Macksofy Technologies

Penetration Testing in Mumbai · Scenario-led, BFSI-grade

OSCP/OSEP-led objective-based pentests for Mumbai BFSI, fintech and listed enterprises — beyond the annual VAPT scope.

Pentest in Mumbai

How a Macksofy pentest engagement runs in Mumbai.

Mumbai BFSI clients increasingly draw a hard line between a CERT-In format annual VAPT (a regulator-driven scope) and a true penetration test (a scenario-led adversary engagement scoped against a defined business objective). Macksofy runs both — but the Mumbai penetration testing engagement is different in three concrete ways. First, the kickoff opens with a single objective written by the CISO and the audit-committee chair: 'reach the SWIFT gateway from a guest Wi-Fi position without SOC detection by D+10', or 'mint balance in a test customer's NEFT corridor without tripping the velocity engine'. Second, scope is asset-blind — we get the objective and the rules of engagement, not a fixed asset list. Third, the success metric is not a CVSS roll-up but whether the objective was met, by what path, in how many hours, with how many missed SOC alerts.

The Macksofy Mumbai bench is OSCP and OSEP-credentialed end-to-end. Senior leads carry OSCE3 or OSEP plus at least one CRTO / Red Team Ops II. We work the BKC corridor, Lower Parel, Powai, Andheri MIDC, Goregaon SEEPZ and the Navi Mumbai BCP belt at Airoli / Ghansoli / Vashi the same way: physical assessment legs included in scope where the objective demands it (badge-clone testing in the BKC tower lobby, Wi-Fi war-walking the Lower Parel rooftop, USB-drop on the Powai cafeteria floor). Most engagements include at least one onsite leg with the white-cell coordinator in the room.

Initial-access tradecraft on a Mumbai BFSI pentest typically lands on one of four vectors. Spear-phish against treasury and trade-finance functions is the highest-yield in our experience — the email lure is calibrated against BSE / NSE clearing-cycle news so the click rate is realistic for the audit committee. Watering-hole compromises against vendor-portal logins (Tata Communications, Sify, Tata Tele, Wipro DSP) are second. Physical access via tailgating a BKC tower lobby is third. Public-facing exploit chains — most often via a misconfigured Citrix NetScaler, Pulse Secure or Fortinet appliance — are the fourth lane. Every initial-access path is reproduced into a one-page narrative for the board pack with screenshot, timeline and the operator console reference for the SOC tabletop.

Post-exploitation on a Mumbai bank is a domain-and-identity exercise. ADCS misconfiguration paths (ESC1, ESC4, ESC8) are the single most common privilege-escalation vector across our 2025 engagement set. Kerberoasting against legacy mainframe-RACF integration accounts is the second most common. Constrained-delegation abuse and SCCM relay-to-domain-admin are third. We pull BloodHound paths against the AD forest backing core banking, then map the shortest unauthenticated edge to the SWIFT gateway, the OMS, the RBI WSS connection or the treasury-management system as the objective demands. SOC deconfliction runs through a private bridge, with every escalation tagged so the SOC's regression hunt is not noise.

Detection-engineering is part of every Mumbai pentest deliverable, not a follow-on retainer. Every successful step in the kill chain is paired with the Sigma rule, the Splunk SPL or the Sentinel KQL that would have caught it, and a missed-alert reconciliation against the bank's SIEM. Most Mumbai engagements close with 6-12 fresh detection content items the SOC ships into production inside two weeks. For tier-1 private banks, a paired Macksofy detection-engineering analyst sits with the SOC for the closing week of the engagement.

Mumbai listed enterprises (pharma in Powai, FMCG in Andheri, listed manufacturing) buy penetration testing for a different reason — quarterly board-pack assurance and pre-IPO / pre-M&A diligence. The same playbook applies but the executive summary lands as a quarterly trend on the audit committee deck, not a one-off binder. Pharma and IT-services parent-company control catalogues (US BSA / FCPA / SOX overlays) get crosswalked into the report so the parent's IA function has no rework.

Procurement on a Mumbai pentest closes through the CISO and the audit-committee chair, with the General Counsel signing the rules-of-engagement letter for trespass-and-deception waivers, physical assessment indemnity and the safe-harbour clause that lets us touch production. Reports are encrypted, double-key delivered (Macksofy senior + CISO), and the master is destroyed inside 30 days of closure unless the bank requests retention. Mumbai counsel typically wants a Bombay High Court jurisdiction clause and an explicit no-data-exfiltration acknowledgement — both standard in our Mumbai engagement letter.

Onsite cadence is dictated by Mumbai geography (BKC walk-in same day, Andheri MIDC and Powai inside four hours, Navi Mumbai inside six hours) and the bank's BCP site location (Mahape, Airoli, Ghansoli for most clients). Engagement length is typically 4-6 weeks — 1 week reconnaissance, 2-3 weeks active exploitation, 1 week reporting and SOC tabletop. We do not run the standard 2-week 'pentest' that other Mumbai vendors brand under the same name — it does not give the SOC enough time to react and learn.

Engagement workflow

Five phases. Mumbai timeline.

Every Macksofy pentest engagement in Mumbai runs through the same phased protocol — adapted to Mumbai-specific procurement, regulator and delivery realities.

Phase 01 · Objective & RoE
  • CISO + audit-committee chair sign a single written objective (e.g. 'reach SWIFT without SOC detection by D+10')
  • Rules-of-engagement letter: trespass-and-deception waiver, physical assessment indemnity, production safe-harbour, Bombay High Court jurisdiction
  • SOC deconfliction bridge established on a private Signal/Teams channel with the bank's SOC lead
  • White-cell sub-team identified (CISO + GC + audit-chair); operations team kept blind for realism

Phase 02 · Recon & Initial Access
  • OSINT against treasury, trade-finance, dealing-room and IT-vendor staff (LinkedIn, Refinitiv, Bloomberg footprints)
  • Email lure calibrated to BSE / NSE clearing-cycle news for realistic spear-phish click rate
  • Vendor-portal watering-hole and Citrix NetScaler / Pulse / Fortinet edge enumeration
  • Physical leg: BKC / Lower Parel / Powai tower lobby tailgate or USB-drop where in scope

Phase 03 · Privilege Escalation
  • ADCS ESC1 / ESC4 / ESC8 enumeration and exploitation with Certify + Certipy
  • Kerberoasting legacy mainframe-RACF integration accounts and constrained-delegation abuse
  • SCCM relay-to-domain-admin chain on the bank's software-distribution forest
  • BloodHound shortest-path-to-objective mapping with manual abuse-case validation

Phase 04 · Objective Execution
  • Shortest path to SWIFT / OMS / RBI WSS / treasury-management system per the signed objective
  • Step-by-step operator console capture with timestamps for the post-engagement SOC tabletop
  • Missed-alert reconciliation against the bank's SIEM at each kill-chain step
  • Controlled stop at the objective boundary: no data exfiltration; objective evidenced via screenshot + hash

Phase 05 · SOC Tabletop & Detection Content
  • Joint SOC tabletop with the bank's blue team walking each kill-chain step in operator-console order
  • Sigma / Splunk SPL / Sentinel KQL content authored per missed alert: 6-12 production-ready rules per engagement
  • Embedded Macksofy detection-engineering analyst with the SOC for the closing week
  • Encrypted, double-key board-pack delivery to CISO + audit-committee chair; master destroyed at D+30 unless retention requested

Industries served

Which Mumbai verticals we deliver Pentest for.

Private banks (Mumbai-HQ)

BKC corporate-office, Lower Parel treasury and Mahape BCP — objective-led pentest with SOC tabletop integration.

Stock brokers & MIIs

BKC / Lower Parel brokers — broker-terminal, OMS-to-exchange and Refinitiv/Bloomberg feed-handler objectives.

Payment aggregators

BKC PA-PG licensees — settlement, payout and reconciliation API objectives with RBI PA inspection-defence overlay.

Listed pharma & FMCG

Powai and Andheri MIDC HQs — quarterly board-pack pentest with US parent (SOX / FCPA) control-catalogue crosswalk.

Fintech (Series-C+)

BKC / Lower Parel fintechs — adversary emulation against fraud-stack and KYC-vendor integration objectives.

Insurance majors

Andheri / Worli insurer HQs — claims-fraud, PAS and KYC-impersonation objectives with IRDAI 2023 overlay.

What ships

The Mumbai deliverable pack.

Every Mumbai pentest engagement closes with the pack below — regulator-ready evidence, technical detail and board-readable summaries.

  • Objective verdict (met / partially met / not met) with timestamped operator-console replay
  • Kill-chain narrative as a one-page board-pack entry per phase with screenshot + timeline
  • 6-12 production-ready SIEM detection rules (Sigma / Splunk SPL / Sentinel KQL) per engagement
  • Missed-alert reconciliation report mapped to the bank's current SIEM use-case catalogue
  • ADCS / Kerberos / SCCM / AD-forest hardening playbook tailored to the bank's domain topology
  • Jira / ServiceNow-importable findings CSV with severity, owner, ETA and CWE
  • Encrypted double-key board-pack delivery to CISO + audit-committee chair
  • Joint SOC tabletop session and follow-on retainer if requested
Recent Mumbai engagement

A Mumbai pentest case study.

Mumbai-headquartered Tier-1 Private Bank (BKC corporate tower)
Scope

Single-objective pentest — reach SWIFT-CSP-protected gateway from a guest Wi-Fi position by D+10 without SOC detection; 6-week engagement with one BKC and one Mahape onsite leg

Outcome

Objective met at D+7 via ADCS ESC4 path off a misconfigured vendor-portal landing; 11 missed alerts mapped to SIEM use-case gaps; 9 paired Sigma rules adopted by the SOC inside two weeks; one constrained-delegation path closed pre-disclosure that would have allowed dealing-desk-to-treasury-management-system traversal.

What clients say · Trusted India + UAE

Rated 4.9 ★ from 612 client reviews.

CERT-In Empanelled · Govt of India · MeitY
EC-Council ATC · Authorized Training
ISO 27001 Certified · Info Security Mgmt

"We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade."
Aisha Khan · Information Security Manager · Listed Fintech · BKC, Mumbai

"The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities."
Inspector K. Joshi · Cyber Cell · Maharashtra Police · Mumbai

"Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt."
Vivek Iyer · DevSecOps Lead · Healthcare SaaS · Hyderabad

FAQ

Questions Mumbai buyers ask before signing.

VAPT is regulator-required, scope-defined and checklist-driven against RBI MD-ITGRC and SEBI CSCRF. A penetration test is scenario-led against a single CISO-signed objective with no fixed asset list. Same firm, separate playbooks, distinct deliverables. Most Mumbai BFSI clients run both each year — VAPT for the regulator, pentest for the audit committee.
Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.
