It's mid-2026, and your engineering team has shipped roughly 80 API changes since the last board meeting. Your annual penetration test, the one signed off in January, tested a product that no longer exists in production. The IBM Cost of a Data Breach Report 2024 puts the average Indian breach at INR 19.5 crore, and API or web-app vectors lead the initial-access patterns auditors now see.
That is the problem on every CISO's desk this quarter. If you sign the security budget for an Indian SaaS, fintech or regulated platform that ships APIs every sprint, the live question is no longer whether to run a penetration test. It is whether the annual external audit you already pay for is still a defensible control between board cycles. A single careless pull request can reintroduce a Broken Object Level Authorization flaw that no scanner catches, and your auditor will not accept "we trust the engineering team" as an answer for the minutes.
This guide answers the buyer-side questions: what to procure, what evidence regulators actually accept, how to price a continuous program against an in-house build, and how to defend the line item in front of the audit committee. It is the operating model Certbar Security has built across 1,200+ engagements as a CERT-In empanelled partner with delivery in India and the US.
Why annual API pentests now fail the audit committee test
Most Indian SaaS and fintech teams still procure API security as a once-a-year fixed-scope audit. The model breaks for a structural reason any CISO can defend in front of an audit committee: APIs change faster than the audit cycle. A typical mid-stage SaaS ships 40 to 120 endpoint or resolver changes a quarter, including new tenant scopes, fields, webhooks and internal admin endpoints. By the time the annual report lands, the threat surface tested is months stale.
The OWASP API Security Project's API Top 10 2023 reflects this reality. The top three categories carry the risk:
- API1:2023 Broken Object Level Authorization (BOLA)
- API2:2023 Broken Authentication
- API3:2023 Broken Object Property Level Authorization, which now absorbs mass assignment and excessive data exposure
These are logic flaws introduced by a single careless PR. They do not show up in SAST. They rarely show up in DAST. They only surface when a tester with two valid tenant accounts walks the object graph by hand.
The financial cost of getting this wrong is no longer abstract. The Optus 2022 breach in Australia, an unauthenticated REST endpoint exposing roughly 9.8 million customer records, is the canonical BOLA-adjacent case study, and Indian regulators now cite it in CERT-In advisories. An annual test would not have caught it. A continuous program scoped around authorization decisions across tenants would have.
The point is not to abandon the deep annual assessment. CERT-In empanelment requirements and SEBI CSCRF still expect one. The point is to wrap that annual artefact in a lighter, release-gated layer that prevents regressions between full audits. Boards that approved an annual line item alone are now being asked, in writing, what their assurance posture is between audits, and that question needs a real answer.
The breach math: what a BOLA regression actually costs an Indian SaaS
Procurement leaders ask two questions before signing a retainer: what does this prevent, and what does the prevention cost relative to the loss. The breach math for API authorization failures in India is unusually clean.
Start with the loss side. The IBM 2024 Indian average of INR 19.5 crore understates regulated-sector exposure. A fintech that loses payment instrument data triggers RBI reporting obligations, customer notification costs, card-network fines, forensic retainer fees, and a six-to-twelve-month sales freeze in enterprise channels while the SOC 2 letter is renegotiated. A SaaS that loses personal data triggers DPDPA 2023 Data Protection Board scrutiny, with penalties up to INR 250 crore per instance of significant non-compliance.
Add the indirect costs: churn on the largest accounts that insist on a post-incident security review, board-level distraction for two quarters, and the cyber insurance premium step-up at renewal. The realistic landed cost of a single BOLA regression sits between INR 8 crore and INR 60 crore.
Now the prevention side. A continuous API and GraphQL testing retainer for a mid-stage Indian SaaS or fintech typically runs INR 1.5 lakh to INR 6 lakh per month, depending on endpoint count, GraphQL surface and tenant count. Annualised, that is INR 18 lakh to INR 72 lakh, a fraction of the lower bound of the loss curve.
One BOLA finding caught in staging on a Tuesday afternoon is, by any reasonable cyber-insurance actuarial model, worth more than a year of retainer fees.
That math is why continuous penetration testing has shifted, in the last 24 months, from a security-team aspiration to a CFO-defensible line item. The cheap question, "can we afford continuous testing," has been replaced by the harder one: "can we afford to defend an annual-only program to the audit committee if a BOLA hits the news next quarter."
Build vs buy: in-house AppSec team or continuous pentest retainer
The build option, on paper, is to hire two to three senior application security engineers, license the tooling, and run testing in-house. The buy option is a retainer with a CERT-In empanelled partner. The decision is rarely about capability. It is about utilisation, regulator acceptance and time-to-coverage.
A senior AppSec engineer in India costs roughly INR 35 lakh to INR 70 lakh fully loaded. Two of them plus a lead is an INR 1.5 crore to INR 2.5 crore annual run-rate before tooling. The team will take six to nine months to build the harness, the two-tenant test data, the evidence templates and the GRC integrations. During that ramp, your regulator clock is still ticking.
Even after the build, internal teams are not CERT-In empanelled. SEBI CSCRF Annexure I and the RBI Master Direction on IT Governance (Nov 2023) expect a CERT-In empanelled auditor's sign-off on the periodic VAPT artefact. Your in-house team can do excellent work, but the audit committee still has to procure an external empanelled report. You end up paying twice.
The pragmatic pattern most Indian SaaS and fintech leaders are converging on has three legs:
- One internal AppSec engineer who owns the program, the threat model, the schema-diff job and vendor management.
- A continuous retainer with a CERT-In empanelled VAPT partner for per-release automation, monthly senior-tester reviews and the quarterly grey-box engagement.
- An annual deep assessment from the same partner, which doubles as the regulator artefact.
That hybrid costs less than a fully in-house team, produces regulator-grade evidence on day one, and keeps the internal hire focused on engineering uplift rather than writing test cases.
How to scope and price a continuous API testing program
Pricing varies because scope varies, but the variables are predictable. A clean scoping conversation should establish six numbers before any quote is exchanged: total documented REST endpoints, total GraphQL types and mutations, number of authentication roles, number of tenants in production, release cadence, and whether internal admin and partner APIs are in or out of scope.
The cadence model below is what we deploy at Indian SaaS and fintech clients shipping weekly or faster, and the one most retainer pricing is anchored to.
| Tier | Cadence | Effort | What it catches |
|---|---|---|---|
| Per-PR | Every merge | Under 5 minutes | Schema diff flags new endpoints, fields, scopes; SAST smoke layer |
| Per-release | Every release candidate | Under 60 minutes | OWASP API Top 10 2023 collection, two tenants and three roles |
| Monthly | Calendar | 1 to 2 days | Senior tester walks new attack surface, business logic, race conditions |
| Quarterly | Calendar | 5 to 10 days | Full grey-box engagement, refreshed threat model, board-ready brief |
| Annual | Calendar | 2 to 4 weeks | Independent re-audit, red-team simulation including APIs as a vector |
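The per-PR tier's schema-diff job is the cheapest control in the table, so it is worth seeing what it actually does. The script below is an added example, not Certbar's tooling or code from this article: it compares two OpenAPI documents (constructed inline, one standing in for `main` and one for the pull request), flags every new operation, new security scope and new schema property, and separates the additions that can merge on their own from the ones a tester should look at before release. The assumptions are that scopes come from operation-level `security` arrays with the spec-wide default as fallback, and that any new write verb, any path under `/admin`, any unauthenticated new operation and any new request property is worth a human look.

```python
"""Per-PR OpenAPI schema diff: surfaces new endpoints, scopes and fields.

Added example; the two specs below are constructed samples, not a real product.
"""
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "trace"}
WRITE_METHODS = {"post", "put", "patch", "delete"}

# Constructed sample: the spec currently on main.
BASE_SPEC = {
    "paths": {
        "/invoices/{id}": {"get": {"security": [{"oauth2": ["invoices:read"]}]}},
    },
    "components": {"schemas": {
        "Invoice": {"properties": {"id": {"type": "string"}, "amount": {"type": "number"}}},
    }},
}

# Constructed sample: the spec produced by the pull request under review.
PR_SPEC = {
    "paths": {
        "/invoices/{id}": {
            "get": {"security": [{"oauth2": ["invoices:read"]}]},
            "patch": {"security": [{"oauth2": ["invoices:write"]}]},   # new write verb
        },
        "/invoices/{id}/pdf": {"get": {"security": [{"oauth2": ["invoices:read"]}]}},
        "/admin/tenants": {"get": {"security": []}},                   # new, and no auth at all
    },
    "components": {"schemas": {
        "Invoice": {"properties": {
            "id": {"type": "string"},
            "amount": {"type": "number"},
            "discount_override": {"type": "number"},                    # new writable field
        }},
    }},
}


def _scopes(op, spec):
    """Scopes an operation requires; an absent `security` key inherits the spec default."""
    return {s for req in op.get("security", spec.get("security", []))
            for scopes in req.values() for s in scopes}


def diff_openapi(base, new):
    """Return (kind, detail) pairs for every attack-surface addition in `new` vs `base`."""
    findings = []
    base_paths, new_paths = base.get("paths", {}), new.get("paths", {})
    for path, item in new_paths.items():
        for method in sorted(set(item) & HTTP_METHODS):
            label = f"{method.upper()} {path}"
            new_scopes = _scopes(item[method], new)
            base_op = base_paths.get(path, {}).get(method)
            if base_op is None:
                findings.append(("new_operation", label))
                if not new_scopes:
                    findings.append(("unauthenticated", label))
                continue
            old_scopes = _scopes(base_op, base)
            for scope in sorted(new_scopes - old_scopes):
                findings.append(("new_scope", f"{label} now requires {scope}"))
            if old_scopes and not new_scopes:
                findings.append(("unauthenticated", label))
    base_schemas = base.get("components", {}).get("schemas", {})
    for name, schema in new.get("components", {}).get("schemas", {}).items():
        base_props = base_schemas.get(name, {}).get("properties", {})
        for prop in sorted(set(schema.get("properties", {})) - set(base_props)):
            findings.append(("new_property", f"{name}.{prop}"))
    return findings


def needs_manual_review(findings):
    """Subset the per-PR job should block on until a tester has looked at it."""
    flagged = []
    for kind, detail in findings:
        method = detail.split(" ", 1)[0].lower()
        if kind in ("unauthenticated", "new_scope", "new_property"):
            flagged.append((kind, detail))
        elif kind == "new_operation" and (method in WRITE_METHODS or "/admin" in detail):
            flagged.append((kind, detail))
    return flagged


if __name__ == "__main__":
    for kind, detail in diff_openapi(BASE_SPEC, PR_SPEC):
        print(f"{kind:16} {detail}")
    print("blocking:", needs_manual_review(diff_openapi(BASE_SPEC, PR_SPEC)))
```

In CI the two dicts would be loaded from the exported OpenAPI JSON on the base branch and on the PR head; the `needs_manual_review` list is what turns into a ticket for the monthly senior-tester review, while the rest is just logged. Note the `/admin/tenants` case: a new operation with an empty `security` array is exactly the kind of unauthenticated endpoint the Optus case study describes, and it is caught here before any tester touches it.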
At the per-release tier, you test the OWASP API Top 10 2023 mapped to authenticated, role-aware checks: BOLA across a two-tenant matrix, mass assignment fuzzing, BFLA on every write verb, unrestricted resource consumption, SSRF on URL-handling endpoints, security misconfiguration, shadow and zombie endpoints, and unsafe consumption of upstream APIs.
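The two-tenant, three-role matrix is the heart of the per-release tier, and it is easiest to understand as code. The block below is an added example, not Certbar's collection or anything from the article: it models a tiny invoice API with a deliberately vulnerable read handler (authenticated, but never comparing the object's tenant with the caller's, the BOLA pattern) beside its hardened form, and a write handler that checks tenant but not role (the BFLA pattern) beside its hardened form. The matrix functions then drive every tenant-and-role combination against every object and report each outcome that disagrees with the policy, in both directions. The store, the two tenants and the rule that viewers never write are constructed assumptions for the example.

```python
"""Two-tenant, three-role BOLA/BFLA matrix over a toy invoice API.

Added example with constructed data; the handlers stand in for real API routes.
"""
from dataclasses import dataclass
from itertools import product

TENANTS = ("tenant-a", "tenant-b")
ROLES = ("owner", "admin", "viewer")
WRITE_ROLES = {"owner", "admin"}        # assumed policy: viewers never hit write verbs


@dataclass(frozen=True)
class Principal:
    tenant: str
    role: str


class Forbidden(Exception):
    """Raised by a hardened handler when the authorization decision says no."""


# Constructed sample store: one invoice per tenant.
INVOICES = {
    "inv-1001": {"tenant": "tenant-a", "amount": 5200},
    "inv-2001": {"tenant": "tenant-b", "amount": 910},
}


def get_invoice_vulnerable(principal, invoice_id):
    # Caller is authenticated, but the object's tenant is never checked: BOLA.
    return INVOICES[invoice_id]


def get_invoice_hardened(principal, invoice_id):
    # Object-level check: the record must belong to the caller's tenant.
    invoice = INVOICES[invoice_id]
    if invoice["tenant"] != principal.tenant:
        raise Forbidden(f"{principal.tenant} may not read {invoice_id}")
    return invoice


def update_amount_vulnerable(principal, invoice_id, amount):
    # Tenant is checked, but any role reaches the write verb: BFLA.
    invoice = get_invoice_hardened(principal, invoice_id)
    return dict(invoice, amount=amount)     # returns a copy; the store is left untouched


def update_amount_hardened(principal, invoice_id, amount):
    # Function-level check on the write verb, then the object-level check.
    if principal.role not in WRITE_ROLES:
        raise Forbidden(f"role {principal.role} may not update invoices")
    invoice = get_invoice_hardened(principal, invoice_id)
    return dict(invoice, amount=amount)


def _allowed(handler, *args):
    try:
        handler(*args)
        return True
    except Forbidden:
        return False


def bola_matrix(read_handler):
    """Every principal reads every object. Returns (tenant, role, object) triples whose
    outcome disagrees with policy: cross-tenant reads that succeeded, or same-tenant
    reads that were wrongly refused (a regression of legitimate access)."""
    failures = []
    for (tenant, role), invoice_id in product(product(TENANTS, ROLES), INVOICES):
        expected = INVOICES[invoice_id]["tenant"] == tenant
        if _allowed(read_handler, Principal(tenant, role), invoice_id) != expected:
            failures.append((tenant, role, invoice_id))
    return failures


def bfla_matrix(write_handler):
    """Same matrix on a write verb: only same-tenant principals in WRITE_ROLES may succeed."""
    failures = []
    for (tenant, role), invoice_id in product(product(TENANTS, ROLES), INVOICES):
        expected = INVOICES[invoice_id]["tenant"] == tenant and role in WRITE_ROLES
        if _allowed(write_handler, Principal(tenant, role), invoice_id, 1) != expected:
            failures.append((tenant, role, invoice_id))
    return failures


if __name__ == "__main__":
    print("BOLA, vulnerable:", bola_matrix(get_invoice_vulnerable))
    print("BOLA, hardened:  ", bola_matrix(get_invoice_hardened))
    print("BFLA, vulnerable:", bfla_matrix(update_amount_vulnerable))
    print("BFLA, hardened:  ", bfla_matrix(update_amount_hardened))
```

Against a real deployment the handlers become HTTP calls made with each tenant's and role's own session, and the object list comes from the schema-diff job, so every new endpoint is exercised across the full matrix on the release candidate. The matrix reports both directions on purpose: a fix that blocks cross-tenant access but also breaks same-tenant access is a regression the per-release gate should catch just as loudly.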
GraphQL adds four risk classes that move too fast for annual coverage: introspection enabled in production, query depth and complexity abuse (we recommend max depth 7), alias-based batching, and field-level authorization gaps. Each check is a parameterised script your CI runs, not a sentence in a report. Pair the program with annual attack simulation and you have a defensible, two-layer assurance posture.
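Three of the four GraphQL risk classes (introspection, depth and alias-based batching) can be measured on the query text before it reaches the resolver, which is what a CI check or a gateway rule needs. The analyser below is an added example, not Certbar's check script or code from the article: it tokenises an operation with a small hand-written tokenizer (no `graphql-core` dependency), counts nested selection sets outside argument lists, counts `alias: field` pairs, and flags `__schema` or `__type` selections. Assumptions: depth is counted with root fields at depth 0, as most depth-limit middleware does; the maximum depth of 7 comes from the text; the alias cap of 10 is an assumed value; named fragments are not expanded, so a query that hides depth in fragments is not covered here.

```python
"""GraphQL query analyser for depth, alias batching and introspection.

Added example with constructed queries; no GraphQL library required.
"""
import re

MAX_DEPTH = 7        # recommended cap from the text
MAX_ALIASES = 10     # assumed cap on aliased fields per operation

# Comments, block strings, plain strings, names, structural punctuation, anything else.
_TOKEN = re.compile(r'#[^\n]*|"""[\s\S]*?"""|"(?:[^"\\]|\\.)*"|[A-Za-z_][A-Za-z0-9_]*|[{}():]|\S')
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*$")


def analyse_query(query):
    """Return depth, alias count, introspection flag and the list of policy violations."""
    tokens = [t for t in _TOKEN.findall(query) if not t.startswith("#")]
    brace_depth = paren_depth = max_brace = 0
    aliases = 0
    introspection = False
    for i, tok in enumerate(tokens):
        if tok == "(":
            paren_depth += 1
        elif tok == ")":
            paren_depth -= 1
        elif paren_depth:
            continue                      # braces inside argument lists are object literals
        elif tok == "{":
            brace_depth += 1
            max_brace = max(max_brace, brace_depth)
        elif tok == "}":
            brace_depth -= 1
        elif _IDENT.match(tok):
            if tok in ("__schema", "__type"):
                introspection = True
            # `alias: field` inside a selection set; a colon inside parentheses is an argument
            if brace_depth and i + 1 < len(tokens) and tokens[i + 1] == ":":
                aliases += 1
    depth = max(max_brace - 1, 0)         # root fields are depth 0
    violations = []
    if depth > MAX_DEPTH:
        violations.append(f"depth {depth} exceeds {MAX_DEPTH}")
    if aliases > MAX_ALIASES:
        violations.append(f"{aliases} aliased fields exceed {MAX_ALIASES}")
    if introspection:
        violations.append("introspection selection (__schema/__type) in production traffic")
    return {"depth": depth, "aliases": aliases, "introspection": introspection,
            "violations": violations}


# Constructed sample operations.
NORMAL = 'query Invoice($id: ID!) { invoice(id: $id) { id amount tenant { name } } }'
DEEP = "{ a { b { c { d { e { f { g { h { i } } } } } } } } }"
BATCH = "mutation { " + " ".join(
    f'l{i}: login(email: "u@example.test", code: "{i:04d}") {{ token }}' for i in range(12)
) + " }"
INTROSPECTION = "{ __schema { types { name } } }"


if __name__ == "__main__":
    for name, q in (("normal", NORMAL), ("deep", DEEP), ("batch", BATCH),
                    ("introspection", INTROSPECTION)):
        print(name, analyse_query(q))
```

The `BATCH` sample shows why alias counting matters: twelve aliased `login` mutations in one request is one HTTP call as far as a per-endpoint rate limit is concerned, so the cap has to be applied to the parsed operation, not to the connection. Run this over the operations your own clients send to pick a cap that never fires on legitimate traffic, then wire it in as the per-release check and as a gateway rule.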
Vendor selection: nine questions for a CERT-In empanelled API partner
The market is crowded and the labels overlap. The nine questions below are the ones our buyers report make the difference between a vendor that produces audit-ready evidence and one that produces a PDF you cannot defend.
- CERT-In empanelment. Ask for the current empanelment letter, valid through your engagement window. This is a hard gate for SEBI and RBI-regulated entities.
- Lead-tester credentials and continuity. Demand named, OSCP or equivalent certified leads, with a clause that staffing changes require written notice. The lead who scoped your engagement should sign the report.
- Two-tenant, multi-role test data. A vendor that cannot describe how they will provision and exercise two production-like tenants with three roles each cannot test BOLA or BFLA properly.
- GraphQL competence. Ask for a sample GraphQL finding covering introspection, depth, batching or field-level auth. If the team only shows REST findings, GraphQL is a gap.
- Evidence-pack format. A regulator-grade pack contains seven artefacts: finding record with CVSS 4.0 vector, reproduction script, 60-to-180-second PoC video, root-cause note, remediation guidance, dated retest artefact, and compliance mapping row. Confirm all seven before signing.
- GRC integration. JSON export to Jira, ServiceNow or your GRC platform is non-negotiable for a continuous program.
- India and global delivery footprint. If you sell to US and EU customers, your partner should have credible delivery on both sides. Certbar operates from India and the US precisely because cross-border buyer due-diligence asks for it.
- Retest included. Retests should sit inside the retainer, not as a change order. This is the single most common margin trap in the market.
- Indemnity and confidentiality. Mutual NDA, scoped indemnity, and a clear data-handling clause aligned to DPDPA 2023 Section 8.
Score every shortlisted vendor on these nine items and put the matrix in front of procurement. The cheapest line item is almost never the best-scoring one, and that is exactly the conversation you want to have with the CFO before signing.
Regulator readiness: DPDPA, RBI MD-ITG and SEBI CSCRF evidence your auditor will accept
Indian regulators have moved fast in the last 24 months. An API pentest report that does not map to specific control IDs forces your compliance team to do the translation imperfectly, and auditors will challenge it. The mapping below is what a continuous program should produce by default.
- DPDPA 2023 Section 8. The "reasonable security safeguards" obligation on every Data Fiduciary. BOLA and mass assignment findings map directly because they expose personal data to unauthorised principals. DPDP Act compliance consulting ties the evidence to your Section 8 narrative.
- RBI Master Direction on IT Governance (Nov 2023). Chapter VI on Information Security mandates application security testing, secure SDLC and vulnerability management. Continuous API testing evidences clauses on periodic testing, session controls and risk-based scoping.
- SEBI CSCRF (2024). Applies to all SEBI-regulated entities. Annexure I prescribes VAPT with defined frequency and CERT-In empanelled vendor requirements. A continuous program plus the annual deep assessment from the same empanelled partner satisfies it cleanly.
- ISO 27001:2022 Annex A.8.29. "Security testing in development and acceptance." A continuous program is the natural evidence; an annual report is borderline.
- SOC 2 CC7.1 and CC8.1. Change management and detection of anomalies. Per-release API testing directly evidences both.
- PCI DSS 4.0 Requirement 11.4.x. Penetration testing requirements for any in-scope cardholder data API. The 4.0 timelines are now mandatory.
For every finding, the report row should carry the control IDs above so your compliance team can lift the evidence into the next audit submission with zero re-work. The retest artefact, the same reproduction script re-run after the fix with timestamp, tester ID and result, is the artefact ISO 27001:2022 Annex A.8.29 auditors and SOC 2 CC7.1 reviewers ask for first. Pair this with 24/7 SOC monitoring and your assurance and detection stories line up under one narrative.
Board reporting: turning API findings into a quarterly risk narrative
A CISO who walks into the audit committee with a 120-page pentest report has lost the room. The board does not need findings. It needs a risk narrative tied to revenue, regulator exposure and remediation velocity. The four slides below are the ones that work consistently.
Slide one: posture trend. A single line chart of open high-severity API findings over the last four quarters, with the mean-time-to-remediate overlaid. Boards understand trends; they do not need raw counts.
Slide two: regulator alignment. One row per regulator (DPDPA, RBI MD-ITG, SEBI CSCRF, ISO 27001, SOC 2, PCI DSS 4.0) with status: evidenced, partial, gap. Continuous testing should keep every row in "evidenced" outside of newly introduced controls.
Slide three: top three residual risks. Three findings with the highest CVSS 4.0 scores still open past SLA, plain-language business impact, named owner and committed close date. This is the slide that drives accountability.
Slide four: spend versus loss avoidance. Retainer cost (INR 18 lakh to INR 72 lakh annualised) against the conservative loss curve (INR 8 crore floor on a regulated-sector BOLA breach). The ratio is the answer to the only question the audit committee actually wants to ask.
Behind those four slides sit the seven evidence artefacts and the OWASP, CWE and MITRE ATT&CK mappings. They never appear in the deck, but they sit in the appendix the regulator may request. A program that cannot produce both the board narrative and the audit appendix from the same engagement is incomplete. Layering AI risk assessment on top of the API program is now common for boards asking specifically about LLM-backed endpoints and agent APIs.
Decision criteria: when annual is enough vs when continuous is non-negotiable
Not every organisation needs a continuous program. The criteria below are the ones we walk buyers through on the first scoping call.
An annual pentest is defensible if all of these hold: your platform releases monthly or less often, your API surface is small and stable (under 50 endpoints, no GraphQL), you are not regulated by RBI or SEBI, and your enterprise customers do not require a current-quarter VAPT letter. Even then, the annual assessment should map findings to the controls listed above so the artefact is auditor-ready.
Continuous is non-negotiable if any one of the following is true:
- You release weekly or faster, or you run a CI/CD pipeline that merges to production on its own clock.
- You are RBI or SEBI regulated. The periodic testing and CERT-In empanelment requirements force a continuous posture once release cadence exceeds quarterly.
- You operate multi-tenant infrastructure with role-based access. Every new role or scope is a fresh BOLA and BFLA exposure surface.
- You expose a GraphQL endpoint to the internet. The four GraphQL-specific risk classes (introspection, depth, batching, field-level auth) move too fast for annual coverage.
- Your enterprise customers ask for an attestation letter dated within the last 90 days. That is now standard in US and EU procurement and increasingly common from Indian banking and insurance buyers.
- You have processed a DPDPA 2023 notification, a CERT-In incident report, or a near-miss in the last 18 months.
If you tick any one of those, the question is not whether to move to continuous. It is which partner to move with.
Annual API testing is a compliance artefact. Continuous API testing is a control. That distinction is the one the audit committee will ask you to defend in the next cycle, and the one Certbar Security has built across 1,200+ engagements as a CERT-In empanelled partner serving India and US clients. To scope a continuous API and GraphQL program against your release cadence, request a 30-minute call through our penetration testing services hub. We will share the OWASP API Top 10 2023 collection and a sample evidence pack on the first conversation.
Nirav Goti, Co-Founder & CEO at Certbar, leads R&D and delivery. With 7+ years in ethical hacking, he chairs SGCCI’s cybersecurity committee. A seasoned speaker, Nirav graduated in Computer Science, specializing in wireless communication, networking, and information security. Former roles include Professional Service Manager at HulkApps, Inc.