BFSI · MENA Banks · Indian Fintech · Insurtech Advisory

Operator-led security for financial services that pick on merit

MENA banking experience (SAMA, CBUAE, QCB), Indian fintech and insurtech advisory and readiness work, and a transparent sub-contract path for the formal regulator-mandated audits where CERT-In empanelment is the legal floor. The technical work is the same operator-led VAPT and red team an AxVeil engagement always delivers; the contracting path is honest about where we sit on the empanelment list.

Honest disclosure — CERT-In empanelment

AxVeil is not currently CERT-In empanelled

AxVeil LLP is a young Indian entity and does not appear on the CERT-In Information Security Auditor empanelment list. Empanelment requires multiple years of operating history, a minimum trained-auditor headcount, an audited revenue threshold and a CERT-In technical evaluation — we will apply once we cross those thresholds.

For RBI cyber security framework audits, SEBI CSCRF audits, IRDAI annual cyber audits, MeitY / PSU empanelment work and NPCI scheme certifications — where the regulator legally requires a CERT-In empanelled auditor — AxVeil delivers the technical engagement as a sub-contractor to an empanelled partner firm. The empanelled firm holds the buyer contract and signs the regulator-facing report; AxVeil does the operator-led technical work behind it. Partner firms include eSec Forte, Network Intelligence Global Services, SAFE Security, NII Consulting, ThreatRavens, K7 Computing and Zerone Consulting. We name the partner up front; the buyer signs paperwork directly with them.

For MENA banking, GCC tech, foreign-headquartered firms with Indian engineering ops, Indian fintech / insurtech advisory and readiness work, Indian crypto / Web3 buyers, and any private engagement outside the empanelment-mandated regulatory scope, AxVeil contracts directly. Buyers who choose a vendor on technical merit rather than the empanelment roster get full operator-led delivery, Indian-jurisdiction MSAs, and INR / USD / AED invoicing.

MENA banking — the strongest part of the practice

Founder Aman Kumar (OSCP, CEHv12) led offensive security engagements across Gulf banking customers for several years before AxVeil — including 1000+ server enterprise estates and 100+ application portfolios for tier-one MENA banks. The supervisory stack across the GCC is structurally similar to the Indian regulator stack but the empanelment gate does not apply: the SAMA Cyber Security Framework (Saudi Arabia), CBUAE information-assurance regulations (UAE), QCB cyber-risk circulars (Qatar), CMA cybersecurity regulation (Oman) and the Bahrain Open Banking Framework all set technical depth and audit cadence directly, with regional auditor-acceptance criteria that recognise operator credentials and methodology rather than a single national empanelment list.

For MENA banks, GCC fintechs and Gulf insurance carriers AxVeil contracts directly: SWIFT CSP attestation support, payment-rail VAPT, mobile and internet-banking testing, internal AD and segmentation review, and adversary simulation against the threat actors that target Gulf financial services (FIN7, FIN11, MuddyWater and OilRig / APT34, the latter two names referring to the same group) and the regional ransomware crews. Engagements run remote-first across IST / GST hours; onsite kick-offs are arranged for sensitive internal-AD or treasury scopes.

Where AxVeil fits in BFSI

MENA banks & GCC fintech (direct contract)

Tier-one and tier-two GCC banks, payment processors, neobanks and Islamic finance entities operating under SAMA / CBUAE / QCB / CMA / CBB. SWIFT CSP attestation, payment-rail VAPT, internal AD red team, adversary simulation. AxVeil signs the contract; AxVeil signs the report.

Indian fintech / insurtech advisory & readiness (direct contract)

Series-A / B / C Indian fintech, insurtech, lending-tech and wealth-tech buyers preparing for RBI / SEBI / IRDAI thresholds, responding to enterprise-buyer security questionnaires (ICICI / HDFC / Axis vendor onboarding, Razorpay / PhonePe / Pine Labs partner audits) and chasing foreign-investor diligence. Pre-regulator readiness, ongoing offensive security, evidence pack design. AxVeil contracts directly because empanelment is not yet a legal requirement.

Foreign banks with India engineering (direct contract)

Foreign-headquartered banks running engineering, data or operations from Indian global capability centres under parent-jurisdiction policy. The engagement bar is set by the parent regulator (FCA, OCC, MAS, FINMA, ECB) plus the DPDP Act 2023 over the Indian-resident data. AxVeil contracts directly.

Indian RBI / SEBI / IRDAI / NPCI formal audits (sub-contract via empanelled partner)

Where the regulator legally requires a CERT-In empanelled auditor on the signed report. AxVeil delivers technical depth under sub-contract to an empanelled partner; the empanelled firm holds the buyer paper and signs the regulator submission. Pricing reflects partner share.

Crypto / Web3 Indian buyers (direct contract)

VDA exchanges, Web3 product teams and DeFi infrastructure operating in India. No specific Indian financial regulator yet (DPDP Act, FIU-IND PMLA registration and tax obligations apply but not RBI / SEBI). Smart-contract review, key-management red team, internal infrastructure VAPT. AxVeil contracts directly.

PSU banks, public-sector insurers, NPCI participants (sub-contract or referral)

Public-sector buyers and NPCI participants almost always require the empanelled-firm signature plus government-procurement-track paperwork (GFR, GeM listing, PSU empanelment beyond CERT-In). AxVeil declines or sub-contracts; we are upfront before the RFP closes.

Threats that actually hit financial services

Generic test plans miss the attacks that empty BFSI accounts. AxVeil scopes against the threat archetypes that have caused real financial loss across Gulf and Indian institutions in the public record — then maps each finding to the regulator clause it threatens.

Business email compromise & vendor-payment fraud

Treasury and AP teams are the highest-value social-engineering target in any bank. We test the controls around payment-instruction changes, dual-authorisation enforcement, out-of-band verification on vendor bank-detail edits, and the email-authentication posture (SPF / DKIM / DMARC enforcement, look-alike-domain monitoring) that BEC crews exploit.
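
The email-authentication part of that check can be scripted. The block below is an added example, not AxVeil tooling: it scores DMARC and SPF TXT records the way a BEC review does (p=none or pct<100 still lets spoofed mail through; sp inherits p, so a look-alike subdomain inherits a weak policy; an SPF record ending in ~all / ?all / +all does not on its own cause rejection). The TXT records in SAMPLE_RECORDS are constructed sample data, not lookups against real domains; in a live review the same functions are fed resolver output.

```python
"""Email-authentication posture check on DMARC and SPF TXT records.

Added example, not AxVeil tooling. The TXT records below are constructed
sample data, not lookups against real domains.
"""
import re

# Constructed TXT records, keyed the way a resolver would return them:
# DMARC at _dmarc.<domain>, SPF at the domain apex.
SAMPLE_RECORDS = {
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "weak.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example ~all",
    "_dmarc.partial.example": "v=DMARC1; p=reject; pct=20; sp=none",
    "_dmarc.strong.example": ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                              "rua=mailto:dmarc@strong.example"),
    "strong.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
}

# SPF mechanisms that cost a DNS lookup (RFC 7208 section 4.6.4).
LOOKUP_MECHANISM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?=[:/]|$)", re.I)


def parse_dmarc(txt):
    """Split a DMARC record into a tag dict; {} if it is not a DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def assess_dmarc(txt):
    """Return findings as strings; an empty list means an enforcing policy."""
    tags = parse_dmarc(txt)
    if not tags:
        return ["no valid DMARC record: receivers never evaluate spoofed mail"]
    findings = []
    p = tags.get("p", "none").lower()
    if p != "reject":
        findings.append(f"p={p}: failing mail is not rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    sp = tags.get("sp", p).lower()        # sp inherits p when absent
    if sp != "reject":
        findings.append(f"sp={sp}: subdomains are not enforced")
    if "rua" not in tags:
        findings.append("no rua: aggregate reports not collected, abuse stays invisible")
    return findings


def assess_spf(txt):
    """Check the terminal 'all' qualifier and the visible DNS-lookup count."""
    if not txt.lower().startswith("v=spf1"):
        return ["no valid SPF record"]
    terms = txt.split()
    findings = []
    last = terms[-1].lower()
    if last in ("~all", "?all", "+all"):
        findings.append(f"{last}: SPF alone will not reject; DMARC must enforce")
    elif last != "-all":
        findings.append("record does not end in an 'all' mechanism")
    # RFC 7208 limits DNS-querying mechanisms to 10; beyond that SPF is permerror.
    lookups = sum(1 for t in terms if LOOKUP_MECHANISM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms: over the RFC 7208 limit of 10")
    return findings


def posture(domain, records=SAMPLE_RECORDS):
    """Combine DMARC and SPF findings for one domain from a record table."""
    return {
        "dmarc": assess_dmarc(records.get(f"_dmarc.{domain}", "")),
        "spf": assess_spf(records.get(domain, "")),
    }


if __name__ == "__main__":
    for d in ("weak.example", "partial.example", "strong.example"):
        print(d, posture(d))
```

Only the lookups visible in the record are counted; nested include records are not resolved offline, so a real check follows the includes before trusting the count.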

Payment-rail & instant-transfer fraud

Card-issuance, UPI / IMPS / NEFT, SWIFT and wallet rails carry direct monetisable risk. We test 3-D Secure step-up logic, transaction-limit and velocity controls, beneficiary-add re-authentication, OTP-replay and SIM-swap-assisted takeover, and the SWIFT CSP control set on the messaging interface.

API & open-banking abuse

Mobile, partner and aggregator APIs are the dominant modern attack surface. OWASP API Top 10 (2023) across REST and GraphQL: BOLA across tenant and customer boundaries, mass-assignment on account objects, unrestricted resource consumption against balance / statement endpoints, and broken function-level authorisation (BFLA) on admin and reconciliation APIs.
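
Two of those failures side by side with their fix, as an added example that is not AxVeil code or any bank's API. The in-memory store, the Session object and the handler pairs are constructed: the vulnerable read is keyed only by the client-supplied account id (BOLA), and the vulnerable update copies every JSON field onto the server object, balance included (mass assignment). The hardened versions check object ownership per request and allow-list writable fields per principal type. Framework plumbing is omitted; the handlers receive an already-authenticated session.

```python
"""BOLA and mass assignment on an account object: vulnerable and hardened.

Added example, not AxVeil code or any bank's API; all data is constructed.
"""
from dataclasses import dataclass, field


def make_store():
    """Fresh constructed sample data: two customers, one account each."""
    return {
        "ACC-1001": {"owner": "cust-a", "balance": 2500.00, "kyc_status": "verified",
                     "daily_limit": 50000, "email": "a@example"},
        "ACC-2002": {"owner": "cust-b", "balance": 130.00, "kyc_status": "pending",
                     "daily_limit": 10000, "email": "b@example"},
    }


@dataclass
class Session:
    customer_id: str
    roles: set = field(default_factory=set)   # e.g. {"ops"} for back-office staff


class Forbidden(Exception):
    pass


# --- vulnerable: authenticated, but object- and property-level checks missing ---
def get_account_vulnerable(store, session, account_id):
    return store[account_id]                 # any caller, any account (BOLA)


def update_account_vulnerable(store, session, account_id, body):
    store[account_id].update(body)           # client picks the fields (mass assignment)
    return store[account_id]


# --- hardened: ownership check per object, allow-list per principal type ---
CUSTOMER_WRITABLE = {"email"}
BACK_OFFICE_WRITABLE = {"daily_limit", "kyc_status"}   # never "balance": ledger-only


def _authorise_object(store, session, account_id):
    acct = store.get(account_id)
    if acct is None or (acct["owner"] != session.customer_id and "ops" not in session.roles):
        # Same error for "missing" and "not yours" so ids cannot be enumerated.
        raise Forbidden("account not accessible to this principal")
    return acct


def get_account_hardened(store, session, account_id):
    return _authorise_object(store, session, account_id)


def update_account_hardened(store, session, account_id, body):
    acct = _authorise_object(store, session, account_id)
    allowed = set(CUSTOMER_WRITABLE) | (BACK_OFFICE_WRITABLE if "ops" in session.roles else set())
    rejected = set(body) - allowed
    if rejected:
        # Reject rather than silently drop, so the attempt is visible in logs.
        raise Forbidden(f"fields not writable by this principal: {sorted(rejected)}")
    acct.update(body)
    return acct


def run_scenario():
    """Replay a cross-customer read and a balance overwrite against both versions."""
    attacker = Session(customer_id="cust-a")
    out = {}
    store = make_store()
    out["vuln_read_other"] = get_account_vulnerable(store, attacker, "ACC-2002")["owner"]
    out["vuln_balance_after"] = update_account_vulnerable(
        store, attacker, "ACC-1001", {"balance": 9_999_999})["balance"]
    store = make_store()
    for key, call in (("hard_read_other", lambda: get_account_hardened(store, attacker, "ACC-2002")),
                      ("hard_balance_write", lambda: update_account_hardened(
                          store, attacker, "ACC-1001", {"balance": 9_999_999}))):
        try:
            call()
            out[key] = "allowed"
        except Forbidden:
            out[key] = "forbidden"
    out["hard_email_write"] = update_account_hardened(
        store, attacker, "ACC-1001", {"email": "new@example"})["email"]
    out["hard_balance_after"] = store["ACC-1001"]["balance"]
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k:20s} {v}")
```

The allow-list is the property-level control: rejecting unknown fields rather than dropping them turns a probing client into a logged event, which is the signal the detection side needs.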

Ransomware & destructive intrusion

Ransomware against core banking, treasury or trading is the board's top-of-mind scenario. We exercise the initial-access-to-impact chain — phishing / vendor pivot, AD attack paths (Kerberoasting, ADCS, NTLM relay), segmentation breaks between corporate and CBS / treasury zones, backup-tampering resistance, and the detection / response coverage that decides whether an intrusion becomes an outage.

Insider & privileged-access abuse

Core-banking operators, DBAs and DevOps hold the keys. We test privileged-access workflow enforcement, just-in-time and break-glass controls, session recording integrity, segregation-of-duties on payment-release paths, and the cloud control-plane IAM privilege graph that lets a single role escalate to data exfiltration.
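
The control-plane privilege graph is easiest to reason about as a search problem. The block below is an added example, not AxVeil tooling and not a real account: principals are nodes, and an edge exists where one principal can become another (sts:AssumeRole with a matching trust policy, iam:PassRole to a Lambda execution role the principal can also create and invoke, or iam:UpdateAssumeRolePolicy on the role). A breadth-first search then answers whether a developer identity can reach read access on a constructed customer-PII bucket. ALLOWS and TRUST are constructed snapshots, and the three edge rules are a deliberate simplification of what a full review models.

```python
"""IAM privilege-path mapping over a constructed account snapshot.

Added example, not AxVeil tooling; the snapshot and the edge rules are
constructed and simplified.
"""
from collections import deque

# Constructed snapshot: principal -> allowed (action, resource) pairs.
ALLOWS = {
    "user:dev-alice": {("sts:AssumeRole", "role:ci-deploy")},
    "role:ci-deploy": {("lambda:CreateFunction", "*"), ("lambda:InvokeFunction", "*"),
                       ("iam:PassRole", "role:etl-runner")},
    "role:etl-runner": {("s3:GetObject", "bucket:customer-pii/*")},
    "role:auditor": {("s3:ListBucket", "bucket:customer-pii")},
}
# Constructed trust policies: role -> principals allowed to assume it.
TRUST = {
    "role:ci-deploy": {"user:dev-alice"},
    "role:etl-runner": {"service:lambda"},
    "role:auditor": {"user:dev-alice"},
}


def resource_matches(allowed, target):
    if allowed == "*" or allowed == target:
        return True
    return allowed.endswith("/*") and target.startswith(allowed[:-1])


def has_permission(allows, principal, action, resource):
    return any((a == action or a == "*") and resource_matches(r, resource)
               for a, r in allows.get(principal, ()))


def edges_from(principal, allows, trust):
    """Yield (next_principal, how) for every escalation edge out of principal."""
    for role, trusted in trust.items():
        if principal in trusted and has_permission(allows, principal, "sts:AssumeRole", role):
            yield role, "sts:AssumeRole"
        if ("service:lambda" in trusted
                and has_permission(allows, principal, "iam:PassRole", role)
                and has_permission(allows, principal, "lambda:CreateFunction", "*")
                and has_permission(allows, principal, "lambda:InvokeFunction", "*")):
            yield role, "iam:PassRole + lambda:CreateFunction/InvokeFunction"
        if has_permission(allows, principal, "iam:UpdateAssumeRolePolicy", role):
            yield role, "iam:UpdateAssumeRolePolicy (rewrite trust to self)"


def path_to(start, action, resource, allows=ALLOWS, trust=TRUST):
    """Shortest escalation path from start to any principal holding action on resource."""
    seen = {start: (None, "start")}
    queue = deque([start])
    while queue:
        p = queue.popleft()
        if has_permission(allows, p, action, resource):
            path = []
            while p is not None:
                prev, how = seen[p]
                path.append((how, p))
                p = prev
            return path[::-1]
        for nxt, how in edges_from(p, allows, trust):
            if nxt not in seen:
                seen[nxt] = (p, how)
                queue.append(nxt)
    return None


if __name__ == "__main__":
    found = path_to("user:dev-alice", "s3:GetObject", "bucket:customer-pii/export.csv")
    for how, node in found or []:
        print(f"{how:55s} -> {node}")
```

The finding this produces is the path, not the individual permissions: each of dev-alice's grants looks reasonable on its own, and only the chain through the deploy role's PassRole reaches the data.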

Mobile & third-party SDK risk

Banking and insurer apps ship dozens of third-party SDKs. We test client-side secret storage, certificate pinning and bypass, root / jailbreak detection robustness, deep-link and intent abuse, and the data leakage and tracking introduced by analytics / attribution / payment SDKs in the app bundle.

Regulator references

For MENA buyers AxVeil maps technical findings directly to the regulator's framework. For Indian buyers AxVeil maps to the same source documents — but if the engagement is a formal regulator-facing audit, the empanelled partner co-signs.

SAMA Cyber Security Framework (Saudi Arabia)

www.sama.gov.sa

Saudi Central Bank cyber-security framework v1.0 covering cyber governance, risk management, defence-in-depth controls, third-party risk, incident response and business continuity for member organisations (banks, insurance, payment-system operators). Annual independent assessment expected against the framework's 4-domain control catalogue.

CBUAE Information Assurance Regulation (UAE)

www.centralbank.ae

Central Bank of UAE information-assurance and cyber-resilience regulations for licensed financial institutions. Covers governance, technical controls, third-party risk and incident reporting timelines. Aligned to NESA / SIA national-level guidance.

Reserve Bank of India (Indian buyers — sub-contract path for formal audits)

www.rbi.org.in

The 2016 Cyber Security Framework in Banks circular for SCBs, the 2023 IT Governance master direction across RBI-regulated entities including NBFCs and PSOs, and the 2024 cyber-resilience and digital-payment-security controls direction. AxVeil delivers under sub-contract to a CERT-In empanelled partner where the regulator-facing report requires an empanelled signature.

SEBI CSCRF (Indian buyers — sub-contract path for formal audits)

www.sebi.gov.in

2024 Cybersecurity and Cyber Resilience Framework with graded tiers (MII, Qualified RE, Mid-size RE, Small-size RE). AxVeil delivers under sub-contract to a CERT-In empanelled partner. Pre-regulator readiness work — gap assessment, evidence-pack design, retest closure on prior findings — AxVeil contracts directly.

IRDAI Information and Cyber Security Guidelines (Indian buyers — sub-contract path)

www.irdai.gov.in

2017 baseline (with amendments) prescribing CISO appointment, board-approved cyber policy, annual VAPT, cyber crisis management plan and incident reporting for insurers and intermediaries. Formal annual audit submission requires empanelled-firm signature; pre-audit readiness and ongoing offensive security AxVeil contracts directly.

DPDP Act 2023 (Indian buyers — direct contract)

www.meity.gov.in

Digital Personal Data Protection Act 2023 obligations for Data Fiduciaries: consent architecture, purpose limitation, retention, breach notification to the Data Protection Board and to each affected Data Principal, and (if so classified) Significant Data Fiduciary obligations including DPIA and DPO appointment. No empanelment is required for DPDP advisory; AxVeil contracts directly.

AxVeil BFSI engagement model

A typical MENA banking engagement runs 8-12 weeks; an Indian fintech advisory engagement runs 4-6 weeks; an Indian formal regulator audit (sub-contracted via empanelled partner) runs 10-14 weeks with the empanelled firm in the loop on every milestone.

Phase 1 — Contracting path & regulatory mapping (Week 0–1)
Confirm whether AxVeil contracts directly (MENA, foreign banks, Indian fintech / insurtech advisory, Web3) or via an empanelled partner (Indian RBI / SEBI / IRDAI formal audits, NPCI scheme work, PSU). For sub-contract engagements the empanelled partner is named, paperwork flows along the buyer ↔ empanelled-firm path, and AxVeil joins the kick-off as the named technical sub-contractor. Rules of Engagement signed; CERT-In notification protocol agreed for the engagement window.
Phase 2 — Application & API VAPT (Week 1–6)
OWASP ASVS L2 across customer-facing internet banking, mobile banking, broker terminals, insurer portals, fintech web and mobile apps. OWASP API Top 10 across REST and GraphQL APIs feeding mobile and partner integrations. Burp Suite Pro and Nuclei as primary tooling; manual exploit development for business-logic and tenant-boundary issues.
Phase 3 — Network & Active Directory (Week 4–8)
External and internal network VAPT per NIST SP 800-115. Active Directory attack-path mapping (Kerberoasting, AS-REP roasting, ADCS, NTLM relay). Segmentation testing between corporate, DMZ and CBS / treasury / trading zones. Wireless on request.
Phase 4 — Cloud & DevOps (Week 6–10)
AWS / Azure / GCP control-plane review against CIS Benchmarks. IAM privilege-path mapping; cross-account role assumption; Lambda / Function trigger abuse; container and Kubernetes RBAC review. CI/CD pipeline review for build-time supply-chain risk.
Phase 5 — Reporting (Week 10–12)
Single PDF in the format the regulator or buyer accepts. CVSS v3.1 + v4.0, CWE, OWASP ASVS / API Top 10 mapping, regulator-reference per finding (SAMA / CBUAE / RBI / SEBI / IRDAI / DPDP / NPCI). For sub-contracted Indian engagements the empanelled partner co-reviews and signs. Free retest within 30 days; Letter of Attestation on PASS.
Optional — Adversary simulation & buyer-questionnaire pack
Continuous adversary simulation against named threat actors targeting the sector. For Indian fintech / insurtech, a buyer-facing questionnaire pack (CAIQ-style answers, SOC 2 control-mapping appendix, evidence references) so the next ICICI / HDFC / Razorpay / PhonePe vendor onboarding closes in days, not quarters.

Sample artefacts handed back

Buyer-ready VAPT PDF
60–120 pages. Executive summary, technical findings, regulator-mapped appendix, remediation guidance and free-retest log. Drop-in suitable for SAMA / CBUAE assessment, internal RBI inspection prep, ICICI / HDFC vendor security review or foreign-investor diligence.
Board cyber-posture deck
10–15 slides. Risk posture in business language, top findings, remediation themes, comparison against the prior cycle, regulatory observations addressed. Designed for the IT Strategy Committee or Risk Management Committee.
Indian fintech buyer-questionnaire response pack
One-page CAIQ-style summary plus the supporting evidence file the questionnaire reviewer will demand. Tuned for ICICI / HDFC / Axis vendor onboarding, Razorpay / PhonePe / Pine Labs partner audits, foreign-investor diligence and SOC 2 Type 2 observation.
CERT-In incident-response playbook
Six-hour timeline tuned to your SOC and escalation tree. Templated incident-classification matrix, draft notification text, communication tree, evidence-preservation checklist. Tabletop exercise with the executive team on request. Note: CERT-In notification obligations apply to any organisation operating computer resources in India regardless of empanelment status of the audit firm — the playbook is yours to keep.
Detection-content pack
Sigma, KQL, SPL and EQL detection rules for the named threat-actor TTPs that target the financial sector. Versioned, validated against your telemetry, and yours to keep after the engagement closes.
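
One rule from that kind of pack, worked through against sample telemetry, as an added example that is not AxVeil's detection pack and not a rule from any published repository. It covers the Kerberoasting step of the AD attack path above and the detection-pack deliverable: one user account requesting service tickets for many distinct SPNs in a short window, using RC4 (TicketEncryptionType 0x17) because RC4 hashes crack faster than AES. Computer accounts are filtered because they request many tickets legitimately. SIGMA_RULE is a Sigma-style statement of the same logic and SAMPLE_EVENTS are constructed 4769-like records, not real logs.

```python
"""Kerberoasting detection over constructed Security event 4769 records.

Added example, not AxVeil's detection pack; rule text and events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Sigma-style statement of the logic the function below implements.
SIGMA_RULE = """
title: Possible Kerberoasting - many RC4 TGS requests by one account
logsource: {product: windows, service: security}
detection:
  selection:
    EventID: 4769
    TicketEncryptionType: '0x17'
    Status: '0x0'
  filter_computer_accounts:
    TargetUserName|endswith: '$'
  condition: selection and not filter_computer_accounts
# The aggregation (5 min window, > 5 distinct ServiceName per TargetUserName)
# lives in the SIEM correlation layer; the function below does it in code.
"""


def event(time, user, spn, etype, ip):
    """Build one 4769-like record (constructed, subset of the real fields)."""
    return {"time": time, "EventID": 4769, "TargetUserName": user, "ServiceName": spn,
            "TicketEncryptionType": etype, "Status": "0x0", "IpAddress": ip}


ATTACK_SPNS = ["MSSQLSvc/db01:1433", "MSSQLSvc/db02:1433", "http/intranet", "http/reporting",
               "ldap/ca01", "exchangeMDB/mx01", "TERMSRV/jump01", "cifs/backup01"]
MACHINE_SPNS = ["cifs/fs01", "cifs/fs02", "http/intranet", "ldap/dc01", "cifs/fs03", "host/print01"]

SAMPLE_EVENTS = (
    # ordinary user, one AES256 (0x12) ticket for a file server
    [event("2024-06-01T09:00:01", "j.smith@CORP", "cifs/fs01", "0x12", "10.0.5.21")]
    # one user account pulling eight RC4 tickets for distinct SPNs in eight seconds
    + [event(f"2024-06-01T09:10:{i:02d}", "svc-helpdesk@CORP", spn, "0x17", "10.0.9.77")
       for i, spn in enumerate(ATTACK_SPNS)]
    # a workstation account renewing RC4 tickets: noisy but legitimate, filtered
    + [event(f"2024-06-01T09:20:{i:02d}", "WS-042$@CORP", spn, "0x17", "10.0.3.42")
       for i, spn in enumerate(MACHINE_SPNS)]
)


def detect_kerberoasting(events, threshold=5, window=timedelta(minutes=5)):
    """Return {account: (distinct_spns, window_start_iso, source_ip)} for suspects."""
    per_account = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != "0x17" or e["Status"] != "0x0":
            continue
        if e["TargetUserName"].split("@")[0].endswith("$"):
            continue                                   # computer account
        per_account[e["TargetUserName"]].append(
            (datetime.fromisoformat(e["time"]), e["ServiceName"], e["IpAddress"]))
    alerts = {}
    for account, reqs in per_account.items():
        reqs.sort()
        for i, (t0, _, ip) in enumerate(reqs):
            # distinct SPNs requested within `window` starting at this request
            spns = {spn for t, spn, _ in reqs[i:] if t - t0 <= window}
            if len(spns) > threshold:
                alerts[account] = (len(spns), t0.isoformat(), ip)
                break
    return alerts


if __name__ == "__main__":
    for account, (n, start, ip) in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"ALERT {account}: {n} distinct SPNs with RC4 from {ip} starting {start}")
```

Validating a rule like this against the bank's own telemetry means tuning the threshold and window to the real baseline of RC4 requests, which is why the pack is versioned rather than shipped once.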
Empanelled-partner-signed regulator submission (where applicable)
For sub-contracted Indian engagements the regulator-facing submission carries the empanelled firm's signature on the title page. AxVeil's technical content is identical to a directly-contracted engagement; only the contracting path and the cover signature differ.

Frequently asked questions

Is AxVeil empanelled by CERT-In?

No. AxVeil LLP is a young Indian entity and does not appear on the CERT-In Information Security Auditor empanelment list. CERT-In empanelment requires multiple years of operating history, a minimum number of trained auditors, audited revenue thresholds and a CERT-In technical evaluation — we will apply once we meet the operating criteria. Where a buyer is legally required to engage a CERT-In empanelled auditor (RBI cyber security framework audits for scheduled commercial banks, SEBI CSCRF audits for Market Infrastructure Institutions, IRDAI annual cyber audits, MeitY / PSU empanelment work, NPCI scheme certifications), we deliver the technical engagement as a sub-contractor to an empanelled partner firm — eSec Forte, Network Intelligence Global Services, SAFE Security (formerly Lucideus), NII Consulting, ThreatRavens, K7 Computing, Zerone Consulting and similar — who signs the regulator-facing report. Buyers retain a direct contract with the empanelled firm; AxVeil does the operator-led technical work behind it.

Where does AxVeil contract directly without an empanelled partner?

Anywhere CERT-In empanelment is not legally mandated. That covers MENA banks and GCC tech (regional regulators — Central Bank of UAE, Saudi Central Bank, Qatar Central Bank — set the bar, not CERT-In), foreign banks engaging Indian engineering teams under parent-jurisdiction policy, Indian fintech and insurtech buyers running pre-regulator readiness work and buyer-facing security questionnaire response, Indian crypto / Web3 firms, and any private engagement an Indian financial buyer commissions on technical merit rather than empanelment. The operator and methodology are identical; the contracting path differs.

What MENA banking experience does AxVeil bring?

Founder Aman Kumar (OSCP, CEHv12) led offensive security engagements across Gulf banking customers including 1000+ server enterprise estates and 100+ application portfolios for tier-one MENA banks before AxVeil — work governed by SAMA Cyber Security Framework (Saudi Central Bank), CBUAE information assurance regulations, QCB cyber-risk circulars and the broader GCC supervisory stack. The MENA practice does not depend on Indian empanelment and is the strongest part of the BFSI offering today: SWIFT CSP attestation support, payment-rail VAPT, internal AD red teaming and adversary simulation against the threat actors that target Gulf financial services.

How does AxVeil help an Indian fintech that isn't ready for the formal regulator audit yet?

Pre-regulator readiness, buyer-facing security questionnaire response, ongoing offensive security on the production stack, and a sub-contract path the day a regulator-mandated audit becomes unavoidable. The typical Series-A / Series-B Indian fintech does not yet trigger an RBI VAPT obligation in its own right but does trigger an enterprise-buyer security review (ICICI / HDFC / Axis vendor onboarding, Razorpay / PhonePe / Pine Labs partner program audits, foreign-investor diligence). Those reviews care about the technical work and the operator profile, not about the audit firm's empanelment list. AxVeil contracts directly for that work and prepares the artefact set so when empanelment-required scope finally arrives, the sub-contract handover is clean.

What about IRDAI annual cyber audits and SEBI CSCRF observation work?

Those are formal regulator-facing engagements where the audit-firm signature on the report has to come from a CERT-In empanelled entity. AxVeil is not that signature. We deliver the technical depth — application VAPT, API testing, internal AD, cloud control-plane review, adversary simulation — under sub-contract to an empanelled partner who carries the regulator-facing accountability. The buyer still gets operator-led work; the regulator still gets a compliant signed audit. Pricing reflects the partner-share split (typically the empanelled firm retains 55-65% of the engagement value as the contracting party).

Can a single engagement satisfy MENA banking, an Indian fintech buyer review and a SOC 2 driver at once?

Yes for the technical work — most controls overlap (governance, vulnerability management, identity, encryption, logging, incident response, third-party risk). We map every test case to the source control across all applicable regimes — SAMA / CBUAE / QCB section reference for the MENA arm, RBI / DPDP / NPCI references for the Indian arm, AICPA Trust Services Criteria for the SOC 2 arm — so a single evidence pack drops cleanly into multiple submissions. The contracting path may still split (AxVeil direct for the MENA and SOC 2 work, sub-contract via an empanelled firm for the Indian regulator-facing arm), but the testing programme runs once.

Scope a BFSI engagement

Send the entity type (MENA bank, Indian fintech, insurtech, foreign bank with India ops, Web3 firm), the regulator(s) you report to, and the next milestone. We respond with a fixed-fee proposal, a clear statement of which contracting path applies (direct or sub-contracted via empanelled partner) and a redacted MENA banking sample report under NDA.

Request a scoping call →