Build a real channel with AxVeil
Four partner tracks built around how you already go to market — refer, resell, integrate, or partner with us as a CERT-In empanelled audit firm. Recurring commissions, white-label delivery, subcontract-delivery economics, and co-marketing that goes beyond a logo on a slide.
Partner tracks: 4
Recurring referral · 12 mo: 20%
Deal-registration protection: 90d
Apply to first deal: ~30d
Findings your customers can act on
Every engagement is led by a named senior operator with reproducible PoCs and remediation written for engineers. When you put your name on a report, you can defend it line by line.
Margins, not marketing fluff
Recurring 20% on referrals, tiered margin on resells, and quarterly Stripe Connect payouts. We publish the schedule before you sign, not after the first deal closes.
Reviewed every quarter
Quarterly business reviews track pipeline, certifications, and co-marketing. We invest in partners who invest back, with a clear path from referral to reseller as your business grows.
Built around how you already go to market
MSSP, reseller / VAR, technology alliance, or CERT-In subcontract — each motion maps to a partner track with economics published up front.
MSSP / managed delivery
→ Reseller
- Best fit: You run a SOC or managed-security practice and want continuous offensive testing baked into a retainer your customers already pay.
- The motion: AxVeil delivers the offensive layer (external + internal VAPT, attack-surface monitoring, retests) under your managed wrapper; you own the relationship, the SLA, and tier-one support.
- Economics: Tiered reseller margin on subscription + engagement revenue, increasing with quarterly volume.
Reseller / VAR
→ Reseller
- Best fit: You sell security tooling and services into a regional or vertical book of business and want a defendable pentest line in the catalogue.
- The motion: Package AxVeil into your own service catalogue with white-label PDF reports, joint scoping calls, and deal registration with 90-day first-mover protection.
- Economics: Silver / gold / platinum margin schedule, published before you sign — not after the first close.
Technology alliance
→ Technology
- Best fit: Your product (SIEM, ticketing, CI/CD, IdP, EDR) gets more useful paired with AxVeil scan data, findings, or evidence.
- The motion: Build a certified integration against documented APIs and webhook schemas, then ship it to a shared customer base via a joint integrations listing and co-authored launch content.
- Economics: No revenue share required — value accrues through mutual retention, joint pipeline, and co-marketing reach.
CERT-In empanelled subcontract
→ CERT-In Empaneled Audit Partner
- Best fit: You hold CERT-In empanelment and regulator-driven demand (RBI, SEBI, IRDAI, NPCI, MeitY) outpaces your internal bench during the Sep / Mar audit compression.
- The motion: AxVeil delivers operator-led VAPT under your empanelment; you retain the client relationship and the regulator-facing signature. AxVeil delivers, you sign.
- Economics: 60 / 40 split on the delivery fee, fixed in the subcontract MSA — no claw-backs, written non-solicit protecting your client.
Pick the track, see the deal
Referral Partner
20% recurring commission for 12 months on every paying customer you send our way.
Independent consultants, vCISOs, fractional security advisors, and agencies who recommend tooling but don't want billing or delivery overhead.
+ 20% recurring commission on Pro and Team subscriptions, paid for the first 12 months of each referred account.
+ A trackable referral link plus a partner dashboard for attribution, MRR, and payout history.
+ A short pitch deck, one-page solution brief, and a demo sandbox account you can show prospects directly.
+ Quarterly payouts via Stripe Connect (USD, INR, EUR, GBP) with self-serve invoicing.
· Honest positioning — sell us against what we actually do (no fabricated capability claims).
· Disclose the referral relationship to prospects per FTC and your local advertising rules.
· Pass a basic anti-fraud check and accept our partner code of conduct.
Reseller Partner
Margin-based reselling with white-label reports, joint scoping, and co-delivered engagements.
MSSPs, regional VARs, boutique pentest firms, and SI partners who want to package AxVeil into their own service catalogue.
+ Tiered margin (silver / gold / platinum) on subscription and engagement revenue, increasing with quarterly volume.
+ White-label PDF reports with your logo, brand colours, and executive summary template.
+ Deal registration with first-mover protection on net-new opportunities for 90 days.
+ Joint scoping calls, technical pre-sales support, and access to our internal Nuclei template library for custom checks.
+ Quarterly enablement workshops covering scanner internals, scoping, retest workflows, and report storytelling.
· A signed reseller agreement, MSA, and DPA covering customer data handling.
· At least two staff certified through our enablement programme before delivering on-platform engagements.
· Annual minimum revenue commitment (waived for first two quarters while you ramp).
· First-line support for your end customers, with escalation paths into our team.
Technology Partner
Build integrations — SIEM, ticketing, CI/CD, IdP, EDR — and ship them to a shared customer base.
Security and developer tooling vendors whose product becomes more useful when paired with AxVeil scan data, findings, or evidence.
+ API documentation, webhook schemas, sandbox tenants, and named engineering contacts during integration build.
+ Joint listing on a public integrations directory with logo, copy, and link-back to your product page.
+ Co-authored launch content (blog post, demo video) and a co-marketing slot in our quarterly newsletter.
+ Early access to upcoming API surfaces under NDA so your integration ships on day one of the public release.
· A working integration that passes our API style and security review (auth, rate limiting, error handling).
· Documented setup steps in your own product so mutual customers can self-serve the connection.
· A named technical contact for ongoing maintenance and a 30-day SLA on critical-bug fixes.
CERT-In Empaneled Audit Partner
Senior operator delivery for empanelled audit firms with deal flow exceeding delivery capacity. AxVeil delivers, you sign.
Small-to-mid CERT-In empanelled cybersecurity audit firms with regulator-driven demand (RBI, SEBI, IRDAI, NPCI, MeitY, STQC) outpacing internal bench, especially during the Sep / Mar audit compression cycles.
+ Senior operator delivery — OSCP + CEHv12, 4+ years frontline VAPT and red team delivery, 80+ engagements pre-AxVeil including 1000+ server enterprise estates and 100+ application portfolios for tier-one MENA banks plus government, shipping & logistics references.
+ Indian + MENA delivery experience — RBI / SEBI / IRDAI / NPCI familiarity on the Indian side, SAMA / CBUAE / QCB / CBO familiarity on the MENA side, methodology aligned to OWASP / NIST SP 800-115 / CREST / MITRE ATT&CK.
+ No client-poaching — written non-solicit clause covering the client and any subsidiaries for a defensible window post-engagement (typically 18–24 months). The relationship belongs to the empanelled prime.
+ Professional indemnity coverage on the AxVeil side — covers AxVeil's delivery scope so the prime's own PI doesn't shoulder the subcontract risk solo.
+ Evidence-pack discipline — timesheets, scope acceptance, retest sign-off and reproducible PoCs handed back to the prime in the format the regulator expects.
· You retain the client relationship, the formal audit signature on the regulator-facing report, the lead price quoted to the buyer, and 60% of the engagement revenue.
· AxVeil takes 40% of the delivery fee for the operator-led work, named in delivery (or anonymous as the prime requires), with case-study rights subject to written prime + buyer permission.
· A signed subcontract MSA with reasonable IP terms, no exclusivity, no requirement that AxVeil misrepresents itself as the prime's employee on regulator-facing communications.
· Background-verification of AxVeil personnel handled per the prime's policy (CV, credentials, police verification on request, signed personnel-disclosure form).
· Tooling sign-off by the prime before kickoff — AxVeil defaults to Burp Suite Pro, Nuclei, Nmap, Nessus, BloodHound, CrackMapExec, Impacket, MobSF, Frida, Objection but will conform to the prime's approved-tool list.
From application to first deal in roughly 30 days
Apply
Send us a short note via the form below — your tier of interest, target customer profile, and a sentence on why the fit makes sense. Expect a reply within 3 business days.
Discovery call
30-minute call to understand your business, validate fit, and answer commercial questions. We share commission terms or margin schedule and walk through the partner portal.
Paperwork & enablement
Mutual NDA, partner agreement, and (for resellers) MSA + DPA. In parallel, your team gets sandbox access and a kickoff enablement session covering positioning, scoping, and demos.
Go-live & first deal
We co-pitch your first one or two opportunities so you have a reference motion. From there you run independently with quarterly business reviews to track pipeline and unblock issues.
We help you close, not just sign you up
A partner program is only worth the margin if it helps you win deals. Here is what running an opportunity with AxVeil looks like end to end.
We join the technical call
A named senior operator hops on your prospect call to scope the engagement, answer methodology questions, and de-risk the technical sell. You stay the lead voice; we back you on depth.
Defensible scope, written down
Joint scoping produces a scope document the buyer's security team can sign off and the prime can defend — asset counts, test windows, rules of engagement, and retest terms, in plain language.
White-label reporting you can stand behind
Reproducible PoCs, engineer-readable remediation, and an executive summary template in your brand. When your name is on the report, you can defend every finding line by line.
Retests that keep the account warm
The free 30-day retest gives you a built-in reason to re-engage, prove remediation, and tee up the next cadence — turning a one-off pentest into a recurring security relationship.
Marketing motions that actually move pipeline
We run co-marketing as a programme, not a favour. Activities are scheduled in joint quarterly business reviews and tied to attributable outcomes.
Joint case studies
When a mutual customer agrees to be referenced, we co-author a case study with quotes from both teams and publish it on both sites with reciprocal backlinks.
Co-branded webinars
Quarterly webinars on shared themes (e.g. SOC 2 readiness, API security, attack-surface monitoring) with split speaking slots and shared lead routing.
Conference presence
We sponsor selected partner-led tracks at regional events (BSides, c0c0n, Nullcon, OWASP chapters) and offer co-branded booth presence where relevant.
Content syndication
Mutual blog cross-posting, newsletter mentions, and a quarterly partner spotlight in our customer newsletter — no pay-to-play, allocated by deal momentum.
Questions partners ask before signing
How fast do referral commissions get paid out?
Quarterly via Stripe Connect, in arrears. Commissions accrue the moment a referred account converts to a paid plan and continue for 12 months on every renewal during that window. Payouts are reconciled in the first week of January, April, July, and October, with self-serve invoicing through your partner dashboard.
Can resellers white-label both the platform and the engagement reports?
Reports yes — PDF deliverables ship with your logo, brand colours, and an executive summary template you control. The platform itself remains AxVeil-branded for end users; full white-label of the application surface is a custom enterprise arrangement reviewed case by case based on volume and certification status.
Is there deal protection between referral and reseller partners?
Yes. We operate a deal-registration system: the first partner to register a qualified opportunity holds first-mover protection for 90 days. If a second partner registers the same prospect, our partner team mediates based on registration timestamps, prior engagement evidence, and customer preference.
What does technology-partner integration review actually look like?
We schedule a one-hour technical review covering authentication (we expect OAuth or signed webhook payloads, never shared secrets), rate-limit handling, error semantics, and data minimisation. We also walk through your end-user setup flow to make sure mutual customers can self-serve. Most integrations pass review on the first or second pass.
How is the 60 / 40 subcontract split structured for CERT-In empaneled audit partners?
The empanelled prime quotes the buyer at the prime's lead price (the price paid by the bank, NBFC, insurer, MII, broker, MeitY procurement entity, etc.) and retains 60% of that engagement revenue. AxVeil receives 40% of the delivery fee for the operator-led technical work — VAPT, internal AD review, mobile + API testing, evidence-pack drafting, retest. Worked example: a ₹35L Tier-2 bank scope billed by the prime at the prime's lead price → prime retains ₹21L (covers the regulator-facing accountability, client management, audit-committee briefing, signed-report liability and PI cover on the prime side); AxVeil receives ₹14L for the delivery effort (covers operator days, tooling, retest discipline and AxVeil's own PI cover on the subcontract). The split is fixed in the subcontract MSA — no hidden carve-outs, no claw-back clauses tied to follow-on work. Larger programmes (₹80L+ Tier-1 bank scopes, ₹150L+ MII multi-quarter programmes) preserve the same 60 / 40 structure.
What about non-solicitation, IP ownership and follow-on work between AxVeil and the empanelled prime?
Non-solicitation: AxVeil signs a written non-solicit clause covering the prime's client and any subsidiaries for a defensible window post-engagement — typically 18 to 24 months — which means AxVeil does not approach the buyer directly during that window for any work that would compete with the prime's relationship. The relationship belongs to the prime. IP ownership: AxVeil retains rights to its proprietary tooling, custom Nuclei templates, internal methodology and detection content; the prime owns the regulator-facing report and the client-specific evidence pack; client data is handled per the prime's NDA with the buyer (which flows down to AxVeil's NDA with the prime). Follow-on work: if the buyer subsequently asks AxVeil directly for a non-empanelment-gated engagement (DPDP advisory, SOC 2 / ISO 27001 work, MENA group entity, foreign-HQ India ops outside the original scope), the standard pattern is referral back to the prime first; if the prime declines or the scope is structurally outside the prime's offering, the deal is fair game subject to the non-solicit window expiring.
Can AxVeil be named in delivery, or does the prime require anonymity?
Either works — the prime sets the policy. The default for most CERT-In empanelled primes is that AxVeil is named in delivery as the technical sub-contractor (operator name on the kickoff document, in the methodology section of the report, and in any internal client-facing project documentation), but the regulator-facing title-page signature is the prime's. Some primes prefer full anonymity on regulator-facing material, in which case AxVeil delivers under the prime's brand and methodology pack with no AxVeil mention on the buyer-facing artefacts. Case-study rights are always subject to written permission from both the prime and the buyer; AxVeil does not publish references without that permission. Either approach is fine — the subcontract MSA names the policy at signing so there are no surprises after kickoff.
Tell us about your business
Fill in the fields below — they pre-populate an email to our partner team. We reply within 3 business days. Prefer to circulate internally first? Grab the one-pager.