Penetration Testing

When You DON'T Need CERT-In Empanelled Vendor

Most Indian SaaS startups don't need CERT-In empanelled pentest vendors. When the requirement actually applies, when it doesn't, and how to verify.

Ashok S Kamat
Cyber Secify
13 min read

Most SaaS startups in India do not need a CERT-In empanelled pentest vendor. Empanelment is a credential designed for cybersecurity firms that audit government departments, public sector undertakings, Critical Information Infrastructure operators, and specifically named regulated entities (banks, NBFCs, certain SEBI-regulated intermediaries, insurers, telecom). If you are a B2B SaaS company, an early-stage fintech app that is not itself an RBI-regulated entity, an e-commerce platform, an EdTech, or a HealthTech product not operating at clinical-grade, CERT-In empanelment is not a requirement for your pentest. Paying the empanelment premium when your buyer or regulator does not ask for it is wasted spend.

This article exists because we keep seeing the same scenario. A founder gets told by an auditor, a customer questionnaire, or a sales call that they need a CERT-In empanelled vendor. They are about to spend 2 to 3 times more than necessary. Before that happens, the right question is: who specifically requires this, and where is that written down?

We are not CERT-In empanelled, and we are upfront about why. Cybersecify serves the segment where empanelment is not required, deliberately. For buyers who genuinely need an empanelled vendor (and a smaller number do), we point them to the right path. The point of this post is to help you figure out which group you are in before you sign anything.

What CERT-In Empanelment Actually Is

CERT-In is the Indian Computer Emergency Response Team, the national nodal agency under the Ministry of Electronics and Information Technology (MeitY). It handles cybersecurity incident response, issues advisories, runs the 6-hour incident reporting rule, and maintains a panel of empanelled information security auditing organisations.

Empanelment is a formal credentialing program. Cybersecurity firms apply, submit evidence of past audit engagements, team certifications, methodology documentation, ISO 27001 status for the firm itself, financial thresholds, and audited references. CERT-In evaluates the application. If approved, the firm is added to the official CERT-In empanelled auditor list for a fixed validity period (typically 2 to 3 years), after which they re-apply.

As of the latest published list, approximately 237 firms are CERT-In empanelled. The panel grew from 150 firms in 2022, a 58% increase. CERT-In is not gatekeeping entry. Empanelment is achievable. It is also entirely optional for firms that do not serve the segments that require it.

What empanelment confers: the authority to audit central and state government departments, PSUs, designated Critical Information Infrastructure operators, and any client where a sectoral regulator (RBI, SEBI, IRDAI, TRAI, CEA) explicitly mandates a CERT-In empanelled auditor.

What empanelment does not do: it does not stop non-empanelled firms from delivering qualified penetration tests to private companies, foreign clients, or sectors where empanelment is not required. It is a market-access credential for a specific segment, not a competence floor.

When CERT-In Empanelment IS Required

If any of the following applies to your company or your buyer, empanelment becomes relevant. The decision tree here is binary. Read each item against your actual context.

1. You are a designated Critical Information Infrastructure operator. The National Critical Information Infrastructure Protection Centre (NCIIPC) designates specific organisations in power, telecom backbone, banking, transport, and government services as CII operators. Designation comes by formal notification, not by self-classification. If you have received an NCIIPC designation letter, empanelled auditors are mandatory for your security assessments.

2. You are a bank, NBFC, payment aggregator, or specific category of fintech under RBI directives. RBI master directions on cyber security and the cyber resilience framework reference CERT-In empanelled auditors for certain assessments. The exact requirement varies by entity type and the specific assessment (VAPT, information system audit, cyber resilience review). Read the master direction that applies to your category. Urban Cooperative Banks at Level 2 and above have specific RBI directives that name CERT-In empanelment.

3. You are a SEBI-regulated market intermediary subject to the cyber resilience framework. Stock exchanges, depositories, brokers, asset management companies, and certain other categories have SEBI circulars that reference CERT-In empanelled auditors for periodic audits. The most recent version of the SEBI cyber resilience and cyber security framework applies.

4. You are an insurer or insurance intermediary under IRDAI cyber guidelines. IRDAI has issued guidelines that point to CERT-In empanelled firms for specific assessments.

5. You are a telecom service provider or licensed entity under DoT and TRAI requirements. Telecom compliance regimes reference empanelled auditors for sectoral assessments.

6. You are a power sector entity covered under CEA cyber security guidelines. Central Electricity Authority and sectoral guidelines reference empanelment for certain audit work.

7. You are bidding for central or state government, PSU, or quasi-government tenders. Most government RFPs and tender documents in IT security specify CERT-In empanelment as a qualification criterion. If you are responding as a vendor, the tender will typically require that your product or service has been assessed by a CERT-In empanelled auditor, so your pentest vendor must be empanelled. If you are buying as a government entity, your procurement rules require you to procure from empanelled firms.

8. You are an organisation that has chosen to follow CERT-In guidelines voluntarily. Some private companies opt into CERT-In guidelines as a trust signal. In that case, you self-impose the empanelled-auditor requirement.

If any of these eight categories applies, read the sister post: Who Needs a CERT-In Empanelled Pentest Vendor in 2026 for the affirmative path, what empanelled firms typically charge, how to verify empanelment status, and how to procure correctly.

If none applies, read on.

When CERT-In Empanelment Is NOT Required

This is the segment most readers of this article fall into. We will be specific about the scenarios, because vague reassurances are how founders end up overpaying.

1. B2B SaaS startups serving private enterprise customers. Your buyers are CTOs, CISOs, and procurement teams at private companies. They want SOC 2 or ISO 27001 evidence, a recent pentest report, and a vendor security questionnaire returned. Their requirement is methodology and proof, not Indian regulator empanelment.

2. Most fintech-adjacent apps that are not themselves RBI-regulated entities. If you process payments via a regulated PA/PG, build investment tools that route through SEBI-registered brokers, or operate as an insurance comparison platform routing through regulated insurers, you are typically not the regulated entity. The PA/PG or broker is. Their auditor requirements do not flow through to you unless you take on a regulated function.

3. E-commerce, marketplace, and consumer commerce platforms. Unless you have been designated as Critical Information Infrastructure or you have a specific direct relationship to RBI/SEBI/IRDAI as the regulated entity, e-commerce is not in scope. A pentest from a qualified non-empanelled firm satisfies your typical customer, payment partner, and PCI DSS-adjacent requirements.

4. EdTech and HealthTech that are not hospital-grade. Education platforms, learning apps, fitness apps, mental wellness apps, and most HealthTech products are not in CERT-In empanelment-required scope. Hospital information systems serving regulated clinical operations may have separate requirements (NABH, etc.), but those are not CERT-In empanelment.

5. General web, mobile, and API products for business use. Productivity tools, dev tools, analytics, B2B platforms, vertical SaaS for HR/sales/marketing/operations. The pentest evidence is for customer questionnaires and compliance audits (SOC 2, ISO 27001), not regulator submission.

6. Companies preparing for SOC 2 or ISO 27001 certification. Both frameworks accept qualified third-party pentest reports based on methodology and tester credentials. Neither requires CERT-In empanelled vendors. ISO 27001:2022 Annex A control 8.8 (Management of technical vulnerabilities) and SOC 2 trust services criterion CC7.1 ask for evidence of vulnerability management. They do not name empanelment.

7. Companies responding to enterprise customer security questionnaires. Read the questionnaire wording. The standard fields ask for: third-party penetration testing performed in the last 12 months, methodology used, tester credentials, severity rating in findings, retest evidence. They do not ask for CERT-In empanelment unless your buyer is itself an Indian regulated entity that needs to pass empanelment evidence up the chain.

If you are in this segment, your pentest budget should go to methodology and founder-led delivery, not to empanelment-premium pricing.

What Enterprise Customers and Auditors Actually Look For

When a SOC 2 auditor, ISO 27001 lead auditor, or enterprise customer’s security team evaluates whether a pentest report is acceptable, they look at specific things. Empanelment is rarely one of them. The actual bar:

Methodology. The report should explicitly cite a recognised framework. OWASP WSTG v5.0 for web applications. OWASP API Security Top 10 for APIs. PTES for engagement structure. NIST SP 800-115 for technical assessment methodology. MITRE ATT&CK for attack technique mapping where applicable.

Tester credentials. OSCP, CompTIA PenTest+, CREST registration, GIAC GPEN, or GIAC GWAPT are the credentials auditors recognise. CEH is also accepted in many contexts. At Cybersecify, Rathnakara, who personally leads every pentest engagement, holds OSCP. The auditor’s question is who actually did this work, and what is their verifiable credential.

Report quality. Each finding needs reproduction steps (the actual HTTP request, the exact URL, the exact payload), business impact assessment (what happens if this is exploited), severity rating (Critical, High, Medium, Low, Informational) using a recognised scoring framework (CVSS), and remediation guidance specific enough to fix. Compliance mapping to SOC 2 and ISO 27001 controls in the report is what makes it audit-grade.

Retest practice. The report should reference a defined retest window. Auditors look for evidence that findings were not just reported, but treated.

India regulatory awareness. Even non-empanelled vendors should be able to speak fluently to the CERT-In directions of April 2022 issued under Section 70B of the IT Act (the source of the 6-hour incident reporting rule), the technical safeguards expected under the DPDP Act, and the data handling expectations during the engagement itself. This is methodology hygiene, not empanelment.

If a vendor can produce work that passes all five criteria, the auditor will accept the report. Empanelment is not a substitute for any of the five, and it is not required in addition to them for the segments listed in the previous section.

Cost Reality: Empanelled vs Non-Empanelled

The single most common reason this question gets asked is price. So here is the honest picture.

Empanelled firms typically price 2 to 3 times higher for comparable SaaS-scope work than founder-led boutique firms. The premium reflects real cost structure: larger team overhead, audit-grade documentation requirements, regulated-sector BD overhead, sectoral compliance load, ISO 27001 certification cost for the firm itself, and the operational discipline empanelment demands.

For a buyer who genuinely needs empanelment (any of the eight categories above), this premium is justified and necessary. The empanelled firm has built the operating model to serve regulated work. The price reflects that. Paying it gets you a deliverable your regulator will accept.

For a buyer who does not need empanelment, the same premium is pure overpay. The methodology a non-empanelled qualified firm follows is the same. The credentials of the tester can be equivalent or better. The report quality can be equivalent or better. The only thing the empanelled firm adds is a credential your buyer is not asking for.

For context on what a SaaS-scope pentest should actually cost, see our pentest pricing breakdown for India. Our own boutique pricing sits at INR 74,999 for a single-scope Startup Pentest and INR 1,79,999 for a two-scope Growth Pentest. Empanelled-vendor pricing for comparable scope is typically INR 2 to 6 lakh, and sometimes more.

How to Verify What Your Specific Buyer or Auditor Wants

Do not take a vendor’s word for it. Do not take a sales pitch’s word for it. The right way to settle this question is with three checks, in order:

Step 1: Ask the auditor directly. If you are pursuing SOC 2 or ISO 27001, ask your audit firm in writing whether they require the pentest vendor to be CERT-In empanelled, or whether methodology and tester credentialing are the criteria. Get the answer in email or a signed engagement letter. The answer for SOC 2 and ISO 27001 audits is almost always the latter.

Step 2: Read the customer security questionnaire wording. If a customer has sent you a security questionnaire that triggered this question, read the exact field. Is it asking for a CERT-In empanelled vendor specifically? Or is it asking for a third-party penetration test from a qualified vendor with documented methodology? In our experience reviewing dozens of these questionnaires, the second wording is overwhelmingly more common. If it is the first, ask the customer whether they will accept equivalent credentials (OSCP, CREST, GIAC) and recent third-party engagement evidence. Many will.

Step 3: Read your regulator’s published requirements directly. If a regulator is invoked (RBI, SEBI, IRDAI, TRAI, CEA), find the specific master direction or circular and read the actual text. Do not rely on a vendor’s summary. RBI master directions on cyber security, the SEBI cyber resilience framework, and IRDAI cyber guidelines are all publicly available. The exact language tells you what is required. Often the requirement applies only to specific entity categories or specific assessment types, not blanket.

After these three checks, you will know whether you need an empanelled vendor or not. If you need one, follow the path in Who Needs a CERT-In Empanelled Pentest Vendor in 2026. If you do not, you are free to choose on methodology, credentials, and founder involvement.

What Cybersecify Offers (And Where We Are Honest About Scope)

We are not CERT-In empanelled, and we say so explicitly on our site and to every prospect. Our positioning is deliberate. We serve the segment where empanelment is not a requirement and where founder-led delivery, methodology depth, and tester credentialing are the criteria that matter.

Who we serve: SaaS startups (Seed to Series B primarily), B2B software, fintech-adjacent apps that are not RBI-regulated, e-commerce, EdTech, HealthTech that is not hospital-grade, and any private company preparing for SOC 2 or ISO 27001 audits or responding to enterprise customer questionnaires.

How we work: Founder-led from Bengaluru. Rathnakara (OSCP, CompTIA PenTest+, M.Sc Cyber Security) personally runs every penetration test. No juniors, no handoff to less experienced staff, six clients per month maximum. Methodology follows OWASP WSTG v5.0, OWASP API Security Top 10 where applicable, and PTES for engagement structure. Reports are audit-grade with SOC 2 and ISO 27001 mapping included.

Pricing. Startup Pentest at INR 74,999 (single scope, 7 calendar days). Growth Pentest at INR 1,79,999 (two scopes, 10 calendar days, includes SOC 2 + ISO 27001 audit prep evidence and Brand Protection Snapshot). Both include free retest within 30 days. See a redacted sample report to evaluate methodology and reporting quality before deciding.

For buyers who genuinely need empanelment: the right path is one of the approximately 237 currently CERT-In empanelled firms. We do not list specific recommendations on the public site (we do not represent them and competitive positioning would be misleading), but we do help prospects narrow the search during a Security on Demand session if that is the conversation you want. The empanelled firms list is publicly published by CERT-In and is the authoritative source.

This is a deliberate transparency posture. We do not pretend to compete in the empanelled segment, and we do not let buyers overspend by recommending us when empanelment is the actual requirement.

Decision Framework: One Page

If you got this far, you should be able to answer the question for your own company. As a one-page check:

Your situation                                        CERT-In empanelment required?
NCIIPC-designated CII operator                        Yes
Bank, NBFC, payment aggregator, or RBI-named fintech  Usually yes (verify by master direction)
SEBI-regulated market intermediary                    Often yes (verify by circular)
IRDAI-regulated insurer or intermediary               Often yes
Telecom service provider                              Yes
Power sector regulated entity                         Yes
Government department, PSU, or government tender bid  Yes
Private SaaS startup, B2B software                    No
Fintech app not itself RBI-regulated                  No (unless customer-specific contractual requirement)
E-commerce, marketplace, consumer commerce            No
EdTech, HealthTech (not hospital-grade)               No
Pursuing SOC 2 or ISO 27001 certification             No (methodology and credentials are the criteria)
Responding to enterprise customer questionnaire       No, unless the questionnaire specifically requires it

If your answer is yes, read the sister article. If your answer is no, save the empanelment premium and spend it on methodology, retesting, and ongoing security work instead.


Built for AI-first and API-first SaaS startups. Founder-led from Bengaluru. If you have a specific compliance requirement, customer questionnaire question, or pentest vendor decision to make, book a 30-minute call with the founders or start with Security on Demand for a focused 4-hour engagement. If your situation genuinely requires CERT-In empanelment, we will tell you directly and point you toward the right path.

Frequently Asked Questions

Is CERT-In empanelment legally required for all penetration tests in India?

No. CERT-In empanelment is required for audits of central and state government departments, public sector undertakings, designated Critical Information Infrastructure operators, and specific regulated entities where the sectoral regulator (RBI, SEBI, IRDAI, TRAI, CEA) explicitly mandates a CERT-In empanelled auditor. For most private SaaS startups, B2B software companies, e-commerce platforms, EdTech, and HealthTech apps not serving hospitals at clinical-grade, empanelment is not a legal requirement. Verify your specific regulator's wording before paying empanelment-premium pricing.

Does SOC 2 require a CERT-In empanelled pentest vendor?

No. SOC 2 is an AICPA framework developed in the United States. It has no India-specific vendor requirement. SOC 2 auditors look at methodology (OWASP WSTG, PTES, NIST SP 800-115), tester credentials (OSCP, CompTIA PenTest+, CREST), report quality (reproduction steps, business impact, severity rating, remediation guidance), and retest evidence. A non-empanelled boutique firm that produces an audit-grade report satisfies SOC 2 CC7.1 just as well as an empanelled firm.

Does ISO 27001 require a CERT-In empanelled pentest vendor?

No. ISO 27001 is an international standard. The relevant control (A.8.8 Management of technical vulnerabilities) requires evidence of vulnerability identification, evaluation, and treatment. The standard does not specify vendor empanelment by any country body. An ISO 27001 lead auditor reviews methodology, scope coverage, finding remediation, and retest evidence. CERT-In empanelment is not in the control language.

Are non-empanelled pentest reports valid for enterprise customer questionnaires?

Yes, in almost every case. Read the questionnaire wording. Most enterprise customer questionnaires (Vanta, Drata, OneTrust, SecurityScorecard, custom forms) ask for evidence of third-party penetration testing with methodology, credentialed testers, and a recent report date. They do not ask for CERT-In empanelment unless the buyer is an Indian regulated entity citing a specific RBI or SEBI requirement. If the questionnaire is silent on empanelment, a non-empanelled report from a qualified firm is acceptable.

How much more does a CERT-In empanelled pentest cost?

Empanelled firms typically price 2-3x higher for comparable SaaS-scope work than founder-led boutique firms, reflecting larger overhead, audit-grade documentation, and the regulated-sector compliance load. For genuinely regulated buyers (banks, PSUs, designated CII), this premium is justified and necessary. For SaaS startups where empanelment is not required, the premium is wasted spend. The right comparison is methodology and tester credentials, not empanelment status.

Where do I check if my specific regulator requires CERT-In empanelled auditors?

Read your regulator's published directives directly. RBI master directions on cyber security (banks, NBFCs, payment aggregators, UCBs) name CERT-In empanelment in specific contexts. SEBI cyber resilience circulars do the same for market intermediaries. IRDAI guidelines reference it for insurers. TRAI for telecom. NCIIPC designates Critical Information Infrastructure operators separately. If your sector is not on this list, empanelment is not a regulatory requirement. If you are unsure, ask your compliance counsel or your auditor in writing, not a pentest vendor's salesperson.

Got a question or counter-take?

Email contact@cybersecify.com, WhatsApp +91 9986 998 333, or DM the author on LinkedIn.
