VAPT Services in Pune
Pune is India's most concentrated manufacturing-plus-IT corridor. The Chakan, Talegaon, Pimpri-Chinchwad and Ranjangaon MIDC industrial belts host Tata Motors, Bajaj Auto, Mahindra, Volkswagen, Mercedes-Benz, Bharat Forge, Cummins and the wider tier-1 automotive supplier estate — IEC 62443-relevant OT / ICS surface at Indian scale. Hinjewadi, Magarpatta and Kharadi run the IT corridor — Infosys, TCS, Wipro, Persistent, KPIT, Tata Technologies, Bajaj Auto Connected Mobility and the deep-vertical automotive-software cohort that ships ECU code, telematics and OTA platforms to OEMs in Europe and North America. Pune is the only city in India where ISO/SAE 21434, TISAX and IEC 62443 all show up in the same buyer conversation.
AxVeil's Pune practice contracts directly for: OT / ICS pentesting at auto OEM and tier-1 plants under IEC 62443 with explicit safety-preserving rules of engagement; ISO/SAE 21434 + UN R155 CSMS-aligned, ATO-supporting penetration testing of connected-vehicle telematics and OTA back-ends; TISAX readiness for automotive-software and component-engineering buyers cascaded by European OEMs; SOC 2 Type II and ISO 27001:2022 work for Hinjewadi / Magarpatta / Kharadi SaaS and GCC engineering teams shipping to US enterprise procurement; and DPDP Act 2023 work across the lot. For CERT-In mandated audits we partner with empanelled firms — see /partners. The empanelled firm holds the buyer paper and signs the regulator submission; AxVeil does the operator-led technical work behind it.
AxVeil tests Pune OT / ICS environments under explicit safety-preserving rules of engagement — production PLCs and safety-instrumented systems are never directly tested, only network-passive enumeration on production and active testing against staging / read-only mirrors. AxVeil LLP is not currently on the CERT-In Information Security Auditor empanelment list. For CERT-In mandated audits we partner with empanelled firms — see /partners. For private manufacturing OT / ICS, automotive software (ISO 21434 / TISAX), connected-vehicle work, Hinjewadi SaaS, DPDP Act 2023 and SOC 2 / ISO 27001 driver engagements, AxVeil contracts directly. The contracting path is named in the proposal.
Why Pune is two threat surfaces in one
A Pune auto OEM with a Hinjewadi engineering centre and a Chakan plant carries an OT threat model (IEC 62443, Purdue model, IT-OT bridge, safety-instrumented systems) and an IT threat model (ISO/SAE 21434 cybersecurity engineering, TISAX VDA-ISA, SOC 2 / ISO 27001 for the SaaS layer, DPDP Act over driver data) simultaneously. Treating each as a separate audit is how findings get lost across the plant gate; treating them as one cyber-resilience surface is how you actually reduce risk on a connected vehicle shipping over OTA from Hinjewadi to a customer in Berlin.
AxVeil's Pune engagements cross-map findings across the IT-OT-CSMS stack — one critical finding generates one fix, not three parallel remediation streams. Cross-links: see /industries/bfsi for adjacent automotive-captive BFSI patterns, and sibling India locations /locations/mumbai and /locations/bengaluru.
OT / ICS VAPT (manufacturing)
IEC 62443-aligned OT / ICS penetration testing for Pune auto OEMs and tier-1 suppliers across Chakan, Talegaon, Pimpri-Chinchwad and Ranjangaon MIDC — Purdue model segmentation, PLC / SCADA exposure, IT-OT bridge security and safety-instrumented-system isolation.
Automotive & Connected-Vehicle Red Team
ISO/SAE 21434 + UN R155 CSMS-aligned cybersecurity testing for connected-vehicle telematics, OTA platforms, in-vehicle gateways and EV charging back-ends — relevant to Pune-headquartered OEMs (Tata Motors, Bajaj Auto, Mahindra) and EV cohort.
Hinjewadi SaaS Compliance
SOC 2 Type II, ISO 27001:2022, DPDP Act 2023 and TISAX evidence packs for Hinjewadi / Magarpatta / Kharadi SaaS, GCC engineering and automotive-software platforms shipping to OEM customers in Europe and North America.
AdSim
Continuous purple-team simulation against Pune production OT and IT stacks with detection-engineering output for in-house SOC and OEM / tier-1 cyber-security operations — tuned for ransomware crews active against Indian manufacturing.
Pune regulators and frameworks we map every report to
IEC 62443 — Industrial Automation Control Systems Security
www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards
The reference standard for OT / ICS cybersecurity in Pune manufacturing — Chakan, Talegaon, Pimpri-Chinchwad and Ranjangaon MIDC plants. Zone-and-conduit modelling, security levels SL1-SL4 and asset-owner / system-integrator / product-supplier role mapping. AxVeil scopes IEC 62443-aligned OT VAPT directly.
ISO/SAE 21434 + UN R155 CSMS
www.iso.org/standard/70918.html
Road vehicle cybersecurity engineering and Cyber Security Management System type-approval requirements. Mandatory for OEMs selling type-approved vehicles into UNECE markets. AxVeil scopes ATO (Automotive Type Approval) supporting penetration testing of connected-vehicle telematics, OTA, in-vehicle gateways and back-end PKI directly.
MeitY — DPDP Act 2023 (direct)
www.meity.gov.in
Pune SaaS firms, automotive-software platforms and connected-vehicle telematics processing Indian-resident driver / vehicle data are Data Fiduciaries under the DPDP Act. Penalties up to INR 250 crore per instance. AxVeil contracts directly.
CERT-In — 6-hour Reporting (direct playbook)
www.cert-in.org.in
April 2022 directions: 20 categories of cyber incidents must be reported within 6 hours; logs retained 180 days inside India. Applies to every Pune enterprise, plant and SaaS firm regardless of empanelment status of the audit firm. AxVeil engagements include the IR runbook directly.
TISAX — Trusted Information Security Assessment Exchange
portal.enx.com/en-US/TISAX
The German VDA-anchored automotive supply-chain assessment that European OEMs (VW, BMW, Daimler, Stellantis) cascade to Indian tier-1 and tier-2 suppliers. AxVeil scopes TISAX assessment-level (AL1 / AL2 / AL3) readiness directly for Pune automotive-software and component-engineering buyers.
ISO 27001:2022
www.iso.org
ISMS certification baseline asked for by OEM and Tier-1 customers and government-adjacent procurement. Stage-1 / stage-2 audit prep, Statement of Applicability evidence and operating-effectiveness sampling supported.
18-day Pune OT + IT engagement timeline
Scoping call with CISO + plant IT / OT engineering head. Confirm contracting path — direct (OT / ICS, automotive, connected-vehicle, Hinjewadi SaaS, DPDP, SOC 2 / ISO 27001 / TISAX) or sub-contract via CERT-In empanelled partner for any tender naming an empanelled auditor. NDA + DPA signed under Maharashtra jurisdiction. Plant safety + change-control window locked.
Recon + threat-modelling against your stack — Purdue model walk-through, OT asset inventory (PLCs, SCADA, HMIs, historians), IT-OT bridge inventory, in-vehicle gateway / telematics architecture for connected-vehicle scopes, Hinjewadi SaaS surfaces where applicable.
Active VAPT — IT-side web / API / cloud first; OT-side network-passive enumeration, segmentation verification, IT-OT bridge testing only against staging or read-only mirrors. Production PLCs and safety-instrumented systems never directly tested. Daily CISO + plant-IT digest.
Connected-vehicle scopes: telematics back-end, OTA, in-vehicle gateway against staging vehicles, PKI / certificate management. ATO supporting evidence collated. TISAX scopes: control-set walk-through and information-protection assessment per VDA-ISA.
Reports issued — IEC 62443 zone / conduit model, ISO 21434 cybersecurity-case evidence, TISAX gap pack and (where applicable) DPDP / SOC 2 / ISO 27001 cross-references. Plant readout in IST with engineering, OT and (for automotive) OEM-facing CSMS owner.
Sample Pune engagements (indicative)
Chakan tier-1 auto supplier — IEC 62443 IT-OT bridge VAPT
Indicative engagement: a Chakan tier-1 automotive supplier commissions an IEC 62443-aligned IT-OT bridge VAPT across two plant facilities. Scope: Purdue model zone-and-conduit walk-through, IT-OT bridge segmentation verification, network-passive PLC / SCADA enumeration on production, active testing against the OT staging mirror, OEM-mandated TISAX gap pack. Deliverable: IEC 62443 SL-mapped findings, segmentation-hardening plan, TISAX AL2 readiness pack. Pattern available on request under NDA.
Pune-HQ OEM — ISO 21434 ATO-supporting telematics + OTA pentest
Indicative engagement: a Pune-headquartered OEM commissions an ISO/SAE 21434-aligned cybersecurity-case engagement to support UN R155 type approval for a connected EV platform. Scope: in-vehicle gateway (staging vehicle), telematics back-end, OTA signing infrastructure, back-end PKI, mobile companion app, dealer-portal integration. Deliverable: cybersecurity-case evidence, ATO-supporting penetration test report, CSMS gap notes for the OEM's type-approval submission. Pattern available on request under NDA.
Hinjewadi automotive-software SaaS — SOC 2 + TISAX readiness
Indicative engagement: a Hinjewadi-based automotive-software SaaS commissions a window-period pentest under TSC CC7.1 / CC8.1 paired with TISAX AL2 readiness ahead of a German OEM onboarding. Scope: multi-tenant web app, fleet-management APIs, customer mobile app, AWS IAM, multi-tenancy isolation, VDA-ISA control walk-through. Deliverable: SOC 2 evidence pack, TISAX gap pack with evidence references, DPDP Act gap notes. Pattern available on request under NDA.
Pune FAQ
Can you test OT / ICS at a Chakan or Talegaon plant without breaking production?
Yes — directly. OT / ICS testing at Pune manufacturing plants (Chakan, Talegaon, Pimpri-Chinchwad, Ranjangaon MIDC) is scoped under explicit safety-preserving rules of engagement. Production PLCs and safety-instrumented systems are never directly tested — we run network-passive enumeration on production, segmentation verification across the IT-OT bridge, and active testing only against staging or read-only mirror environments. The Purdue model zone-and-conduit map is the contract; nothing crosses a conduit without written authorisation and a rollback plan. Reports are aligned to IEC 62443 SL1-SL4 with explicit asset-owner / system-integrator role mapping. Reference: https://www.isa.org.
Do you support ISO/SAE 21434 ATO and UN R155 CSMS for Pune-HQ OEMs?
Yes — directly. ISO/SAE 21434 cybersecurity engineering and UN R155 Cyber Security Management System type-approval testing for connected-vehicle telematics, OTA platforms, in-vehicle gateways and back-end PKI. Pune-headquartered OEMs (Tata Motors, Bajaj Auto, Mahindra) and the EV cohort selling type-approved vehicles into UNECE markets must demonstrate a working CSMS with documented cybersecurity activities across the vehicle lifecycle. AxVeil delivers ATO-supporting penetration testing and cybersecurity-case evidence directly under MSA. Reference: https://www.iso.org/standard/70918.html.
What is TISAX and do you deliver it for automotive-software suppliers?
TISAX (Trusted Information Security Assessment Exchange) is the German VDA-anchored automotive supply-chain assessment that European OEMs — VW, BMW, Daimler / Mercedes-Benz, Stellantis — cascade to Indian tier-1 and tier-2 suppliers. Assessment levels are AL1 (self-assessment), AL2 (plausibility check) and AL3 (on-site audit). AxVeil scopes TISAX readiness directly — VDA-ISA control walk-through, evidence pack, gap remediation and audit prep — for Pune automotive-software and component-engineering buyers. The formal AL2 / AL3 assessment is performed by an ENX-approved audit provider; AxVeil delivers the readiness layer beneath it.
Is AxVeil empanelled by CERT-In?
No. AxVeil LLP is a young Indian entity and is not currently on the CERT-In Information Security Auditor empanelment list. For CERT-In mandated audits we partner with empanelled firms — see /partners. For Pune auto OEM OT / ICS testing, automotive software (ISO 21434 / TISAX), connected-vehicle telematics, Hinjewadi SaaS, DPDP Act 2023 work and SOC 2 / ISO 27001 driver engagements, AxVeil contracts directly. For Maharashtra State / PSU procurement and any tender naming a CERT-In empanelled auditor, AxVeil delivers under sub-contract to an empanelled partner who holds the buyer paper and signs the regulator submission. Reference: https://www.cert-in.org.in.
Are you remote-first or do you come to Chakan / Talegaon / Hinjewadi sites?
Remote-first for IT-side scopes — testing, daily digests and the readout call run over Teams / Zoom in IST hours. OT / ICS plant scopes require onsite kick-off at the plant gate — Chakan, Talegaon, Pimpri-Chinchwad, Ranjangaon MIDC — under the plant's visitor-management and safety-induction policy. Connected-vehicle in-vehicle gateway testing is scoped against staging vehicles either at the OEM's Pune engineering facility or shipped to a controlled lab. Hinjewadi / Magarpatta / Kharadi SaaS scopes are served remote-first with onsite kick-off on request.
Pune OT, automotive or Hinjewadi SaaS? Test against the actual threat model.
Free 30-minute scoping call in IST. Direct delivery for IEC 62443 OT / ICS, ISO 21434 connected-vehicle, TISAX, Hinjewadi SaaS and DPDP work; sub-contract via a CERT-In empanelled partner for Maharashtra State / PSU / MeitY tenders — see /partners.