Macksofy Technologies

Web Application Security in Pune · IT Services & Edtech

OWASP ASVS L3 AppSec for Pune IT-services delivery, Magarpatta edtech, Kharadi SaaS and connected-vehicle customer apps — parent-standard + DPDP overlay.

  • Three playbooks · IT-services + edtech + connected-vehicle
  • ASVS L3 · Default methodology
  • LLM Top 10 · AI surface coverage
  • 3-5 wks · Typical engagement

Web App Pentest in Pune

How a Macksofy web app pentest engagement runs in Pune.

Pune web-application-security demand is overwhelmingly driven by three buyer segments — IT-services delivery centres in Hinjewadi Phase II / III, edtech and SaaS unicorns in Magarpatta and Kharadi, and connected-vehicle customer apps for Pune-based auto OEMs running connected-car back-ends. Each has a distinct application surface, distinct regulator / parent / customer profile, and demands a distinct methodology stack. Macksofy's Pune AppSec practice runs one bench, three sub-playbooks, with senior consultants flying or driving from Mumbai BKC for kickoff and major reviews — 3 hours by car or 30 minutes by flight.

IT-services delivery-centre AppSec is the volume segment. Hinjewadi Phase II / III delivery centres for Infosys, TCS, Wipro, Cognizant, Capgemini, IBM India, Accenture, Deloitte and the smaller IT-services firms test customer-facing applications they build for US / UK / EU customers. The AppSec engagement closes the customer's third-party-AppSec standard — the US customer's preferred control catalogue (NIST CSF, CIS Controls, parent-specific), the UK customer's CREST CHECK-aligned methodology, the EU customer's TIBER-EU / GDPR overlay. The report drops into the customer's TPRM tool with no rework. For the IT-services major's own internal portal-and-tools estate (HR portal, project-management portal, customer-collaboration portal), OWASP ASVS L3 + ISO 27001:2022 Annex A is the default catalogue.

Magarpatta edtech AppSec is the second sub-playbook. Magarpatta and Kharadi host several edtech unicorns and product-led-growth edtech operators. Test surface covers student-data isolation (the critical authz boundary in any edtech application), age-gating / KYC controls (DPDP minor-consent provisions apply where students are under 18), parent / guardian authorisation flows (consent-to-parent vs consent-from-student), payment-flow abuse paths (subscription fraud, refund-race, payment-intent manipulation), content-delivery DRM bypass and screen-record-resistance, and the AI-tutor LLM surface that increasingly anchors edtech AI products. The catalogue is OWASP ASVS L3 + DPDP overlay + (where applicable) FERPA / COPPA for US-bound student data.

Connected-vehicle customer-app AppSec is the auto-OEM 2026 specialty. Auto OEMs and shared-mobility operators (Pune hosts several connected-car back-ends and shared-mobility apps) need AppSec coverage on the rider-app, the driver-app, the fleet-management portal and the customer-account portal. Test surface includes rider / driver authentication, fraud-stack integration (the rider-side fraud surface is significant in shared-mobility), payment-flow abuse paths, telematics-platform-API consumption controls, customer-data isolation, and (where applicable) the AI-trip-recommendation LLM surface. Findings map onto ISO/SAE 21434 customer-facing-surface controls and (where European customers are in scope) GDPR + UN R155 / R156 customer-data-protection clauses.

Magarpatta / Kharadi SaaS AppSec follows the Bengaluru pattern at platform-level — OWASP ASVS Level 3, multi-tenant authz, identity federation, cloud-native testing, LLM-application surface — with a more Indian-enterprise-customer profile and stronger DPDP overlay than Bengaluru's predominantly US-customer profile. Indian enterprise customers (BFSI, manufacturing, government) tend to ask for CERT-In-aligned reporting alongside SOC 2 CC7 evidence, so we ship both formats from a single engagement.

AI / LLM application security is a Pune 2026 differentiator. OWASP Top 10 for LLM Applications (2025) is the default catalogue for any AI surface in scope across all three sub-playbooks. AI-tutor LLM surfaces for edtech, AI-trip-recommendation LLM surfaces for connected-vehicle / shared-mobility, AI-customer-service-assistant LLM surfaces for SaaS — all are tested with direct + indirect prompt-injection, tool-use-abuse on agent reasoning, training-data exfiltration and the domain-specific impersonation paths each surface exposes.

Procurement reality matters. IT-services delivery-centre AppSec engagements close through the Indian CISO with the US / UK / EU customer's regional security function copied. Edtech AppSec closes through the CTO and AppSec lead, often with the product head copied for consent-flow and parent-authorisation review. SaaS AppSec closes through the CTO and head of customer security. Connected-vehicle customer-app AppSec closes through the IT head and (for OEM scopes) the head of vehicle cyber-security and the customer's regional cyber-security function. Engagement letters align to the customer's third-party-AppSec standard for IT-services delivery work.

Onsite cadence — Mumbai BKC senior consultants drive 3 hours over the Expressway for kickoff and major reviews or fly Mumbai → Pune (30 minutes). Same-day onsite arrival is normal for kickoff at Hinjewadi / Magarpatta / Kharadi. Engagement length is typically 3-4 weeks for SaaS / edtech, 4-5 weeks for IT-services delivery-centre and connected-vehicle customer-app scope. For sustained programmes with weekly release trains, we offer continuous-AppSec retainers with a Pune-resident lead consultant.

Engagement workflow

Five phases. Pune timeline.

Every Macksofy web app pentest engagement in Pune runs through the same phased protocol — adapted to Pune-specific procurement, regulator and delivery realities.

Phase 01 · Sub-Playbook Selection
  • Joint kickoff with CTO + AppSec lead (edtech / SaaS) or Indian CISO + customer's regional security function (IT-services delivery)
  • Application inventory with authorisation-matrix and data-flow mapping per scope
  • OWASP ASVS L3 + (edtech: DPDP minor) + (connected-vehicle: ISO 21434) + (LLM: Top 10 2025) catalogue selected
  • Parent / customer third-party-AppSec standard alignment for IT-services delivery scope

Phase 02 · Recon & Surface Map
  • Authenticated and unauthenticated surface mapping with Burp Pro, Caido and Nuclei against staging and controlled prod
  • Authorisation-matrix discovery role-by-role (student / parent / teacher / admin for edtech; rider / driver / fleet-admin for connected-vehicle)
  • Identity-federation footprint enumeration — SAML, OIDC, OAuth, JWT
  • AI surface inventory — AI-tutor, AI-trip-recommendation, AI-customer-service-assistant

Phase 03 · Manual Exploitation
  • Edtech — student-data isolation, age-gating bypass, parent / guardian consent-flow integrity, content-DRM bypass
  • Connected-vehicle — rider / driver authentication, fraud-stack integration, payment-flow abuse, telematics-API consumption
  • IT-services delivery customer apps — customer's third-party-AppSec-standard-aligned objectives
  • SaaS — multi-tenant authz, identity federation, cloud-native paths, AI-customer-service-assistant LLM

Phase 04 · Dual-Format Reporting
  • IT-services delivery — report in customer's preferred template (NIST CSF / CIS / parent-specific) for TPRM drop-in
  • Edtech — DPDP + FERPA / COPPA + reproducible exploit code per High and Critical
  • Connected-vehicle — ISO/SAE 21434 + UN R155 / R156 customer-data-protection clauses
  • SaaS — SOC 2 CC + CERT-In format for Indian-enterprise customers + LLM Top 10 (2025) crosswalk

Phase 05 · Closure & Re-test
  • Free re-test of every Critical and High inside the parent / regulator / audit-window remediation period
  • Joint readout with the engineering team at Hinjewadi / Magarpatta / Kharadi office
  • Findings exported to Linear / Jira / GitHub Issues with owner, severity, CWE and ETA
  • Continuous-AppSec retainer offer for clients with weekly release trains

Industries served

Which Pune verticals we deliver Web App Pentest for.

IT-services delivery centres

Hinjewadi Phase II / III IT-services majors — customer-facing-application AppSec with TPRM drop-in.

Magarpatta edtech

Magarpatta and Kharadi edtech unicorns — student-data isolation, consent-flow, content-DRM, AI-tutor LLM.

Connected-vehicle customer apps

Auto OEM rider / driver / fleet-management apps — ISO/SAE 21434 + UN R155 / R156 customer-data clauses.

Magarpatta / Kharadi SaaS

Magarpatta and Kharadi product companies — OWASP ASVS L3 + multi-tenant authz + LLM surface coverage.

Auto OEM customer portals

Chakan / Talegaon auto OEM dealer-portal, customer-engagement-portal AppSec.

BPO / KPO customer apps

Magarpatta BPO/KPO customer-facing apps — DPDP §16 + customer-third-party-AppSec-standard overlay.

What ships

The Pune deliverable pack.

Every Pune web app pentest engagement closes with the pack below — regulator-ready evidence, technical detail and board-readable summaries.

  • OWASP ASVS L3 AppSec report with reproducible exploit code per High and Critical
  • Edtech DPDP minor + FERPA / COPPA evidence pack where applicable
  • Connected-vehicle ISO/SAE 21434 + UN R155 / R156 customer-data-protection clause coverage
  • IT-services delivery customer's third-party-AppSec-standard-aligned report for TPRM drop-in
  • SaaS SOC 2 CC + CERT-In format + LLM Top 10 (2025) crosswalk for Indian-enterprise customers
  • Reproducible exploit code (curl / Burp .req / Python) per High and Critical
  • Customer-procurement vendor-pack annex for IT-services majors selling internationally
  • Free re-test of every Critical and High inside the regulator / audit-window remediation period
Recent Pune engagement

A Pune web app pentest case study.

Magarpatta-headquartered Edtech Unicorn (15 million students, parent-pay-and-child-learn model, AI-tutor LLM feature)
Scope

4-week OWASP ASVS L3 + DPDP minor-consent + LLM Top 10 (2025) AppSec — 9 services in the platform (student app, parent-portal, teacher-app, content-DRM platform, payment-flow service, AI-tutor RAG-backed inference service), AWS multi-account topology, Okta IDP federation, Indian-domestic-payment integration

Outcome

Two age-gating bypass paths on the student-signup flow closed pre-disclosure; one parent-to-student consent-propagation gap closed and the DPDP minor-consent evidence pack updated; one content-DRM bypass-via-screen-record path closed with the screen-record-resistance control redesigned; one indirect-prompt-injection-via-RAG path on the AI-tutor that allowed cross-student topic-history leak closed and corpus-isolation control redesigned; SOC 2 Type II audit cleared with zero AppSec findings carried forward.

What clients say · Trusted India + UAE

Rated 4.9 ★ from 612 client reviews.

CERT-In Empanelled (Govt of India · MeitY) · EC-Council ATC (Authorized Training) · ISO 27001 Certified (Info Security Mgmt)

"We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade."
Aisha Khan · Information Security Manager · Listed Fintech · BKC, Mumbai

"The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities."
Inspector K. Joshi · Cyber Cell · Maharashtra Police · Mumbai

"Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt."
Vivek Iyer · DevSecOps Lead · Healthcare SaaS · Hyderabad

FAQ

Questions Pune buyers ask before signing.

Yes — edtech scope covers DPDP minor-consent provisions where students are under 18 (parent / guardian authorisation flows, consent-to-parent vs consent-from-student, consent-withdrawal propagation), and (where US-bound student data is in scope) FERPA + COPPA evidence requirements. The deliverable is dual-format — DPDP for Indian users, FERPA / COPPA for US users.
Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.
