Opsio - Cloud and AI Solutions

Free VAPT & Penetration Testing

Qualified Indian enterprises get a full Vulnerability Assessment and Penetration Test at no cost. CERT-In aligned methodology, DPDP Act 2023-compliant reporting, delivered from our Bangalore and Chennai security teams. 30-minute scoping call, 7 business days to report.

Who qualifies

Established Indian enterprises with 100+ employees operating on AWS, Azure, or GCP. Priority for BFSI, fintech (SEBI CSCRF regulated), and healthcare organisations with CERT-In reporting obligations or DPDP Act compliance deadlines. One free engagement per company per financial year.

Day 1-3

1. Apply & scoping call

Submit the application. We review within 2 business days and schedule a 30-minute scoping call where we confirm eligibility, agree scope, and execute a mutual NDA plus Letter of Authorisation. Contracts under Indian law or Swedish parent entity (your choice).

Day 4-9

2. VAPT execution

Our Bangalore security team runs CERT-In-aligned VAPT against your cloud environment: IAM and KMS review, S3/Blob exposure audit, CIS AWS/Azure Foundations Benchmark, OWASP Top 10 on one public web app, and external network scan. Active hours cleared with your ops team.

Day 10-12

3. Report & debrief

PDF report aligned to CERT-In Cybersecurity Audit Policy Guidelines, SEBI CSCRF where applicable, and DPDP Act 2023 data-processor obligations. 45-minute debrief with a senior engineer. Remediation is separately priced and optional.

What's included

  • AWS or Azure cloud configuration review (IAM, S3/Blob, KMS, security groups)
  • External perimeter scan of public-facing services
  • OWASP Top 10 VAPT of one web application (up to 20 pages)
  • Exposed-secrets check (GitHub, public endpoints)
  • CIS Benchmark gap analysis (AWS or Azure foundations)
  • PDF report aligned to CERT-In, DPDP Act, SEBI CSCRF (if applicable)
  • 45-min debrief with a senior engineer (CEH / CISSP / AWS Security Specialty)

What's not included

  • Social engineering or physical security testing
  • On-premise infrastructure (cloud workloads only)
  • Mobile app binary analysis
  • Full-scope red-team engagement
  • CERT-In empanelment certification for your organisation (that is a separate process)
  • Remediation (offered separately on a paid basis after the free VAPT)

Report aligned to your compliance framework

CERT-In Cybersecurity Audit Policy

Aligned with CERT-In Technical Guidelines for Cybersecurity Audit 2022.

DPDP Act 2023

Data Processor obligations, breach notification preparedness, consent framework evidence.

SEBI CSCRF

Cybersecurity and Cyber Resilience Framework for SEBI-regulated entities (MIIs, MFs, AIFs).

RBI Cyber Security Framework

For banks and NBFCs — network, application, and cloud security controls.

ISO/IEC 27001:2022

A.8.29 Security testing during development and acceptance.

PCI DSS 4.0

Requirement 11.4 penetration testing — accepted by Indian fintech auditors.

Who runs the test

  • AWS Advanced Consulting Partner
  • Microsoft Solutions Partner (Azure)
  • ISO 27001:2022 certified
  • 4 physical offices in India
  • CEH & CISSP on every engagement
  • AWS Security Specialty
  • Nordic parent (Opsio AB Sweden) — Swedish governance

Apply for your free VAPT

We review applications within 2 business days and respond by email. Scoping call before any commitment.

Frequently asked questions

Is Opsio CERT-In empanelled?

We operate with CERT-In-aligned methodology and our report format matches CERT-In Cybersecurity Audit Policy Guidelines. Opsio India Private Limited has CERT-In empanelment for security audit services. If your procurement specifically requires CERT-In empanelled vendor certification, we confirm our current status during the scoping call along with the relevant reference numbers.

What happens with my data during the VAPT?

All findings and evidence remain inside India throughout the engagement. Testing is performed from our Bangalore office. Report is delivered via encrypted channel; any sensitive extracts are redacted in the shared copy. Under DPDP Act, Opsio acts as your Data Processor. We sign a DPA that mirrors your existing data protection agreements.

Is this really free — what is the commercial model?

Genuinely free for the initial VAPT. Our expectation is that a subset of customers will engage us for paid remediation, ongoing managed security services, or broader cloud operations. Roughly 40% of Indian free-VAPT recipients become paid customers within 12 months. No hidden fees, no invoice for the pentest itself.

Do you work with startups under 100 employees?

Rarely for the free program. High-growth Series A+ fintech with imminent SEBI CSCRF or RBI submissions occasionally qualify as exceptions. For earlier-stage startups we recommend starting with Opsio's AWS Well-Architected Review (also free) which surfaces the most impactful security gaps before a full VAPT is warranted.

Is the testing legally authorised under Indian law?

Yes. We sign a Letter of Authorisation (LoA) before any testing begins, executed by authorised signatories on both sides. Unauthorised intrusion under Information Technology Act, 2000 §43 and §66 carries criminal liability — we do not operate outside explicit written scope.

Can the contract be signed under Swedish law?

Yes. Opsio's structure lets Indian customers choose: MSA under Indian law with Opsio India Private Limited, or under Swedish law with Opsio AB (our EU parent). International customers often prefer the Swedish contract; domestic Indian customers typically prefer the Indian contract for jurisdiction ease. Payment in INR or USD, your choice.

What if you discover a critical finding during testing?

Immediate notification by encrypted email within 4 business hours, followed by a call with the engagement lead. The full report is delivered at the end; critical findings get same-day disclosure so you can decide on emergency remediation steps.

Will the VAPT report satisfy my RBI or SEBI auditor?

In most cases, yes. Our reports follow the format prescribed by CERT-In and are accepted by major Indian audit firms for SEBI CSCRF and RBI submissions. If your specific auditor requires additional artefacts or a specific scoping addendum, we adjust during the scoping call.