CERT-In Empanelled · ISO 27001:2022

The compliance auditors
India's safest companies
actually trust.

SOC 2, ISO 27001, DPDP, SEBI CSCRF, UAE VASP — delivered by a Bengaluru-based team that keeps every byte of your evidence resident in Bharat. Eleven years. Three hundred and forty audits. Zero data offshored.

340+
audits delivered
11yrs
in Indian InfoSec
100%
India-resident audit data
0
findings escalated to clients post-attestation
  • CERT-In Empanelled
  • ISO/IEC 27001:2022
  • SOC 2 · AICPA
  • PCI-DSS QSA-ready
  • DPDP Act · 2023
  • SEBI CSCRF
  • NIST CSF 2.0
  • CSA STAR
  • OWASP MASVS
Thirteen services · one accountable team

Everything an Indian compliance
function actually needs.

We don't sub-contract. Every assessment is led by a CERT-In-empanelled engineer and reviewed by an ISO 27001 lead auditor. Your data, your evidence, your reports — never leave India.

01
SOC 2 Compliance
Type I and Type II readiness, evidence collection and audit, attestation in 12 weeks.
02
ISO 27001:2022
ISMS implementation, Annex A controls, internal audit, and Stage 1 / Stage 2 certification support.
03
VAPT
CERT-In empanelled VAPT across infrastructure, applications, APIs, cloud and Active Directory.
04
Web App Security
OWASP ASVS L1–L3, OWASP API Top 10, GraphQL-specific test plans, business-logic testing.
05
Mobile App Security
MASVS L1 & L2, MASTG techniques, OWASP Mobile Top 10, static + dynamic with Frida/Objection.
06
Cloud Security
CIS AWS / Azure / GCP benchmarks, NIST 800-53 mappings, IAM graph analysis, ISO 27017 control mapping.
07
Crypto Exchange Pentest
Hot/cold wallets, smart contracts, custody, KYC/AML pipelines, market-making API hardening.
08
vCISO
Quarterly board pack, monthly risk register, weekly Slack-channel access, audit ownership.
09
Phishing Simulation
India-context payloads (UPI, payroll, WhatsApp, Aadhaar), regional-language pretexts, JIT training.
10
Incident Response
24×7 retainer, sub-15-minute MTTR target, court-admissible forensic imaging, CERT-In reporting.
11
DPDP Compliance
Notice & consent, data principal rights, consent manager integration, DPIA, SDF audit programs.
12
SEBI CSCRF / MSOC
Stock brokers, AMCs, RTAs, mutual funds, depositories — SEBI Cybersecurity & Cyber Resilience Framework.
13
UAE VASP
VARA Category I–IV license preparation, ongoing supervision response, suspicious-activity reporting.
SOC 2 · Type I & Type II

Get audit-ready in twelve weeks.
Stay audit-ready forever.

We run readiness, evidence collection and the observation window in parallel where the framework allows. You get a partner-led engagement, a fixed price in INR, and a final report that lands in your buyer's inbox without a single follow-up email.

  • All five Trust Service Criteria — Security, Availability, Confidentiality, Processing Integrity, Privacy
  • Continuous evidence collection — drift detected before audit windows close
  • AICPA-aligned reports authored in-house, never sub-contracted
See the SOC 2 process
SOC 2 Type II report card (illustration): Report no. SOC2-IN-2026-0418 · Service Organization Control 2, Type II · Security, Availability, Confidentiality, Processing Integrity, Privacy · 128 controls tested · 0 exceptions
Vulnerability Assessment & Penetration Testing

Find what attackers find — before they do.

Manual-led, tool-augmented testing across infrastructure, applications, APIs and cloud. Every finding is reproducible, prioritised by exploitability, and accompanied by a fix — not just a screenshot.

  • CERT-In empanelled · safe to attach to government and BFSI tenders
  • Network, web, mobile, API, cloud, and Active Directory scope in one engagement
  • Retest cycles included until findings are closed — no separate SOW
Request a VAPT scope
scan@api4soc2 ~ recon
$ isec scan --target prod.acme.in
↳ enumerating · 247 hosts · 6 perimeters
CRIT CVE-2024-3094 · openssh-9.2 · 2 hosts
HIGH exposed .git directory · web-03
MED tls-1.0 supported · gateway-01
LOW server banner disclosure · 14 hosts
OK 1,438 controls passed
───────────────────────────────────
generating evidence pack
Web Application Security

Application-layer attacks need application-layer auditors.

OWASP Top 10 is table stakes. We test business logic, race conditions, IDORs across tenancy boundaries, and the integration seams between your auth, payments and admin surfaces — the places automated scanners can't reach.

  • OWASP ASVS L1–L3, OWASP API Top 10, GraphQL-specific test plans
  • Threat-modelled test cases authored against your sequence diagrams
  • Findings filed directly into Jira — with severity, CVSS, and remediation owner
Talk to an auditor
app.client.com/checkout · OWASP Top 10 coverage (illustration):
  • A01 Broken Access Control
  • A02 Cryptographic Failures
  • A03 Injection
  • A04 Insecure Design
  • A05 Security Misconfiguration
  • A06 Vulnerable Components
  • A07 Auth Failures
  • A08 Data Integrity
  • A09 Logging Failures
  • A10 SSRF
Mobile Application Security

iOS and Android, audited end-to-end.

MASVS-aligned reviews of the binary, the runtime, the API gateway and the backend services behind it. Side-channel, tamper-resistance, jailbreak and root detection — and how they all degrade under a real on-device attacker.

  • MASVS L1 & L2, MASTG techniques, OWASP Mobile Top 10
  • Both static (IPA / APK reverse) and dynamic (Frida, Objection) analysis
  • Backend & API tested as part of scope — most firms charge separately
Talk to an auditor
iOS sample (illustration): acme-pay.ipa v3.4.1 · 84 MB · SSL pinning, jailbreak detection, insecure storage (2), reverse engineering (1), API auth OAuth2 · MASVS 72/100
Crypto Exchange Penetration Testing

Wallet to API to smart contract — every layer in the trade.

Hot and cold wallet flows, custody segregation, smart contract review, withdrawal logic, KYC/AML pipelines and the trading APIs your market makers connect to. Designed for VARA, FIU-IND and SEC-regulated exchanges.

  • Smart contract review · Solidity / Vyper · with Slither + manual
  • On-chain forensics · address risk scoring · sanctions list checks
  • Pre-listing due-diligence packs trusted by Indian exchanges
Talk to an auditor
Wallet audit, live (illustration): BTC / INR ₹ 84,21,400 +1.84% · hot wallet 94 audited · smart contracts 12 verified · API endpoints 38 hardened
Cloud Security Assessment

AWS, Azure, GCP — posture, not just config.

We treat cloud as a control plane: who can do what to which account, under what conditions. Misconfigurations get found by scanners; lateral movement paths require auditors who've seen them succeed.

  • CIS AWS / Azure / GCP benchmarks, NIST 800-53 mappings
  • IAM graph analysis · privilege escalation paths · key rotation hygiene
  • Cloud-native control mapping for SOC 2 and ISO 27017
Talk to an auditor
Cloud posture scores (illustration): AWS A, 14 regions, 318 controls · Azure A−, 9 regions, 212 controls · GCP B+, 7 regions, 186 controls · CIS · NIST · ISO 27017 · CSA STAR
  • ११ / 11 · Years defending Indian enterprises
  • 340+ · Audits closed across BFSI, fintech, SaaS, HealthTech
  • 14 · Frameworks under one roof, one accountable lead
  • <15min · Median MTTR on incident response retainers
vCISO Services

The strategic security office, on retainer.

Board pack every quarter. Risk register every month. Slack-channel access every week. Ideal for Series-A through Series-D companies that need executive-level security ownership but aren't ready for a 1.4 cr full-time hire.

  • Quarterly board reporting · risk register · roadmap maintenance
  • Customer trust pages, SOC 2 / ISO readiness ownership
  • Vendor and acquirer security questionnaire response
Talk to an auditor
Strategic CISO Office (illustration): on retainer, weekly cadence, active · Q1 risk register and board pack · Q2 ISO 27001 readiness · Q3 SOC 2 Type II audit · Q4 DPDP rollout and DPIA · 14 policies · 3 audits/yr · 24×7 advisory
DPDP · Digital Personal Data Protection Act, 2023

India's privacy law, made operational.

The DPDP Act is enforceable. We handle the gap analysis against your current practice, the data principal rights workflow, the consent manager integration, the DPIA, and the ongoing audit obligation for Significant Data Fiduciaries.

  • Data inventory, lawful-basis mapping, retention schedules
  • DPIA templates and SDF audit programs
  • Consent manager evaluation · Sahamati / DigiLocker / your build
Talk to an auditor
Digital Personal Data Protection Act, 2023 · भारत सरकार · Government of India (illustration): notice & consent, data principal rights, significant data fiduciary, cross-border transfer, breach notification, DPIA & audits
Incident Response & Digital Forensics

When the breach is happening, minutes matter.

A 24×7 retainer with a sub-15-minute median MTTR. We arrive with imaging tools, an evidence chain-of-custody, and the partner authority to make containment calls. Court-admissible forensics — not a slide deck after the fact.

  • Sub-15-minute median time to first responder on retainer
  • Forensic imaging, malware reverse engineering, threat actor attribution
  • CERT-In incident reporting handled on your behalf
Talk to an auditor
Response timeline (illustration): Detect 00:04 · Contain 00:18 · Eradicate 01:42 · Recover 04:20 · Lessons · <15m MTTR target · 24×7 retainer
Phishing Simulation

Train your people on the attacks your people will see.

India-context payloads — UPI, payroll, WhatsApp pretexts, Aadhaar phishing — not generic Microsoft-365 templates. Quarterly campaigns, role-segmented metrics, and just-in-time training that fires the moment someone clicks.

  • Localised payloads in English, Hindi, and major regional languages
  • Click-rate, credential-submit and report-rate trended over time
  • Just-in-time micro-training delivered on click — not on a Friday LMS
Talk to an auditor
Sample campaign (illustration): pretext from payroll-update@hr-acme-portal.in, subject "Action required: Verify your salary credit", body "Dear Employee, please verify your bank details before 6 PM today to avoid delay in salary credit…" · 412 delivered · 37 clicked · 9 credentials · delta vs. last quarter: −68%
Market SOC Audit · SEBI CSCRF

Built for India's regulated capital markets.

Stock brokers, AMCs, RTAs, mutual funds, depositories — all squarely inside SEBI's Cybersecurity & Cyber Resilience Framework. We run readiness, gap remediation, and the audit — and our reports have been accepted across SEBI's three exchanges.

  • Aligned to SEBI CSCRF · NIST CSF 2.0 · CERT-In directions
  • Quarterly VAPT, half-yearly audit, annual cyber-resilience drill
  • Filed reports for 40+ market participants since 2018
Talk to an auditor
SEBI CSCRF · Cybersecurity & Cyber Resilience Framework (illustration): 01 Identify · 02 Protect · 03 Detect · 04 Respond · 05 Recover · 06 Govern · audit readiness 82%
UAE VASP Compliance

Cross-border VARA advisory, run from Bengaluru.

For Indian exchanges, custodians and broker-dealers operating into the UAE under VARA. License preparation, ongoing supervision response, suspicious-activity reporting, and the technology controls VARA actually inspects.

  • VARA license categories I–IV · readiness and submission
  • Custody, exchange, broker-dealer and advisory playbooks
  • Operationally delivered from India · all data resident in Bharat
Talk to an auditor
IN UAE (illustration): regulator VARA · Dubai · license type VASP Category II · status advisory engaged
Why API4SOC2

Indian compliance, the way it should have always worked.

We started this firm because we kept watching Indian companies pay first-world rates for second-world execution — and ship their evidence to S3 buckets they couldn't legally inspect. Eleven years later, every artifact still lives in India. Every audit is still partner-led.

  • 100% India-resident audit team. Every byte of evidence stays in Bharat.
  • CERT-In Empanelled. ISO 27001:2022 certified ourselves.
  • Partner-led, never staffed to a graduate consultant pool.
  • Fixed-price engagements priced in INR. No surprise invoices.
Talk to an auditor
  • 11yrs · defending Indian enterprises
  • 340+ · audits delivered
  • CERT-In · empanelled
  • ISO 27001:2022 · certified ourselves
  • 0 · data ever offshored
  • 100% · India-based audit team · all data resident in Bharat
How we engage

One scoping doc. One fixed price. One accountable partner.

Every engagement, regardless of framework, follows the same four-step rhythm. You always know which step you're in, what's being produced this week, and who is accountable for it.

  • Week 0 · Discovery, asset map, threat model, written scope
  • Weeks 1–6 · Testing, control walkthroughs, evidence collection
  • Weeks 7–10 · Findings, remediation guidance, retest cycles
  • Weeks 11–12 · Final report, attestation, board pack
Talk to an auditor
  • 01 Scope · Discovery, asset map, threat model
  • 02 Assess · Tests, control walkthrough, evidence
  • 03 Remediate · Findings, fixes, retest
  • 04 Certify · Report, attestation, board pack

They closed our SOC 2 Type II in eleven weeks — including a control-gap remediation that two larger firms had quoted six months for. The audit pack was delivered in Bengaluru, reviewed by a partner who actually answered Slack on weekends, and didn't once ask us to export logs to a US S3 bucket.

Pranav Iyer · Co-founder & CTO · Series-B fintech, Bengaluru
Common questions

Things teams ask before signing.

Compliance procurement is fraught. Here's what most CISOs, CFOs and founders need to know in the first call. If your question isn't here, write to the partners directly.

partners@api4soc2.com
Same frameworks, same rigour, fundamentally different economics. We are CERT-In empanelled and ISO 27001:2022 certified ourselves — we eat our own audit. Engagements are led by partners (not staffed to graduate consultants), priced in INR, and every artifact stays inside India.

For audit-ready teams, yes. We run readiness, evidence collection, control walkthroughs and the observation window in parallel where the framework allows. For greenfield engagements expect 6–9 months — we publish the timeline before we sign.

AWS Mumbai (ap-south-1) and on-prem Bengaluru. Nothing is replicated outside Indian jurisdiction. We sign a data-residency clause into every MSA. Clients with stricter requirements get a dedicated VPC.

No. Around a third of our clients are India-incorporated subsidiaries of US/EU parents. We also handle UAE VASP and cross-border DPDP advisory. Every engagement is delivered from India.

Weekly partner sync, asynchronous Slack channel, Jira-tracked findings, and a single shared dashboard with control status. Board pack is generated automatically every quarter — you don't have to ask for it.
One conversation. One scoping doc. One fixed price.

Start with a thirty-minute
scoping call.

Tell us your framework, your stack, and the deadline you've signed up to. You'll leave the call with a written scope, a fixed price, and a calendar invite for kick-off.

Bengaluru · HQ · Indiranagar 100 ft Rd
Mumbai · BKC · Bandra Kurla Complex
+91 80 4690 4200