Skip to content
Service · Technical

VAPT scoped around what actually moves money.

Generic VAPT scopes miss the systems that matter most in BFSI. We scope around core banking, payment switches, and customer-facing channels first.

What's in scope

  • External and internal network penetration testing
  • Web application testing (OWASP Top 10 + business-logic abuse cases specific to banking workflows)
  • Mobile application testing — Android/iOS banking and wallet apps
  • API security testing for payment switches, UPI integrations and partner APIs
  • Configuration review of core banking and SIEM/SOAR tooling

What you get

  • Findings mapped to CVSS and to the relevant RBI CSF / CERT-In clause
  • A retest cycle included, not billed separately
  • A board-readable executive summary, separate from the technical report
  • Remediation guidance sequenced by exploitability and business impact, not just severity score
Process

How an engagement runs

Scoping

We confirm in-scope assets, testing windows, and rules of engagement that respect production banking hours.

Testing

Manual-led testing supplemented by tooling — we don't ship an unreviewed scanner report.

Validation

Every critical and high finding is manually verified before it reaches the report.

Reporting & retest

Executive summary, technical report, and one included retest once fixes are deployed.