Why this directory exists
The Malaysian Cyber Security Act 2024 (Act 854) introduced a licensing regime for cybersecurity service providers (CSSPs) operating in or selling into Malaysia. The Act is administered by the National Cyber Security Agency (NACSA). The licensing framework distinguishes between a number of service categories — penetration testing, managed security services, digital forensics, incident response, vulnerability assessment and others — and requires providers in scope to hold a current licence to lawfully sell those services.
For Malaysian buyers, particularly NCII operators, BNM-regulated financial institutions (FIs) and government departments, engaging an unlicensed CSSP for a licensable service is an enforcement risk on both sides. This directory exists as a publicly available reference compiled from announcements, vendor disclosures and the NACSA registry, intended to help buyers shortlist and to give providers a fair side-by-side comparison. It is not exhaustive and not authoritative: the NACSA registry is the only authoritative source.
Important caveats — please read
- Licensing status changes. Always confirm against the NACSA registry at the time of the procurement decision.
- Accreditations listed are as claimed by the provider on their website or marketing material at time of writing. We have not independently verified each claim.
- The list is not ranked or scored. Provider order is alphabetical with one exception (we are listed last so this never reads as self-ranking).
- nCrypt's own application has been submitted; we are not yet licensed at time of writing.
- Inclusion does not imply endorsement. Exclusion does not imply absence — many small or new entrants are not represented here.
Provider summary table
| Provider | CSA / NACSA Status | Primary Service Line | Geography | Accreditations Claimed |
|---|---|---|---|---|
| LE Global Services (LGMS) | Licensed (announced) | VAPT, SOC, compliance | Malaysia + regional | CREST member, ISO 27001, PCI ASV (claimed) |
| Firmus Sdn Bhd | Application status: per NACSA registry | VAPT, GRC, training | Malaysia | ISO 27001 (claimed) |
| BDO Cyber Security | Application status: per NACSA registry | Advisory, audit, IR | Malaysia + global Big-5 network | ISO 27001 (claimed) |
| EY Malaysia (Cyber) | Application status: per NACSA registry | Advisory, IR, transformation | Malaysia + global | ISO 27001 (claimed) |
| PwC Malaysia (Cyber) | Application status: per NACSA registry | Advisory, audit, IR | Malaysia + global | ISO 27001 (claimed) |
| KPMG Malaysia (Cyber) | Application status: per NACSA registry | Advisory, GRC, IR | Malaysia + global | ISO 27001 (claimed) |
| Deloitte Malaysia (Cyber) | Application status: per NACSA registry | Advisory, IR, OT | Malaysia + global | ISO 27001 (claimed) |
| TIME dotCom (Avensys / TGV) | Application status: per NACSA registry | Managed services, SOC | Malaysia | ISO 27001 (claimed) |
| TM ONE (Cyber Defence Centre) | Application status: per NACSA registry | Managed SOC, MDR, advisory | Malaysia | ISO 27001, ISO 27017 (claimed) |
| Cyber Intelligence Sdn Bhd | Application status: per NACSA registry | VAPT, IR | Malaysia | OSCP team certifications (claimed) |
| SecureKi | Application status: per NACSA registry | PAM, IAM, advisory | Malaysia + ASEAN | ISO 27001 (claimed) |
| nCrypt Malaysia | Application submitted | Pentesting, MSSP, BCP, ISMS, IR | Malaysia | CREST member-firm in application; OSCP / OSCE / OSWE / CREST CRT individuals; ISO 27001 audit in progress |
This list reflects publicly available information at time of writing — check the official NACSA registry for the latest licensing status before making procurement decisions.
How to evaluate a CSSP
Licensing is necessary but not sufficient. Strong shortlisting criteria for Malaysian buyers in 2026:
- Independent technical accreditations at the firm level (CREST member firm) and individual level (OSCP, OSCE, OSWE, CREST CRT/CCT for testers; GIAC, ISACA, (ISC)² for advisory)
- Demonstrated sector experience in your regulatory context — BNM RMiT, PCI DSS, ISO 27001, NACSA scope, OT/SCADA
- Local Malaysian delivery presence — particularly for engagements requiring data residency, cleared analyst access, or regulator coordination
- Independence model — assessor independence is mandatory for ISO 27001 audits and increasingly required for BNM examinations; firms cannot both implement and audit the same control set
- Reference customers — particularly customers in your sector who can speak to engagement quality and post-delivery support
- Insurance coverage — professional indemnity and cyber liability appropriate to the engagement value
A note on “CREST” and “ISO 27001” claims
Two accreditations are particularly easy to misrepresent. CREST membership is granted to firms (CREST Member Firm) and to individuals separately (CRT, CCT, CCSAS); a firm having a CREST individual is not the same as being a CREST Member Firm. ISO 27001 certification belongs to a defined scope of services, not the whole legal entity; a parent group certification does not automatically cover a Malaysian subsidiary or a specific service line.
Always ask for: the CREST Member Firm certificate (with current expiry), the ISO 27001 certificate with the explicit scope statement, and confirmation that the certification body is accredited under a recognised IAF mutual-recognition arrangement. Reputable providers will share these on request.
Updates and corrections
This directory is maintained on a best-effort basis. If your firm should be listed, your status has changed, or any information is inaccurate, please contact us via our contact form and we will update the entry within 5 business days.
See also: Cyber Security Act 2024 readiness, NACSA compliance practice, and our own accreditations.