CERT-In Empanelled Auditor List 2026: Verify Before You Sign

By Nirav Goti · Jun 16, 2026 · 12 min read

The official CERT-In empanelled auditor list 2026 is published as a single PDF on cert-in.org.in and updated whenever a firm is added, renewed, suspended or removed. Before you sign a VAPT purchase order, open that PDF, search for the vendor's legal name, and confirm the empanelment category, cycle dates and contact details match what the salesperson sent you. Anything else, including a Top-10 listicle, a directory site or a vendor's own "CERT-In approved" badge, is hearsay until you check the source.

Why "Top 10 CERT-In Auditor" Listicles Get You Burned

Search "CERT-In empanelled auditor list 2026" and the first page is dominated by marketing posts that rank vendors with no disclosed methodology. Most of those posts were written once, indexed, and never updated. CERT-In re-empanels firms in cycles, and the active list changes multiple times each year as new firms are added, others let their three-year cycle expire, and a smaller number are suspended for procedural breaches. A listicle published in January is already stale by April.

The buyer-side risk is concrete. If you award a VAPT engagement to a firm that lapsed two months before your audit, the report your CISO signs off cannot be cited in your RBI Cyber Security Framework SOC submission, your SEBI CSCRF filing, or your IRDAI cyber posture return. Several of those frameworks specifically require an audit conducted "by a CERT-In empanelled information security auditing organisation"; a lapsed or expired empanelment does not count. We have seen Indian banks fail RBI inspection cycles because the third-party VAPT report on their internet banking application was issued by a firm whose empanelment had silently expired between the SOW signature and the report delivery date.

There is also a geographic skew. Most listicles include the same five or six metro-based firms because those are the firms that run PR. The actual CERT-In PDF runs to roughly 200 organisations across Categories A through D, spread across more than twenty Indian cities. If your asset footprint is in Surat, Pune, Hyderabad or Coimbatore, a regionally co-located auditor will typically resolve incidents faster than a Bangalore name you found in a sponsored post. The fix is to stop trusting listicles and learn the 60-second lookup we walk through below; once it becomes muscle memory, every future RFP gets cleaner.

How CERT-In Empanelment Actually Works (Categories A-D, 3-Year Cycle)

CERT-In, the national nodal agency for cyber incidents under MeitY, runs the empanelment process under the IT Act, 2000 and the CERT-In Directions of 28 April 2022 under Section 70B(6). Empanelment is a three-year cycle. A firm applies, clears a documentary review, a capability assessment and a panel interview, and is then listed under one of four categories tied to the type of audit work it is qualified to deliver.

The four categories you will see in the PDF, in plain English:

  • Category A — Network and application security audits, including VAPT, secure code review and configuration audits. This is the category that matters for most enterprise web, mobile and API engagements.
  • Category B — ICS/OT and SCADA audits, for power, oil-and-gas, water, manufacturing and other critical sector control environments.
  • Category C — Wireless network security audits, covering Wi-Fi, RF and emerging wireless attack surface.
  • Category D — Compliance audits against ISO/IEC 27001:2022, PCI DSS 4.0, HIPAA and similar frameworks.

Each row in the PDF lists the firm name, address, the categories it holds, a primary contact, an empanelment effective-from date and a cycle-end date. Not every empanelled firm holds all four categories; a vendor pitching you a SCADA audit must specifically show Category B against its row. The current cycle for most firms runs into 2026 or 2027, but renewal can be delayed if the firm misses a documentation deadline or fails a re-assessment. Suspensions, when they happen, are listed in a separate notice on the same site and the firm's row is removed from the active PDF.

Two procedural facts buyers consistently miss. First, empanelment is awarded to the legal entity, not the brand. If the company you are talking to is a subsidiary or a re-branded spin-off, the parent's empanelment does not automatically transfer. Second, CERT-In's audit baseline requires that the named empanelled firm conduct the audit; sub-contracting to a non-empanelled partner is a procedural breach.

The 4-Step Verification Workflow Using the Official CERT-In PDF

This is the workflow our procurement counterparts use during every VAPT shortlist. It takes under a minute once you have done it twice.

  1. Pull the live PDF. Go to cert-in.org.in, navigate to the "Empanelled Information Security Auditing Organisations" page, and download the current PDF. Check the "last updated" date at the top of the document — it should be within the last 90 days. If the PDF you have is older than that, re-download.
  2. Search by exact legal name. Use Ctrl-F with the vendor's registered entity name (the one on the GST certificate they will share, not the marketing name). If the entity appears, confirm the address matches what they have given you. A Bangalore-registered entity claiming a Mumbai-empanelled status is a red flag.
  3. Confirm the category against your scope. Cross-check that the categories listed in their row include the audit you are buying. Buying a mobile app pentest? You need Category A. Buying an OT factory audit? You need Category B. A firm with only Category D (compliance) cannot legally deliver a CERT-In-recognised VAPT engagement.
  4. Verify the cycle-end date covers your report delivery date. If the empanelment expires on 31 March 2026 and your report is due 15 April 2026, the auditor must show renewal correspondence before you issue the PO. Empanelment renewal is not retroactive — the firm must be active on the date the report is signed.

If all four checks pass, capture a screenshot of the PDF row and attach it to your vendor onboarding file. That single artefact has saved more than one CISO from an awkward conversation during an RBI or SEBI inspection. We bake the same screenshot into the kickoff deck for every Certbar engagement, and we recommend buyers ask all shortlisted vendors to do the same.

Red Flags in Vendor Claims: Expired Cycles, Wrong Category, Sub-contracted Audits

The pattern of dishonest claims is consistent. Here are the four most common we see, all of which the four-step workflow above will catch within minutes.

The "CERT-In approved" badge with no row. Some firms put a CERT-In-style logo or shield on their website without ever having been empanelled. Others were empanelled in a past cycle (say, 2017–2020) and never renewed, but kept the badge live. The PDF row is the only legitimate proof; the badge is decoration.

Cycle expired, renewal "in process". A firm whose three-year cycle ended six months ago will sometimes claim they are "in renewal" and ask you to sign on the strength of that. CERT-In's own guidance is unambiguous — audits conducted by firms outside an active cycle are not recognised. If renewal is genuinely in process, ask for the CERT-In acknowledgement letter and a written commitment to defer report sign-off until renewal is complete.

Wrong category on the engagement. A Category D (compliance) firm pitching a VAPT engagement. A Category A (network and applications) firm pitching an ICS/OT audit. We have seen both, in live RFPs in 2025. The category mismatch usually shows up only when the report is challenged downstream by an internal audit committee or a regulator.

Sub-contracted to a non-empanelled partner. The brand name on the SOW is empanelled, but the actual hands-on-keyboard testers are contractors from a non-empanelled vendor. This violates CERT-In's empanelment terms and breaches several sectoral frameworks — including PCI DSS 4.0 Requirement 11.4.x, which requires qualified, independent testers, and SOC 2 CC7.1 / CC8.1, which require evidence of tester competence. Ask in writing whether the audit team is on the empanelled firm's payroll. Get the answer in email, not on a call.

None of these red flags requires expert technical knowledge to spot. Each one requires only a downloaded PDF and ten minutes of attention before signing.

Filtering by Region (Surat/Mumbai) and Sector Specialty

The PDF lists every empanelled firm with a physical address. That address matters more than the buyer-side market acknowledges, for three reasons.

First, regulatory response. If your bank or insurer is hit by an incident and CERT-In requires a forensic-grade audit within the six-hour reporting window mandated by the 2022 Directions, a regionally co-located firm can typically reach your data centre or branch the same day. A flown-in team from another metro burns 12 to 24 hours on logistics that you do not have.

Second, sector specialty signals. Surat-based empanelled firms — Certbar Security included — tend to over-index on diamond and textile export houses with sensitive ERP and EDI exposure. Mumbai-based firms over-index on BFSI and capital markets. Pune-based firms over-index on automotive OEM and Tier-1 supplier OT. Hyderabad-based firms over-index on pharma and life sciences with HIPAA §164.308(a)(8) obligations. Bangalore-based firms over-index on SaaS scale-ups. Reading the PDF with that lens narrows your shortlist faster than any analyst report.

Third, cost. Firms with primary operations in Tier-2 cities typically quote 20-35% below comparable Tier-1 metro firms for the same scope, with no difference in deliverable quality. Our own engagement data across 1,200+ projects since 2019 shows the report depth — OWASP+CWE+MITRE ATT&CK+compliance-framework mapping, board brief plus technical report — is determined by the OSCP-led testing methodology and not by the office postcode. Use the PDF address field as a procurement lever, not just a logistics detail.

The simplest filter: open the PDF, search for your nearest commercial centre, and you will see four to twelve empanelled firms within a two-hour drive. That is a credible regional shortlist with zero listicle bias.

Sample Verification: Walking Through a Live Auditor Lookup

Take a worked example. Assume a Mumbai-based fintech needs an annual VAPT on its public APIs and a parallel SOC 2 readiness review. The buyer has three vendor pitches in hand. Here is the sixty-second pass through each.

Vendor 1 — a Surat-based firm claiming Category A and Category D empanelment. Buyer opens the CERT-In PDF, searches the legal entity name, finds the row, confirms Surat address, sees Category A and Category D both listed, sees the cycle valid through mid-2027. Screenshot saved. Verification done in 40 seconds. Vendor passes.

Vendor 2 — a Bangalore-based firm claiming Category A. Buyer searches the legal entity name. No row. The marketing brand exists; the legal entity name on the GST certificate does not. The vendor is using a parent company's empanelment without legal entitlement. Verification done in 30 seconds. Vendor fails.

Vendor 3 — a Delhi-based firm claiming Category A and Category B empanelment. Buyer searches the entity name, finds the row, but the cycle-end date is 28 February 2026. The buyer's report is due 30 April 2026. The vendor has not produced renewal documentation. Verification flags amber: ask for the CERT-In renewal acknowledgement before issuing the PO. Conversation done in 90 seconds.

That is the value of the PDF-as-dataset approach. Three vendors, two-and-a-half minutes, all checks logged. We use the same workflow internally before subcontracting any niche work — for example, when a client asks for a wireless audit in a region where we partner with a Category C specialist, we verify the partner's row in the live PDF and attach the screenshot to the SOW.
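As an added example (this is not code from cert-in.org.in, CERT-In or Certbar), the following Python checker encodes the four-step workflow from the previous section and replays the three vendor pitches from the walkthrough above. It assumes the rows of the official PDF have already been extracted into a CSV with the columns `legal_name, city, categories, valid_from, valid_to`; the firm names, addresses and dates in the sample table are constructed for illustration, and the scope-to-category map follows the four categories described earlier.

```python
"""Hypothetical checker for the four-step CERT-In empanelment lookup.

Added example, not code from cert-in.org.in or Certbar. It assumes the
rows of the official PDF have already been extracted into CSV with the
columns below (for instance by copy-pasting the table); every firm name,
address and date here is constructed for illustration.
"""
import csv
import io
import re
from datetime import date, timedelta

# Constructed stand-in for the extracted PDF table (not real empanelled firms).
SAMPLE_PDF_ROWS_CSV = """legal_name,city,categories,valid_from,valid_to
Example Infosec Private Limited,Surat,A;D,2024-07-01,2027-06-30
Sample Controls Audit Pvt. Ltd.,Delhi,A;B,2023-03-01,2026-02-28
Demo Compliance Services LLP,Mumbai,D,2025-01-15,2028-01-14
"""

# Scope item -> CERT-In category, following the four categories described above.
CATEGORY_FOR_SCOPE = {
    "vapt": "A",
    "secure code review": "A",
    "ot/ics": "B",
    "wireless": "C",
    "compliance": "D",
}


def load_rows(csv_text):
    """Parse the extracted table into dicts with date objects and category sets."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "legal_name": r["legal_name"],
            "city": r["city"],
            "categories": set(r["categories"].split(";")),
            "valid_from": date.fromisoformat(r["valid_from"]),
            "valid_to": date.fromisoformat(r["valid_to"]),
        })
    return rows


def normalise_name(name):
    """Step 2: match on the registered entity name, tolerating only case,
    punctuation and spacing differences. Suffixes are kept on purpose so
    'X Pvt Ltd' and 'X LLP' remain different legal entities."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", name.casefold()).split())


def pdf_is_fresh(last_updated_iso, today_iso, max_age_days=90):
    """Step 1: the 'last updated' date on the downloaded PDF should be within 90 days."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_updated_iso)
    return age <= timedelta(days=max_age_days)


def verify_vendor(rows, legal_name, claimed_city, scope_items, report_due_iso):
    """Steps 2-4 for one vendor pitch. Returns (status, reasons) where status is
    'pass', 'amber' (renewal evidence needed before the PO) or 'fail'."""
    report_due = date.fromisoformat(report_due_iso)
    wanted = normalise_name(legal_name)
    matches = [r for r in rows if normalise_name(r["legal_name"]) == wanted]
    if not matches:
        return "fail", ["no row for this legal entity name in the PDF"]
    row = matches[0]
    reasons = []
    if row["city"].casefold() != claimed_city.casefold():
        reasons.append(f"PDF address is {row['city']}, vendor claims {claimed_city}")
    required = {CATEGORY_FOR_SCOPE[item] for item in scope_items}
    missing = required - row["categories"]
    if missing:
        reasons.append("row lacks category " + ", ".join(sorted(missing)))
    if reasons:
        return "fail", reasons
    if row["valid_to"] < report_due:
        return "amber", [f"cycle ends {row['valid_to']} before report due {report_due}; "
                         "obtain the CERT-In renewal acknowledgement before issuing the PO"]
    return "pass", [f"row found, categories {sorted(row['categories'])}, "
                    f"valid through {row['valid_to']}"]


def run_walkthrough():
    """Replay the three pitches from the walkthrough against the sample rows."""
    rows = load_rows(SAMPLE_PDF_ROWS_CSV)
    report_due = "2026-04-30"
    pitches = [
        ("Example Infosec Private Limited", "Surat", ["vapt", "compliance"]),
        ("Brandname Cyber Labs Pvt Ltd", "Bangalore", ["vapt"]),   # brand only, no row
        ("Sample Controls Audit Pvt Ltd", "Delhi", ["vapt", "ot/ics"]),
    ]
    return {name: verify_vendor(rows, name, city, scope, report_due)
            for name, city, scope in pitches}


if __name__ == "__main__":
    for name, (status, reasons) in run_walkthrough().items():
        print(f"{status.upper():5} {name}: {'; '.join(reasons)}")
```

The three outcomes mirror the walkthrough: the Surat firm passes, the Bangalore brand fails because its GST-registered entity name has no row, and the Delhi firm comes back amber because its cycle ends before the report due date. Name matching is deliberately strict about legal suffixes, since empanelment belongs to the legal entity and not the brand; the address and category checks are hard failures because the text treats both as red flags, while an expiring cycle is only a hold until renewal correspondence is produced.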

What to Put in Your RFP So Only Genuine Empanelled Firms Can Bid

The cleanest defence against bad bids is to encode the verification rules into the RFP itself. Here are the four clauses our procurement counterparts copy-paste into every cybersecurity RFP, and that we encourage buyers to add before they shortlist.

  • Mandatory empanelment evidence. "Bidder must provide a screenshot of the current CERT-In empanelled organisations PDF showing its legal entity name, address and current empanelment category, dated within 30 days of bid submission."
  • Cycle validity through report delivery. "Bidder's CERT-In empanelment must be valid through [report due date]. If the cycle expires before that date, bidder must submit the CERT-In renewal application acknowledgement and a contractual commitment to defer report sign-off until renewal is granted."
  • Category match to scope. "Bidder must hold the specific CERT-In category required for each scope item. For VAPT scope, Category A is required. For OT/ICS scope, Category B is required. Multi-category scopes require multi-category empanelment in the same legal entity."
  • No undisclosed sub-contracting. "All hands-on-keyboard testers must be employees of the empanelled legal entity or of a disclosed Category-matched empanelled partner. Bidder must list the named lead testers, their OSCP / OSWE / CRTP credentials and their CERT-In empanelment alignment in the bid response."

Add a fifth clause for sectors with extra weight: "Bidder must demonstrate experience with [your applicable framework — RBI Cyber Security Framework, SEBI CSCRF, IRDAI cyber regs, DPDPA 2023, ISO 27001:2022 Annex A.8.29, PCI DSS 4.0 11.4.x, HIPAA §164.308(a)(8), Essential Eight, IRAP]." That single line filters out generalist firms that have empanelment but no sector depth.

Five clauses, fifteen minutes of RFP editing, an entire class of vendor risk eliminated. We give the full clause library to any prospect who asks during a scoping call — it costs us nothing, and a cleaner market raises the bar for everyone.

Closing — Verify, Then Sign

The CERT-In empanelled auditor list is the only authoritative source for who can legally deliver a CERT-In-recognised audit in India in 2026. Listicles are marketing. Vendor badges are decoration. The PDF is law. Build the 60-second verification into every procurement cycle, encode the four RFP clauses into every cybersecurity tender, and the conversation moves from "who can we trust?" to "which of these verified firms is the best technical fit?" That is where it should have been all along.

If you want a second pair of eyes on a CERT-In vendor claim before you sign, or you want to run a verified empanelled audit across web, mobile, API, cloud or OT scope, talk to our team at Certbar VAPT services. We will share the live PDF row, the OSCP-credentialled lead tester names, and the OWASP+CWE+MITRE ATT&CK+compliance-framework mapping you need on day one. No badge, no listicle — just the row in the PDF and the report your regulator will accept.


Nirav Goti, Co-Founder & CEO at Certbar, leads R&D and delivery. With 7+ years in ethical hacking, he chairs SGCCI’s cybersecurity committee. A seasoned speaker, Nirav graduated in Computer Science, specializing in wireless communication, networking, and information security. Former roles include Professional Service Manager at HulkApps, Inc.


Frequently Asked Questions

The official list is published as a PDF at cert-in.org.in under the "Empanelled Information Security Auditing Organisations" section. It is updated multiple times a year as firms are added, renewed or suspended. Always download the live version rather than relying on a cached or third-party copy, and check the "last updated" date at the top of the document.