VAPT Services in Gurugram · BFSI HQs & GCCs
CERT-In empanelled VAPT for private-bank HQs, insurer GCCs and IT-services delivery centres across Cyber City, Cyberhub and Udyog Vihar.
How a Macksofy VAPT engagement runs in Gurugram.
Gurugram is the corporate headquarters city for India's largest private banks, every major insurer, the biggest fintechs (Paytm, PolicyBazaar, MakeMyTrip-group), and more than six hundred global capability centres anchored in DLF Cyber City Phase 1-5, DLF Cyberhub, Udyog Vihar, Sohna Road and Golf Course Road. The VAPT buyer is almost always a CISO sitting in a DLF Cyber City Phase 3 tower or a Golf Course Road HQ, answering simultaneously to an Indian regulator and an overseas parent's group cyber-risk function. Scopes have to satisfy both audiences in one report cycle or the engagement gets re-run six months later.
On private-bank HQ scopes we deliver VAPT on net-banking, treasury, payment-gateway, partner-API and core-banking estates with the same regulator-grade rigour we use in Mumbai BKC, plus parallel evidence packs aligned to NIST 800-53 rev 5, PCI-DSS v4.0.1, and the parent group's internal cyber-control catalogue (typically a derivative of ISO 27002 with the FFIEC Cyber Assessment Tool layered on top). RBI Master Direction on IT Governance (November 2023) and the RBI Cyber Security Framework Annex-1 close the regulator side; the parent group sees a NIST-CSF mapped crosswalk produced from the same evidence base.
For insurer HQs on Sohna Road and in DLF Cyber City — life, general and health — IRDAI Information & Cyber Security guidelines (April 2023) drive scope: claims-fraud paths, KYC-impersonation portals, agent-onboarding flows, the PAS authorisation matrix and the bancassurance API edge that sits between the insurer and its private-bank partners. Most Gurugram insurers also operate a parent-mandated GRC stack (Archer or MetricStream) and expect evidence drops into that platform on a defined cadence; we ship findings as both a regulator binder and an Archer-importable CSV.
For GCCs in Udyog Vihar, Sector 44, Sector 32 and Golf Course Road, scopes blend an internal-network pentest with a cloud-control review on the parent's AWS or Azure tenant. Most GCC production infrastructure sits offshore but the India-based engineering staff own build, release and break-glass admin access — so the privilege-path between Gurugram engineers and offshore production is the high-value attack surface. We test the BloodHound shortest-path from a Gurugram developer laptop to the parent's production AWS organisation, the ADCS template configuration (ESC1-ESC8) in the India-side AD, and the CI/CD trust chain (GitHub Actions OIDC, Azure DevOps service connections) between Gurugram repos and offshore deploy targets.
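As an added illustration of the CI/CD trust-chain point above (example code written for this page, not Macksofy's tooling), the script below audits the IAM role trust policy on the AWS side of a GitHub Actions OIDC federation. The weak policy trusts every repository in the organisation on every branch and never pins the token audience; the hardened one pins a single repository, a single branch and the `sts.amazonaws.com` audience. The account id, organisation and repository names are constructed placeholders.

```python
"""Audit AWS IAM trust policies that federate GitHub Actions through OIDC.

Added example, not Macksofy's tooling. Both policies are constructed samples;
the account id, organisation and repository names are placeholders.
"""
import json

GITHUB_ISSUER = "token.actions.githubusercontent.com"
AUD_KEY = f"{GITHUB_ISSUER}:aud"
SUB_KEY = f"{GITHUB_ISSUER}:sub"
EXPECTED_AUDIENCE = "sts.amazonaws.com"   # default audience of aws-actions/configure-aws-credentials
PROVIDER_ARN = f"arn:aws:iam::111122223333:oidc-provider/{GITHUB_ISSUER}"  # placeholder account

# Weak: any repo in the org, any branch, any audience.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {SUB_KEY: "repo:example-bank/*"}},
    }],
})

# Hardened: one repo, one branch, audience pinned.
HARDENED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            AUD_KEY: EXPECTED_AUDIENCE,
            SUB_KEY: "repo:example-bank/payments-api:ref:refs/heads/main",
        }},
    }],
})


def audit_github_oidc_trust(policy_json: str) -> list[str]:
    """Return one finding per weakness in the web-identity statements of a trust policy."""
    findings: list[str] = []
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, stmt in enumerate(statements):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        # Flatten Condition into key -> (operator, [values]) so each claim is checked once.
        conditions: dict[str, tuple[str, list[str]]] = {}
        for operator, pairs in stmt.get("Condition", {}).items():
            for key, value in pairs.items():
                conditions[key] = (operator, value if isinstance(value, list) else [value])
        if AUD_KEY not in conditions or conditions[AUD_KEY][1] != [EXPECTED_AUDIENCE]:
            findings.append(f"statement {i}: audience not pinned to {EXPECTED_AUDIENCE}")
        if SUB_KEY not in conditions:
            findings.append(f"statement {i}: no subject condition; any GitHub Actions workflow can assume this role")
            continue
        operator, subjects = conditions[SUB_KEY]
        for sub in subjects:
            if operator.endswith("StringLike") and any(ch in sub for ch in "*?"):
                findings.append(f"statement {i}: subject '{sub}' uses a wildcard; every matching repository and ref can assume this role")
            elif not sub.startswith("repo:") or not any(t in sub for t in (":ref:", ":environment:", ":pull_request")):
                findings.append(f"statement {i}: subject '{sub}' does not pin repository and branch, tag or environment")
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(label, audit_github_oidc_trust(policy) or ["no findings"])
```

The subject claim carries `repo:<org>/<repo>:ref:refs/heads/<branch>` for branch builds or `repo:<org>/<repo>:environment:<name>` for environment-gated jobs; the check accepts either, but treats a `StringLike` wildcard or an org-wide pattern as a finding, because it lets any repository the organisation's developers can push to mint credentials for the role. A custom audience is acceptable if the workflow sets it explicitly; change `EXPECTED_AUDIENCE` accordingly.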
Internal-network testing in Gurugram has to account for DLF Cyber City's multi-tenant office reality. 'Corporate LAN' frequently means a shared building backbone with cross-tenant L2 visibility that the bank's network team did not architect for. We run LLMNR/NBT-NS poisoning, IPv6 mitm6, SMB relay and ADCS-misconfig chains against the corporate segment, then explicitly document which findings sit inside the bank's perimeter and which are DLF-backbone artefacts the building-management contract has to resolve. That distinction matters because the audit committee will ask.
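The poisoning and relay chains named above succeed against hosts that still answer LLMNR and NBT-NS and accept unsigned SMB sessions, so the corresponding hardening settings are what the bank's network team should be able to evidence. The script below (an added example, not Macksofy's tooling) parses a constructed `reg export` of the relevant keys from a domain-joined workstation and reports every setting that is missing or not at the hardened value. The interface GUIDs in the sample are placeholders.

```python
"""Check registry-exported settings that neutralise LLMNR / NBT-NS poisoning and SMB relay.

Added example, not Macksofy's tooling. The export below is constructed; the NetBT
interface GUIDs are placeholders.
"""
import re

SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
"EnableMulticast"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"RequireSecuritySignature"=dword:00000000
"EnableSecuritySignature"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"RequireSecuritySignature"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{11111111-2222-3333-4444-555555555555}]
"NetbiosOptions"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{66666666-7777-8888-9999-000000000000}]
"NetbiosOptions"=dword:00000000
"""

KEY_LINE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')
HKLM = "HKEY_LOCAL_MACHINE"

# (key pattern, value name, hardened value, risk when not hardened)
CHECKS = [
    (re.escape(HKLM + r"\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient"), "EnableMulticast", 0,
     "LLMNR enabled: lookups that miss DNS fall back to multicast that any host on the segment can answer"),
    (re.escape(HKLM + r"\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"), "RequireSecuritySignature", 1,
     "SMB client signing not required: this host's outbound SMB authentication can be relayed"),
    (re.escape(HKLM + r"\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"), "RequireSecuritySignature", 1,
     "SMB server signing not required: this host accepts relayed authentication"),
    (re.escape(HKLM + r"\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_") + r"\{[0-9A-Fa-f-]+\}",
     "NetbiosOptions", 2,
     "NetBIOS over TCP/IP active on interface: NBT-NS name queries can be answered by any host on the segment"),
]


def parse_reg_export(text: str) -> dict[str, dict[str, int]]:
    """Parse [key] headers and REG_DWORD values; other value types are not needed here."""
    values: dict[str, dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_LINE.match(line):
            current = m.group(1)
            values.setdefault(current, {})
        elif current and (m := DWORD_LINE.match(line)):
            values[current][m.group(1)] = int(m.group(2), 16)
    return values


def audit_relay_hardening(reg_text: str) -> list[str]:
    """One finding per key/value that is absent or not at the hardened value."""
    export = parse_reg_export(reg_text)
    findings: list[str] = []
    for key_pattern, name, hardened, risk in CHECKS:
        pattern = re.compile("^" + key_pattern + "$", re.IGNORECASE)
        matched = [k for k in export if pattern.match(k)]
        if not matched:
            findings.append(f"{name}: key not in export, Windows default applies ({risk})")
            continue
        for key in matched:
            actual = export[key].get(name)
            if actual != hardened:
                shown = "absent" if actual is None else f"{actual:#x}"
                findings.append(f"{key}\\{name} = {shown}, expected {hardened:#x}: {risk}")
    return findings


if __name__ == "__main__":
    for finding in audit_relay_hardening(SAMPLE_REG_EXPORT):
        print(finding)
```

Run it against an export taken per host (or against the GPO-backed policy keys) and attach the output to the evidence binder alongside the finding it closes. The IPv6 takeover path the page names depends on DHCPv6 and WPAD behaviour rather than these keys, so it needs its own control evidence (host-firewall or switch-level DHCPv6 filtering).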
Onsite kickoff in Gurugram is next-day from Mumbai BKC — the BOM-DEL morning flight plus the Aerocity-to-Cyber-City drive lands the senior consultant at the client by 11am. For engagements that run beyond two weeks we stage a Delhi-resident lead consultant for the duration so onsite cadence is tight and the bank does not pay flight overhead on every sprint review. Procurement at Gurugram private banks usually runs through the CISO, the CRO and a board-level Cyber Risk Sub-Committee; the audit committee chair signs off on the SoW. Fintechs close faster — CTO + CFO is typical.
Most Gurugram private-bank engagements need stakeholder briefings across two time zones in the same week — the Indian board on Tuesday and the overseas parent's risk committee on Thursday. We build the engagement plan around that cadence and provide pre-read packs the CISO can forward without rework. The same VAPT also routinely feeds a TIBER-EU-style RFP cycle that the parent's group-cyber team is running for the next year's red team, so the evidence base is structured to be portable to that next engagement rather than locked in a one-off PDF.
Where the bank or insurer operates a PCI-DSS scope (card-personalisation, payment-gateway, hosted card-network connectivity), we layer in scope-reduction testing — segmentation validation against the CDE, tokenisation-vault separation and the network controls that justify a SAQ-D-Service-Provider vs SAQ-D-Merchant differentiation. The output reduces the recurring assessment cost in subsequent years, which the CFO notices more than the CISO does.
Five phases. Gurugram timeline.
Every Macksofy VAPT engagement in Gurugram runs through the same phased protocol — adapted to Gurugram-specific procurement, regulator and delivery realities.
- Crosswalk RBI MD-ITGRC / IRDAI / SEBI clauses against the parent's NIST 800-53 rev 5 control set
- Onsite kickoff at DLF Cyber City Phase 3 or Golf Course Road; two-time-zone stakeholder calendar locked
- PCI-DSS scope inventory if card-environment is in play — segmentation map and tokenisation-vault boundary
- Archer / MetricStream evidence-drop schema agreed with the bank's GRC team
- External attack surface mapping against the bank's TLD set plus the parent group's vanity domains
- Credential-leak harvesting against the bank's known SSO domains and DLF Cyber City vendor footprint
- Public-cloud account fingerprinting (AWS Mumbai/Singapore, Azure India South/Central, GCP asia-south1)
- Mobile-app reversing on the latest Play Store and App Store consumer builds
- LLMNR/NBT-NS poisoning, mitm6 IPv6 takeover and SMB relay on the corporate segment
- ADCS ESC1-ESC8 template enumeration with Certipy; BloodHound shortest-path to Domain Admin
- Kerberoasting, AS-REP roasting and Kerberos delegation (RBCD, S4U2Self/S4U2Proxy) abuse
- Privilege-path testing from Gurugram engineer laptops to offshore production AWS/Azure tenants
- Net-banking, broker-terminal and PAS authorisation testing on the customer-facing edge
- Partner-API, open-banking and bancassurance authorisation matrix exercised role-by-role
- Payment-gateway and card-network connectivity testing if PCI-DSS is in scope
- CI/CD trust-chain abuse (GitHub Actions OIDC, Azure DevOps service connections)
- RBI MD-ITGRC + IRDAI evidence binder formatted for the Indian regulator
- NIST 800-53 rev 5 + parent-control-catalogue crosswalk for the overseas group cyber committee
- Archer / MetricStream evidence drop and Jira-importable findings CSV
- Two-time-zone pre-read packs — Indian audit committee Tuesday, parent committee Thursday
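The ADCS template review referenced in the GCC paragraph and in the internal-network phase above comes down to a fixed set of template attributes. The script below, an added example written for this page rather than Macksofy's or Certipy's code, evaluates the documented ESC1 conditions over a constructed set of templates as they would be exported from the Configuration partition: the enrollee may supply the subject, no manager approval, no authorised signatures, an authentication-capable EKU (or none at all), and enrolment rights granted to a low-privileged group. Template names and attribute values are constructed; the flag bits and EKU OIDs are the published Microsoft values.

```python
"""Flag certificate templates that meet every ESC1 condition.

Added example, not Macksofy's or Certipy's code. Templates below are constructed
samples shaped like an export of the Configuration partition; flag constants and
EKU OIDs are Microsoft's documented values.
"""

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag: CA manager approval

AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "2.5.29.37.0": "Any Purpose",
}
LOW_PRIV_PRINCIPALS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}

# Constructed templates. "enroll" lists principals holding the Enroll right on the template.
SAMPLE_TEMPLATES = [
    {"name": "User", "enabled": True, "msPKI-Certificate-Name-Flag": 0xA6000000,
     "msPKI-Enrollment-Flag": 0x29, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
    {"name": "VPN-ClientAuth-Custom", "enabled": True, "msPKI-Certificate-Name-Flag": 0x1,
     "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
    {"name": "Helpdesk-Approved", "enabled": True, "msPKI-Certificate-Name-Flag": 0x1,
     "msPKI-Enrollment-Flag": 0x2, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
    {"name": "Admin-Supplied-SAN", "enabled": True, "msPKI-Certificate-Name-Flag": 0x1,
     "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Admins"]},
    {"name": "Legacy-WebServer", "enabled": True, "msPKI-Certificate-Name-Flag": 0x1,
     "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"], "enroll": ["Domain Users"]},
]


def esc1_conditions(template: dict) -> dict[str, bool]:
    """Evaluate each ESC1 precondition separately so a report can say which one to fix."""
    ekus = template.get("pKIExtendedKeyUsage", [])
    return {
        "enrollee_supplies_subject": bool(
            template.get("msPKI-Certificate-Name-Flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "no_manager_approval": not (template.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS),
        "no_authorized_signatures": template.get("msPKI-RA-Signature", 0) == 0,
        # An empty EKU list places no restriction on use, so it counts as authentication-capable.
        "authentication_eku": (not ekus) or any(oid in AUTH_EKUS for oid in ekus),
        "low_priv_enrollment": bool(LOW_PRIV_PRINCIPALS & set(template.get("enroll", []))),
    }


def is_esc1(template: dict) -> bool:
    """A template is ESC1 only when it is published and every precondition holds."""
    return template.get("enabled", False) and all(esc1_conditions(template).values())


def audit_templates(templates: list[dict]) -> list[str]:
    """Names of templates meeting all ESC1 conditions, for the findings table."""
    return sorted(t["name"] for t in templates if is_esc1(t))


if __name__ == "__main__":
    for name in audit_templates(SAMPLE_TEMPLATES):
        print("ESC1:", name)
```

The remediation each condition points at is the one that breaks the chain with the least operational impact: clearing the supply-subject flag where a SAN is not genuinely needed, or requiring manager approval or an enrolment-agent signature where it is. This is the template-side check only; CA-level enrolment rights and the CA's own subject-alternative-name policy flag (ESC6) are separate controls that the review still has to evidence.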
Which Gurugram verticals we deliver VAPT for.
Private-bank HQs
DLF Cyber City and Golf Course Road head offices — net-banking, treasury and partner-API VAPT with RBI + parent NIST crosswalk.
Insurer HQs
Life, general and health insurers on Sohna Road / DLF — IRDAI 2023 evidence plus parent-group control catalogue.
Fortune-500 GCCs
Udyog Vihar and Sector 44 GCCs — internal network + cloud-control review with privilege-path testing to offshore prod.
Fintech & lending HQs
Cyber City and Cyberhub fintechs — RBI PA-PG, loan-origination and partner-fintech API VAPT.
Big-4 & consulting
Gurugram consulting firms — DLF Cyber City delivery-centre VAPT with client-confidentiality control validation.
Travel & e-commerce HQs
MakeMyTrip-group, Goibibo and Cyber City e-commerce HQs — payment, loyalty and partner-merchant abuse paths.
The Gurugram deliverable pack.
Every Gurugram VAPT engagement closes with the pack below — regulator-ready evidence, technical detail and board-readable summaries.
- VAPT report in CERT-In empanelled submission format with RBI/IRDAI clause crosswalk
- Parallel NIST 800-53 rev 5 + parent-control-catalogue crosswalk binder for the overseas group cyber committee
- PCI-DSS scope-reduction memo with segmentation validation evidence where card-environment is in play
- Archer / MetricStream evidence drop in the bank's GRC schema
- Jira / ServiceNow-importable findings CSV with severity, CWE, CVSS and ETA
- Two-time-zone pre-read packs sized for the Indian audit committee and the overseas parent committee
- Free re-test of every Critical and High inside a 60-day window
- CERT-In empanelled closure letter and RBI / IRDAI inspection-defence support
A Gurugram VAPT case study.
Annual VAPT on 28 internet-facing apps, treasury and SWIFT edge, AD forest with ADCS, partner-API estate; dual binder for RBI CSITE Cell and a London-based parent risk committee
First-pass RBI acceptance; 9 Critical and 17 High closed in 52 days; one ADCS ESC4 path from a junior risk-analyst account to the fraud-rules engine, closed pre-disclosure; parent's group-cyber committee adopted the Macksofy detection-engineering annex as the new TIBER-style baseline for the next year's red team.
Rated 4.9 ★ from 612 client reviews.
“We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.”
“The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.”
“Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.”
Get a fixed-price proposal in 48 hours.
Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.
- CERT-In Empanelled
- EC-Council ATC · CompTIA Authorized
- 20,000+ professionals trained
- India + UAE engagements
