How do you handle hybrid AD + Entra ID environments?

Hybrid is the norm in India. We enumerate the sync boundary (AAD Connect / Cloud Sync), find privilege leaks across it (e.g., on-prem admin → cloud Global Admin), and design tier-0 isolation on both sides.

Can you map findings to RBI / SEBI / DPDP?

Yes. Every finding is mapped to RBI Cyber Security Framework, SEBI CSCRF authentication controls, DPDP §8 reasonable-security-practices, and ISO 27001:2022 A.5.15 / A.5.16 / A.5.17 / A.8.5.

What's the typical timeline?

8–12 weeks for assessment + Zero Trust roadmap on a ~5,000-identity estate. PAM-only tightening: 4–6 weeks. Full multi-year ZT execution is a retainer model.

Do you do phishing-resistant MFA rollout?

Yes — FIDO2 / passkey / certificate-based MFA design and phased rollout, including the awkward bits (legacy MFA, helpdesk reset paths, contractor access, third-party vendor identities).

IAM · PAM · SSO · Zero Trust Architecture

Identity Security & Zero Trust

End-to-end identity security: IAM topology review, privileged-access (PAM) tightening, SSO / OIDC / SAML hardening, conditional-access design and a phased Zero Trust roadmap mapped to NIST SP 800-207 and India's CERT-In + DPDP authentication expectations.

Request a quote See methodology

Download sample pentest report

CERT-In format · anonymised

Engagement at a glance

Quote SLA48 hours
Typical engagement5–15 working days
RetestFree within 30 days
Reporting formatCERT-In + ISO + SOC 2 ready
Team100% in-house · OSCP / OSWE / OSEP

What this actually looks like

A Identity & ZT engagement, in plain language.

Most Indian enterprises run a sprawl of identity systems — on-prem Active Directory still authoritative, Entra ID syncing a partial estate, Okta or Azure AD federating SaaS, three separate PAM tools owned by three different teams, and ~40% of admin accounts shared. Macksofy enumerates every authentication boundary, maps lateral-movement paths from a phished user to crown jewels, and ships a 90-day plan that closes the worst paths first — phishing-resistant MFA on tier-0, JIT for break-glass, RBAC consolidation, and a measured Zero Trust rollout that survives contact with the change-advisory-board.

Business impact

Phishing-resistant MFA on tier-0 and admin populations
Cut blast radius — kill standing privilege, enforce JIT/JEA
Pass RBI / SEBI / DPDP authentication evidence asks on first pass
Reduce identity-related audit findings to near-zero within one cycle
Cost-rationalise overlapping IAM/PAM tooling

Methodology

Phased delivery — every step documented.

Interactive walkthrough of how we run a Identity & ZT engagement — tap a phase to expand its activities.

Phase 01 / 5

20% complete

1 · Identity inventory

01
Enumerate every IdP, directory, federation and break-glass account
02
Crowdsource shadow-IAM via SaaS SSO logs + finance procurement data
03
Tier-0 / Tier-1 / Tier-2 classification of human + service identities
04
Privileged-account census — domain, cloud, app and DB admins

Tooling

Industry-standard + custom.

We use the same tooling top BFSI red teams operate — combined with Macksofy in-house extensions and proprietary scripts where commercial tools fall short.

Tools we operate

BloodHound CE / EnterprisePingCastleROADreconMicrosoft Entra ID / Azure ADOktaPing IdentityCyberArkDelinea Secret ServerHashiCorp VaultSailpointSaviynt

Industries served

Sectors we operate in

BFSI (RBI / SEBI / IRDAI authentication evidence)Fintech, payment aggregators (RBI PA-PG)SaaS / product (SOC 2 CC6 controls)Healthcare (ADHICS / HIPAA access control)Manufacturing / OT (IEC 62443 SR 1.1–1.13 identification & authentication)Government / PSU (CERT-In RBAC + privileged-access audit)

Deliverables

What you get

Identity inventory + tiering memo
Attack-path map with prioritised closure backlog
Zero Trust target-state architecture diagram + 12-month roadmap
PAM tightening plan with vault-by-vault remediation tasks
Phishing-resistant MFA rollout playbook for tier-0
Regulator-mapped authentication evidence pack

Case studies

Anonymized engagement snapshots.

Listed Bank

Scope · Tier-0 path mapping + PAM consolidation

Finding: Kerberoastable tier-0 service account + dormant CyberArk safes with 100+ unused admins

Standing privilege cut 78% in 60 days; clean RBI inspection

Risk severity · Critical

LMHC

B2B SaaS

Scope · Zero Trust architecture for SOC 2 + EU customers

Finding: Public-app to admin-app lateral path via shared OAuth client

Split-tenant identity model shipped pre-Series-C diligence

Risk severity · High

LMHC

Pharma manufacturer

Scope · IT-OT identity boundary for IEC 62443

Finding: OT engineering laptops domain-joined to IT AD; flat trust

Dedicated OT realm + jump-host model; USFDA-PAI ready

Risk severity · High

LMHC

Indicative pricing · INR

Transparent tiers. No surprises at quote time.

Indicative price ranges based on typical Indian engagements. Final fixed-price quote within 72 hours of the discovery call.

Free 30-day retest · CERT-In format reports

Tier 01

Build

₹4L–₹8L

Initial setup · single SOC tier

Tooling (Wazuh / ELK / Splunk) implementation
Baseline detection rules
Runbook authoring

Request a fixed-price quote

Tier 02

Operate

₹10L–₹20L

L1 + L2 with retainer

Everything in Build
24×7 monitoring across business hours
Monthly threat-hunt + posture reviews

Request a fixed-price quote

Tier 03

Resilience

Starts at ₹24L

Full 24×7 SOC + threat intel

Everything in Operate
L3 threat hunters + IR retainer
Annual table-top + DR drill

Request a fixed-price quote

Note · Indicative pricing in INR. Setup + 12-month operate is the most-asked combination. Custom blends available.

What clients say · Trusted India + UAE

Rated 4.9 ★ from 612 client reviews.

CERT-In Empanelled

Govt of India · MeitY

EC-Council ATC

Authorized Training

ISO 27001 Certified

Info Security Mgmt

“We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.”

Aisha Khan

Information Security Manager · Listed Fintech · BKC, Mumbai

“The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.”

Inspector K. Joshi

Cyber Cell · Maharashtra Police · Mumbai

“Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.”

Vivek Iyer

DevSecOps Lead · Healthcare SaaS · Hyderabad

Read all 612 reviews on Google →

FAQ

Things people ask before signing.

Both — we start with assessment + architecture (no tool bias), then optionally help implement. Macksofy is vendor-neutral; CyberArk, Delinea, HashiCorp Vault, Sailpoint and Saviynt are all in our delivery toolkit.

Related services

Often paired with this engagement.

Digital Forensics & Incident Response (DFIR)

When the worst happens, every minute matters.

Learn more

Malware Analysis & Reverse Engineering

Decode what hit you. Detect the next variant.

Learn more

Network Security Architecture & Segmentation

Stop east-west blast radius before the next ransomware does.

Learn more

Delivery footprint

Where Macksofy delivers Identity & ZT.

On-site engagements across India's BFSI, fintech, government and SaaS metros plus the UAE. Senior consultants fly from Mumbai BKC for kickoff, key reviews and exit briefings; remote weeks run through the rest of the engagement.

Identity & ZT · Mumbai Identity & ZT · Delhi NCR Identity & ZT · Bengaluru Identity & ZT · Hyderabad Identity & ZT · Chennai Identity & ZT · Pune Identity & ZT · Noida Identity & ZT · Gurugram

Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.

CERT-In Empanelled

Information Security Auditor · India

CERT-In Empanelled
EC-Council ATC · CompTIA Authorized
20,000+ professionals trained
India + UAE engagements