We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Cybersecurity blog

CERT-In Empanelled vs Non-Empanelled Auditors: Why It Matters for Your VAPT

PCI SSC Qualified Security Assessor — CYBERSIGMA CONSULTING SERVICES LLP

QSA Authorized
CEMEA · Asia Pacific · USA

Our Offerings -PCI-DSS Audit,RBI/SEBI/IRDAI/Aadhar/NBFC & Housing Cybersecurity Audit,SOC1/2/3,GDPR,ISMS,ISO,

CERT-In Empanelled vs Non-Empanelled Auditors: Why It Matters for Your VAPT

A CISO once handed me a glossy VAPT report at a bank tender review. Forty pages, colour-coded severity charts, a CVSS score against every finding. It looked immaculate. Then the RBI examiner asked one question: is the auditor CERT-In empanelled? The answer was no. The report was set aside on the spot, and the bank had to redo the entire assessment three weeks before go-live.

That is the part nobody tells you when you go shopping on price. A vulnerability assessment and penetration test (VAPT) from a non-empanelled firm can be technically excellent and still be worthless for the one thing you actually needed it for: getting past a regulator, a customer's procurement team, or an insurer. This article is about the difference between an auditor whose signature carries regulatory weight and one whose signature does not, and how to tell them apart before you sign the purchase order.

What CERT-In empanelment actually is (and is not)

CERT-In, the Indian Computer Emergency Response Team, is the national nodal agency for cybersecurity under the Ministry of Electronics and Information Technology (MeitY). It runs a formal empanelment programme for information security auditing organisations. An empanelled auditor is a firm that has been vetted by CERT-In on technical capability, methodology, team qualifications and process maturity, and placed on a published list that regulators and government departments recognise.

Here is what empanelment is not. It is not a certification of any single tester. It is not a per-report stamp that CERT-In reviews. And it is not permanent. Empanelment is granted to the organisation for a fixed term, and firms must re-apply and re-qualify when it lapses. So a firm that was empanelled two years ago may not be empanelled today. That distinction matters more than most buyers realise, and we will come back to it.

The empanelment covers a defined scope of services, typically network and application VAPT, configuration and compliance audits, source code review, and related security assessments. A firm is empanelled to perform those audits, and its report can then be submitted as evidence to bodies that ask for a CERT-In empanelled assessment. That phrase, CERT-In empanelled, is what your regulator, your bank's tender clause, or your cyber-insurer is actually looking for.

Where the empanelled requirement is not optional

For a large class of Indian organisations, a CERT-In empanelled VAPT is not a nice-to-have. It is written into the rules. If you are in any of the situations below, a non-empanelled report will not clear the bar, no matter how good the pentest was.

Regulator or contextWhat the mandate effectively requiresTypical trigger
RBI (banks, NBFCs, payment operators)Independent VAPT and IS audit by a CERT-In empanelled auditor for critical and internet-facing systemsCyber Security Framework, master directions on IT governance, annual audit cycle
SEBI (stock brokers, depositories, MIIs)VAPT by a CERT-In empanelled organisation, findings closed and re-testedCyber Security and Cyber Resilience Framework (CSCRF)
IRDAI (insurers, intermediaries)Independent security audit and VAPT aligned to the IRDAI information and cyber security guidelinesAnnual audit and board reporting
UIDAI (Aadhaar ecosystem, AUAs/KUAs)Audit and VAPT by CERT-In empanelled auditor before and during Aadhaar integrationAUA/KUA onboarding and periodic audit
Government tenders and empanelment (GeM, PSUs)Security audit certificate from a CERT-In empanelled auditor before go-liveApplication hosting on NIC/government infrastructure, tender clauses
NPCI (UPI, IMPS participants)Security assessment by empanelled auditor for payment applicationsOnboarding and periodic re-certification

Notice a pattern. The financial and identity ecosystems, the ones handling money and personal data at scale, are precisely where empanelment is enforced hardest. If a bank has to pick between two vendors and one produced a report from a non-empanelled firm, that vendor is out. It is not a judgement on quality. It is a compliance gate.

DPDP and the direction of travel

The Digital Personal Data Protection Act (DPDP) 2023 does not, in its text, name CERT-In empanelment. But it raises the stakes on demonstrable security safeguards, and the practical way organisations evidence reasonable security is through independent, credible assessment. When a Data Protection Board asks how you tested your systems after a breach, an empanelled auditor's report is a materially stronger answer than an internal scan or a report from a firm nobody in the regulatory world recognises. The direction of travel across Indian regulation is towards recognised, independent assurance, not away from it.

What actually changes in the audit room

People assume the difference is only paperwork. It is not. There are real differences in how an empanelled engagement runs, because the firm is operating under obligations it cannot walk away from.

  • Methodology discipline. Empanelled firms are assessed against a defined methodology and must follow it consistently. You get repeatable coverage, not whatever the individual tester felt like running that week.
  • Scope integrity. The scope is documented, agreed, and defensible. When an examiner asks why a particular internet-facing asset was excluded, there is a written rationale, not a shrug.
  • Retest as standard. A credible empanelled VAPT closes the loop: findings are remediated by your team and re-tested, and the final report shows the closure state. Regulators want the closure evidence, not just the open-findings list.
  • Report defensibility. The report is written knowing it will be read by a regulator. Severity ratings are justified, evidence is attached, and the executive summary can survive an examiner reading it line by line.
  • Confidentiality and handling obligations. Empanelled firms operate under CERT-In's expectations on data handling and reporting, which matters when your test data includes real customer records.

Here is a scene that plays out more often than it should. A fintech engages a cheap non-empanelled vendor for its UPI application VAPT to save roughly forty percent on cost. The pentest runs, a clean report lands, everyone relaxes. Then NPCI onboarding asks for the empanelled auditor certificate. The fintech now has to commission a second, empanelled VAPT from scratch, pay again, wait through the testing and remediation cycle again, and explain the six-week slip to its board. The cheap report did not save money. It doubled the cost and cost them a quarter.

The verification most buyers skip

This is the section that will save you the most pain, so read it carefully. A depressing number of organisations take empanelment on trust. A vendor says we are CERT-In empanelled, it goes into the contract, and nobody checks. Then the report reaches a regulator who does check, and the whole thing unravels.

Verify empanelment yourself, before you sign, using these steps.

  • Go to the source. CERT-In publishes the official list of empanelled information security auditing organisations on its website (cert-in.org.in). Confirm the firm's exact legal name appears on the current list, not a cached PDF from three years ago.
  • Check the validity dates. Empanelment is for a fixed term. Confirm the firm's empanelment is valid on the date your audit will be performed and on the date you will submit the report, not just today.
  • Match the legal entity. Group companies play games here. The empanelment belongs to a specific registered entity. Make sure the entity on your contract and on the report letterhead is the same one that is empanelled.
  • Confirm the report will carry the empanelment reference. Ask, in writing, that the final report state the CERT-In empanelment status and reference. If they hesitate, that tells you something.
  • Ask who signs. Understand which named senior auditor owns and signs the report. Empanelment sits with the firm, but a report signed by a qualified, accountable lead auditor is what stands up under scrutiny.
Claim you hearWhat to actually checkRed flag if
We are CERT-In empanelledExact legal name on the current published CERT-In listName is close but not exact, or only a parent brand appears
Our team is CERT-In certifiedThere is no such thing as a certified individual; empanelment is organisationalVendor conflates individual certs with empanelment
We were empanelled last yearValidity dates cover your audit and submission windowEmpanelment lapsed and re-application is pending
We partner with an empanelled firmWho signs the report and under whose empanelment it is issuedYour vendor tests, a shell partner signs, accountability is blurred

Non-empanelled work is not useless, it is just for a different job

Let me be fair to the non-empanelled world, because the choice is not always empanelled or nothing. A skilled independent tester or a boutique firm can do genuinely excellent offensive work. There are legitimate reasons to use them.

Use caseEmpanelled auditorNon-empanelled tester
Regulatory submission (RBI/SEBI/IRDAI/UIDAI)RequiredNot accepted
Government tender / go-live certificateRequiredNot accepted
Cyber-insurance evidence of due diligenceStrongly preferredSometimes accepted, weaker
Internal security hardening between auditsFineFine, often faster and cheaper
Red team / adversary simulationEitherOften specialised and excellent
Bug bounty style continuous testingNot the modelIdeal

The mistake is not using a non-empanelled firm. The mistake is using one for a job that legally requires empanelment, and discovering it at the worst possible moment. Use continuous and internal testing to stay sharp between cycles. Use an empanelled auditor for the assessment that has to satisfy a regulator or a customer's procurement gate.

What an empanelled VAPT actually costs and how long it takes

Buyers underprice this in their heads and then feel gouged. Here are realistic ranges for the Indian market. Treat them as directional; scope drives everything.

EngagementTypical INR rangeTypical duration
Web application VAPT (single app, moderate complexity)INR 1,00,000 to 3,50,0001 to 2 weeks testing
Mobile application VAPT (Android + iOS)INR 1,50,000 to 4,00,0001 to 2 weeks
Network / infrastructure VAPT (per defined IP scope)INR 1,50,000 to 6,00,0001 to 3 weeks
API VAPT (documented endpoints)INR 1,00,000 to 3,00,0001 to 2 weeks
Full regulatory VAPT bundle (apps + infra + config, with retest)INR 5,00,000 to 20,00,000+4 to 8 weeks end to end

Two things buyers forget. First, remediation and retest are part of the timeline, not an afterthought; regulators want the closed-findings report, so budget the weeks your own developers need to fix and the auditor needs to re-verify. Second, the empanelled premium over a cut-price non-empanelled quote is usually in the range of twenty to forty percent, which is small money against the cost of a rejected submission and a delayed launch.

The fix-it checklist before you commission a VAPT

Run this list before you sign anything. It takes an afternoon and it prevents the three-weeks-before-go-live disaster.

  • Confirm whether your specific obligation (RBI, SEBI, IRDAI, UIDAI, NPCI, government tender) requires a CERT-In empanelled auditor. If unsure, assume it does.
  • Verify the vendor's exact legal name on the current CERT-In published list yourself. Do not take the claim on trust.
  • Check that empanelment validity covers both your testing dates and your submission date.
  • Agree the scope in writing, including every internet-facing asset and a documented rationale for anything excluded.
  • Require retest of high and critical findings to be included, not billed as an extra later.
  • Require the final report to state the CERT-In empanelment status and reference, and to name the signing lead auditor.
  • Align the report format with what your regulator or customer expects to receive, so you are not reformatting under deadline.
  • Build the remediation window into your project plan; a clean report with unclosed criticals is not a passing report.
  • Keep the report, evidence and closure records for your audit trail; regulators and insurers ask for the whole file, not the summary.

The one-line version

Come back to that bank tender room. The report was excellent. It just could not do the one job it was bought for, because the signature at the bottom carried no regulatory weight. Empanelment is not about who runs the better nmap scan. It is about whether the assurance you paid for is accepted by the people you are trying to convince. If a regulator, a bank, an insurer or a government department is on the other side of your report, empanelment is not a preference. It is the whole point.

At CyberSigma we are CERT-In empanelled auditors and we run these engagements hands-on, from scoping through remediation and retest, so the report you submit holds up when an examiner reads it line by line. If you want a straight answer on whether your next VAPT needs to be empanelled, we are happy to tell you plainly, even when the answer is that you do not need us.

FAQs

Is a CERT-In empanelled VAPT legally mandatory for every company?

No. It is mandatory in specific regulated contexts, principally RBI-regulated entities, SEBI market participants, IRDAI-regulated insurers, UIDAI Aadhaar integrations, NPCI payment participants and many government tenders. A general SaaS company with no such obligation can use any competent tester, though empanelled work still carries more weight with customers and insurers.

Does empanelment apply to the auditor or to the individual pentester?

To the organisation. CERT-In empanels firms, not people. There is no such thing as a CERT-In certified individual, so treat any vendor who claims their engineer is CERT-In certified with caution, because they are misdescribing how the scheme works.

How do I verify a firm is genuinely empanelled?

Check the official empanelled auditor list published by CERT-In on cert-in.org.in against the vendor's exact legal entity name, and confirm the empanelment is valid on both your testing date and your report submission date. Do not rely on a logo on a website or a claim in a proposal.

My vendor was empanelled last year. Is last year's report still fine?

For the period it covered, potentially yes, but a fresh submission needs an auditor empanelled at the time of testing. Empanelment is granted for a fixed term and must be renewed, so a firm empanelled last year may not be empanelled now. Always verify current validity.

Can I use a cheaper non-empanelled firm and get it validated later?

That rarely works and usually costs more. Regulators want an empanelled auditor to perform the assessment, not merely to rubber-stamp someone else's report. In practice you end up commissioning the empanelled VAPT from scratch, paying twice and losing weeks. If empanelment is required, start with an empanelled firm.

What is the difference in cost between empanelled and non-empanelled VAPT?

Typically a twenty to forty percent premium for empanelled work, driven by methodology discipline, mandatory retest and report defensibility. Against the cost of a rejected regulatory submission and a delayed launch, that premium is minor. The expensive option is the report you cannot use.

Naveen Kumar

Naveen Kumar

CyberSigma is a CERT-In empanelled cybersecurity firm helping Indian businesses with VAPT, ISO 27001, PCI DSS, SOC 2 and DPDP compliance — delivered by senior auditors, not juniors.

Free 1-minute check
Free Security Assessment
Get a complimentary, no-obligation assessment from CERT-In empanelled senior auditors.
Try it free →

Leave A Comment

CyberSigma office locations across India, UAE, Egypt and Australia

Our Office

Locations we operate from

HQ, Noida, India

405, 4th Floor, Majestic Signia, Sector 62, Noida, Uttar Pradesh 201309

Pune, India

InCube Centre, Tejaswini Society, Lane 2, Aundh, PUNE, India, 411007

Mumbai, India

A802, Crescenzo, C /38-39, G-Block, Bandra Kurla Complex, Mumbai-400051, Maharashtra, India

Bengaluru, India

Maharaj, 152/4, 8th Cross, Chamrajpet, Bengaluru, Karnataka, India, 560018

UAE

Business Point Building - Office No. 702 - Dubai - United Arab Emirates

UAE

L.L.C Muna AlJaziri Building, Office No 303 Al Mararr Dubai, UAE

Egypt

19 Dr. Omar Dessouky Street, Cairo- Egypt 4271020

Australia

Level 4, 80 Market Street, South Melbourne 3205