Top 10 CERT-In Empanelled VAPT Companies in India (2026)
Published 2026-05-14 05:06:30, Author: payatu.com

Picking a VAPT vendor in India is harder than it should be. Every empanelled firm offers the same checklist of services on their homepage. Most reports follow the same template. And once you sign, the gap between a real attacker-mindset assessment and a glorified vulnerability scan only shows up after the work is done. 

This list isn’t ranked by company size, marketing budget, or how often a vendor’s name appears in directory listings. It’s ranked on the things that actually matter when you’re the one signing the contract – research depth, manual testing, breadth of coverage, regulatory acceptance, and what the team does when no one is paying them to perform. 

Whether you need a CERT-In empanelled auditor for a regulatory mandate or simply want one as a baseline of credibility, the choice still matters. Below are 10 firms worth shortlisting in 2026, with their strengths, services, and the kind of buyer each one fits best. 

Why this matters more in 2026 

A few years ago, getting a VAPT done was something most companies did once a year and forgot about. That’s changed. 

  • DPDP Act, 2023: in active enforcement now, with penalties up to ₹250 crore. That’s not a typo. 
  • RBI Master Directions & SEBI CSCRF: expect regulated entities to get audited by empanelled firms – annually, sometimes more. 
  • Safe to Host & government tenders: you don’t get to choose. CERT-In empanelment isn’t optional, it’s the entry ticket. 

What does CERT-In empanelment actually mean? 

CERT-In sits under MeitY (Ministry of Electronics and IT). They evaluate cybersecurity firms on technical capability, methodology, and how they actually run audits in the real world. Firms that clear the bar get listed on cert-in.org.in as approved auditors. 

Worth saying clearly: empanelment is a floor, not a ceiling. It tells you a firm has met a baseline. It doesn’t tell you whether their pentest will actually catch the bug that ends up in your production environment six months later. Two empanelled firms can deliver wildly different quality of work. Treat the panel as your starting filter – then ask harder questions. 

1. Payatu 

Payatu is one of those rare Indian cybersecurity firms where the people doing your pentest are also the ones publishing CVEs, breaking devices on stage at DEF CON, and writing the open-source tools other pentesters use. 

For over a decade, the team has built a name for security research first and consulting second, which is unusual in a market where most VAPT firms run almost entirely on automated scans wrapped in pretty PDFs. Payatu is CERT-In empanelled as an Information Security Auditing Organisation, ISO 17025 accredited as a testing laboratory, and was named “Best Security Services Company of the Year” by the Data Security Council of India (DSCI). The credentials are useful, but they’re not the reason most clients come back. 

The reason is the report itself. A scanner-led firm hands you something that says “broken access control found at /admin.” A Payatu report walks you through how the bug was actually found, what other small flaws it chains with, what an attacker walks away with at the end of it, and what that costs your business. The fix recommendations are written for the developer who has to ship the patch on Monday – not for the auditor’s checkbox. 

Payatu also goes places most Indian VAPT firms don’t. Hardware reverse engineering on IoT devices. Firmware analysis. Adversarial testing on LLM applications and prompt injection assessments for AI products. Automotive cybersecurity work aligned to ISO 21434, UN ECE R155/R156, and NHTSA guidance. Full-blown red team engagements that look like real APT activity, not a checklist exercise. They build EXPLIoT (the open-source IoT security framework you’ve probably seen in pentester tooling). 

Their client list spans BFSI, fintech, healthcare, SaaS, telecom, and automotive in 20+ countries, and they’ve supported audits under almost every Indian regulatory framework worth naming: CERT-In, RBI, SEBI, UIDAI, DPDP. They also founded Nullcon, one of India’s longest-running and best-known information security conferences, and Hardwear.io. 

If you just need a compliance audit to tick a regulatory box, you’ll be fine with most names on this list. But if you’re shipping connected devices, AI products, payment platforms, or anything a real attacker would actually study before going after – Payatu is the team that thinks like that attacker. 

Services: 

  • Web, Mobile, API & Cloud VAPT 
  • IoT & Embedded Security Assessment 
  • AI/ML Security Audit (incl. LLM testing) 
  • Automotive Cybersecurity (ISO/SAE 21434) 
  • Red Team Assessment 
  • Critical Infrastructure Assessment 
  • Source Code Review 
  • DevSecOps Consulting 
  • SOC Service & Product Security 

Why teams pick them: 

  • CERT-In Empanelled Information Security Auditing Organisation 
  • ISO 17025 Accredited Testing Laboratory 
  • DSCI “Best Security Services Company of the Year” 
  • Track record of public CVEs across IoT, automotive, cloud, and AI/ML 
  • Regular speakers at Black Hat, DEF CON, Nullcon, HITB, BruCON 
  • Maintainers of EXPLIoT (open-source IoT security framework) 

Best suited for: BFSI and fintech, healthcare, SaaS, IoT and connected device manufacturers, automotive OEMs and tier-1 suppliers, AI/ML product teams, anyone who wants a pentest that actually finds things, not one that just produces a 200-page PDF. 

2. Network Intelligence 

Network Intelligence (NII) is the kind of firm large BFSI and telecom CISOs feel comfortable handing a master security agreement to. They cover assessment, GRC, MSSP, and managed security under one roof, which is useful when you don’t want to manage five different vendors. 

Services: Assessment & VAPT, GRC & Compliance, MSSP, Cybersecurity Training.  

3. SISA Information Security 

SISA has spent years specialising in payment security and PCI DSS work. As a PCI QSA since 2006, they audit and certify across BFSI, payment gateways, and processors in 40+ countries. Their assessments are written for people who already know what a primary account number is. 

Services: PCI DSS Audits & QSA, Payment Security, Forensics, BFSI Compliance.  

4. SecureLayer7 

SecureLayer7 is one of the cleaner methodology-led pentest firms in India. They lean heavily on standards alignment (OWASP, NIST, PCI DSS), and their engagements come with the kind of documented trail that auditors and procurement teams ask for. A solid pick when you want a pentest report that holds up under scrutiny without endless back-and-forth. 

Services: Web & Mobile VAPT, API & Cloud Pentesting, Red Team, PTaaS. 

5. Kratikal 

Kratikal pairs penetration testing with phishing simulations, ISO/SOC 2 readiness, and v-CISO services. A practical fit for mid-market companies that need to mature on multiple fronts at once. 

Services: Web/Mobile/Network VAPT, ISO & SOC 2 Audits, Phishing Simulation, v-CISO. 

Want to see what a real pentest report looks like? Download anonymised sample reports across web, mobile, IoT, and red team directly from Payatu’s website. → Download Sample Reports from payatu.com

6. eSec Forte Technologies 

eSec Forte is a CMMI Level 3 certified consulting and IT security services company, CERT-In empanelled and PCI DSS QSA certified. They operate across India, the US, Singapore, and Sri Lanka, serving Fortune 1000 companies and government enterprises. Their service mix covers cloud security, forensics, security audits, red team assessments, and SOC operations. 

Services: VAPT, Cloud Security, Digital Forensics, PCI DSS QSA, Red Team, SOC. 

7. Astra Security 

Astra Security is CREST-accredited, CERT-In empanelled, and a PCI ASV. Their platform combines automated DAST scanning with manual penetration testing in a single dashboard, with CI/CD integrations and a publicly verifiable pentest certificate. Coverage spans web applications, APIs, mobile apps, cloud infrastructure, and networks. 

Services: Web & API Pentesting, Mobile App Pentesting, Cloud Testing, Continuous Vulnerability Scanning, PTaaS. 

8. ISECURION 

ISECURION is a Bangalore-based CERT-In empanelled cybersecurity firm offering VAPT, compliance audits, and SOC 2 services. Alongside standard application and network testing, they offer smart contract audits and crypto exchange penetration testing – areas where most Indian VAPT firms have limited coverage. 

Services: Web/Mobile VAPT, Smart Contract & Crypto Exchange Audits, Network Pentesting, SOC 2, DPDP Compliance. 

9. CyberQ Consulting 

CyberQ Consulting was founded in 1997 in New Delhi and is CERT-In empanelled, with services centred on ISO 27001 implementation, security audits, and risk assessment. Their positioning is more on the consulting and compliance side than offensive security, making them a fit for organisations focused on structured certification programs. 

Services: VAPT & Security Audits, ISO 27001 Consulting, Risk Assessment, Compliance Advisory. 

10. Net Square 

Net Square was founded in 2000 in Ahmedabad and has been CERT-In empanelled since 2013. Co-founder Saumil Shah is a regular speaker at Black Hat, RSA, and CanSecWest. Their work emphasises manual penetration testing and secure code review, with services covering application security, IoT testing, red teaming, and security training. 

Services: Application Security Testing, Secure Code Review, IoT Security, Red Teaming, Security Training. 

How to actually pick the right one 

Empanelment shrinks the list. These six checks shrink it further: 

  • Check cert-in.org.in. The list updates a few times a year. Don’t take a vendor’s word – check it yourself. 
  • Match the asset, not the brochure. A pentest team that’s amazing at web apps may not know an MQTT broker from a hole in the wall. Match expertise to what you’re actually testing. 
  • Ask how much of the work is manual. A serious team will give you a percentage. A vague answer usually means scanner-led testing dressed up as a pentest. 
  • Ask for a sample report. Read it. If the findings sound like they came out of a tool, they probably did. 
  • Confirm retesting is included. Finding bugs is half the job. Verifying the fix is the other half. If retesting costs extra, factor that in. 
  • Look for real research. CVEs, conference talks, open-source tools, write-ups. Optional, but a strong signal that the team actually breaks things for fun. 

Frequently asked questions 

1. So what does “CERT-In empanelled” actually mean? 

It’s a formal stamp of approval from CERT-In (under MeitY) that a firm has cleared their evaluation to conduct information security audits in India. The official list lives on cert-in.org.in. 

2. Is CERT-In empanelment mandatory for every VAPT? 

Not always. It’s mandatory for government bodies, PSUs, regulated BFSI entities, Safe to Host certificates, and government tenders. For private companies it’s strongly preferred but not legally required, though most enterprise clients will still ask for it. 

3. How do I verify if a company is actually empanelled? 

Check the list yourself at cert-in.org.in. The panel updates a few times a year, and a logo on a website doesn’t mean much without a name on that list. 

4. What does a CERT-In VAPT cost? 

Anywhere from ₹60,000 to ₹10,00,000+ depending on what you’re testing and how deep the work goes. A small single-app audit sits at the lower end. Multi-asset enterprise scopes – web, mobile, API, cloud – push you toward the upper end. 

5. How long does it take? 

About 2 to 4 weeks for a single app or scope, including testing, reporting, and one retest. Bigger engagements run 6 to 10 weeks. 

6. What’s the difference between a CERT-In audit and a regular pentest? 

Technically, almost nothing. Same testing, same techniques. The difference is who signs the report and which regulators accept it. For government, BFSI, and Safe to Host work, only an empanelled firm’s report counts. 

7. Do I need a CERT-In audit for DPDP Act compliance? 

The DPDP Act doesn’t specifically demand CERT-In empanelment. But if you ever have to demonstrate “reasonable security safeguards” to the Data Protection Board, an audit report from a CERT-In empanelled firm is among the strongest pieces of evidence you can put on the table. 

Looking for a CERT-In empanelled VAPT partner? Payatu is CERT-In empanelled, ISO 17025 accredited, and trusted by teams across BFSI, fintech, healthcare, SaaS, IoT, automotive, and AI/ML. Whatever the scope, the approach stays the same – research-led, manually driven, and built to be useful long after the report lands in your inbox. 

Talk to Payatu about your VAPT scope at payatu.com/contact-us 


Source: https://payatu.com/blog/top-10-cert-in-empanelled-vapt-companies-in-india-2026/