VAPT Services · CERT-In Empanelled
VAPT Services in India. CERT-In Empanelled. ISO 27001:2022 Certified.
Vulnerability Assessment & Penetration Testing for RBI, SEBI, IRDAI, DPDPA and CERT-In regulated entities. OSCP-led engineers, board-ready reports, retest included.
CERT-In Empanelled (Govt of India) · ISO 27001:2022 Certified · ISO 27701:2019 Privacy · SOC 2 Aligned
200+ pentests delivered · 50+ enterprise clients · 9+ yrs OSCP-led offensive ops · 2 offices (Surat + Mumbai)
What is VAPT?
Vulnerability Assessment & Penetration Testing (VAPT) combines automated scanning with hands-on exploitation by certified offensive engineers. Assessment finds vulnerabilities at scale; penetration testing proves which ones an attacker would actually weaponise against your business. Certbar runs VAPT for RBI / SEBI / IRDAI / DPDPA regulated entities and ships every report with the CERT-In Empanelled auditor sign-off your regulator expects.
Why CISOs in India pick Certbar for VAPT
CERT-In Empanelled auditor — sign-off accepted by RBI, SEBI, IRDAI, NPCI, and the Ministry of Electronics & IT.
ISO 27001:2022 + ISO 27701:2019 + SOC 2 aligned — your evidence package is ready when the report ships.
OSCP, OSCE, CRTO-certified offensive engineers — no juniors-only teams, zero outsourcing.
MITRE ATT&CK-mapped findings, retest included in scope, no surprise change-orders.
Two India offices (Surat HQ + Mumbai) — on-site engagements and weekly cadence calls in your timezone.
Trusted by Paytm, Kia, Meesho, Zapier, IBM, PayPal, Semrush, Opera, Dhiwise — Indian brand-name proof.
Trusted by enterprises across India
What we test
Eight pentest disciplines under one engagement
Web Application Pentest: OWASP Top 10, ASVS, business logic, auth, session, file upload chains.
Mobile App Pentest: iOS + Android, MASVS Level 2, IPC, keychain, biometric, root/jailbreak bypass.
API / REST + GraphQL: OWASP API Top 10, broken auth, BOLA, mass assignment, GraphQL-specific abuse.
Network Pentest: External + internal, perimeter, lateral movement, privilege escalation.
AWS / Azure / GCP: Cloud configuration audit + identity attack-path testing across providers.
Active Directory: Kerberoasting, AS-REP roasting, ACL abuse, BloodHound-driven path analysis.
IoT Device Pentest: Firmware reversing, protocol analysis, hardware interface attacks.
Thick-Client Pentest: Binary reversing, IPC, local privilege escalation, broken crypto, hardcoded secrets.
Methodology
Six steps from scoping to sign-off
01 Scoping & Threat Model
We document assets, user roles, abuse cases, data classifications, and the framework you report against. Output: signed SoW, no surprise change-orders.
02 Reconnaissance & Mapping
Attack-surface enumeration: subdomains, services, exposed endpoints, third-party integrations, leaked credentials, OSINT.
03 Vulnerability Discovery
Hybrid automated + manual probing across OWASP / MASVS / API Top 10 / MITRE ATT&CK. Findings triaged for false positives before exploitation.
04 Exploitation & Lateral Movement
Hands-on exploitation by OSCP-led engineers. Chain weaknesses to demonstrate the business impact a real attacker would achieve.
05 Reporting & Board Brief
Two artefacts: a board-ready brief in business language and a technical report mapped to OWASP, CWE, MITRE ATT&CK + your compliance framework.
06 Retest & Sign-off
One free retest included. Updated report reflecting closed findings, signed off by the testing lead.
Compliance
VAPT mapped to the framework you report against
Indian regulated entities don't need a generic pentest report — they need evidence aligned to RBI Cyber Security Framework, SEBI CSCRF, IRDAI cyber regulations, DPDPA, and CERT-In's audit format. Tell us which applies and the deliverable is shaped to it.
RBI Cyber Security Framework: Annual VAPT for banks/NBFCs/PPIs, mapped to RBI's master direction.
SEBI CSCRF: Cybersecurity & Cyber Resilience Framework for MIIs, brokers, exchanges.
IRDAI Cyber Regulations: Quarterly VAPT for insurers, with attested CERT-In Empanelled auditor sign-off.
DPDPA 2023: Data fiduciary security audit evidence + DPIA support.
ISO 27001:2022: A.8.29 (security testing) evidence package and risk-treatment narrative.
SOC 2 Type II: Penetration test letter + Common Criteria CC7.1/CC8.1 mapping.
Industries served
Delivered for regulated and unregulated sectors alike
Frequently asked
Questions buyers ask before signing
Is CERT-In Empanelment mandatory for Indian VAPT?
For government, PSU, RBI, SEBI, IRDAI, NPCI, and CERT-In-regulated entities, yes — empanelled auditor sign-off is required or strongly expected. For consumer SaaS startups not in regulated sectors, empanelment is a positive trust signal but not a strict requirement. Certbar is empanelled, so the audit evidence is regulator-accepted by default.
How long does a CERT-In compliant VAPT take?
10–20 working days end-to-end: scoping, access provisioning, testing, draft report, walkthrough, final report, and retest. Expediting under 10 days is possible but usually compromises manual depth.
How often should we commission a VAPT?
Annually at minimum for compliance-driven buyers (RBI / SEBI / DPDPA). Quarterly or continuous (PTaaS) for organisations with rapid release cycles or critical exposure. Testing after any major architecture change is non-negotiable.
Is a retest included in CERT-In VAPT scope?
Yes — one free retest per engagement once you remediate, with an updated report. Reports are issued with CERT-In Empanelled auditor sign-off accepted by RBI, SEBI, IRDAI, and Ministry of Electronics & IT.
Do you serve regulated entities (banks, NBFCs, insurers, brokers)?
Yes — our VAPT delivery is shaped for RBI Cyber Security Framework, SEBI CSCRF, IRDAI cyber regulations, and DPDPA 2023. Past delivery includes fintech, payments, BFSI, healthtech, and SaaS.
What's a realistic VAPT budget for an Indian fintech's first year?
A Series-A fintech with web + iOS + Android + cloud + APIs typically budgets ₹15–25 lakh for the year, covering one comprehensive VAPT, two follow-up retests, and a SOC 2-aligned cloud security review. Engagement-based pricing, no surprise change-orders.
Can the same firm do my SOC 2 audit and CERT-In VAPT?
SOC 2 attestation must be performed by an independent CPA firm — CERT-In empanelment doesn't substitute. They are separate engagements, often complementary. Certbar's CERT-In VAPT report doubles as your SOC 2 pen-test evidence (CC7.1 / CC8.1) when scoped accordingly.
Where will my report data be stored?
By default on Certbar India infrastructure. DPDPA-aligned data handling is baked in. For multinational entities we offer region-local storage on request.
Are findings mapped to MITRE ATT&CK and OWASP?
Yes. Every finding maps to OWASP Top 10 (or ASVS where appropriate), CWE, and MITRE ATT&CK technique IDs.
Ready to scope a pentest?
One call, signed SoW in 48 hours, draft report inside 5–7 business days for standard scope. No surprise change-orders.