CERT-In Empanelled vs Non-Empanelled Auditors: Why It Matters for Your VAPT
A CISO once handed me a glossy VAPT report at a bank tender review. Forty pages, colour-coded severity charts, a CVSS score against every finding. It looked immaculate. Then the RBI examiner asked one question: is the auditor CERT-In empanelled? The answer was no. The report was set aside on the spot, and the bank had to redo the entire assessment three weeks before go-live.
That is the part nobody tells you when you go shopping on price. A vulnerability assessment and penetration test (VAPT) from a non-empanelled firm can be technically excellent and still be worthless for the one thing you actually needed it for: getting past a regulator, a customer's procurement team, or an insurer. This article is about the difference between an auditor whose signature carries regulatory weight and one whose signature does not, and how to tell them apart before you sign the purchase order.
What CERT-In empanelment actually is (and is not)
CERT-In, the Indian Computer Emergency Response Team, is the national nodal agency for cybersecurity under the Ministry of Electronics and Information Technology (MeitY). It runs a formal empanelment programme for information security auditing organisations. An empanelled auditor is a firm that has been vetted by CERT-In on technical capability, methodology, team qualifications and process maturity, and placed on a published list that regulators and government departments recognise.
Here is what empanelment is not. It is not a certification of any single tester. It is not a per-report stamp that CERT-In reviews. And it is not permanent. Empanelment is granted to the organisation for a fixed term, and firms must re-apply and re-qualify when it lapses. So a firm that was empanelled two years ago may not be empanelled today. That distinction matters more than most buyers realise, and we will come back to it.
The empanelment covers a defined scope of services, typically network and application VAPT, configuration and compliance audits, source code review, and related security assessments. A firm is empanelled to perform those audits, and its report can then be submitted as evidence to bodies that ask for a CERT-In empanelled assessment. That phrase, CERT-In empanelled, is what your regulator, your bank's tender clause, or your cyber-insurer is actually looking for.
Where the empanelled requirement is not optional
For a large class of Indian organisations, a CERT-In empanelled VAPT is not a nice-to-have. It is written into the rules. If you are in any of the situations below, a non-empanelled report will not clear the bar, no matter how good the pentest was.
| Regulator or context | What the mandate effectively requires | Typical trigger |
|---|---|---|
| RBI (banks, NBFCs, payment operators) | Independent VAPT and IS audit by a CERT-In empanelled auditor for critical and internet-facing systems | Cyber Security Framework, master directions on IT governance, annual audit cycle |
| SEBI (stock brokers, depositories, MIIs) | VAPT by a CERT-In empanelled organisation, findings closed and re-tested | Cyber Security and Cyber Resilience Framework (CSCRF) |
| IRDAI (insurers, intermediaries) | Independent security audit and VAPT aligned to the IRDAI information and cyber security guidelines | Annual audit and board reporting |
| UIDAI (Aadhaar ecosystem, AUAs/KUAs) | Audit and VAPT by CERT-In empanelled auditor before and during Aadhaar integration | AUA/KUA onboarding and periodic audit |
| Government tenders and empanelment (GeM, PSUs) | Security audit certificate from a CERT-In empanelled auditor before go-live | Application hosting on NIC/government infrastructure, tender clauses |
| NPCI (UPI, IMPS participants) | Security assessment by empanelled auditor for payment applications | Onboarding and periodic re-certification |
Notice a pattern. The financial and identity ecosystems, the ones handling money and personal data at scale, are precisely where empanelment is enforced hardest. If a bank has to pick between two vendors and one produced a report from a non-empanelled firm, that vendor is out. It is not a judgement on quality. It is a compliance gate.
DPDP and the direction of travel
The Digital Personal Data Protection Act (DPDP) 2023 does not, in its text, name CERT-In empanelment. But it raises the stakes on demonstrable security safeguards, and the practical way organisations evidence reasonable security is through independent, credible assessment. When a Data Protection Board asks how you tested your systems after a breach, an empanelled auditor's report is a materially stronger answer than an internal scan or a report from a firm nobody in the regulatory world recognises. The direction of travel across Indian regulation is towards recognised, independent assurance, not away from it.
What actually changes in the audit room
People assume the difference is only paperwork. It is not. There are real differences in how an empanelled engagement runs, because the firm is operating under obligations it cannot walk away from.
- Methodology discipline. Empanelled firms are assessed against a defined methodology and must follow it consistently. You get repeatable coverage, not whatever the individual tester felt like running that week.
- Scope integrity. The scope is documented, agreed, and defensible. When an examiner asks why a particular internet-facing asset was excluded, there is a written rationale, not a shrug.
- Retest as standard. A credible empanelled VAPT closes the loop: findings are remediated by your team and re-tested, and the final report shows the closure state. Regulators want the closure evidence, not just the open-findings list.
- Report defensibility. The report is written knowing it will be read by a regulator. Severity ratings are justified, evidence is attached, and the executive summary can survive an examiner reading it line by line.
- Confidentiality and handling obligations. Empanelled firms operate under CERT-In's expectations on data handling and reporting, which matters when your test data includes real customer records.
Here is a scene that plays out more often than it should. A fintech engages a cheap non-empanelled vendor for its UPI application VAPT to save roughly forty percent on cost. The pentest runs, a clean report lands, everyone relaxes. Then NPCI onboarding asks for the empanelled auditor certificate. The fintech now has to commission a second, empanelled VAPT from scratch, pay again, wait through the testing and remediation cycle again, and explain the six-week slip to its board. The cheap report did not save money. It doubled the cost and cost them a quarter.
The verification most buyers skip
This is the section that will save you the most pain, so read it carefully. A depressing number of organisations take empanelment on trust. A vendor says we are CERT-In empanelled, it goes into the contract, and nobody checks. Then the report reaches a regulator who does check, and the whole thing unravels.
Verify empanelment yourself, before you sign, using these steps.
- Go to the source. CERT-In publishes the official list of empanelled information security auditing organisations on its website (cert-in.org.in). Confirm the firm's exact legal name appears on the current list, not a cached PDF from three years ago.
- Check the validity dates. Empanelment is for a fixed term. Confirm the firm's empanelment is valid on the date your audit will be performed and on the date you will submit the report, not just today.
- Match the legal entity. Group companies play games here. The empanelment belongs to a specific registered entity. Make sure the entity on your contract and on the report letterhead is the same one that is empanelled.
- Confirm the report will carry the empanelment reference. Ask, in writing, that the final report state the CERT-In empanelment status and reference. If they hesitate, that tells you something.
- Ask who signs. Understand which named senior auditor owns and signs the report. Empanelment sits with the firm, but a report signed by a qualified, accountable lead auditor is what stands up under scrutiny.
| Claim you hear | What to actually check | Red flag if |
|---|---|---|
| We are CERT-In empanelled | Exact legal name on the current published CERT-In list | Name is close but not exact, or only a parent brand appears |
| Our team is CERT-In certified | There is no such thing as a certified individual; empanelment is organisational | Vendor conflates individual certs with empanelment |
| We were empanelled last year | Validity dates cover your audit and submission window | Empanelment lapsed and re-application is pending |
| We partner with an empanelled firm | Who signs the report and under whose empanelment it is issued | Your vendor tests, a shell partner signs, accountability is blurred |
Non-empanelled work is not useless, it is just for a different job
Let me be fair to the non-empanelled world, because the choice is not always empanelled or nothing. A skilled independent tester or a boutique firm can do genuinely excellent offensive work. There are legitimate reasons to use them.
| Use case | Empanelled auditor | Non-empanelled tester |
|---|---|---|
| Regulatory submission (RBI/SEBI/IRDAI/UIDAI) | Required | Not accepted |
| Government tender / go-live certificate | Required | Not accepted |
| Cyber-insurance evidence of due diligence | Strongly preferred | Sometimes accepted, weaker |
| Internal security hardening between audits | Fine | Fine, often faster and cheaper |
| Red team / adversary simulation | Either | Often specialised and excellent |
| Bug bounty style continuous testing | Not the model | Ideal |
The mistake is not using a non-empanelled firm. The mistake is using one for a job that legally requires empanelment, and discovering it at the worst possible moment. Use continuous and internal testing to stay sharp between cycles. Use an empanelled auditor for the assessment that has to satisfy a regulator or a customer's procurement gate.
What an empanelled VAPT actually costs and how long it takes
Buyers underprice this in their heads and then feel gouged. Here are realistic ranges for the Indian market. Treat them as directional; scope drives everything.
| Engagement | Typical INR range | Typical duration |
|---|---|---|
| Web application VAPT (single app, moderate complexity) | INR 1,00,000 to 3,50,000 | 1 to 2 weeks testing |
| Mobile application VAPT (Android + iOS) | INR 1,50,000 to 4,00,000 | 1 to 2 weeks |
| Network / infrastructure VAPT (per defined IP scope) | INR 1,50,000 to 6,00,000 | 1 to 3 weeks |
| API VAPT (documented endpoints) | INR 1,00,000 to 3,00,000 | 1 to 2 weeks |
| Full regulatory VAPT bundle (apps + infra + config, with retest) | INR 5,00,000 to 20,00,000+ | 4 to 8 weeks end to end |
Two things buyers forget. First, remediation and retest are part of the timeline, not an afterthought; regulators want the closed-findings report, so budget the weeks your own developers need to fix and the auditor needs to re-verify. Second, the empanelled premium over a cut-price non-empanelled quote is usually in the range of twenty to forty percent, which is small money against the cost of a rejected submission and a delayed launch.
The fix-it checklist before you commission a VAPT
Run this list before you sign anything. It takes an afternoon and it prevents the three-weeks-before-go-live disaster.
- Confirm whether your specific obligation (RBI, SEBI, IRDAI, UIDAI, NPCI, government tender) requires a CERT-In empanelled auditor. If unsure, assume it does.
- Verify the vendor's exact legal name on the current CERT-In published list yourself. Do not take the claim on trust.
- Check that empanelment validity covers both your testing dates and your submission date.
- Agree the scope in writing, including every internet-facing asset and a documented rationale for anything excluded.
- Require retest of high and critical findings to be included, not billed as an extra later.
- Require the final report to state the CERT-In empanelment status and reference, and to name the signing lead auditor.
- Align the report format with what your regulator or customer expects to receive, so you are not reformatting under deadline.
- Build the remediation window into your project plan; a clean report with unclosed criticals is not a passing report.
- Keep the report, evidence and closure records for your audit trail; regulators and insurers ask for the whole file, not the summary.
The one-line version
Come back to that bank tender room. The report was excellent. It just could not do the one job it was bought for, because the signature at the bottom carried no regulatory weight. Empanelment is not about who runs the better nmap scan. It is about whether the assurance you paid for is accepted by the people you are trying to convince. If a regulator, a bank, an insurer or a government department is on the other side of your report, empanelment is not a preference. It is the whole point.
At CyberSigma we are CERT-In empanelled auditors and we run these engagements hands-on, from scoping through remediation and retest, so the report you submit holds up when an examiner reads it line by line. If you want a straight answer on whether your next VAPT needs to be empanelled, we are happy to tell you plainly, even when the answer is that you do not need us.
FAQs
Is a CERT-In empanelled VAPT legally mandatory for every company?
No. It is mandatory in specific regulated contexts, principally RBI-regulated entities, SEBI market participants, IRDAI-regulated insurers, UIDAI Aadhaar integrations, NPCI payment participants and many government tenders. A general SaaS company with no such obligation can use any competent tester, though empanelled work still carries more weight with customers and insurers.
Does empanelment apply to the auditor or to the individual pentester?
To the organisation. CERT-In empanels firms, not people. There is no such thing as a CERT-In certified individual, so treat any vendor who claims their engineer is CERT-In certified with caution, because they are misdescribing how the scheme works.
How do I verify a firm is genuinely empanelled?
Check the official empanelled auditor list published by CERT-In on cert-in.org.in against the vendor's exact legal entity name, and confirm the empanelment is valid on both your testing date and your report submission date. Do not rely on a logo on a website or a claim in a proposal.
My vendor was empanelled last year. Is last year's report still fine?
For the period it covered, potentially yes, but a fresh submission needs an auditor empanelled at the time of testing. Empanelment is granted for a fixed term and must be renewed, so a firm empanelled last year may not be empanelled now. Always verify current validity.
Can I use a cheaper non-empanelled firm and get it validated later?
That rarely works and usually costs more. Regulators want an empanelled auditor to perform the assessment, not merely to rubber-stamp someone else's report. In practice you end up commissioning the empanelled VAPT from scratch, paying twice and losing weeks. If empanelment is required, start with an empanelled firm.
What is the difference in cost between empanelled and non-empanelled VAPT?
Typically a twenty to forty percent premium for empanelled work, driven by methodology discipline, mandatory retest and report defensibility. Against the cost of a rejected regulatory submission and a delayed launch, that premium is minor. The expensive option is the report you cannot use.
Liked the post? Share on:





Leave A Comment