is the tool we wanted and couldn't find: a single backlog for every finding, from every source, with signal weighting, SLA enforcement, and auditor-grade exports — without a six-month integration project.

02Who we are

ctOS:BLADE is an Omani security company based in Muscat. We do real penetration testing work — web applications, APIs, cloud infrastructure, and LLM red-teaming for financial institutions and regulated firms in the GCC region.

Recent engagements include authorized red-team work against a GenAI banking platform and full-stack pentesting for mid-market financial services clients operating under SAMA and NCA frameworks.

BLADE exists because the tools we wanted as operators didn't exist — so we're building them. We use it on our own engagements. If it doesn't work for us, it doesn't ship.

Practitioner-built, not VC-funded This is not a platform play. There is no board asking about ARR growth or pushing feature churn. We ship what mid-market security teams actually need, tested on real engagements, at a price that doesn't require executive sign-off for a year.

03What we focus on

4–40

Person security teams

GCC +

MENA primary, global secondary

500–50k

Assets under management

Industries: Banking, fintech, insurance, government, regulated SaaS — any organisation where a regulator can ask to see your remediation evidence and you need a better answer than "let me check Slack."

Compliance regimes we build for: PCI DSS, ISO 27001, SAMA CSF, NCA CRF, GDPR. BLADE's export packs are structured to match what auditors actually ask for, not generic PDF dumps.

04How we work

Deployment	SaaS, VPC, on-prem, or fully air-gapped. Your findings never leave your trust boundary unless you push them.
Telemetry	SaaS sends a daily heartbeat (license check, build version, aggregate count — no finding content). Air-gapped sends nothing. Literally nothing.
Support	Direct access to the people who build the product. No ticketing queue, no tier-1 script readers.
Pricing	Transparent. Three tiers, no per-finding fees, no surprise add-ons. See pricing.
Roadmap	Public and honest. Pre-v1.0 now. GA is 2027. If a feature matters to your evaluation, ask — we'll give a real timeline. See FAQ.

05Security posture

We build a security product. Our own security posture is non-negotiable.

TLS 1.2+ for all data in transit
Encryption at rest for customer tenant data and backups
Role-based access with least privilege and mandatory MFA for administrative access
Tenant isolation and separation of production, staging, and development environments
Regular penetration testing by independent third parties
Incident response runbooks documented, roles defined, tested annually

Security researchers can report vulnerabilities via our responsible disclosure policy. We acknowledge within 2 business days, triage within 5, and coordinate disclosure with a typical 90-day embargo.

06Contact

We're a small team. You'll talk to the people who write the code.

General inquiries and demos: support@ctosblade.com
Security vulnerabilities: security@ctosblade.com

Ready to see it?

We'll wire up a scanner, import a recent pentest, and show you your backlog — signal-weighted — in under 20 minutes.

Request Access →