VAPT Services in Pune · Auto, IT & OT
CERT-In empanelled VAPT for Hinjewadi IT majors, Chakan auto OEMs and Magarpatta GCCs — including IEC-62443-aligned OT/ICS scopes.
How a Macksofy VAPT engagement runs in Pune.
Pune VAPT splits across three distinct geographies and three distinct buyer profiles. Hinjewadi Phase I, II and III host the IT-services majors and the GCC delivery centres — Infosys, Tata Technologies, Cognizant, Wipro, Capgemini and a long tail of mid-size product companies. Magarpatta and Kharadi host the BPO / GCC ecosystem with a strong US and European parent footprint. The Chakan, Talegaon and Ranjangaon belt — and the older Pimpri-Chinchwad PCMC industrial corridor — hosts the auto OEMs, Tier-1 suppliers and the OT-heavy manufacturing scope that diverges hardest from the rest of Macksofy's India practice. Connected-vehicle telematics, OEM-to-Tier-1 supplier networks and live shopfloor OT exposure are real engagement scope here, not buzzwords.
For auto OEMs in Chakan (Mercedes-Benz, Volkswagen, Mahindra, Tata Motors) and Tier-1 suppliers in Talegaon and Ranjangaon (Bosch, Magneti Marelli, Continental, Bharat Forge), we run IEC-62443 LSL-3 aligned OT segmentation reviews alongside the IT-side VAPT. The test boundary is explicit: business IT (corporate ERP, MES gateways, engineering EDA workstations), the IT-OT DMZ (Purdue Level 3.5), MES and SCADA at Purdue Levels 3 and 2, and PLC / DCS field devices at Levels 1 and 0. The supplier-VPN attack surface — the inbound connectivity Tier-1 and Tier-2 suppliers have into the OEM corporate segment — has become the favourite ransomware entry path for ALPHV/BlackCat, LockBit and Cl0p affiliates targeting the Indian auto industry; we test that path explicitly with attention to the legacy IPSec site-to-site tunnels still in production.
Manual abuse-case testing on the OT side never runs against live PLCs without explicit HSE clearance. We use passive listening (Wireshark with the OT protocol dissectors — Modbus, EtherNet/IP, Profinet, OPC UA), Nessus Pro with OT-safe scan policies, the Macksofy fork of conpot for PLC fingerprinting in a staging environment, and BloodHound on the engineering-station AD forest. Findings on the OT side are categorised by remediation window — which can close in the next planned maintenance window (a Saturday changeover), which need a longer change-management cycle through the OEM's MES-validation process, and which require a Tier-1-supplier contract renegotiation because the exposure is contractual.
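A passive dissector check of the kind the paragraph describes, as an added example rather than Macksofy's tooling or code from this page: it parses Modbus/TCP frames from a capture, separates reads from writes, and raises a finding for any write that originates outside an assumed Level 2 SCADA/HMI zone (10.20.2.0/24) or for a malformed frame. All addresses and frames are constructed for the example.

```python
import ipaddress
import struct

# Modbus function codes from the public Modbus application protocol spec.
WRITE_FCS = {5, 6, 15, 16, 22, 23}
READ_FCS = {1, 2, 3, 4, 7, 17, 20, 43}
# Assumed zone (constructed): only Level 2 SCADA/HMI hosts may write to Level 1 PLCs.
LEVEL2_ZONE = ipaddress.ip_network("10.20.2.0/24")

def parse_mbap(frame: bytes):
    """Return (unit_id, function_code, data) for a Modbus/TCP frame or raise ValueError."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:  # length field covers unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return unit, frame[7], frame[8:]

def classify(frame: bytes) -> str:
    """Label a frame as read, write, exception (function code with 0x80 set) or other."""
    _unit, fc, _data = parse_mbap(frame)
    if fc & 0x80:
        return "exception"
    if fc in WRITE_FCS:
        return "write"
    return "read" if fc in READ_FCS else "other"

def review_capture(records):
    """records: iterable of (src_ip, dst_ip, frame_bytes); returns a list of findings."""
    findings = []
    for src, dst, frame in records:
        try:
            kind = classify(frame)
        except ValueError as exc:
            findings.append({"src": src, "dst": dst, "issue": f"malformed: {exc}"})
            continue
        if kind == "write" and ipaddress.ip_address(src) not in LEVEL2_ZONE:
            findings.append({"src": src, "dst": dst,
                             "issue": f"write FC {frame[7]} from outside the Level 2 zone"})
    return findings

# Constructed sample: HMI read, HMI write, a write from a corporate host that crossed
# the IT-OT DMZ, and a truncated frame that a dissector would flag as malformed.
SAMPLE = [
    ("10.20.2.10", "10.20.1.5", bytes.fromhex("0001000000060103000A0002")),
    ("10.20.2.10", "10.20.1.5", bytes.fromhex("000200000006010600100001")),
    ("10.50.7.23", "10.20.1.5", bytes.fromhex("0003000000060106001000FF")),
    ("10.50.7.23", "10.20.1.5", bytes.fromhex("00040000000301")),
]
```

Run over a real capture by feeding (src, dst, TCP payload) tuples from a pcap reader; the same logic extends to the other dissectors by swapping the header parser and function-code sets.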
For Hinjewadi IT-services and Magarpatta GCC clients, scopes look more like the Bengaluru SaaS pattern — multi-tenant authz, vendor APIs, SOC 2 Type II evidence — with a strong overlay of client-imposed cyber-control catalogues passed down from US and EU automotive parents (Volkswagen Group's audit catalogue, BMW's information-security requirements, Mercedes-Benz's Group Information Security policy). The same VAPT produces a CERT-In format report plus a TISAX (Trusted Information Security Assessment Exchange) Level 2 or Level 3 readiness pack, which is the parent control catalogue most German and EU OEMs actually require from their Pune partners.
Senior consultants drive from Mumbai BKC — three hours on the Mumbai-Pune Expressway with same-day arrival the norm. OT scopes always include at least one full day onsite walking the shopfloor with the plant HSE manager and the IT-OT convergence lead. For Chakan, Talegaon and Ranjangaon plants we plan the onsite block around shift changeover so testing weeks do not collide with production peaks. Hinjewadi engagements are easier — onsite at the client campus same-day, remote testing through the rest of the engagement.
Procurement at Pune auto OEMs is unusual: the plant IT head proposes the SoW, the head of QA validates against TISAX or VDA-ISA, and the head of plant operations or HSE signs off if any OT-touching work is in scope. Tier-1 suppliers add their OEM customer's compliance team to the loop because the supplier's audit cycle has to satisfy the OEM. We size proposals to match — fixed-fee SoW with explicit HSE blackout windows around critical production lines, no ad-hoc probes near live PLCs, no scans during shift changeover. The report calls out which findings can be remediated in the next maintenance window and which need a longer change-management cycle.
Pune IT-services procurement closes through the delivery-centre head and the client-account lead, sometimes with the US/EU client's CISO copied for the larger accounts. We sync the VAPT report to the next client-questionnaire cycle and ship a sanitised vendor pack — typically SIG Lite, CAIQ Lite and (for automotive clients) TISAX Level 2 readiness — alongside the technical findings. Where the client also has an Indian regulator overlay (BFSI captive ops in Magarpatta, for example), we add an RBI MD-ITGRC crosswalk to the same evidence base.
For listed Pune-headquartered manufacturers — auto-component listed entities and pharma R&D campuses — the engagement also produces SEBI listing-obligation cyber-security disclosure evidence that the company secretary needs for the next annual report. SEBI's Listing Obligations and Disclosure Requirements (LODR) Schedule II Part B now requires explicit board-level cyber oversight disclosure, and the VAPT report's executive summary is shaped to feed that disclosure rather than require a separate write-up.
Five phases. Pune timeline.
Every Macksofy VAPT engagement in Pune runs through the same phased protocol — adapted to Pune-specific procurement, regulator and delivery realities.
- Joint kickoff with plant IT head, QA director and head of plant operations or HSE
- Shift-changeover and critical-line blackout windows agreed and locked into the test schedule
- Purdue-level scope decision — IT-only, IT-OT DMZ, MES/SCADA, field-device or full-stack
- TISAX Level 2 / Level 3 or VDA-ISA crosswalk target confirmed with the OEM parent's audit team
- External attack surface mapping against the OEM / supplier TLD set
- ADCS template enumeration with Certipy, BloodHound shortest-path on the engineering-station AD forest
- Supplier-VPN inbound surface — IPSec site-to-site tunnel review, MFA enforcement on remote access
- Connected-vehicle telematics edge and OEM cloud-backend (AWS Mumbai / Azure India South) testing
- Shopfloor walk-through with plant HSE manager and IT-OT convergence lead
- Passive OT protocol listening (Wireshark with Modbus, EtherNet/IP, Profinet, OPC UA dissectors)
- IEC-62443 LSL-3 zone-and-conduit boundary review at Purdue Level 3.5 (IT-OT DMZ)
- MES gateway and SCADA HMI authentication review without active PLC probing
- CERT-In format VAPT report with IEC-62443 LSL-3 evidence annex
- TISAX Level 2 / Level 3 or VDA-ISA crosswalk for the German / EU automotive parent
- Remediation-window classification per finding — maintenance Saturday, longer MES-validation, supplier-contract
- SEBI LODR Schedule II cyber-oversight evidence for listed Pune-headquartered manufacturers
- Free re-test of Critical and High inside the OEM's next maintenance window
- Plant-handover memo for the HSE manager and IT-OT convergence lead
- CERT-In empanelled closure letter formatted for the OEM's parent audit team
- Supplier-contract memo where exposures require Tier-1 / Tier-2 renegotiation
Which Pune verticals we deliver VAPT for.
Auto OEMs
Chakan and PCMC OEMs — IT, IT-OT DMZ and shopfloor OT segmentation with TISAX Level 2/3 crosswalk.
Tier-1 auto suppliers
Talegaon, Ranjangaon and PCMC Tier-1s — supplier-VPN surface, MES gateway and VDA-ISA readiness.
Hinjewadi IT-services
Phase I / II / III IT-services campuses — parent-client questionnaire and SOC 2 Type II evidence.
Magarpatta & Kharadi GCCs
US / EU enterprise GCCs — parent-control-catalogue VAPT with privilege-path testing to offshore prod.
Pharma R&D campuses
Pune pharma R&D — limited GMP overlay layered on top of the IT-services VAPT methodology.
Listed Pune manufacturers
Auto-component and engineering listed entities — SEBI LODR Schedule II cyber-oversight disclosure evidence.
The Pune deliverable pack.
Every Pune VAPT engagement closes with the pack below — regulator-ready evidence, technical detail and board-readable summaries.
- VAPT report in CERT-In empanelled format with IEC-62443 LSL-3 evidence annex
- TISAX Level 2 / Level 3 and VDA-ISA crosswalk for German / EU automotive parents
- Shopfloor walk-through memo with HSE-manager and IT-OT convergence-lead sign-off
- Supplier-VPN attack-surface memo with Tier-1 / Tier-2 contractual exposure callouts
- Remediation-window classification per finding — maintenance Saturday, MES-validation cycle, supplier-contract
- SEBI LODR Schedule II cyber-oversight disclosure evidence for listed manufacturers
- Free re-test of every Critical and High inside the OEM's next maintenance window
- CERT-In empanelled closure letter and OEM-parent-audit handover pack
A Pune VAPT case study.
ISO 27001:2022 implementation, DPDP RoPA, IT + IT-OT DMZ + MES gateway VAPT across three plants, TISAX Level 3 readiness for the German OEM parent; eight-week engagement with three onsite legs.
ISO 27001 certification issued in 18 weeks; TISAX Level 3 readiness pack accepted by the OEM parent at the next vendor-audit cycle; OT/IT zoning hardened to IEC-62443 LSL-3; one supplier-VPN exposure that mirrored the entry path used in the 2022 Bharat-auto ALPHV incident, closed pre-disclosure; supplier-contract memo accepted by the OEM's procurement function as the new template for incoming Tier-2 onboardings.
Rated 4.9 ★ from 612 client reviews.
“We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.”
“The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.”
“Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.”
Get a fixed-price proposal in 48 hours.
Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.
- CERT-In Empanelled
- EC-Council ATC · CompTIA Authorized
- 20,000+ professionals trained
- India + UAE engagements
