API4SOC2 is not a CERT-In empanelled audit firm and we do not perform audit fieldwork. For the audit fieldwork required by SOC 2, ISO 27001, RBI Master Directions, SEBI CSCRF, DPDP, and CERT-In Direction 20(3)/2022, we partner with the CERT-In empanelled audit firms in our network. The platform's auditor portal connects directly into their workflow.
The platform produces the evidence; an audit firm in our partner network examines it; you get one accountable lead per engagement. The auditor portal is included in every tier — see the pricing page.
Cloud accounts, identity providers, source control, ticketing, HR systems. The platform pulls daily snapshots into Bharat-resident storage (AWS Mumbai). Continuous evidence collection begins on Day 1.
One control change updates evidence across every framework that touches it. SOC 2 CC6.1 and ISO 27001 A.5.15 share the access-management evidence base; DPDP and SEBI CSCRF share the data-handling evidence base. No duplicate evidence collection.
Or bring your own. The platform supports any CERT-In empanelled audit firm; the directory below lists the firms that have integrated with our auditor portal. The audit firm signs the engagement letter directly with you — not with us.
Read-only access scoped to the engagement. The audit firm samples evidence directly from the platform; you don't email PDF screenshots back and forth. Sample requests are tracked in the portal.
The audit firm — not API4SOC2 — issues the SOC 2 attestation, ISO 27001 certificate, or regulator-specific report. The platform retains the evidence, the report, and the audit trail for renewal cycles.
Auditor independence is a regulatory requirement under AICPA standards (SOC 2), ISO accreditation rules (ISO 27001), and CERT-In empanelment terms. A platform vendor cannot also be the audit firm for the same engagement without breaking independence. We chose to be the platform — the part that compounds across customers — and partner with the audit firms doing the fieldwork.
Partner audit firms with active CERT-In empanelment that have integrated with our auditor portal or signalled intent to do so by GA. Always confirm empanelment number, category coverage, and validity period against the live cert-in.org.in/auditors page before engaging.
| Audit firm | HQ region | Most-cited service categories | Public verification |
|---|---|---|---|
| VISTA InfoSec | Mumbai · also US, SG | Information Security Audit · PCI DSS · ISO 27001 · SOC 2 · GDPR | Verify ↗ |
| SISA Information Security | Bengaluru | PCI DSS QSA · Information Security Audit · Forensics · VAPT | Verify ↗ |
| Kratikal Tech | Noida (Delhi-NCR) | VAPT · Application Security · Mobile · Network | Verify ↗ |
| Astra Security | Bengaluru | VAPT · Web/Mobile/API · CREST-aligned | Verify ↗ |
| Indusface (AppTrana) | Vadodara · Bengaluru | Application Security · WAF · VAPT | Verify ↗ |
| ValueMentor | Kochi · Bengaluru | Information Security Audit · VAPT · SOC | Verify ↗ |
| ANA Cyber Forensics | Pune | Forensics · VAPT · Information Security Audit | Verify ↗ |
| IARM Information Security | Chennai | VAPT · Application Security · ISO 27001 | Verify ↗ |
| eSec Forte Technologies | Gurugram | VAPT · ICT Audit · SOC | Verify ↗ |
| ISECURION Technologies | Bengaluru | VAPT · Application Security | Verify ↗ |
| Qualysec | Bhubaneswar · Bengaluru | VAPT · API · Cloud · Mobile | Verify ↗ |
| WeSecureApp | Hyderabad · Texas | VAPT · Application Security | Verify ↗ |
| CyberNX Technologies | Mumbai · Bengaluru | VAPT · ISO 27001 · SOC | Verify ↗ |
| Lumiverse Solutions | Pune | VAPT · Information Security Audit | Verify ↗ |
| Hicube Infosec | Pune | VAPT · Mobile · Cloud | Verify ↗ |
We are growing the auditor partner network through 2026. If your firm holds active CERT-In empanelment for VAPT, Information Security Audit, ISO 27001 implementation, or related categories and you would like your audit teams to work in the API4SOC2 portal, drop us a note via the contact form. We do not charge audit firms to be in the network — the incentive is straightforward: your customers' evidence is in our platform, the workflow is friction-free, your engagements close faster.
Visit cert-in.org.in and navigate to the auditors directory. The list is structured by service category; check that the firm you are considering is empanelled for the category your engagement requires (Penetration Testing and Vulnerability Assessment, Information Security Audit, Application Security Audit, etc.). Also see our CERT-In empanelment guide for the verification walk-through.
Yes. The platform supports any audit firm via the auditor portal. The directory above lists the firms we have integrated with most often; it is not an exclusive list. If your firm of choice has not used the API4SOC2 portal before, we'll do a 30-minute walk-through with their team before the engagement starts.
No. The audit firm signs the SOC 2 report, the ISO 27001 certificate, the SEBI CSCRF audit findings, the CERT-In incident-response audit. We are the platform; they are the auditor.
No. The audit firms in our partner network are listed because they have integrated with the auditor portal or signalled intent to do so. We don't charge them and they don't charge us. The audit firm bills you directly for the audit fieldwork — that's the firm's engagement letter, not ours.
API4SOC2 covers: continuous evidence collection, control mapping, gap detection, vendor risk, trust center artefacts, the auditor portal. The audit firm covers: management interviews, sample testing, walk-throughs, control testing, report drafting, and the partner sign-off. One contract per engagement (yours with the audit firm), one platform subscription (yours with us). Two separate commercial relationships.
Yes — the audit firms in our network operate independently. If you don't use API4SOC2, the audit firm runs its standard engagement (typically with email + spreadsheets + their own evidence tooling). The platform's value is the continuous evidence collection and one-control-many-frameworks mapping; the audit firm's value is the empanelled signature on the report.
India regulators as first-class frameworks. Bharat-resident evidence. Pricing locked in INR for the first 12 months. We are onboarding ten design partners through Q2-Q3 2026 ahead of general availability.