Understanding CERT-In VAPT Requirements for SEBI Regulated Entities
SEBI-regulated financial entities operating in India must comply with the vulnerability assessment and penetration testing (VAPT) requirements that SEBI's cybersecurity circulars anchor in CERT-In (Indian Computer Emergency Response Team) guidelines. As a CISA-certified compliance architect, I explain that CERT-In VAPT is not optional: it is a regulatory obligation enforced through RBI and SEBI directives. Within the first 60 days of the financial year, entities must run authenticated and unauthenticated vulnerability scans, followed by penetration testing that confirms which findings are actually exploitable. Non-compliance attracts penalties under the Information Technology Act and weakens your regulatory standing.
CERT-In VAPT Mandate: What SEBI Entities Must Know
Regulatory Framework & Applicability
- RBI Master Circular on Cybersecurity: Mandates VAPT for all payment systems, core banking, and financial technology platforms
- SEBI Circular on Cybersecurity Risk Management: Requires brokers, custodians, and trading platform operators to conduct VAPT twice a year (bi-annual)
- DPDP Act Alignment: The Digital Personal Data Protection Act requires data fiduciaries to maintain reasonable security safeguards; VAPT evidence is the practical way to demonstrate those safeguards to regulators and auditors
- CERT-In Guidelines: Defines scope—network infrastructure, web applications, APIs, and third-party integrations must be tested
- Scope Expansion: Cloud environments, mobile banking apps, and hybrid architectures now fall under mandatory VAPT scope
Key VAPT Testing Components Required by CERT-In
- Vulnerability Assessment (VA): Automated and manual scanning for CVEs, misconfigurations, weak authentication, unpatched systems, and protocol weaknesses
- Penetration Testing (PT): Simulated attacks mimicking real threat actors—testing firewall bypass, privilege escalation, lateral movement, and data exfiltration
- Web Application Security Testing: OWASP Top 10 coverage including SQL injection, XSS, CSRF, broken access control, and insecure deserialization
- API Security Testing: OAuth/JWT validation, rate limiting, input validation, and data leakage prevention in REST/GraphQL endpoints
- Network Penetration Testing: Segment testing, VPN/remote access security, wireless network assessment, and external perimeter hardening
- Third-Party Risk Assessment: Vendor and fintech partner security posture evaluation
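The API security component above lists "OAuth/JWT validation" as a test item. The following is an added example (not code from the page or from Praxis-Q) of what that check looks like when scripted: a minimal HS256 JWT built with the Python standard library, a deliberately defective verifier that honours the `alg` value from the untrusted token header (so an `alg: none` token is accepted and `exp` is never checked), and the hardened form that pins the algorithm, compares signatures in constant time and enforces expiry. The secret, the claims and the fixed clock are constructed for the demo; a tester would issue the same three forged tokens against the real endpoint and record which ones it accepts.

```python
"""Added example: JWT validation checks for the API security test item.
Assumptions (not from the page): standard-library HS256 only, a constructed
secret, a constructed fixed clock, and a hypothetical API that authorises
on the `sub` claim."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-secret"  # constructed for the example only


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, key: bytes, alg: str = "HS256") -> str:
    """Mint a token. `alg` is exposed so the tester can forge alg=none."""
    signing_input = f"{_segment({'alg': alg, 'typ': 'JWT'})}.{_segment(payload)}"
    if alg == "none":
        return signing_input + "."  # unsigned token, empty signature segment
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_vulnerable(token: str, key: bytes, now: float) -> Optional[dict]:
    """Defective verifier: trusts the alg named in the attacker-controlled
    header and never looks at `exp`."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") == "none":            # attacker picks this branch
        return json.loads(_b64url_decode(p))
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if _b64url(expected) != s:                 # also a timing side channel
        return None
    return json.loads(_b64url_decode(p))


def verify_hardened(token: str, key: bytes, now: float) -> Optional[dict]:
    """Pin the algorithm, compare in constant time, enforce expiry."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":           # server decides the algorithm
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), s):
        return None
    payload = json.loads(_b64url_decode(p))
    if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= now:
        return None
    return payload


def run_checks(verify) -> dict:
    """The three forged tokens a tester submits, plus a control.
    True means the verifier behaved correctly for that case."""
    now = 1_700_000_000  # constructed fixed clock
    good = sign_hs256({"sub": "user", "exp": now + 600}, SECRET)
    forged = sign_hs256({"sub": "admin", "exp": now + 600}, SECRET, alg="none")
    h, _, s = good.split(".")
    tampered = ".".join([h, _segment({"sub": "admin", "exp": now + 600}), s])
    expired = sign_hs256({"sub": "user", "exp": now - 1}, SECRET)
    accepted = verify(good, SECRET, now)
    return {
        "valid_token_accepted": accepted is not None and accepted["sub"] == "user",
        "alg_none_rejected": verify(forged, SECRET, now) is None,
        "tampered_payload_rejected": verify(tampered, SECRET, now) is None,
        "expired_rejected": verify(expired, SECRET, now) is None,
    }


if __name__ == "__main__":
    for name, fn in (("vulnerable", verify_vulnerable), ("hardened", verify_hardened)):
        print(name, run_checks(fn))
```

Against the defective verifier the control and the tampered-payload case pass, but the `alg: none` forgery and the expired token are both accepted; the hardened verifier rejects all three. The same four cases (and an RS256-to-HS256 key-confusion token, when the API publishes an RSA key) are what the "OAuth/JWT validation" line in a VAPT report should show evidence for.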
RBI & SEBI Cybersecurity Circular: Timeline & Compliance Deadlines
Annual Compliance Calendar for SEBI Entities
- Q1 (April-June): First VAPT cycle: comprehensive assessment of all critical systems ahead of the financial year's peak trading periods
- Q2 (July-September): Remediation and re-testing of identified vulnerabilities; gap closure tracked through Corrective Action Plans (CAPs)
- Q3 (October-December): Second VAPT cycle (for high-risk entities): focus on newly deployed systems and seasonal trading platform enhancements
- Q4 (January-March): Compliance documentation, auditor sign-off, and board reporting; evidence submission to SEBI/RBI
- Incident-Driven Testing: Immediate VAPT re-scan within 30 days of a breach or major infrastructure change, per CERT-In advisory
Common Compliance Gaps & How Praxis-Q Closes Them Fast
- Scope Creep: Entities often miss APIs, microservices, and cloud workloads—we map 100% of attack surface within week 1
- Remediation Delays: Critical vulnerabilities remain unpatched for months—our fast-track re-testing cycles accelerate closure to 15 days
- Non-Empanelled Assessors: SEBI requires VAPT to be performed by CERT-In empanelled auditing organisations, and internal teams typically lack both the empanelment and the individual credentials; Praxis-Q deploys certified assessors (CISA #232322528 + team) within days
- Documentation Deficiency: Regulators reject incomplete reports—we deliver RBI/SEBI-compliant reports with evidence matrices and remediation roadmaps in weeks, not months
- Third-Party Neglect: Fintech partners and cloud providers aren't tested—we extend VAPT to full vendor ecosystem per SEBI Circular 2021 guidance
Praxis-Q's Fast-Track VAPT Delivery Model for SEBI Compliance
Why Weeks, Not Months?
- Pre-Scoping Efficiency: CISA-certified architects complete network mapping and tool calibration within 3 days; competitors spend 2-3 weeks
- Parallel Testing: Vulnerability scanning, penetration testing, and application security assessment run concurrently—sequential approaches add 4-6 weeks
- Automated Reporting: Our proprietary vulnerability management platform auto-generates SEBI/RBI-format reports with live remediation tracking—no manual compilation delays
- Dedicated VAPT Team: Assigned pen testers and VA specialists focus exclusively on your engagement; no resource contention with other clients
- 24/7 Re-Testing Cycles: Vulnerabilities patched by your team? We validate fixes within 48 hours, not 2 weeks—critical for financial sector uptime SLAs
Compliance-Ready Deliverables
- Executive summary aligned with SEBI Circular reporting expectations
- Detailed vulnerability matrix (CVSS 3.1 scoring) with business context
- Penetration test narrative—simulated attack paths and exploitability evidence
- Remediation roadmap with priority tiers and risk quantification
- Board-ready compliance certification confirming CERT-In framework adherence
- Auditor workpaper pack for external statutory auditor coordination
FAQ: CERT-In VAPT & SEBI Cybersecurity Compliance
Q: Does our SEBI-regulated fintech require annual or bi-annual VAPT?
SEBI mandates bi-annual VAPT for trading platforms, brokers, and custodians. High-risk entities handling payment systems face quarterly requirements per RBI Master Circular. Praxis-Q schedules compliance cycles aligned with your regulatory category—we track SEBI notification updates to ensure your timeline never slips.
Q: Can internal IT teams conduct CERT-In VAPT, or must it be third-party?
Regulators require the VAPT itself to be conducted by a CERT-In empanelled organisation, and prefer independent certified assessors (CISA/CISM) for audit-trail credibility. Internal-only VAPT carries little weight in SEBI inspections. Praxis-Q's ISO 27001 Lead Auditor team provides independent certification, which is critical for passing unannounced SEBI inspections. A hybrid model (internal scanning plus external validation) is cost-optimal.
Q: What happens if vulnerabilities aren't fixed before the next VAPT cycle?
Unresolved critical/high vulnerabilities trigger regulatory escalation: SEBI demands a root cause analysis and issues explain-or-comply letters. Repeated non-closure attracts penalties and jeopardises your license renewal. We maintain live vulnerability tracking and conduct interim re-scans after each patch, keeping you compliance-ready between cycles.
Q: Are cloud and SaaS platforms covered under SEBI VAPT requirements?
Yes. SEBI Circular 2021 explicitly mandates third-party cloud/SaaS security assessment. AWS, Azure, and fintech partner APIs must be included in your VAPT scope. Many entities miss this—resulting in compliance gaps. Praxis-Q extends testing to cloud workloads and provides shared responsibility model evidence.
Q: What's the cost and timeline for a typical SEBI entity VAPT?
Scope-dependent: SME fintech platforms (50-100 systems) complete in 4-6 weeks; large brokerages (500+ systems) in 8-12 weeks. Praxis-Q's fast-track model compresses this by 40% through parallel testing and pre-built SEBI report templates. Costs range from ₹2-10 lakhs depending on infrastructure size—transparent upfront pricing.
Conclusion: Regulatory Readiness Through Certified VAPT
CERT-In VAPT compliance is non-negotiable for SEBI-regulated entities. Regulatory circulars now explicitly require third-party certified assessments, bi-annual cycles, and documented remediation—gaps expose your organization to penalties, license suspension, and reputational damage. As a CISA-certified compliance architect, I've seen financial entities struggle with outdated vulnerability assessment approaches and missed API/cloud scopes, leading to regulatory findings.
Praxis-Q accelerates your compliance timeline through certified assessors (CISA, CISM, ISO 27001 Lead Auditor), parallel testing workflows, and pre-formatted SEBI/RBI reporting—delivering fast-track VAPT in weeks instead of months. Our cloud-native approach captures modern fintech risks (microservices, APIs, SaaS integrations) that legacy penetration testers miss. Combined with DPDP Act alignment and vendor risk extension, our VAPT service ensures full regulatory coverage and audit readiness.
Ready to close VAPT compliance gaps and pass your next SEBI inspection? Engage Praxis-Q's certified VAPT team today—we'll scope your assessment within 48 hours and deliver compliance-ready findings in weeks. Your regulatory standing depends on it.
Sahil Dubey
Compliance & Security Expert
CISA, ISO 27001 LA, AWS Certified. 11+ years in information security, cloud services, and compliance. Founder of Praxis-Q.