Macksofy Technologies · CERT-In Empanelled · Mumbai · VAPT

VAPT Services in Mumbai · BFSI & Fintech

CERT-In empanelled VAPT delivered from our BKC HQ for RBI-, SEBI- and IRDAI-regulated firms across Mumbai, Thane and Navi Mumbai.

VAPT in Mumbai

How a Macksofy VAPT engagement runs in Mumbai.

Macksofy's flagship VAPT practice operates out of SRA Commercial Tower in Bandra Kurla Complex (BKC), a five-minute walk from the BKC Metro and roughly 1.4 kilometres from RBI's central office at Fort. Every senior consultant on the Mumbai bench is OSCP- or OSWE-credentialed and has shipped at least one annual VAPT cycle into RBI's CSITE Cell, SEBI's Cyber Security and Cyber Resilience Cell, or IRDAI's IT-supervision wing. We do not subcontract — the consultant who scopes the engagement is the one writing the executive summary the bank's audit committee will read.

Mumbai BFSI VAPT scoping is fundamentally a money-movement exercise, not a checklist scan. On a private-bank engagement we model the transaction graph end-to-end: net-banking authentication, OTP/2FA challenge, beneficiary-add flow, IMPS/NEFT/RTGS rails, the FATCA/CRS edge, and the reconciliation layer that ties book-of-record to the SWIFT gateway. Manual abuse-case testing targets velocity-control bypass on the IMPS rail, OTP-reuse via SS7-style mobile-side weaknesses, and reconciliation gaps that allow an attacker to mint balance without minting debit. Burp Suite Pro is the workhorse; Nuclei templates, custom Python harnesses and a fork of mitmproxy handle the protocol-specific abuse.

For SEBI-regulated brokers and AMCs, the scope shifts to broker-terminal authorisation flaws, algo-API rate-limit bypass, market-data tampering on Refinitiv/Bloomberg feed-handlers, and the order-management-to-exchange (OMS-to-NSE/BSE) gateway. The same engagement also closes SEBI CSCRF Annexure-K evidence — CCI/CRMM scoring, MII-vendor-control attestation and the SAR exhibits the System Audit Report demands. IRDAI insurer engagements layer in claims-fraud paths, KYC-impersonation via OVD upload portals, and the policy-administration-system (PAS) authorisation matrix.

The deliverable is a regulator-grade binder, not a Burp HTML export. Every High or Critical finding carries a manually-validated proof-of-exploit, a CVSS v3.1 score, a Macksofy business-impact score calibrated to the bank's transaction value-at-risk, and a remediation playbook that the AppSec lead can hand to engineering without translation. The executive summary is written in the language RBI Master Direction on IT Governance, Risk, Controls and Assurance Practices (November 2023) inspectors expect — explicit clause mapping to Annex-1 of the RBI Cyber Security Framework circular DBS.CO.CSITE.BC.11/33.01.001/2015-16.

Re-testing is built into the SoW, not sold as a follow-on. Every Critical and High finding is re-validated post-fix at no extra cost inside a 60-day remediation window. If the bank's release train slips, we hold the re-test slot — we do not raise a change-order. For tier-1 private banks we also embed a Macksofy detection-engineering analyst alongside the SOC for the last week of the engagement so that every exploitable finding ships with a paired Sigma/Splunk rule the SIEM team can deploy the same week.

Mumbai BFSI procurement reality matters. Most engagements close through a CTO + Chief Risk Officer joint signoff, with the audit committee chair copied; a few cooperative banks still route through the GM-IT and the board-IT-committee secretary. We size proposals to match — a fixed-fee SoW with clear inclusion of re-testing, the empanelled-auditor letter, and the SAR/inspection-defence support that follows. Procurement at listed BFSI clients also wants the SOC 2 / ISO 27001 vendor-security questionnaire pre-answered; we attach the Macksofy ISMS pack to every Mumbai proposal so legal and infosec don't hold up the PO.

Onsite cadence is dictated by Mumbai geography, not vendor convenience. BKC and Lower Parel are walk-in same-day; Andheri MIDC, Powai, Goregaon SEEPZ, Thane and Navi Mumbai (Airoli, Vashi, Ghansoli) are reachable inside four hours including a Western Express Highway buffer. We block the Mumbai monsoon window (mid-June to mid-September) for testing-only weeks where onsite is non-critical, and front-load kickoff/exit calls for the dry months so the audit committee schedule is never held up by a flooded approach road.

For listed BFSI clients the engagement also produces the board-pack exhibits the audit committee needs at the next quarterly cyber review: a top-10 risks slide mapped to the bank's existing risk register, a trend-line vs the previous VAPT cycle, an EDR/SIEM coverage delta, and a one-page CEO note that the bank's Company Secretary can drop into the agenda pack without rewrite.

Engagement workflow

Five phases. Mumbai timeline.

Every Macksofy VAPT engagement in Mumbai runs through the same phased protocol, adapted to Mumbai-specific procurement, regulator and delivery realities.

Phase 01 · Scope & RoE
  • Money-movement graph mapping with the CTO and CRO together — IMPS/NEFT/RTGS/UPI rails, SWIFT edge and reconciliation layer
  • RBI/SEBI/IRDAI circular crosswalk against the existing risk register so every clause has a target finding bucket
  • Rules of engagement signed by CTO, CRO and the audit-committee secretary; SOC deconfliction channel on a private Signal/Teams thread
  • Asset attestation cross-checked against the CMDB and the BKC/Andheri/Powai onsite walk-through

Phase 02 · Recon & Surface Map
  • External attack surface mapping with Amass, Subfinder and the Macksofy passive-DNS feed against the bank's TLD set
  • Authenticated and unauthenticated scans (Nessus Pro, Qualys VMDR, Nuclei) against staging and prod where RoE permits
  • Broker-terminal, OMS gateway and SWIFT-edge inventory reconciliation with the IT-ops team
  • Mobile-app reversing on the latest Play Store and App Store builds (Frida, MobSF, Objection)

Phase 03 · Manual Exploitation
  • Burp Suite Pro abuse-case testing on the net-banking transaction graph — velocity control, beneficiary-add race, OTP reuse, reconciliation drift
  • Algo-API and market-data tampering tests on the OMS-to-NSE/BSE gateway
  • ADCS ESC1-ESC8, Kerberoasting and BloodHound path analysis on the AD forest backing core banking
  • Manual chained-exploit proofs — low + low = critical narratives tied to real money-movement impact

Phase 04 · Regulator Reporting
  • Executive summary in RBI MD-ITGRC + SEBI CSCRF + IRDAI 2023 language, clause-mapped
  • CVSS v3.1 plus Macksofy business-impact scoring calibrated to transaction value-at-risk
  • Detection-engineering annex — paired Sigma/Splunk rules per exploitable finding
  • Board-pack exhibits for the audit committee's quarterly cyber review

Phase 05 · Re-test & Closure
  • 60-day re-test window covering every Critical and High at no extra cost
  • CERT-In empanelled closure letter and SAR/inspection-defence support
  • Risk register update synced to the bank's GRC tool (Archer, MetricStream, ServiceNow IRM)
  • Carry-forward backlog grooming for the next quarter's regression-VAPT slot

Industries served

Which Mumbai verticals we deliver VAPT for.

Private banks (Mumbai-HQ)

Net-banking, treasury, SWIFT edge and ATM-network VAPT with RBI MD-ITGRC + CSF Annex-1 closure binder.

NBFCs & Housing Finance

Loan-origination, partner-API and collections-app scopes; RBI Scale-Based Regulation cyber-resilience evidence.

Stock brokers & AMCs

Broker terminal, OMS-to-exchange gateway and market-data feed VAPT; SEBI CSCRF + SAR + CCI/CRMM scoring.

Payment aggregators

BKC/Lower Parel PA-PG licensees — payout, refund and settlement-reconciliation API abuse with RBI PA submission format.

Life & general insurers

Claims-fraud paths, KYC-impersonation portals and PAS authorisation; IRDAI 2023 cyber-security audit evidence.

Listed manufacturing in MMR

Powai and Andheri MIDC industrial HQs — IT-side VAPT plus segregation review against the plant OT network.

What ships

The Mumbai deliverable pack.

Every Mumbai VAPT engagement closes with the pack below — regulator-ready evidence, technical detail and board-readable summaries.

  • VAPT report in CERT-In empanelled submission format with RBI/SEBI/IRDAI clause crosswalk
  • Manually-validated proof-of-exploit per High and Critical finding with CVSS v3.1 + business-impact score
  • Detection-engineering annex — Sigma/Splunk rules paired to each exploitable finding
  • Board-pack exhibits for the audit committee's quarterly cyber review
  • Jira/ServiceNow-importable findings CSV with owner, severity, ETA and CWE
  • Free re-test of every Critical and High inside a 60-day window
  • CERT-In empanelled closure letter and SAR/RBI inspection-defence support
  • Risk register update synced to the bank's GRC tool

Recent Mumbai engagement

A Mumbai VAPT case study.

Mumbai-headquartered Private Bank (BKC corporate tower)
Scope

Annual VAPT — 38 internet-facing apps, net-banking + UPI + IMPS rails, OMS-to-NSE gateway, ADCS-backed AD forest; RBI MD-ITGRC + CSF Annex-1 closure

Outcome

14 Critical and 22 High findings closed inside 41 days; first-pass RBI CSITE Cell acceptance without a clarification request; one ADCS ESC4 path that would have allowed a junior-RM-to-domain-admin escalation, closed pre-disclosure.

What clients say · Trusted India + UAE

Rated 4.9 ★ from 612 client reviews.

CERT-In Empanelled (Govt of India · MeitY) · EC-Council ATC (Authorized Training) · ISO 27001 Certified (Info Security Mgmt)

"We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade."
Aisha Khan · Information Security Manager · Listed Fintech · BKC, Mumbai

"The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities."
Inspector K. Joshi · Cyber Cell · Maharashtra Police · Mumbai

"Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt."
Vivek Iyer · DevSecOps Lead · Healthcare SaaS · Hyderabad

FAQ

Questions Mumbai buyers ask before signing.

Yes. We routinely run BFSI engagements that touch the BKC corporate office, an Andheri MIDC or Mahape data-centre, and a Navi Mumbai BCP site in the same SoW. Onsite legs are sequenced inside the same week to keep travel overhead off the bill.
Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.
