Cloud penetration testing in India

Cloud penetration testing for India. Built around CERT-In, DPDP, and RBI cloud rules.

We test your AWS, Azure, and GCP estate the way an attacker would, then map every finding to CERT-In 2022 directions, the DPDP Act, and RBI and SEBI cloud mandates, so your Indian auditors and regulators accept the report without a second round.

Four cloud lanes (AWS, Azure, GCP, Kubernetes), each annotated with one named bug class actually exploited in real engagements.

Four providers

AWS · Azure · GCP · Kubernetes, one method, four control planes.

Evidence

Working proof-of-exploit and code-level fix guidance on every finding.

Re-test included

We verify your fixes at no extra cost. One engagement, closed loop.

Why now

A single over-permissive IAM role escalates to org-wide blast radius.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

On record

  • CERT-In empanelled auditor
  • CREST accredited
  • ISO/IEC 27001

Cloud depth, Indian rules.

One misconfiguration is never just one finding. It's the first step into your account.

A single over-permissive IAM role or an exposed key is rarely the whole risk. We chain those small gaps the way an attacker would, from one weak setting to real access across your account, and tie the path back to CERT-In log-retention and DPDP data-residency obligations so your India compliance team sees the business impact, not just a CVSS score.

How AI fits across AWS, Azure, GCP, and Kubernetes pentests
One cloud finding chained through three steps into full account access.

What we test

Four cloud surfaces. One engagement.

Each provider gets a manual, threat-modelled review against its real attack surface: control plane, identity, network, and workload. Intensity is tuned per scope.

Amazon AWS

IMDSv1 SSRF, IAM role chaining, public S3 enumeration, Lambda over-privilege, EKS cluster-role abuse, KMS key-policy misuse, Cognito user-pool misconfig, Secrets Manager exposure.

Microsoft Azure

Managed identity over-scope, Storage Account SAS leak, Function App env exposure, AKS pod-identity abuse, Key Vault access policy bypass, Azure AD application consent, Logic App secret reuse.

Google Cloud Platform

Workload-identity confusion, service-account impersonation, Cloud Run scope abuse, GKE node pool escape, Secret Manager IAM gaps, Cloud Storage bucket policy bypass, Cloud Functions trigger replay.

Kubernetes

Pod escape via privileged container, RBAC bypass, etcd exposure, kubelet API abuse, sidecar/init container attack paths, NetworkPolicy gaps, admission-controller bypass, ServiceAccount token theft.
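Several of the Kubernetes items above (privileged-container escape, ServiceAccount token theft, sidecar and init-container paths) are visible in the Pod spec before anything is exploited. The following is an added example written for this page, not SecureLayer7's scanner and not a Kubernetes project tool: it walks a Pod manifest (as the JSON form `kubectl get pod -o json` would give) and reports the settings a workload review flags, with a hardened manifest alongside for comparison. Both manifests and the severity labels are constructed; the list of dangerous capabilities is an assumed starting set.

```python
# Constructed sample manifests, not from any real cluster.
RISKY_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug-agent", "namespace": "ops"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "rootfs", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "agent", "image": "registry.example/agent:1.0",
            "securityContext": {"privileged": True,
                                "capabilities": {"add": ["SYS_ADMIN"]}},
            "volumeMounts": [{"name": "rootfs", "mountPath": "/host"}],
        }],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "orders-api", "namespace": "prod"},
    "spec": {
        "automountServiceAccountToken": False,
        "containers": [{
            "name": "api", "image": "registry.example/orders:2.3",
            "securityContext": {"privileged": False,
                                "allowPrivilegeEscalation": False,
                                "runAsNonRoot": True,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    },
}

# Assumed set: capabilities that give a container node-level reach.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "NET_ADMIN", "SYS_MODULE", "DAC_READ_SEARCH"}
# hostPath targets that amount to the whole node.
NODE_PATHS = {"/", "/var/run/docker.sock", "/var/run/containerd/containerd.sock"}


def review_pod(manifest):
    """Return (pod, severity, reason) tuples for escape and token-theft surfaces."""
    meta = manifest.get("metadata", {})
    pod = "%s/%s" % (meta.get("namespace", "default"), meta.get("name", "?"))
    spec = manifest.get("spec", {})
    findings = []

    # Pod-level: shared node namespaces and host filesystem exposure.
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append((pod, "high", "%s=true shares the node namespace" % key))
    for vol in spec.get("volumes", []):
        host_path = vol.get("hostPath")
        if host_path:
            severity = "critical" if host_path.get("path") in NODE_PATHS else "medium"
            findings.append((pod, severity, "hostPath volume '%s' mounts %s"
                             % (vol.get("name"), host_path.get("path"))))
    # Token theft surface: the SA token is mounted unless explicitly disabled.
    if spec.get("automountServiceAccountToken", True):
        findings.append((pod, "low", "service-account token auto-mounted; set "
                         "automountServiceAccountToken: false unless the pod needs the API"))

    # Container-level, including init containers (an attack path named above).
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        cname = c.get("name")
        if sc.get("privileged"):
            findings.append((pod, "critical",
                             "container '%s' is privileged: full access to the node" % cname))
        elif sc.get("allowPrivilegeEscalation", True):
            findings.append((pod, "medium",
                             "container '%s' leaves allowPrivilegeEscalation enabled" % cname))
        if not sc.get("runAsNonRoot"):
            findings.append((pod, "low", "container '%s' does not set runAsNonRoot: true" % cname))
        added = set(sc.get("capabilities", {}).get("add", [])) & DANGEROUS_CAPS
        if added:
            findings.append((pod, "high", "container '%s' adds %s"
                             % (cname, ", ".join(sorted(added)))))
    return findings


if __name__ == "__main__":
    for manifest in (RISKY_POD, HARDENED_POD):
        for pod, severity, reason in review_pod(manifest) or [(manifest["metadata"]["name"], "ok", "no findings")]:
            print("%-9s %-18s %s" % (severity, pod, reason))
```

The risky pod yields two critical findings (privileged container plus a hostPath mount of `/`), and the hardened pod yields none. The same checks are what a Pod Security Admission `restricted` profile or a custom admission controller would enforce at deploy time; the admission-controller bypass item above is about what happens when that enforcement is missing or can be sidestepped, so a static pass over already-running workloads is the complement, not a replacement.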

CLOUD PENTEST METHODOLOGY.

Eight phases. Control plane to workload.

Threat-modelled to your control plane, identity model, and workload topology. Not a template we run against every cloud.

  1. Scope & threat-model
  2. Recon & enumeration
  3. Configuration review
  4. Identity exploitation
  5. Workload & network exploitation
  6. Vulnerability analysis
  7. Remediation guidance
  8. Patch verification

Meet our expert

One lead across your whole cloud estate.

Nivedita Singh

Security Advisor & Engagement Lead

10+

Years in offensive security

300+

Engagements led

99.7%

On-time delivery rate

Nivedita scopes cloud-pentest engagements against your account topology, identity model, and workload boundaries. She guides the pod from kick-off through final report and re-test.

  • Scopes AWS, Azure, GCP, and Kubernetes engagements against your real risk model.
  • Owns kick-off, mid-engagement check-ins, and live walkthrough of every finding.
  • Drives remediation review and re-test until every cloud-path finding is closed.
SL7 Lab. Published CVE research.
Nivedita Singh, Security Advisor & Engagement Lead at SecureLayer7

Ready to scope a cloud pentest? Book 30 minutes with Nivedita to walk through your topology, identity model, and timeline.

For startups

Pre-Series A? Apply for the startup program.

A single Autonomous app pentest, CREST-aligned report, engagement-lead signoff, retest included, heavily discounted for pre-Series A startups passing enterprise procurement or SOC 2 due diligence. Eligibility verified on application.

Apply for the startup program

Tested by industry.

The bug classes named below come from real engagements in each sector. Pick the closest fit.

Tech SaaS

Multi-cloud SaaS, tenant-isolation drift, IAM role-chain abuse.

FinTech

Cloud-native banking workloads, KMS / HSM boundaries, settlement isolation.

Retail

E-commerce on cloud, POS sync APIs, customer-PII surfaces in serverless paths.

Built for India engagements

What changes when we deliver here.

  • Compliance scoping

    RBI April 2023 cloud guidance cited per cloud finding

  • Regulatory framework

    MeitY data-localisation trace for every PII store

  • Local engagements

    BFSI multi-cloud engagements across Mumbai and Bengaluru

  • Local pricing

    INR SOW, per-account pricing, GST invoice

  • Compliance scoping

    DPDP Section 9 breach playbook updates included

Indian cloud security questions.

  • Do you cover the RBI cloud guidance for BFSI workloads?

    Yes. Region choice, exit plan, control plane access and shared-responsibility mapping are reviewed. The April 2023 guidance clauses are cited per finding.

  • How is MeitY data localisation verified?

    We trace each PII store and backup target. Findings flag any cross-border replication and the exact MeitY rule it breaks.

  • Multi-cloud in scope?

    Yes. AWS, Azure, GCP and OCI in one engagement. The report tags findings by provider and by RBI clause.

  • What about DPDP Section 9 breach readiness?

    Cloud detection gaps are mapped to the 72-hour notification clock. Playbook updates supplied for your IR runbook.

Delivery in India

RBI cloud guidance. MeitY localisation evidence.

Cloud control plane tested against the April 2023 RBI cloud guidance and MeitY data-localisation rules. Region and residency choices reviewed per workload.

Direct line
+91-20-71600505
Office
Pune, Maharashtra, India

Frameworks scoped: CERT-In · DPDP Act · RBI CSF · SEBI CSCRF · ISO/IEC 27001 · PCI DSS.

Sample cloud pentest report, kill-chain · evidence · remediation

Sample engagement report

See what arrives in your inbox.

A pre-vetted sample report: full vulnerability narrative, working PoC, code-level fix guidance. Sent on request after a 5-minute scoping call.