Skip to content
MA

Hi, I'mMohammed AlYahya

Cybersecurity Leadership

Open source · Apache-2.0

Saqr: grounded RAG over Saudi cybersecurity frameworks

A PHP library and live chatbot that answers questions about NCA, SAMA, CST, Aramco SACS-002, PDPL, and ISO 27001 from a curated practitioner corpus. The same library powers the assistant on this site, and it’s open source. No embeddings service, no vendor stack, no hidden corpus.

Why I built it

Almost no Saudi cybersecurity consultant ships code. PDFs, slides, recommendations, sure. Working artifacts you can actually run yourself? Rare.

Saqr is my counter to that. It’s the smallest thing I could ship that shows what I’d tell a client in a first meeting about the KSA regulatory landscape, instead of just claiming to know it. Retrieval is deterministic, so you can audit which entry answered your question. The LLM layer is optional. The source for every answer stays visible.

What it does

30 Practitioner entries
11 Frameworks covered
2 Languages (AR/EN)
0 Embeddings services

Ask a question in Arabic or English. An alias map translates common Arabic phrasings into the corpus’s English keyword space. A length-weighted keyword scorer ranks corpus entries. The top three go to Claude Haiku as [SOURCE 1] through [SOURCE 3] blocks, with a grounding prompt that bans em-dashes, sycophancy, and made-up statistics. No API key? The top match is returned verbatim. Either way, you can see exactly which entry answered the question.

Saqr in action

Saqr answering an English question comparing NCA ECC and ISO 27001
ENHow does NCA ECC compare to ISO 27001?
Saqr answering an Arabic question about PDPL with right-to-left layout
ARماهو نظام حماية البيانات الشخصية؟

Coverage

  • NCAECC, CCC, CSCC, DCC, TCC, OSMACC, SCyWF
  • SAMACSF, ITGF, BCM
  • CSTCRF
  • Saudi AramcoSACS-002 / CCC (contractor)
  • SDAIAPDPL
  • InternationalISO 27001
  • Cross-frameworkECC↔ISO, ECC↔CCC, SAMA↔NCA, PDPL↔DCC, Aramco↔NCA
  • Practitioner adviceWhere to start · maturity · audit · third party

Stack & openness

PHP 7.4 or newer, tested through 8.3. Apache-2.0 with a patent grant. The corpus is plain JSON, so anyone reading the repo can see exactly what Saqr knows. CI runs the lint matrix on every push. No database. No embeddings service. No vendor lock-in. The Anthropic key is optional, read from an environment variable, never hard-coded.

A note on what this is and isn’t.
Saqr is educational content, not legal advice. The corpus is one practitioner’s read of the frameworks. For any decision that matters, verify against the official regulator publication before acting. PRs that add citations or correct mappings are welcome at cybersafe-lab/saqr.

Why curated corpus, not RAG-over-PDFs

Saudi regulator documents are dense, and general-purpose embeddings misread them constantly. Especially the cross-framework stuff: “ECC and CCC overlap here,” “PDPL and DCC handle classification differently.” Embedding search finds the right paragraph for the wrong question.

A small corpus, written by a practitioner, gets higher precision for the same effort. Every entry was written by someone who has advised a Saudi client on the framework in question. Keywords reflect what visitors actually ask, Arabic phrasings included. Cross-framework comparisons are first-class entries, not lucky paragraph adjacencies.

If you need RAG over PDFs, build that. Saqr is a different design point. A deliberately small one.