The UAE vs India cybersecurity buyer — same problem, very different sale.

Wattlecorp does work on both sides of the Gulf. We sell pentests, red team engagements, compliance work, and training to enterprises in the UAE and to enterprises in India. The underlying technical work — running an engagement, finding the same classes of bug, writing the same kind of report — is largely identical between the two markets. Almost everything else is different. The buyer is different, the procurement cycle is different, the pricing logic is different, the way you close is different, and the way you keep the relationship after you close is very different.

I'm writing this for two audiences. One, peers in the region who keep asking why their UAE pipeline converts so much slower than their India pipeline (or vice versa). Two, founders thinking about expanding from one to the other and assuming it'll be a transplant. It won't.

The UAE buyer is compliance-driven and committee-led. The India buyer is ROI-driven and champion-led.

That's the headline. Everything else flows from it.

In the UAE — and this generalises across most GCC enterprises, with shades for KSA and Qatar — the cybersecurity purchase is almost always triggered by a regulatory or audit obligation. NESA, ADHICS, ISR, SAMA, sectoral regulators, internal audit committees with real authority. Buyers have a deadline that came from a regulator, a budget that's already been ringfenced, and a procurement process that involves three or four people who have to all agree before you sign. The economic buyer is rarely the same person as the technical buyer, who is rarely the same person as the procurement gatekeeper. You will pitch the same engagement four times to four different audiences, and the contract terms will get walked back in the last week by a legal review you didn't know about. The successful sale here is the one that survives that gauntlet — clear scope, clear deliverables, clear mapping to whatever regulation triggered the spend, and pricing that fits inside the pre-approved budget envelope. Going under the envelope to win on price actively hurts you in this market — the buyer assumes you cut corners. Going over forces a re-approval the buyer doesn't want to do. Land inside.

In India, the same pentest engagement is sold completely differently. The technical decision-maker, very often, is also the budget holder, and they want to talk to your senior engineer for forty-five minutes about methodology before they care about commercials. They're benchmarking you against two or three other vendors, sometimes in real time on the call. They're making a calculated bet on quality-per-rupee. The procurement step exists but it's not the gate; the technical buyer's say-so largely closes the deal. The cycle is faster — three to six weeks from first call to signed SOW is common — but the price elasticity is brutal. There is always a smaller competitor willing to undercut you by 30%. The way you win is by being so obviously better on substance that the buyer can defend the higher number internally as the right call.

Pricing logic flips between the two. In the UAE, fixed-price scopes win because they fit procurement. Time-and-materials makes the procurement officer nervous. The premium for being a known regional name is real and bookable. In India, time-and-materials is fine and often preferred — the technical buyer wants flexibility. Discounts are expected; not offering one signals you don't take the buyer seriously. The premium for being a known name is much smaller; the buyer is looking at the senior engineer's CV, not the company logo on the proposal.

The relationship after the sale is also opposite. UAE clients, once you're in, tend to stay in. The renewal happens because the procurement of switching is painful and your contact got promoted to the role that signed off on you. The compounding from a single relationship over five years is enormous. India clients are loyal to senior engineers, not to firms. If your senior moves, the client may move with them. The retention work is at the engineer level — give your seniors visible client relationships, not generic account managers — or you'll lose work you thought was sticky.

A few practical implications I've watched founders get wrong.

Sending the same proposal deck to both markets is a mistake. The UAE proposal needs the regulatory mapping section as the first substantive content; the India proposal needs the senior engineer profiles as the first substantive content. Same engagement, two completely different documents.

Hiring the same kind of seller for both markets is a mistake. The UAE sale wants somebody who can navigate procurement, government interfaces, and Arabic-language relationships at the executive layer. That's a different person than the India seller, who needs to be a working technical mind willing to scope on a call and defend methodology against three competitors live.

Pricing the same engagement at the same number in both markets is a mistake. UAE rates can be roughly 1.5–2× India rates for the same scope, and the UAE buyer will accept that price more easily than the India buyer will accept a 30% discount off it. Pricing is a strategic signal, not just a cost-plus number, and the signal it sends is read very differently in each market.

I should also say: this is not a value judgement. Both markets are excellent for this business in different ways. UAE has higher absolute revenue per client, longer cycles, stickier retention. India has more deal volume, faster cycles, deeper technical buyers, and a labour market that lets you build the engineering team that delivers everywhere. We've decided we want both, but they're being run as effectively two different go-to-market motions inside one company. I think anyone trying to scale across the region needs to do something similar, or accept they're going to be average in both.

—

Zuhair runs Wattlecorp Cybersecurity Labs. Kerala-headquartered, UAE-active, occasionally KSA. Happy to compare notes if you're sizing the same expansion.