Built for the AI QA Gap

Who We Are

pentest.qa is the international AI security testing practice of the NomadX consulting family — and the first global firm to build a documented methodology specifically for engineering and QA teams shipping AI applications.

We operate from Dubai, UAE, and serve clients worldwide. Where pentest.ae handles AI security for the GCC enterprise market, pentest.qa serves the rest of the world — the SaaS companies, FinTech platforms, healthcare applications, and enterprise technology firms deploying AI globally.

We test what your QA pipeline cannot: prompt injection, tool poisoning, memory manipulation, and agentic privilege escalation. These are not theoretical vulnerabilities — they are active attack vectors being exploited in production AI systems today.

The QA Gap We Fill

Traditional software had a clear separation between functional testing (does it work?) and security testing (can it be exploited?). QA teams owned the first. Security teams owned the second. The separation worked because software was deterministic: given the same input, it produced the same output.

AI agents break this model. An AI agent doesn’t just run code — it reads natural language instructions, calls external tools, maintains memory, and takes autonomous actions. Each of those capabilities is an attack surface. And none of them can be tested with unit tests, integration tests, or end-to-end tests designed for deterministic software.

The result: engineering teams ship AI features that pass every QA gate and are still exploitable. Not because QA teams are doing a bad job — but because the testing methodology was designed for a different kind of software.

pentest.qa closes that gap. We bring AI security testing to the engineering organization — as a service you engage for periodic deep assessments, and as a capability you embed permanently in your CI/CD pipeline through our Security QA Integration service.

Our Methodology: APEX

We operate on the APEX methodology — Agentic Penetration Exercise:

• PLAN — Scope definition, threat modeling, AI architecture review, CI/CD pipeline access mapping, rules of engagement
• SURFACE — Asset discovery, tool connection mapping, privilege scope enumeration, pipeline integration point identification
• EXPLOIT — Manual prompt injection chaining, tool poisoning, memory manipulation. Parallel AI agent fuzzing with Garak and PyRIT
• PERSIST — Lateral movement simulation, privilege escalation through agent tool chains
• REPORT — Narrative findings, CVSS scoring, ISO 27001 / SOC 2 / NIST AI RMF compliance mapping, CI/CD integration recommendations

APEX is the first documented methodology for systematically testing AI agents and LLM applications — adapted for global compliance frameworks and, uniquely, for integration into engineering QA workflows.

No engagement begins without written authorization from a person with legal authority over all systems in scope. We provide a standard Authorization to Test (ATT) document.

Why Global Matters

AI is a global attack surface. The same OWASP LLM Top 10 vulnerabilities exist in an AI application whether it’s deployed in San Francisco, London, Singapore, or Dubai. The same prompt injection techniques work regardless of jurisdiction. The same APEX methodology tests them.

What changes by geography is the compliance framework: GDPR in Europe, HIPAA in the US healthcare sector, PCI DSS globally in financial services, NIST AI RMF for US government and defense, DORA for EU financial entities. pentest.qa maps every engagement to the compliance frameworks relevant to your organization — wherever you operate.

The NomadX Family

pentest.qa is the sixth brand in the NomadX consulting family:

• pentest.qa — AI Security Testing (Global)
• pentest.ae — AI Security Testing (GCC)
• nomadx.ae — AI Agents Consulting
• devsecops.ae — DevSecOps Consulting
• kubernetes.ae — Kubernetes & AI/ML Infrastructure
• ledgers.ae — Agentic Payment Infrastructure

The family integration is our structural advantage: pentest.qa finds vulnerabilities. devsecops.ae remediates them. kubernetes.ae hardens the infrastructure. No standalone security firm can offer this end-to-end offensive-to-defensive security loop.

Founder

Aizhan Azhybaeva leads pentest.qa as part of the NomadX consulting family, headquartered in Dubai, UAE. The NomadX family serves enterprise and regulated-sector clients across the GCC and globally — bringing together AI agents, DevSecOps, Kubernetes, payments, and AI security testing under one roof.