Penetration Testing in Gurugram · BFSI HQ & GCC
Adversary-simulation pentests for Gurugram BFSI HQs, insurers and 600+ GCC operations — Cyber City to Sohna, board-pack outputs.
How a Macksofy pentest engagement runs in Gurugram.
Gurugram penetration testing is shaped by two buyer realities that no other Indian metro matches at the same density. First, the BFSI head-office cluster — private-bank HQs in DLF Phase 3, insurer HQs in Udyog Vihar and Sushant Lok, fintech in DLF Phase 5 and the Sohna belt — runs annual adversary-simulation engagements alongside the regulator-format VAPT. Second, the global-capability-centre (GCC) layer — Deloitte, Accenture, KPMG, EY, Genpact, Concentrix, plus 600+ smaller captives — runs pentest engagements that must pass a US / UK / EU parent's procurement standard, not just an Indian regulator's. Macksofy delivers both, with separate playbooks and a single Gurugram-onsite cadence.
BFSI HQ pentests in Gurugram differ from those in Mumbai in three ways. First, the platform mix is heavier on Temenos T24, TCS BaNCS, Finacle and Flexcube than on RBI legacy mainframe systems — so privilege-escalation paths often run through the application-server layer (WebLogic, WebSphere, JBoss) and the database tier (Oracle EBS, Db2, SQL Server) rather than through the AD-and-mainframe-RACF combination. Second, the identity story is hybrid — on-premises Active Directory federated to Azure AD via AD Connect, often with a third-party privileged-access-management (PAM) layer (BeyondTrust, CyberArk, Delinea) that itself becomes a target. The third difference is regulator overlap — Gurugram-HQ insurers face IRDAI plus DPDP plus US-customer-driven HIPAA expectations when the parent or the reinsurer is US-based.
Adversary-simulation scoping at Gurugram BFSI HQs typically lands on one of four objective shapes. 'Silent domain admin by D+10' is the most common — the bank wants to know if its EDR and detection content catch the kill chain before a tier-0 asset is touched. 'Reach the SWIFT gateway with the parent-control-catalogue safe-harbour intact' is second. 'Compromise the privileged-access-management vault without rotating' is third. 'Move from a Gurugram desktop to a Mumbai BCP site jump host' is fourth (cross-metro engagements are surprisingly common — the bank wants to verify segmentation between the Gurugram HQ network and the Mumbai DR estate).
EDR-and-SIEM evasion is a Gurugram speciality because almost every HQ bank runs a tier-1 EDR stack — CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, Trellix — and a tier-1 SIEM (Splunk Enterprise Security, Sentinel, QRadar). Our Gurugram bench is calibrated to operate under modern EDR telemetry: AMSI patching, ETW patching, direct syscall invocation, in-process LDAP queries instead of remote AD lookups, and a deliberate slow-burn timing that gives the SOC's analytics fair warning. Every successful step is paired with the SIEM detection content the SOC would have needed to catch us.
Privileged-access-management compromise is a specific Gurugram BFSI capability. BeyondTrust, CyberArk and Delinea deployments in Gurugram-HQ banks are universally complex — credential vaults, session-recording, just-in-time elevation and break-glass workflows are all worth testing. We exercise the PAM admin path, the session-replay-and-credential-extraction path, the just-in-time bypass via approval-workflow timing, and the break-glass abuse path. PAM-vendor support contracts get notified ahead of testing per the engagement letter.
GCC pentests in Gurugram look very different. The scope is set by the US / UK / EU parent's information-security policy, not the Indian regulator's. Methodology defaults to NIST SP 800-115 v2 (US), CREST CHECK (UK) or TIBER-EU (EU) framework alignment. The report drops into the parent's third-party-risk-management tool (Archer, ServiceNow IRM, ProcessUnity) directly. Findings are written in the parent's preferred language — 'high' and 'critical' instead of 'red' and 'amber', NIST CSF references rather than RBI clauses. Most Gurugram GCCs run two pentests a year — one for the Indian regulator footprint and one for the parent's standard.
Cyber City and DLF Phase 3 procurement is unusual. Most engagements close through a CISO-and-board-cyber-committee-chair signoff with the head of internal audit copied, and a separate GC-signed engagement letter that handles trespass-and-deception, physical assessment indemnity and the parent-company-information-sharing waiver. Gurugram engagement letters typically also include a Haryana cyber-cell incident-coordination clause — if the engagement encounters genuinely actionable threat-actor activity during testing, the protocol with Haryana cyber-cell is pre-agreed. We have only triggered this clause twice in the last 24 months, but it is a Gurugram-specific requirement worth noting.
Onsite cadence is anchored by senior consultants from Mumbai BKC, who fly to IGI (Aerocity is the operating base for Macksofy in Delhi NCR) and drive to Gurugram in 45 minutes. Cyber City, Udyog Vihar and Golf Course Road are reachable within an hour of landing. DLF Phase 1-5, Sushant Lok and the Sohna fintech cluster are within 90 minutes. For multi-quarter engagements we maintain an embedded Gurugram lead consultant. Engagement length is typically 4-6 weeks with two onsite legs (kickoff and readout) and weekly remote stand-ups in between.
Five phases. Gurugram timeline.
Every Macksofy pentest engagement in Gurugram runs through the same phased protocol — adapted to Gurugram-specific procurement, regulator and delivery realities.
- Joint kickoff with CISO, internal-audit head and (for GCCs) the parent's regional CISO
- BFSI HQ vs GCC playbook selection — methodology defaults to RBI MD-ITGRC + adversary simulation for BFSI, NIST/CREST/TIBER for GCC
- Engagement letter — trespass-and-deception, physical assessment indemnity, Haryana cyber-cell incident-coordination clause
- PAM-vendor pre-notification (BeyondTrust / CyberArk / Delinea) per the agreed scope
- OSINT against Gurugram BFSI HQ staff and GCC parent footprint (LinkedIn, Bloomberg, Refinitiv)
- Spear-phish lure calibrated to the bank or GCC parent's quarterly news cycle
- Cyber City / Udyog Vihar / DLF tower-lobby tailgate where physical assessment is in scope
- Public-facing exploit-chain enumeration against Citrix NetScaler / Pulse / Fortinet / GlobalProtect edge
- AMSI and ETW patching on Windows endpoints under EDR telemetry
- Direct syscall invocation via Hell's Gate / Halo's Gate variants where SSDT hooking exists
- In-process LDAP queries with C2-side reconstruction (no remote AD MS-DRSR traffic)
- Slow-burn cadence calibrated to the bank's SIEM analytics window
- ADCS ESC1-ESC8 enumeration on the on-premises forest and AAD-Connect-side path
- Temenos T24 / TCS BaNCS / Finacle / Flexcube application-server and database-tier privilege paths
- BeyondTrust / CyberArk / Delinea session-replay, JIT-bypass and break-glass abuse paths
- Cross-metro Gurugram HQ ↔ Mumbai BCP segmentation testing where in scope
- BFSI report in RBI MD-ITGRC + IRDAI 2023 language, board-cyber-committee format
- GCC report drop-in to parent TPRM tool (Archer / ServiceNow IRM / ProcessUnity) in parent template
- EDR + SIEM detection content shipped as a deliverable with paired Sigma / SPL / KQL rules
- Quarterly trend narrative for the board-cyber-committee deck
Which Gurugram verticals we deliver pentests for.
Private bank HQs
DLF Phase 3 + Cyber City BFSI HQs — adversary-simulation against EDR / SIEM with board-cyber-committee outputs.
Insurance HQs
Udyog Vihar + Sushant Lok insurer HQs — claims-fraud and PAS-and-policy-admin objectives with IRDAI 2023 overlay.
Fintech & lending
DLF Phase 5 + Sohna fintech belt — partner-API and KYC-vendor objectives with RBI PA / NBFC clauses.
Consulting & Big-4
Cyber City Big-4 audit / consulting practices — internal-pentest of the consulting estate plus IP-protection objectives.
Global capability centres
600+ Gurugram GCCs — parent-policy-aligned pentest dropping directly into the parent's TPRM tool.
Travel & e-commerce HQs
Golf Course Road travel / e-commerce HQs — payment-stack, fraud and customer-data-exfil objectives.
The Gurugram deliverable pack.
Every Gurugram pentest engagement closes with the pack below — regulator-ready evidence, technical detail and board-readable summaries.
- Adversary-simulation report with kill-chain narrative and EDR / SIEM detection content paired per step
- BFSI HQ board-cyber-committee one-pager with quarterly trend
- GCC report drop-in to Archer / ServiceNow IRM / ProcessUnity in parent template
- PAM compromise narrative (BeyondTrust / CyberArk / Delinea) where in scope
- Sigma / Splunk SPL / Sentinel KQL detection content — 6-12 rules per engagement
- Cross-metro segmentation memo for Gurugram HQ ↔ Mumbai BCP scopes
- Free re-test of every Critical and High inside a 60-day window
- Joint SOC tabletop and follow-on retainer offer
A Gurugram pentest case study.
Adversary-simulation engagement — silent domain admin objective on the on-premises forest plus PAM-vault compromise path on a CyberArk deployment; 8-week engagement with three onsite legs (DLF Phase 3 kickoff, Udyog Vihar mid-review, Mumbai BCP segmentation leg)
Silent domain admin via ADCS ESC4 path closed pre-disclosure; CyberArk session-replay-and-credential-extraction path closed and the vault deployment hardened; 9 missed SIEM use-cases written into Splunk ES and adopted by the SOC inside two weeks; cross-metro segmentation memo flagged three legacy firewall rules between Gurugram HQ and Mumbai BCP that were retired in the next change window.
Rated 4.9 ★ from 612 client reviews.
“We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.”
“The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.”
“Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.”
Get a fixed-price proposal in 48 hours.
Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.
- CERT-In Empanelled
- EC-Council ATC · CompTIA Authorized
- 20,000+ professionals trained
- India + UAE engagements
