Careem operates a multi-service platform across the greater Middle East, managing ride-hailing, food delivery, grocery delivery (Quik), and digital payments (Pay) services. The platform serves over 50 million customers across more than 70 cities in 10 countries spanning Morocco to Pakistan, with engineering teams distributed across Europe and the MENAP region.
At scale, the operation involves coordinating logistics, payments infrastructure, and user-facing services across fragmented markets with varying regulatory environments, payment systems, and connectivity constraints. This creates a specific threat model: protecting financial transactions and user data across multiple jurisdictions; securing driver-passenger interactions; preventing payment fraud and unauthorized access to the payments service; maintaining platform integrity across regions with different compliance requirements; and managing access controls across distributed engineering teams.
The platform handles sensitive data including driver and customer identities, payment card information, transaction histories, and location data from ride services. With 2.5 million drivers (termed Captains) and over 50 million customers, the attack surface spans mobile applications, backend infrastructure, third-party integrations for payments and logistics, and regional data storage. Security work must account for localized threat patterns, including regional payment fraud tactics and varying enforcement of data protection requirements across jurisdictions.