CERT-In Empanelled Pentesters in 2026: How to Choose + Cost Breakdown
Yash Goti
Jun 5, 2026 • 11 Min
Two years into DPDP Act enforcement and one year past the RBI cyber resilience update, "Are you CERT-In empanelled?" has stopped being a procurement nicety in India and become a deal-breaker.
If you're a CISO, founder, or compliance lead shortlisting a VAPT partner in 2026, this guide gives you what most vendor websites won't: how the empanelment actually works, what the ~150 currently-empanelled organizations differ on, real cost ranges by service type, and the red flags worth walking away from. We're writing this as a CERT-In empanelled firm ourselves — so where our perspective is biased, we'll say so.
What CERT-In empanelment actually means
CERT-In — the Indian Computer Emergency Response Team, under the Ministry of Electronics and Information Technology — maintains an empanelment program that certifies organizations to conduct information security audits. Empanelled firms appear on a public list that government bodies, regulated industries, and critical-infrastructure operators are required (or strongly encouraged) to procure from.
What empanelment confirms:
- The firm has demonstrated technical capability across the categories CERT-In tests for: network, web application, mobile application, cloud, and source code review.
- Lead auditors hold recognised certifications (commonly OSCP, CEH, CISSP, ISO 27001 LA).
- The firm has been assessed for documentation quality, methodology, and report sample submissions.
- The firm operates from India and meets data-handling requirements under Indian law.
What empanelment does not confirm:
- Engagement quality. Empanelment is a baseline — it does not differentiate a 200-engineer enterprise auditor from a 6-person boutique that out-pentests them on web apps.
- Sector fit. Empanelment is general; your fintech or healthcare-specific risk model is your own homework.
- Currency. Empanelment is valid for three years from the grant date, and the sample work a firm submitted to get listed may be several years old by the time you read the list.
Treat empanelment as a hard filter, then evaluate the empanelled vendors on the criteria below.
Why CERT-In empanelment now decides procurement
Four parallel pressures have made empanelment effectively mandatory for any India-facing buyer:
1. DPDP Act 2023 enforcement. Penalties up to ₹250 crore per breach. Data fiduciaries (most B2B SaaS, fintech, healthtech, edtech, and e-commerce companies operating in India) need demonstrable security audit evidence. CERT-In empanelment is the auditor-credential standard regulators look at first.
2. RBI cyber security framework updates. Scheduled commercial banks, NBFCs, payment aggregators, and payment system operators are required to commission annual VAPTs by CERT-In empanelled auditors. The 2025 NBFC scale-based regulation extended this to the upper layer.
3. SEBI Cyber Security and Cyber Resilience Framework (CSCRF). Stockbrokers, depository participants, AMCs, and regulated market infrastructure institutions need periodic security audits — CERT-In empanelment is the floor.
4. CERT-In's six-hour incident reporting mandate. In force since CERT-In's April 2022 directions. The buyer-side reality: within hours of an incident you are reporting to CERT-In and answering to your sector regulator, and your most recent security audit report is part of that conversation. A report from a non-empanelled auditor carries limited weight there.
If any of those four apply to you or your customers, "we used a great non-empanelled vendor" is a sentence that will end procurement.
How CERT-In empanelment is granted
Knowing the process helps you read between the lines of a vendor pitch.
Applicants submit (paraphrased from the CERT-In empanelment guidelines):
- Corporate documentation: incorporation, GST, tax filings, financial statements.
- Auditor credentials: CVs and certifications of the lead and supporting auditors. CERT-In looks for OSCP, CEH, CISSP, CISA, OSWE, OSCE, GPEN, and ISO 27001 LA.
- Methodology documentation: how the firm approaches network, application, mobile, cloud, and source code audits. Most firms reference OWASP, OSSTMM, PTES, NIST 800-115, and SANS Top 25.
- Sample reports for each category they want to be empanelled in.
- Infrastructure declarations: tooling, lab setup, secure storage of audit data.
- Demonstrated engagement history.
CERT-In reviews the submission, may request a technical demonstration, and grants empanelment for three years. Re-empanelment requires fresh sample reports and proof of continued engagement.
The signal hidden in this process: the sample reports submitted at empanelment are often years old. Always ask vendors for their most recent (anonymised) report — empanelment vintage is not engagement quality.
Eight criteria that separate empanelled firms
The current empanelment list runs roughly 150 organizations. Filter them with these eight criteria, in order:
1. Sectoral specialization. If you're a fintech, you want auditors who've handled UPI flows, PA/PG architectures, and RBI tokenisation. If you're a healthtech, ABDM compliance and HL7/FHIR knowledge matter. Generalists are fine for low-risk SaaS — specialists are worth their premium for regulated industries.
2. Methodology depth. Ask which methodologies they actually use and how. "OWASP Top 10" is table stakes; "OWASP ASVS Level 2 with manual business logic verification" is a different vendor. Push past the certifications page.
3. Sample reports — recent. Request two anonymised reports from engagements completed in the last 6 months. Look for: actual exploit chains documented (not just CVE references), business impact quantified per finding, and remediation guidance that a developer can act on. PDFs that look like CVSS-score spreadsheets in disguise are a leading indicator of automated-tool resale.
4. Manual versus automated split. The honest answer is "both, but here's how." Automated tools do the breadth (Nessus, Burp, Acunetix, ZAP). Manual testing does the depth (business logic, IDOR, broken auth flows, race conditions). Vendors who can't articulate the split are usually selling scanner output.
5. Engineer-to-engagement ratio. A boutique with 8 senior engineers running 20 concurrent engagements is doing junior-led work no matter what their pitch says. Ask for the named engineers who will be on your engagement, their certifications, and their utilisation.
6. Engagement model. A good engagement has a kick-off call, mid-engagement findings preview, draft-report walkthrough, and 90-day remediation support window. A bad engagement is one PDF dropped 14 days after access was granted.
7. Compliance reporting coverage. Ask whether the report can be produced in formats your auditor needs — RBI annexures, SEBI CSCRF mappings, ISO 27001 control mapping, SOC 2 evidence packages. Reformatting after delivery is painful.
8. Disclosure ethics. How does the firm handle vulnerabilities it discovers in third-party software during an engagement? A coordinated disclosure practice, and CVEs credited to its researchers, are strong positive signals about technical depth.
VAPT cost ranges in India: what you should actually budget
These are realistic 2026 ranges for engagements with established CERT-In empanelled firms. They assume English deliverables, India-based teams, and standard NDA terms. Specialist sectors (banking, healthcare under ABDM, critical infrastructure) typically sit at the upper end.
| Service | Typical range (INR) | Drivers of cost |
|---|---|---|
| Web application VAPT | ₹1.5L – ₹6L | Number of roles tested, authenticated user journeys, API surface, business logic complexity |
| Mobile application VAPT (single platform) | ₹1.5L – ₹4.5L | Static + dynamic + reverse engineering depth, OS versions covered |
| API security testing (standalone) | ₹1L – ₹4L | Endpoint count, authentication patterns, GraphQL vs REST |
| Network and infrastructure VAPT | ₹2L – ₹10L | IP count, internal vs external, segmentation testing scope |
| Cloud security audit (AWS / Azure / GCP) | ₹3L – ₹12L | Account count, IaC scope, IAM permissions review depth |
| Source code review | ₹2L – ₹15L+ | Lines of code, languages, scope of business logic review |
| Red team engagement | ₹8L – ₹35L | Initial access vector breadth, duration, physical / social engineering scope |
| Continuous PTaaS (annual) | ₹6L – ₹40L+ | Asset scope, retest frequency, dashboard / reporting tier |
Three things that will move you outside these ranges:
- Rush timelines (under 10 working days for a web app) typically add 25–40%.
- Heavily regulated sectors with audit-firm-as-buyer pricing dynamics (large banks, public listed companies) sit 30–60% above midpoint.
- Long-term retainers and PTaaS arrangements typically reduce per-engagement cost by 15–30% versus one-off engagements.
Anyone quoting under these floors should be asked, politely, what they're not doing.
Six red flags in CERT-In vendor pitches
1. "We use only automated tools — Nessus, Burp Pro, Acunetix." Empanelled or not, scanner-only engagements miss everything that makes a pentest a pentest: business logic flaws, chained vulnerabilities, IDOR, broken access control beyond simple horizontals, race conditions, and modern injection variants. If a vendor can't explain what they do manually, you're buying ScanReport-as-a-Service.
2. No retest in the engagement. Findings without retest are bug reports, not assurance. The contract should include verification of fixes within 30–60 days of report delivery — included, not as a paid upsell.
3. PDF-only delivery, no remediation call. Reports are the artefact. The remediation call is where engineers actually fix things. Vendors who deliver PDFs and disappear are optimising for engagement count, not customer outcomes.
4. Empanelled but no recent CVEs or published research. Empanelment is a licence; CVEs, advisories and conference talks are evidence of practising. A team that publishes findings in current software is demonstrably doing the work. A team with nothing public in three years is not necessarily idle (client work is confidential), but it has given you nothing to verify its depth with, so ask harder questions about who will actually test your systems.
5. "Yes, we cover everything" with no scoping conversation. Real pentesters scope. A vendor who quotes a number before understanding asset count, authenticated roles, environment access, and tech stack is either misquoting (you'll be re-scoped after PO) or doing a shallow engagement.
6. Subcontracting without disclosure. Some empanelled organizations subcontract to smaller firms or freelancers. That can be fine — if disclosed and the named engineers are credentialed. Hidden subcontracting is the most common reason "the engagement felt different from the pitch."
A 12-point RFP checklist for CERT-In VAPT vendors
When you send your RFP, ask each vendor for written responses to these. The answers, side by side, will sort the empanelled list faster than any sales call.
- Current CERT-In empanelment validity (start date, expiry).
- Empanelment categories your engagement falls under.
- Named engineers proposed for the engagement, with certifications and last three relevant engagements.
- Methodologies referenced, with brief mapping (e.g., "OWASP ASVS L2 + PTES + custom business-logic kit").
- Sample report from a similar engagement in the last 6 months (under NDA if needed).
- Engagement timeline with named milestones — kick-off, mid-review, draft, final, retest.
- Retest scope and turnaround included in price.
- Remediation support model post-report (calls, Slack, ticket review).
- Compliance reporting formats included (RBI, SEBI CSCRF, ISO 27001, SOC 2, PCI DSS).
- Data handling — where audit artefacts are stored, retention, destruction.
- Liability and insurance coverage.
- Three references from similarly-sized engagements in your sector.
Need a ready-to-send version? Download the PDF checklist + RFP scope template.
Frequently asked questions
Is CERT-In empanelment mandatory for all pentests in India?
Not literally. It is mandatory or strongly expected for: government and PSU procurement, banks and NBFCs under RBI cyber framework, SEBI-regulated entities under CSCRF, critical-information-infrastructure operators, and most data fiduciaries needing DPDP-grade audit evidence. For consumer SaaS startups not in regulated sectors, empanelment is a strong positive signal but not a strict requirement.
How long does a CERT-In compliant web application pentest take?
Most engagements run 10–20 working days end-to-end: scoping → access provisioning → testing → draft report → walkthrough → final report → retest. Expediting under 10 days is possible but usually compromises manual depth.
How often should we commission a VAPT?
Annually at minimum for compliance-driven buyers. Quarterly or continuous (PTaaS) for organizations with rapid release cycles or critical exposure. A fresh assessment after any major architecture change is non-negotiable.
Can the same firm do my SOC 2 audit and my CERT-In VAPT?
SOC 2 attestation must be performed by an independent licensed CPA firm; CERT-In empanelment does not substitute for it. They are separate engagements, often complementary, and a good CERT-In auditor will produce the SOC 2 evidence package alongside the VAPT report.
Is offshore (non-Indian) audit acceptable for Indian regulators?
For RBI / SEBI / CERT-In-mandated audits: no. The audit must be from a CERT-In empanelled organization, which by definition is India-based. For voluntary security improvement work, offshore is fine.
What's a realistic budget for a small fintech's first year?
A realistic 2026 budget for a Series-A fintech with web + iOS + Android + cloud + APIs: ₹15–25 lakh for the year, covering one comprehensive VAPT, two follow-up retests, and a SOC 2-aligned cloud security review.
Choosing well, then moving fast
The empanelled list is your starting point, not your shortlist. Filter aggressively on sectoral fit, methodology depth, and engineer quality — then move fast, because compliance windows close on calendar deadlines, not on procurement cycles.
If you're early in this evaluation and want a 30-minute scoping conversation — no obligation, just clarity on what your engagement should actually contain — book a slot with our team. We'll either be the right fit or tell you who is.