CERT-In empanelled VAPT

An empanelled report your regulator and your customers accept.

SecureLayer7 is empanelled by CERT-In, India's national cyber agency. Independent VAPT for RBI, SEBI, IRDAI, MeitY, and procurement-driven mandates. The empanelment ledger entry ships with every report.

GET YOUR SCOPING CALL

Talk to a security expert

Trusted by regulated entities across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

Why this matters

An empanelled report carries weight. A self-attestation does not.

  • Regulators (RBI, SEBI, IRDAI, MeitY) explicitly accept CERT-In empanelled findings. Non-empanelled reports get bounced.

  • Banks and PSUs filter procurement at the vendor stage. RFPs require empanelment listing.

  • Self-attested or scanner-only reports do not meet the bar. The empanelment ledger entry is the proof.

Here is what we ship.

Why teams pick us

Empanelled, and the report shows it.

  • Empanelled by CERT-In

    The empanelment number ships on every report. Regulators verify against the public CERT-In ledger.

  • Regulator-mapped findings

    RBI cyber security framework, SEBI cybersecurity framework, IRDAI guidelines, MeitY VAPT scope. Findings tagged to controls.

  • Procurement-ready

    Bid documents accept the empanelment ledger entry. We share SLAs, SOWs, and attestations procurement asks for.

How it works

From intro to empanelled report in two weeks.

  1. Scope per the mandate

    Tell us which regulator (RBI, SEBI, IRDAI, MeitY) and which assets. We map to the empanelment scope on the call.

  2. Empanelled pentesters test

    CREST plus CERT-In researchers test web, mobile, API, network, and cloud per the mandate.

  3. Report with the ledger entry

    Findings tagged to regulator controls. Empanelment number on the cover. Re-test included.

Research ledger,

Coordinated disclosures published by SL7 research.

The same researchers run your CERT-In empanelled VAPT.

Full advisories index

What founders say

Thank you for being our pentest partners. Our user base is safer because of y'all.
Vinay Hiremath

Vinay Hiremath

Co-founder, Loom

View tweet

Common questions

What regulated entities ask before they sign.

What does CERT-In empanelment cover?
Web, mobile, API, network, infrastructure, and cloud. The full mandate scope.
Is the report accepted by RBI and SEBI?
Yes. Empanelled-vendor VAPT is explicitly named in the RBI cyber security framework and SEBI cybersecurity guidelines.
How long does it take?
Two to three weeks per asset. Multi-asset engagements scoped together.
Where is the empanelment number?
On the cover of the report and in your vendor file. Verifiable against the CERT-In public ledger.
Do you handle BFSI procurement docs?
Yes. We share the SLAs, SOWs, and ISO 27001 and SOC 2 attestations procurement teams ask for.

Ready to get a CERT-In empanelled report?

20-minute scoping call with our empanelled pentest team. The empanelment number ships on every report.

CERT-In · CREST · SOC 2 · ISO 27001