Do you work with a specific firewall vendor?

No — vendor neutral. We hold delivery experience across Palo Alto, Check Point, Fortinet, Cisco ASA / FTD, Juniper SRX, and the native cloud security groups (AWS, Azure, GCP).

Can you handle OT segmentation?

Yes — IEC 62443-3-2 zones & conduits, plus the practical realities of Indian manufacturing (legacy PLCs, vendor-mandated flat networks, engineering laptop hygiene). We've delivered this for pharma, automotive and process industries.

What's the typical engagement size?

Rule-base review only: 3–4 weeks. Full segmentation architecture for a ~3,000-host estate: 8–10 weeks. Microsegmentation pilot + 12-month rollout plan: 12 weeks for design, then a retainer.

Do you stay through implementation?

Optional. We can hand-over to your network engineering team, or stay as architecture advisors during a phased rollout. We do not resell firewall licences — neutrality matters.

Segmentation · Firewall Review · SASE · Microsegmentation

Network Security Architecture & Segmentation

Defensive network engineering — segmentation strategy, firewall rule-base reviews, SASE / ZTNA design, OT-IT boundary architecture and microsegmentation roadmaps that survive procurement and the change-advisory-board. Distinct from our network-pentesting service: this is design and review, not exploitation.

Request a quote See methodology

Download sample pentest report

CERT-In format · anonymised

Engagement at a glance

Quote SLA48 hours
Typical engagement5–15 working days
RetestFree within 30 days
Reporting formatCERT-In + ISO + SOC 2 ready
Team100% in-house · OSCP / OSWE / OSEP

What this actually looks like

A Network Security engagement, in plain language.

Indian enterprise networks accrete. Two acquisitions later, the firewall rule base has 12,000 rules, half of them ANY-ANY-ANY, with comments like 'temporary - 2018'. A typical Macksofy engagement starts with a rule-base cleanup that drops 35–50% of dead rules without breaking a single application, then layers segmentation by trust zone — corporate, OT, DMZ, PCI, tier-0 — with documented exceptions. We close with a microsegmentation roadmap (NSX / Illumio / Cisco ACI / native cloud) that gives the SOC a fighting chance during the next ransomware blast.

Business impact

Eliminate flat-network lateral movement during incidents
Pass RBI / SEBI / ISO / PCI segmentation evidence asks
Cut firewall change-failure rate; recover engineering velocity
Reduce attack surface visible to compromised endpoints
Future-proof against board-level ransomware scenario asks

Methodology

Phased delivery — every step documented.

Interactive walkthrough of how we run a Network Security engagement — tap a phase to expand its activities.

Network Security · Start

Phase 01
1 · Topology + asset discovery
- Passive discovery (NetFlow, sFlow, span ports) — no agents required
- Active discovery where allowed (Nmap, Forescout, native cloud)
- Trust-zone classification — tier-0 / OT / PCI / DMZ / corporate
- Crown-jewel mapping with business + data-flow owners
01
Station 01
01
Phase 01
1 · Topology + asset discovery
- Passive discovery (NetFlow, sFlow, span ports) — no agents required
- Active discovery where allowed (Nmap, Forescout, native cloud)
- Trust-zone classification — tier-0 / OT / PCI / DMZ / corporate
- Crown-jewel mapping with business + data-flow owners
Phase 02
2 · Firewall + rule-base review
- Multi-vendor rule analysis (Palo Alto, Check Point, Fortinet, Cisco, Juniper)
- Dead rule + shadowed rule + overly-permissive rule identification
- Object cleanup + zone-based rebase plan
- Risk-ranked rule-by-rule remediation with rollback windows
02
Station 02
02
Phase 02
2 · Firewall + rule-base review
- Multi-vendor rule analysis (Palo Alto, Check Point, Fortinet, Cisco, Juniper)
- Dead rule + shadowed rule + overly-permissive rule identification
- Object cleanup + zone-based rebase plan
- Risk-ranked rule-by-rule remediation with rollback windows
Phase 03
3 · Segmentation strategy
- Target-state segmentation map per trust zone
- OT / ICS demarcation per IEC 62443-3-2 zones & conduits
- PCI cardholder-data-environment boundary memo
- Vendor-network and BYOD isolation design
03
Station 03
03
Phase 03
3 · Segmentation strategy
- Target-state segmentation map per trust zone
- OT / ICS demarcation per IEC 62443-3-2 zones & conduits
- PCI cardholder-data-environment boundary memo
- Vendor-network and BYOD isolation design
Phase 04
4 · SASE / ZTNA / microsegmentation
- SASE vendor short-list (Zscaler, Netskope, Cisco, Palo Alto Prisma)
- ZTNA design for remote + branch + third-party
- Microsegmentation tool short-list (Illumio, Akamai Guardicore, NSX, native cloud)
- Phased rollout plan that survives a 12-month CAB calendar
04
Station 04
04
Phase 04
4 · SASE / ZTNA / microsegmentation
- SASE vendor short-list (Zscaler, Netskope, Cisco, Palo Alto Prisma)
- ZTNA design for remote + branch + third-party
- Microsegmentation tool short-list (Illumio, Akamai Guardicore, NSX, native cloud)
- Phased rollout plan that survives a 12-month CAB calendar
Phase 05
5 · Evidence + handover
- Regulator-mapped segmentation evidence pack (RBI / SEBI / ISO / PCI)
- Network architecture diagram suite — current vs target
- Change-management playbook + rollback-tested templates
- Optional 90-day quarterly drift audit (retainer)
05
Station 05
05
Phase 05
5 · Evidence + handover
- Regulator-mapped segmentation evidence pack (RBI / SEBI / ISO / PCI)
- Network architecture diagram suite — current vs target
- Change-management playbook + rollback-tested templates
- Optional 90-day quarterly drift audit (retainer)

Closure + retest

Tooling

Industry-standard + custom.

We use the same tooling top BFSI red teams operate — combined with Macksofy in-house extensions and proprietary scripts where commercial tools fall short.

Tools we operate

NmapForescoutTufinAlgoSecFireMonSkyboxCisco DNA / ACIPalo Alto PanoramaVMware NSXIllumioAkamai GuardicoreZscaler / Netskope

Industries served

Sectors we operate in

BFSI (RBI Cyber Security Framework network controls)Manufacturing / OT (IEC 62443 zones & conduits)Healthcare (ADHICS / HIPAA network safeguards)Payment processors (PCI-DSS 1.x scoping)SaaS / data-centre tenants (multi-tenant isolation)Government / PSU (CERT-In network architecture audit)

Deliverables

What you get

Network topology + trust-zone map (current state)
Firewall rule-base cleanup plan with risk-ranked actions
Target-state segmentation architecture + diagrams
SASE / ZTNA / microsegmentation vendor short-list memo
12-month phased rollout plan with CAB-aware change windows
Regulator-mapped segmentation evidence pack

Case studies

Anonymized engagement snapshots.

Multinational Bank

Scope · 12,000-rule firewall cleanup + zone rebase

Finding: 47% rules dead or shadowed; tier-0 reachable from BYOD VLAN

Rule count to 6,400 with zero outage; RBI inspection clean

Risk severity · Critical

LMHC

Pharma manufacturer (USFDA-regulated)

Scope · IT-OT segmentation per IEC 62443

Finding: Engineering workstation in same VLAN as plant historian

Zone & conduit redesign; USFDA pre-approval inspection ready

Risk severity · Critical

LMHC

Payment aggregator

Scope · PCI-DSS 1.x CDE scoping + microsegmentation pilot

Finding: CDE not properly isolated; sandbox env reachable from CDE

CDE blast radius reduced 80%; QSA pass on first attempt

Risk severity · Critical

LMHC

Indicative pricing · INR

Transparent tiers. No surprises at quote time.

Indicative price ranges based on typical Indian engagements. Final fixed-price quote within 72 hours of the discovery call.

Free 30-day retest · CERT-In format reports

Tier 01

Build

₹4L–₹8L

Initial setup · single SOC tier

Tooling (Wazuh / ELK / Splunk) implementation
Baseline detection rules
Runbook authoring

Request a fixed-price quote

Tier 02

Operate

₹10L–₹20L

L1 + L2 with retainer

Everything in Build
24×7 monitoring across business hours
Monthly threat-hunt + posture reviews

Request a fixed-price quote

Tier 03

Resilience

Starts at ₹24L

Full 24×7 SOC + threat intel

Everything in Operate
L3 threat hunters + IR retainer
Annual table-top + DR drill

Request a fixed-price quote

Note · Indicative pricing in INR. Setup + 12-month operate is the most-asked combination. Custom blends available.

What clients say · Trusted India + UAE

Rated 4.9 ★ from 612 client reviews.

CERT-In Empanelled

Govt of India · MeitY

EC-Council ATC

Authorized Training

ISO 27001 Certified

Info Security Mgmt

“We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.”

Aisha Khan

Information Security Manager · Listed Fintech · BKC, Mumbai

“The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.”

Inspector K. Joshi

Cyber Cell · Maharashtra Police · Mumbai

“Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.”

Vivek Iyer

DevSecOps Lead · Healthcare SaaS · Hyderabad

Read all 612 reviews on Google →

FAQ

Things people ask before signing.

Network-pentesting is offensive — we attack your existing network and report findings. This service is defensive — we design segmentation, review firewall rule bases, and roadmap microsegmentation. Many clients buy both; the pentest validates the architecture work.

Related services

Often paired with this engagement.

Digital Forensics & Incident Response (DFIR)

When the worst happens, every minute matters.

Learn more

Malware Analysis & Reverse Engineering

Decode what hit you. Detect the next variant.

Learn more

Identity Security & Zero Trust

Identity is the new perimeter. Audit it like one.

Learn more

Delivery footprint

Where Macksofy delivers Network Security.

On-site engagements across India's BFSI, fintech, government and SaaS metros plus the UAE. Senior consultants fly from Mumbai BKC for kickoff, key reviews and exit briefings; remote weeks run through the rest of the engagement.

Network Security · Mumbai Network Security · Delhi NCR Network Security · Bengaluru Network Security · Hyderabad Network Security · Chennai Network Security · Pune Network Security · Noida Network Security · Gurugram

Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.

CERT-In Empanelled

Information Security Auditor · India

CERT-In Empanelled
EC-Council ATC · CompTIA Authorized
20,000+ professionals trained
India + UAE engagements

Network Security Architecture & Segmentation

A Network Security engagement, in plain language.

Phased delivery — every step documented.

1 · Topology + asset discovery

1 · Topology + asset discovery

2 · Firewall + rule-base review

2 · Firewall + rule-base review

3 · Segmentation strategy

3 · Segmentation strategy

4 · SASE / ZTNA / microsegmentation

4 · SASE / ZTNA / microsegmentation

5 · Evidence + handover

5 · Evidence + handover

Industry-standard + custom.

Sectors we operate in

What you get

Anonymized engagement snapshots.

Scope · 12,000-rule firewall cleanup + zone rebase

Scope · IT-OT segmentation per IEC 62443

Scope · PCI-DSS 1.x CDE scoping + microsegmentation pilot

Transparent tiers. No surprises at quote time.

Build

Operate

Resilience

Rated 4.9 ★ from 612 client reviews.

Things people ask before signing.

Often paired with this engagement.

Digital Forensics & Incident Response (DFIR)

Malware Analysis & Reverse Engineering

Identity Security & Zero Trust

Where Macksofy delivers Network Security.

Get a fixed-price proposal in 48 hours.