Choosing a VAPT Vendor for RBI-Regulated Entities — A Checklist
Published May 3, 2026 · 14 min read
For an RBI-regulated entity — a scheduled commercial bank, regional rural bank, small finance bank, urban cooperative bank, NBFC, payment system operator, or credit information company — a VAPT vendor decision is also a regulator decision. The wrong vendor leaves observable gaps in your next RBI inspection, your CERT-In incident-readiness review, or your NCIIPC sectoral coordination. This checklist distils 25 questions that should be answered yes (or with a documented exception) before the contract is signed. It is built around the obligations in the RBI Master Direction on Cyber Security Framework in Banks (2 June 2016), the CERT-In April 2022 directive on six-hour incident reporting, and the NCIIPC reporting requirements under Section 70A of the IT Act. Background on the framework itself sits in our RBI cyber framework compliance checklist.
Why does the choice of VAPT vendor matter to RBI?
RBI inspectors do not formally certify VAPT vendors, but they do test the credibility of the testing programme. The artefacts they sample — scope letter, methodology, executor profile, finding severity, retest evidence, and remediation timeline — only land well when the vendor produces regulator-fluent material. A vendor optimised for SaaS startup procurement can produce technically valid findings that your RBI inspector still flags as insufficient because the report does not map to the master-direction Annex, does not address NCIIPC categorisation, and does not demonstrate executor seniority. This checklist is built to remove that risk.
The 25-question vendor checklist
The questions are grouped into six themes: empanelment and provenance, methodology, executor profile, scope coverage, deliverable fit, and contractual fit.
Empanelment and provenance (Q1–Q5)
- Is the vendor empanelled by CERT-In as an Information Security Auditor? CERT-In maintains the public empanelment list. Empanelment is the floor of regulator acceptability for a VAPT vendor in India.
- Is the methodology aligned with CREST or a comparable international standard? CREST alignment, whether through firm membership or through operators who follow the CREST framework, is increasingly expected by audit committees. AxVeil follows a CREST-aligned methodology.
- Does the firm have an India-resident legal entity with a GSTIN? RBI's data-localisation guidance and the inspectors' preference for India-resident reporting both push toward a domestic legal entity.
- How long has the firm been delivering BFSI VAPT? Less than two years and you are paying for the firm's learning curve. Three-plus years with named regulated clients is the safer floor.
- Will the firm extend audit rights to your bank and to RBI? The master direction requires flow-down audit rights. The contract should explicitly grant inspection rights to RBI and to your internal audit team.
Methodology (Q6–Q9)
- Which methodology framework does the firm follow? Acceptable answers: OWASP, OSSTMM, PTES, NIST SP 800-115, CREST. Look for at least three of these named in the proposal.
- Is testing mapped to MITRE ATT&CK at the report level? RBI guidance on adversary simulation has tilted toward MITRE-aligned reporting. Banks designated as CII face the same expectation from NCIIPC.
- Does the methodology include both authenticated and unauthenticated testing on every in-scope asset? Unauthenticated-only testing of a customer-facing banking app is a fail in inspection: most of the attack surface sits behind the login.
- Is mobile testing aligned to OWASP MASVS? Mobile banking and the underlying API are the most-attacked surface in Indian retail banking. MASVS-aligned testing is the floor.
Executor profile (Q10–Q13)
- Who, by name, will run the engagement? Ask for the lead operator's CV. OSCP plus a senior offensive credential (CRTO, OSEP, GPEN, GXPN or CREST CRT) is the credible floor for BFSI work.
- Is the lead operator a full-time employee? Subcontracted-on-demand operators raise a control question for your auditor. Full-time staff makes the file easier to defend.
- Will the same operator run the retest? Operator continuity across testing and retest avoids re-explaining context and improves remediation verification.
- What background-verification did the firm run on the operator? RBI inspectors look at vendor-side personnel screening for any party that touches production-adjacent systems.
Scope coverage (Q14–Q17)
- Does the scope include every internet-facing system that processes payment instructions? The master direction requires VAPT for all internet-facing systems and for any system on the payment path.
- Are mobile banking apps and the underlying API in scope? A common inspection finding is mobile being scoped without the API, or vice versa. Both must be in.
- Is internal-network and Active-Directory testing in scope where the framework requires it? Critical-system designation under NCIIPC typically pulls AD and core internal estate into scope.
- Are third-party integrations on the payment path tested? Vendor APIs that touch RTGS / NEFT / UPI / card-network channels are part of the bank's VAPT obligation.
Deliverable fit (Q18–Q21)
- Does the report map findings to the master-direction Annex (Baseline Cyber Security and Resilience Requirements)? The mapping must be explicit, not implied.
- Is each finding scored using CVSS v3.1 or v4.0 with a documented vector? The vector matters: a base score without the vector cannot be challenged or recalculated, so a reviewer cannot tell whether the vendor overstated or understated the finding.
- Does the report include a six-hour CERT-In reporting trigger analysis? Findings that would, in production, qualify as reportable incidents need to be flagged so your IR runbook can be tested against them.
- Is there a regulator-ready summary suitable for RBI inspection without further redaction? Inspectors want a clean executive summary that does not require legal review before sharing.
Contractual fit (Q22–Q25)
- Is data residency in India for all engagement artefacts? RBI's data-localisation guidance requires Indian residence for payment data and is best applied to all engagement evidence.
- Are findings, evidence, and report retained for at least five years and available on RBI demand? Five-year retention is the inspection-safe minimum.
- Is retest included for every finding within 30 days? Retest cadence and inclusion should be in the SoW, not an extra line item.
- Is the firm's professional indemnity cover sufficient for your scope? ₹5Cr ($600k) is a sensible floor for BFSI engagements; large banks negotiate higher.
Quick scoring matrix — how to use the checklist
Score each question 0 (no), 1 (partial / undocumented), or 2 (yes, in writing). Total possible: 50.
| Score | Interpretation |
|---|---|
| 45–50 | Inspection-ready vendor. Defensible against RBI / CERT-In / NCIIPC review. |
| 35–44 | Acceptable with mitigations. Document specific gaps and the compensating arrangement. |
| 25–34 | Reset the procurement. Negotiate uplift on weakest dimensions or shortlist a different vendor. |
| Below 25 | Walk away. The cost of the audit finding will exceed the savings on the engagement. |
CERT-In six-hour reporting alignment
The CERT-In April 2022 directive requires every body corporate to report defined cybersecurity incidents within six hours of notice. Your VAPT vendor should be aligned with this in two ways. First, any finding that resembles a reportable incident class — unauthorised access, data leak, identity-theft path, denial-of-service trigger, attack on critical infrastructure — should be tagged in the report so your IR runbook can be exercised against it. Second, if the vendor identifies an in-flight intrusion during testing (rare but real), the contract must specify the six-hour clock and a named delegate on the vendor side empowered to support the filing inside the window.
NCIIPC alignment for designated CII
For systems designated Critical Information Infrastructure under Section 70A of the IT Act — core banking, RTGS / NEFT, SWIFT gateways, card-network interfaces — NCIIPC reporting runs in parallel to CERT-In and to RBI. The vendor should know this matrix, scope its testing accordingly, and produce a section in the report addressed to the NCIIPC-aligned cadence.
What about urban cooperative banks and NBFCs?
UCBs follow the December 2019 RBI cyber security framework circular with a graded approach by deposit size. NBFCs, payment system operators, and credit information companies fall under the 2023 Master Direction on Information Technology Governance. The vendor checklist applies in full — a different entity classification does not lower the bar on testing depth or report fit. If anything, NBFCs face additional pressure because their inspectors are increasingly aligned with the banking benchmark.
How long should the procurement take?
For a regulated bank, the realistic procurement timeline from RFP to signed engagement is six to ten weeks. The cycle: scoping conversation (week 1), vendor RFP issued to a shortlist of three to five vendors (week 2), vendor responses with sample reports under NDA (weeks 3–4), technical conversations with the named lead operators (weeks 4–5), commercial negotiation including audit rights flow-down and data-residency clauses (weeks 5–7), legal sign-off and contract signature (weeks 7–10). Compressing this to under four weeks is possible only if you have an existing empanelled-vendor relationship and renew rather than reselect. Over-compressing is how banks end up signing contracts that fail the RBI inspection two years later.
Sample-report review — what to actually look for
The single best procurement test is asking each shortlisted vendor for a sample anonymised report under NDA, then reviewing it against five criteria:
- Clarity of executive summary: can a board director understand the risk picture in one page?
- Depth of technical findings: does the proof-of-concept chain together steps a defender can replay?
- CVSS rigor: is the vector documented for every finding, not only the base score?
- Framework mapping: are findings mapped to the master-direction Annex, OWASP, and MITRE ATT&CK explicitly?
- Remediation guidance: is the fix described at code or configuration level, not at policy level?
A sample report that scores strongly on all five is from a vendor that will produce work suitable for RBI inspection.
Common procurement mistakes
- Buying on price alone. The lowest quote in BFSI procurement is almost always the highest-risk option in inspection.
- Accepting an unnamed engagement team. "Our team of senior consultants" is not the same as a named operator with a CV.
- Skipping the retest line item. Retest is where remediation gets verified; without it your auditor cannot close the loop.
- Letting the vendor scope themselves. The bank's CISO office should produce the scope; the vendor refines it. Vendor-led scoping leaves blind spots.
- Treating annual cadence as the ceiling. The master direction requires VAPT after every significant change, not only annually. Build the change trigger into the contract.
Why AxVeil isn't on this list (and how we still help)
A candid disclosure since this article walks RBI-regulated buyers through vendor selection. AxVeil LLP is not currently CERT-In empanelled — and would therefore fail Q1 of the checklist above. Buyers who must engage a CERT-In empanelled prime for the regulator-facing audit submission should treat that as disqualifying for AxVeil-as-prime, today. We say so up front because RBI inspectors and audit committees have heard every fudge of this question, and the credibility tax is real.
The mechanical reason: CERT-In auditor empanelment requires three years of operating history with audited financials, ISO 27001 firm-level certification, at least five full-time qualified information-security auditors on rolls, a service-revenue floor over the prior three financial years (often quoted at the ₹2 Cr level), and a CERT-In technical evaluation. AxVeil meets the technical evaluation bar today on operator credentials, methodology, tooling and delivered engagement history (founder OSCP + CEHv12, 80+ engagements pre-AxVeil including 1000+ server enterprise estates and 100+ application portfolios for tier-one MENA banks, 4+ years of frontline delivery experience). What AxVeil does not yet meet is the operating-history bar: AxVeil LLP was registered in late 2025 / 2026, and the third audited financial year closes 31 March 2029. No combination of capital or hiring shortens that gate. We are on track to file in the 2027 cycle and expect empanelment in 2028. Until that letter lands, our absence from the empanelment list is accurate, and we will not pretend otherwise.
That does not lock RBI-regulated buyers out of working with AxVeil today. There are two ways AxVeil helps RBI-regulated buyers right now:
- Pre-audit readiness: find what an empanelled audit would find, and fix it before they look. The same OWASP / CREST / NIST SP 800-115 methodology, the same CVSS rigor, the same MITRE ATT&CK mapping, the same retest discipline that an empanelled auditor would bring, delivered ahead of the formal audit window so critical and high findings are remediated before the empanelled prime walks in. The buyer's formal RBI submission goes in clean, the audit-committee minute reads well, and the inspection follow-up is shorter. AxVeil contracts directly because pre-audit readiness is not the regulator-facing submission. Pricing and timing are the same as a Professional or Enterprise VAPT; the difference is the calendar position: ahead of the empanelled audit, not in place of it.
- Subcontract delivery under a CERT-In empanelled prime: AxVeil operators run the engagement, the prime signs the report. Many empanelled firms have more regulator-driven demand than delivery capacity, especially during the Sep / Mar audit compression cycles. AxVeil delivers the operator-led VAPT, internal AD review, mobile + API testing and report drafting under the prime's methodology and quality wrap; the empanelled prime co-reviews, signs the regulator-facing report, holds the buyer contract and carries the regulatory accountability. The buyer gets a compliant empanelled-firm-signed RBI submission and AxVeil's operator depth. Pricing reflects the partner-share split (typically the empanelled firm retains 55–65% of the engagement value as the contracting party). See /partners for the empanelled partner roster and the subcontract economics in detail.
We expect to be empanelled by 2028. Until then this is the model — pre-audit readiness on AxVeil paper, regulator-facing submissions through an empanelled partner. The technical work is identical across both paths; only the contracting path and the cover signature differ. RBI-regulated buyers who want operator-led depth without the empanelment fudge get exactly that, with the contracting path stated up front in the proposal. Read the MENA banking VAPT case study for an anonymised account of the operator depth, and the BFSI industry page for the full direct-vs-subcontract framing.
Frequently asked questions
Must an RBI-regulated entity use a CERT-In empanelled VAPT vendor?
For the regulator-facing audit submission, yes — CERT-In empanelment is the floor of acceptability that RBI inspectors, and sector coordination with NCIIPC, expect for a VAPT vendor in India. The CERT-In empanelment list is public. A vendor can produce technically valid findings and still have its report flagged as insufficient in inspection if it is not empanelled and the deliverable does not map to the master-direction Annex.
Why does the choice of VAPT vendor matter to RBI at all?
RBI does not certify vendors, but it tests the credibility of your testing programme. Inspectors sample the scope letter, methodology, named-executor profile, finding severity, retest evidence, and remediation timeline. Those artefacts only land well when the vendor produces regulator-fluent material that maps to the Master Direction on Cyber Security Framework, addresses NCIIPC categorisation for any CII systems, and demonstrates executor seniority. A vendor optimised for SaaS-startup procurement frequently fails that bar.
What credentials should the named lead operator hold for BFSI work?
Ask for the lead operator's CV by name. OSCP plus a senior credential (CRTO, OSEP, GPEN, GXPN, or CREST CRT) is the credible floor for BFSI engagements. Confirm the operator is a full-time employee rather than subcontracted on demand, that the same operator runs the retest, and that the firm ran documented background verification — RBI inspectors look at vendor-side personnel screening for any party touching production-adjacent systems.
How long should RBI VAPT vendor procurement take?
For a regulated bank, six to ten weeks from RFP to signed engagement is realistic: scoping (week 1), RFP to a shortlist (week 2), responses with sample reports under NDA (weeks 3-4), technical conversations with named operators (weeks 4-5), commercial negotiation including audit-rights flow-down and data-residency clauses (weeks 5-7), and legal sign-off (weeks 7-10). Compressing below four weeks is only safe when renewing an existing empanelled-vendor relationship.
Can we work with AxVeil even though it is not yet CERT-In empanelled?
Yes, two ways. AxVeil delivers pre-audit readiness on its own paper — the same OWASP/CREST/NIST SP 800-115 methodology and CVSS rigor an empanelled audit would bring, run ahead of the formal audit window so criticals are fixed before the empanelled prime arrives. Or AxVeil operators deliver under a CERT-In empanelled prime who co-reviews, signs the regulator-facing report, and carries the regulatory accountability. AxVeil expects empanelment around 2028 and states the contracting path up front in every proposal.
Plan your RBI-aligned VAPT with AxVeil.
Pre-audit readiness on AxVeil paper, or sub-contracted delivery under a CERT-In empanelled partner. Named senior operator, retest included, contracting path stated up front.