VAPT Services in Mumbai
Mumbai is the only Indian city where four primary financial regulators sit inside the same metropolitan area — RBI on Mint Road, SEBI in BKC, the BSE on Dalal Street, and the NSE in BKC, with IRDAI in Hyderabad but its regulated insurers headquartered along the BKC-Worli-Lower Parel corridor. The Bandra Kurla Complex alone concentrates more BFSI cyber risk per square kilometre than any address in South Asia. AxVeil's Mumbai practice is structured around that map — but honest about which slices we contract directly and which we deliver under sub-contract to a CERT-In empanelled partner.
AxVeil contracts directly for Mumbai fintech and insurtech buyers running pre-regulator readiness, foreign-headquartered banks running engineering or back-office out of BKC / Lower Parel under parent-jurisdiction policy, lending-tech / wealth-tech / payments players preparing for the next ICICI / HDFC / Axis / Razorpay / PhonePe vendor onboarding, DPDP Act 2023 advisory across the lot, and SOC 2 / ISO 27001 driver engagements where empanelment is not the gate. For the formal RBI cyber security framework audit submission, the SEBI CSCRF audit submission for MIIs and Qualified REs, the IRDAI annual cyber audit submission, and NPCI scheme certifications — where the regulator legally requires a CERT-In empanelled signature on the report — we deliver the technical engagement under sub-contract to an empanelled partner firm (see /partners). The empanelled firm holds the buyer contract and signs the regulator submission; AxVeil does the operator-led technical work behind it. The contracting path is stated in the proposal up front.
AxVeil LLP is a young Indian entity and is not currently on the CERT-In Information Security Auditor empanelment list. For CERT-In mandated audits we partner with empanelled firms — see /partners. The empanelled partner holds the buyer paper and signs the regulator-facing report; AxVeil delivers the operator-led technical work under sub-contract. For Mumbai fintech / insurtech advisory, foreign-bank India ops, DPDP Act work, pre-regulator readiness and SOC 2 / ISO 27001 driver engagements, AxVeil contracts directly.
Why Mumbai BFSI is a four-regulator stack
A Mumbai universal bank with a brokerage arm, an AMC subsidiary and an insurance JV is regulated simultaneously by RBI, SEBI, IRDAI and (over its payment-systems business) by NPCI and the RBI Department of Payment and Settlement Systems — with CERT-In's 6-hour breach-reporting clock and the DPDP Act 2023 sitting over the entire group. Treating each line of business as a separate audit is how findings get lost in handoffs; treating them as one cyber-resilience surface is how you actually reduce risk.
Our Mumbai engagements cross-map findings across the regulator stack so one critical finding generates one fix, not four parallel remediation streams. The technical methodology is identical across direct and sub-contracted engagements — what differs is the contracting path and the cover signature on the regulator-facing submission. For the formal RBI / SEBI / IRDAI submission piece, where a CERT-In empanelled signature is the legal floor, the empanelled partner co-reviews and signs; for pre-audit readiness, fintech / insurtech advisory, foreign-bank India ops and DPDP Act work, AxVeil contracts directly.
Fintech / Insurtech VAPT (direct)
Pre-regulator readiness, buyer-questionnaire-driven VAPT and ongoing offensive security for Mumbai fintech, insurtech, lending-tech and wealth-tech buyers below the formal RBI / SEBI / IRDAI obligation threshold.
Foreign-bank India ops (direct)
MITRE ATT&CK adversary emulation against BKC and Lower Parel offices of foreign-headquartered banks running Indian engineering or back-office under parent-jurisdiction policy plus DPDP Act over Indian-resident data.
RBI / SEBI / IRDAI formal audits (sub-contract)
Where the regulator legally requires a CERT-In empanelled signature, AxVeil delivers technical depth under sub-contract to an empanelled partner who holds the buyer paper and signs the regulator submission.
AdSim
Continuous adversary simulation against ransomware crews known to target Indian BFSI — LockBit, Akira, BianLian — plus Lazarus-style SWIFT-adjacent TTPs.
Mumbai BFSI regulators we map every report to
RBI — Cyber Security Framework (SCBs)
www.rbi.org.in
Mumbai-headquartered banks and PSPs operate under the RBI cyber security framework — formal audit submission requires a CERT-In empanelled auditor on the signed report. AxVeil sub-contracts via an empanelled partner for that piece; pre-audit readiness AxVeil contracts directly.
RBI — NBFC IT Framework
www.rbi.org.in
Top-layer and middle-layer NBFCs carry IT governance obligations under the master direction on IT governance. Formal audit signature is empanelled-only; AxVeil contracts directly for pre-audit readiness, ongoing offensive security and remediation review.
SEBI — CSCRF
www.sebi.gov.in
Cybersecurity and Cyber Resilience Framework for brokers, DPs, MFs, AIFs and KRAs. Formal CSCRF cyber audit submission to SEBI requires a CERT-In empanelled audit firm. AxVeil delivers under sub-contract for the regulator-facing piece; gap assessment and retest closure AxVeil contracts directly.
IRDAI — Cybersecurity Guidelines
www.irdai.gov.in
Annual cyber audit, VAPT and CISO reporting for Mumbai-headquartered life, general and health insurers. Formal audit signature requires CERT-In empanelment — sub-contract path. Pre-regulator readiness work AxVeil contracts directly.
NPCI — Member Bank Security
www.npci.org.in
Mumbai-headquartered acquiring banks, PSPs and PSOs on UPI / IMPS / NACH rails operate under NPCI security guidelines. Member-bank scheme certifications route through CERT-In empanelled auditors.
CERT-In — 6-hour Reporting
www.cert-in.org.in
April 2022 directions: 20 categories of incidents must be reported within 6 hours; logs retained 180 days inside India. The reporting clock applies to every BFSI entity regardless of the empanelment status of the audit firm.
DPDP Act 2023 (direct)
www.meity.gov.in
DPDP Act advisory does not require CERT-In empanelment — AxVeil contracts directly for fiduciary obligations, consent architecture, breach-notification readiness and DPIA / DPO appointment guidance for likely Significant Data Fiduciaries.
21-day BFSI engagement timeline
Scoping call with CISO + IT head. Confirm contracting path — direct (fintech / insurtech advisory, foreign-bank India ops, DPDP, SOC 2) or sub-contract via CERT-In empanelled partner (formal RBI / SEBI / IRDAI audit submission). NDA + DPA signed under Maharashtra jurisdiction. Scope, RoE and change-control window locked.
Recon + threat-modelling against your stack — payment-gateway integrations, mobile / internet banking, broker / dealer terminals, internal AD, partner / LSP integrations on the lending-tech side.
Active VAPT under tightly scoped RoE. Production payment rails (SWIFT, RTGS, NEFT, NPCI UPI) tested read-only or against staging only, with explicit rollback plans.
Internal AD + segmentation testing, privilege-escalation chains, lateral movement to fund accounting / treasury / trading systems if in scope. Daily CISO digest.
Reports issued — for direct engagements on AxVeil letterhead; for sub-contracted engagements the empanelled partner co-reviews and signs the regulator-facing submission. Board-pack and statutory-auditor evidence files included.
BKC-area lending-tech — pre-regulator readiness + partner-buyer questionnaire pack
Indicative engagement: a Mumbai lending-tech / wealth-tech buyer below the formal regulator obligation threshold commissions a pre-audit readiness sweep ahead of an ICICI / HDFC / Axis vendor onboarding and a Razorpay / PhonePe / Pine Labs partner audit. Scope: consumer lending app, partner LSP integrations, FLDG control flows, internal AD. Deliverable: technical findings and remediation plan, plus a CAIQ-style buyer-questionnaire pack with evidence references. AxVeil contracts directly because empanelment is not yet a legal requirement at this scope. The day a regulator-mandated formal audit becomes unavoidable, AxVeil hands off cleanly to a CERT-In empanelled partner — see /partners — for the regulator-facing submission. Pattern available on request under NDA.
Mumbai FAQ
Is AxVeil empanelled by CERT-In?
No. AxVeil LLP is a young Indian entity and is not currently on the CERT-In Information Security Auditor empanelment list. For CERT-In mandated audits we partner with empanelled firms — see /partners. Empanelment requires multiple years of operating history, a 5+ trained-auditor headcount, an audited revenue threshold and a CERT-In technical evaluation; we will apply once we cross those thresholds. For Mumbai fintech / insurtech advisory, foreign-bank India ops, DPDP Act work and SOC 2 / ISO 27001 driver engagements, AxVeil contracts directly. Reference: https://www.cert-in.org.in.
Within how many hours must we report a cyber incident under CERT-In and RBI rules?
CERT-In's April 2022 directions require 20 categories of cyber incidents to be reported within 6 hours of noticing or being brought to notice. RBI separately requires regulated entities to report unusual cyber incidents to the Department of Supervision within prescribed windows under the cyber security framework. AxVeil engagements include a Mumbai-tuned incident response playbook so your CISO can hit both clocks. The reporting clock applies to every BFSI entity regardless of the empanelment status of the audit firm. Reference: https://www.cert-in.org.in.
How does AxVeil handle SEBI CSCRF audits for stockbrokers and depository participants?
The formal CSCRF cyber audit submission to SEBI requires a CERT-In empanelled audit firm on the signed report. AxVeil is not currently on that list. For the regulator-facing submission we deliver under sub-contract to a CERT-In empanelled partner (see /partners) — the partner holds the buyer paper and signs the submission, AxVeil delivers the operator-led technical work behind it. For pre-audit gap assessment, CSCRF principle mapping (Anticipate / Withstand / Contain / Recover / Evolve), evidence-pack design and retest closure on prior findings, AxVeil contracts directly. Reference: https://www.sebi.gov.in.
How does AxVeil handle RBI cyber security framework audits and SAR for banks and NBFCs?
Where the RBI submission requires a CERT-In empanelled signature (the cyber security framework for SCBs, the cyber resilience baseline for UCBs, the NBFC IT framework, the digital lending guidelines, the master direction on IT governance and the SAR), we deliver the technical work under sub-contract to an empanelled partner who signs the regulator-facing report — see /partners for the partner roster. For pre-audit readiness, ongoing offensive security on the production stack, evidence-pack design and retest closure on prior findings, AxVeil contracts directly. Reference: https://www.rbi.org.in.
Do you cover IRDAI cybersecurity guidelines for Mumbai insurance companies?
The formal IRDAI annual cyber audit submission requires a CERT-In empanelled audit firm. AxVeil delivers the technical engagement under sub-contract to an empanelled partner for the regulator-facing piece. AxVeil contracts directly for pre-audit readiness, ongoing offensive security, ISNP / web-aggregator security review and CISO reporting support. Reference: https://www.irdai.gov.in.
How do you handle SWIFT, NPCI and RTGS adjacent systems during a pentest?
Critical payment systems (SWIFT CSP, NPCI UPI, RTGS / NEFT) are tested under tightly scoped read-only or staging-only methodology with explicit RBI-aligned change controls. We never touch production payment rails without written authorisation and a rollback plan. SWIFT CSP attestation alignment is supported on request.
What is the DPDP Act exposure for a Mumbai BFSI entity?
Every Mumbai BFSI entity processes personal data of customers and is therefore a data fiduciary under the DPDP Act 2023, with penalties of up to INR 250 crore per instance for failure to safeguard personal data. Most large banks, AMCs and insurers will likely be designated Significant Data Fiduciaries (SDFs) requiring DPIA, DPO appointment and independent data audit. Reference: https://www.meity.gov.in.
Are you remote-first or do you come to BKC / Nariman Point offices?
Remote-first by default — testing, daily CISO digests and the readout call run over Teams / Zoom in IST hours. Engagements are served across Bandra Kurla Complex, Lower Parel, Nariman Point, Worli, Powai, Andheri East and Navi Mumbai. Onsite kick-offs for internal AD, treasury or trading-floor scopes are arranged on a per-engagement basis under your visitor-management policy.
BFSI in Mumbai? Test against the actual threat model.
Free 30-minute scoping call in IST. Direct delivery for fintech / insurtech advisory, foreign-bank India ops, DPDP and SOC 2 / ISO 27001 work; sub-contract via a CERT-In empanelled partner for formal RBI / SEBI / IRDAI submissions — across the BKC-Lower Parel-Nariman Point corridor.
Book Mumbai Scoping Call →