RBI and SEBI VAPT

VAPT regulators accept, empanelled and sector-mapped.

CERT-In empanelled and CREST-accredited researchers run VAPT mapped to the RBI cyber security framework, SEBI cybersecurity guidelines, NPCI UPI sandbox requirements, and PCI DSS v4. Empanelment ledger entry on every report.


Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

Why this matters

An empanelled report mapped to your regulator is the bar. Most reports are neither.

  • Non-empanelled VAPT reports get bounced at RBI and SEBI review. Empanelment is the floor, not a bonus.

  • Empanelled-but-generic reports without RBI cyber security framework or SEBI cybersecurity mapping force ISMS teams to remap by hand.

  • NPCI UPI sandbox onboarding and partner-bank InfoSec reviews require sector-mapped evidence, not a generic VAPT PDF.

Here is what we ship.

Why teams pick us

Empanelled, and the report shows it.

  • Empanelled by CERT-In

    The empanelment number ships on every report. Regulators verify against the public CERT-In ledger.

  • RBI and SEBI mapped

    Findings tagged to RBI cyber security framework, SEBI cybersecurity guidelines, NPCI sandbox, and PCI DSS v4 where applicable.

  • Partner-bank-ready

    Banks and PSUs accept the empanelment ledger entry. We share SLAs, SOWs, and attestations procurement asks for.

How it works

From intro to empanelled report in two to three weeks.

  1. Scope per regulator

    Tell us RBI, SEBI, NPCI, or PCI DSS scope and the assets. Mapped to empanelment scope on the call.

  2. Empanelled researchers test

    CREST plus CERT-In researchers test web, mobile, API, network, and cloud per the mandate.

  3. Report with ledger entry

    Findings tagged to regulator controls. Empanelment number on the cover. Re-test included.

Research ledger

Coordinated disclosures published by SL7 research.

The same researchers run your engagement.

What founders say

Thank you for being our pentest partners. Our user base is safer because of y'all.
Vinay Hiremath

Co-founder, Loom

Common questions

What buyers ask before they sign.

Does this satisfy the RBI cyber security framework?

Yes. Empanelled-vendor VAPT is explicitly named in the RBI cyber security framework for banks, NBFCs, payment system operators, and Urban Cooperative Banks.

Does it satisfy SEBI cybersecurity guidelines?

Yes. SEBI guidelines for stock exchanges, depositories, brokers, and mutual funds require independent VAPT by a CERT-In empanelled vendor.

NPCI UPI sandbox onboarding?

Yes. NPCI sandbox onboarding accepts CERT-In empanelled VAPT reports as the security review evidence.

Will you sign the regulator submission letter?

Yes. One-line letter on letterhead plus the empanelment ledger entry.

Re-test included?

Yes. Criticals re-tested inside the same engagement.

Ready to ship the regulator-accepted VAPT report?

20-minute scoping call with our empanelled pentest team. RBI, SEBI, NPCI, and the regulator-shaped report.

CERT-In · CREST · SOC 2 · ISO 27001 · PCI DSS v4