Featured · Pricing
The honest line-by-line on what drives Indian VAPT pricing — scope, depth, retest, compliance overlay — with real ranges across web, network, mobile and API engagements.
Why this matters
Pricing opacity is the #1 reason Indian businesses get burned by their first VAPT vendor. After 500+ engagements we have the data to be specific — and we are.
Guide
The three terms get treated as synonyms in Indian RFPs. They are not. Here is what each one means, when each one is right, and how to write a VAPT scope that actually gets you what you need.
10 min read · Beginner
OWASP
The 2025 list is shifting under your feet. Broken Access Control still leads. Server-Side Request Forgery just climbed three spots. Here is each category, with the Indian-context exploits we keep seeing.
14 min read · Intermediate
Web
This is the test plan our engineers run on every web app engagement — auth, session, IDOR, business logic, file upload, SSRF, race conditions. Copy it, run it against your own app.
18 min read · Intermediate
API
The API Top 10 (2023) is wildly different from the web list — and most Indian fintechs we test fail on the same three items. BOLA, broken authentication, unrestricted resource consumption. Walk-throughs inside.
15 min read · Intermediate
Mobile
MASVS-L1, L2, and MASTG. Static and dynamic analysis on real devices, root/jailbreak detection bypass, runtime instrumentation with Frida. Every test mapped to the standard.
16 min read · Intermediate
Compliance
Annex A.8.8 and A.8.29 don't say "do a pen test". They imply it. Here is how Stage 2 auditors actually interpret the controls — and the four documents that satisfy them.
11 min read · Intermediate
Compliance · BFSI
The RBI's Cyber Security Framework, Master Direction on Digital Payment Security and the Master Direction on Outsourcing of IT services all require VAPT — but at different cadences. We map every requirement.
13 min read · Advanced
Compliance · BFSI
The SEBI CSCRF (2024) and earlier CSCF circulars define a precise VAPT cadence for brokers, depositories and AMCs. Quarterly, half-yearly, annually — by control. Mapped to engagement scopes.
12 min read · Advanced
Compliance · Privacy
The Digital Personal Data Protection Act doesn't mention pen testing by name. The implementing rules and the Data Auditor profession make it a de facto requirement. Here is the technical interpretation.
10 min read · Intermediate
Network
External tests model the internet attacker. Internal tests model the compromised laptop. They find totally different bugs. Here are the criteria we use for scoping each, with sample findings.
11 min read · Intermediate
Strategy
A red team is not a "deeper pen test". They have different goals, different rules of engagement, different deliverables. If your CISO is asking for one when they need the other, here is how to tell.
9 min read · Beginner
API · OWASP
It is the most common critical bug in every Indian fintech and SaaS we audit. Here is what it looks like at the request level, why ORMs make it worse, and the three patches that actually work.
12 min read · Intermediate