VAPT Services in India
India runs on six regulators, one Act and a 6-hour reporting clock. Between CERT-In's breach-notification mandate, the DPDP Act 2023's INR 250 crore penalty ceiling, RBI's cyber resilience baseline and SEBI's CSCRF framework, the compliance perimeter has tightened more in the last 24 months than in the previous decade. AxVeil delivers vulnerability assessment, penetration testing and red team services across India for SaaS, D2C and e-commerce, healthtech, foreign-headquartered firms with Indian engineering ops, and Indian fintech / insurtech buyers running pre-regulator readiness work — direct contract, operator-led delivery, fixed-fee proposals.
We are remote-first by design. Engagements are served across Bengaluru's SaaS corridors, Mumbai's BFSI floors, Delhi NCR's GCC estate, Hyderabad's HITEC City, Chennai, Pune and Ahmedabad — coordinated entirely in IST hours over Slack, Teams and Zoom, with onsite kick-offs arranged when an internal AD or OT scope demands it. Whether you are a Series-B SaaS onboarding US Fortune 500 customers under SOC 2, a D2C brand surviving the next Flipkart Marketplace or Razorpay partner-program audit, an Indian healthtech preparing for DPDP Rules 2025, or an Indian fintech still below the formal RBI VAPT obligation threshold, our methodology compresses 4-week manual audits into 7-14 day engagements without sacrificing depth. Every report is mapped to the relevant standards — DPDP Act 2023, AICPA Trust Services Criteria, OWASP ASVS L2, OWASP API Top 10, PCI DSS v4.0, ISO 27001:2022 — so a single engagement satisfies multiple board, auditor and customer asks.
The India threat surface we scope against
Generic OWASP coverage misses the attack paths that are specific to how India actually runs money and identity. These are the threat clusters we threat-model first.
UPI & payments-rail abuse
India processes 18bn+ UPI transactions a month. We see business-logic abuse on collect-request flows, mandate / autopay manipulation, and PSP / TPAP onboarding gaps that NPCI risk guidelines now explicitly call out.
Account-aggregator & consent fraud
The AA ecosystem has onboarded hundreds of millions of consent artefacts. Consent-replay, scope-escalation and FIP / FIU token-handling flaws are a live attack surface for any RBI-regulated lender or fintech on the rails.
GCC / supply-chain targeting
Foreign-HQ engineering centres across Bengaluru, Hyderabad and Delhi NCR are a favoured pivot into parent estates. We threat-model the GCC as the third-party-risk node it actually is for the parent jurisdiction.
Ransomware & extortion crews
India-targeting ransomware affiliates lean on exposed RDP, unpatched edge VPNs and weak AD tiering. Our red team emulates the initial-access and lateral-movement TTPs these crews actually use against Indian enterprises.
AxVeil LLP is a young Indian entity and is not currently on the CERT-In Information Security Auditor empanelment list. For CERT-In mandated audits — RBI cyber security framework audits, SEBI CSCRF audits for MIIs and Qualified REs, IRDAI annual cyber audits, MeitY / PSU empanelment work, NPCI scheme certifications — AxVeil delivers the technical engagement under sub-contract to a CERT-In empanelled partner firm (eSec Forte, Network Intelligence Global Services, SAFE Security, NII Consulting, ThreatRavens, K7 Computing, Zerone Consulting and similar) who signs the regulator-facing report. For SaaS, D2C, healthtech, foreign cos with India engineering, Indian fintech / insurtech advisory and Web3 work, AxVeil contracts directly. The contracting path is stated in the proposal up front.
Why India needs a different VAPT playbook
The Indian threat surface is unusually concentrated. UPI processed over 18 billion transactions in a single month in 2025; account aggregators have onboarded hundreds of millions of consent artefacts; the DPDP Act has reshaped what "personal data" means for every fiduciary; and CERT-In's 2022 directions removed the polite fiction that breach reporting could wait until the next quarterly board meeting. A pentest report that ignores that context is paperwork — not security.
Our India engagements are scoped against the regulators or buyers you actually answer to, not a generic OWASP checklist. Bengaluru SaaS work hits SOC 2 + ISO 27001 + DPDP. Mumbai BFSI work runs either as direct contracts (MENA banking clients served from Mumbai) or as advisory work, with the formal RBI / SEBI / IRDAI submission sub-contracted via a CERT-In empanelled partner. Delhi NCR work covers foreign-HQ GCCs (parent-jurisdiction policy + DPDP) and private enterprise advisory; the MeitY / PSU / government-procurement track routes through an empanelled partner. The technical methodology is the same; the deliverable and the contracting path are tuned per audience.
VAPT
Web, API, mobile and network penetration testing aligned with OWASP, CREST and the CERT-In VAPT reporting format.
Red Team
MITRE ATT&CK adversary emulation tuned for India-targeting actors and ransomware crews active across Indian enterprises.
Compliance
DPDP Act 2023, RBI cyber resilience, SEBI CSCRF, IRDAI cybersecurity guidelines, ISO 27001:2022 and SOC 2 evidence packs.
AdSim
Continuous purple-team adversary simulation with detection-engineering output for Indian SOC and MDR stacks.
Indian regulators we map every report to
CERT-In
April 2022 directions: cyber incidents must be reported within 6 hours; logs retained for 180 days inside India.
MeitY
Owns the DPDP Act 2023 — penalties up to INR 250 crore per instance for failure to safeguard personal data.
RBI
Cyber security framework for SCBs, NBFC IT framework and digital lending guidelines — annual VAPT + SAR mandated.
SEBI
Cybersecurity and Cyber Resilience Framework (CSCRF) applicable to brokers, MFs, KRAs, AIFs and depositories.
IRDAI
Information and Cybersecurity Guidelines mandate annual cyber audit + VAPT for life, general and health insurers.
NPCI
UPI security guidelines and risk management framework for PSPs, TPAPs and acquiring banks on UPI rails.
Engagement timeline (typical 14-day VAPT)
30-minute scoping call in IST. NDA + MSA exchanged under Indian jurisdiction. Scope, RoE and asset list locked.
Recon + threat-modelling against your stack and the regulator(s) you actually answer to (RBI, SEBI, IRDAI, MeitY).
Active testing — web, API, mobile, internal AD, cloud. Daily Slack / email digest with critical findings as they surface.
Draft report: CERT-In aligned VAPT format + DPDP Act gap notes + ISO 27001 / SOC 2 evidence cross-references.
Readout call with engineering + CISO. Free retest of remediated criticals within 30 days. Final signed PDF for auditors.
Pan-India SaaS — DPDP Act readiness + SOC 2 Type 2 window VAPT
Indicative engagement: a multi-tenant B2B SaaS scale-up with engineering across Bengaluru and Pune commissions a consolidated VAPT plus DPDP Act 2023 readiness pack. Result: critical / high findings triaged inside the SOC 2 Type 2 observation window, DPDP personal-data inventory and consent-architecture review delivered, breach-notification runbook tuned to the Data Protection Board timeline, and a single evidence base that answers both the SOC 2 auditor and the next enterprise customer security questionnaire. Pattern available on request under NDA.
India FAQ
Is AxVeil empanelled by CERT-In?
No. AxVeil LLP is a young Indian entity and is not currently on the CERT-In Information Security Auditor empanelment list. Empanelment requires multiple years of operating history, a minimum trained-auditor headcount, an audited revenue threshold and a CERT-In technical evaluation; we will apply once we cross those thresholds. For audits where the regulator legally requires an empanelled signature — RBI cyber security framework audits, SEBI CSCRF audits for MIIs and Qualified REs, IRDAI annual cyber audits, MeitY / PSU empanelment work, NPCI scheme certifications — AxVeil delivers the technical work under sub-contract to a CERT-In empanelled partner firm (eSec Forte, Network Intelligence, SAFE Security, NII Consulting, ThreatRavens, K7 Computing, Zerone Consulting and similar) who signs the regulator-facing report. For SaaS, D2C, Indian healthtech, MENA banking, foreign cos with India ops, Indian fintech / insurtech advisory and Web3 work, AxVeil contracts directly. Reference: https://www.cert-in.org.in.
Within how many hours must we report a cyber incident in India?
CERT-In's April 2022 directions mandate that the 20 categories of cyber incidents listed in their annexure be reported within 6 hours of noticing them or being brought to notice. The reporting obligation applies to every organisation operating computer resources in India, regardless of the empanelment status of whichever firm audits you. AxVeil engagements include incident-response runbooks and a tabletop walkthrough so your team can hit that 6-hour clock under real pressure. Reference: https://www.cert-in.org.in.
Does AxVeil deliver DPDP Act 2023 readiness work directly?
Yes. DPDP Act advisory does not require CERT-In empanelment, so AxVeil contracts directly. Every engagement produces a DPDP Act 2023 evidence pack covering Data Fiduciary obligations, consent architecture, breach notification readiness, retention timelines, grievance officer mandate and (where the platform is likely classified Significant Data Fiduciary) DPIA and DPO appointment guidance. The DPDP Act exposes data fiduciaries to penalties of up to INR 250 crore per breach. Reference: https://www.meity.gov.in.
Do you support RBI cyber security framework audits for banks, NBFCs and PSPs?
Where the audit submission requires a CERT-In empanelled signature — the RBI cyber security framework for SCBs, the NBFC IT framework, the RBI digital lending guidelines, account aggregator master directions and the master direction on IT governance, including the SAR (System Audit Report) — AxVeil delivers the technical engagement under sub-contract to an empanelled partner firm who signs the report. For pre-audit readiness, ongoing offensive security, evidence-pack design and retest closure on prior findings, AxVeil contracts directly. Reference: https://www.rbi.org.in.
Can you deliver SEBI CSCRF audits for brokers, MFs and depositories?
The formal CSCRF cyber audit submission to SEBI requires a CERT-In empanelled audit firm on the signed report. AxVeil delivers the technical work — VAPT, configuration audit, control-mapping evidence — under sub-contract to an empanelled partner firm who signs the regulator submission. For pre-audit gap assessment, internal readiness work, CSCRF principle mapping (Anticipate / Withstand / Contain / Recover / Evolve) and the supporting evidence pack, AxVeil contracts directly. Reference: https://www.sebi.gov.in.
How long does a typical pan-India enterprise VAPT engagement take?
Standard web + API VAPT runs 7-10 business days. A multi-region red team or hybrid cloud assessment scopes at 3-6 weeks depending on asset count, AD complexity and how many regulators are in scope. Engagements that route through an empanelled partner add a 5-7 day onboarding overhead at the start (kick-off paperwork between buyer ↔ empanelled partner ↔ AxVeil) but the technical timeline is unchanged.
Are you remote-first or do you fly out to client offices?
AxVeil is remote-first across India — testing, reporting and readouts run over Slack / Teams / Zoom in IST hours. Engagements are served across Bengaluru, Mumbai, Delhi NCR, Hyderabad, Chennai, Pune, Ahmedabad and other metros. Onsite kick-offs for sensitive internal AD or OT scopes are arranged on a per-engagement basis.
Can you sign Indian-jurisdiction MSAs and NDAs and raise GST invoices?
Yes. We sign MSAs governed by Indian law with jurisdiction in Bengaluru, Mumbai or New Delhi at the customer's preference, and we raise GST-compliant INR invoices supporting TDS deduction and Form 16A reconciliation. For sub-contracted regulator audits the buyer contracts directly with the empanelled partner, and AxVeil contracts with that partner as its sub-contractor.
Need VAPT in India? Talk to a tester, not a sales team.
Free 30-minute scoping call in IST hours. We map your attack surface, name the regulators you must satisfy, and quote in INR with GST.