Service · Technical
VAPT scoped around what actually moves money.
Generic VAPT scopes miss the systems that matter most in BFSI. We scope around core banking, payment switches, and customer-facing channels first.
What's in scope
- External and internal network penetration testing
- Web application testing (OWASP Top 10 + business-logic abuse cases specific to banking workflows)
- Mobile application testing — Android/iOS banking and wallet apps
- API security testing for payment switches, UPI integrations and partner APIs
- Configuration review of core banking and SIEM/SOAR tooling
What you get
- Findings mapped to CVSS and to the relevant RBI CSF / CERT-In clause
- A retest cycle included, not billed separately
- A board-readable executive summary, separate from the technical report
- Remediation guidance sequenced by exploitability and business impact, not just severity score
Process
How an engagement runs
Scoping
We confirm in-scope assets, testing windows, and rules of engagement that respect production banking hours.
Testing
Manual-led testing supplemented by tooling — we don't ship an unreviewed scanner report.
Validation
Every critical and high finding is manually verified before it reaches the report.
Reporting & retest
Executive summary, technical report, and one included retest once fixes are deployed.