CERT-In Empanelled Since 2008

CERT-In Compliance and Security Audit Services

Empanelled since 2008, Security Brigade delivers end-to-end CERT-In security audits, breach notification management, and continuous compliance for enterprises and regulated entities across India.

6,700+ Assessments
700+ Clients
150+ Team
Founded 2006

Trusted by India's leading enterprises

ICICI Bank
HDFC
PhonePe
Swiggy
Asian Paints
Mahindra
L&T
Aditya Birla
Pernod Ricard
Yes Bank
DHL Express
Etihad Airways
Amazon Pay
Sephora
Groww
Pharmeasy
BillDesk
Jubilant Foods
STEP 01

Assess

We perform a comprehensive gap assessment against all CERT-In baseline markers including CSM, PRO, DET, RES, REC, and IMP. Every application, network segment, and infrastructure component in scope is mapped and evaluated for compliance readiness.

STEP 02

Remediate

Our team delivers a prioritized remediation roadmap with specific, actionable guidance for every gap identified. We work with your development and infrastructure teams to resolve findings, conduct remediation walkthroughs, and validate fixes through multiple rounds of retesting.

STEP 03

Certify

Once all critical and high-severity findings are resolved, we issue the formal CERT-In security audit report and compliance certificate. The report is structured to meet regulatory expectations, and we provide ongoing support for any follow-up queries from CERT-In or sectoral regulators.

What Is CERT-In Compliance?

CERT-In compliance refers to meeting the cybersecurity standards defined by the Indian Computer Emergency Response Team, the national nodal agency under the Ministry of Electronics and Information Technology. Organizations must undergo periodic security audits conducted by CERT-In empanelled auditors, covering website security, application security, network infrastructure, and incident response readiness against six baseline markers.

Who Needs CERT-In Compliance?

CERT-In security audits are mandated across government, critical infrastructure, and regulated industries in India

Government Organizations

All central and state government departments, ministries, and public sector undertakings must undergo CERT-In audits for their IT infrastructure and citizen-facing applications.

BFSI and Financial Services

Banks, NBFCs, insurance companies, mutual funds, payment aggregators, and stock brokers are required to comply under RBI, SEBI, and IRDAI mandates that reference CERT-In standards.

Critical Information Infrastructure

Organizations operating critical infrastructure in sectors like power, telecom, transport, and healthcare must meet CERT-In security requirements.

Data Centers and Cloud Providers

Data center operators, cloud service providers, VPN service providers, and managed security service providers are covered under the 2022 CERT-In Directions.

E-Commerce and Digital Platforms

Large e-commerce platforms, digital payment companies, and fintech firms handling significant consumer data fall under CERT-In compliance requirements.

Enterprises with Regulatory Mandates

Any organization where a sectoral regulator such as RBI, SEBI, IRDAI, or UIDAI requires a CERT-In empanelled auditor for security assessments.

Methodology

6 steps. Zero guesswork.

Every engagement follows this process through Lemon, our proprietary audit management platform.

Discovery

01 Scoping and Baseline Mapping

We identify all assets in scope including web applications, mobile applications, APIs, network infrastructure, and cloud environments. Each asset is mapped against CERT-In baseline markers to define the audit plan. Lemon automatically assigns testing tasks and coverage requirements based on the asset profile.

02 Vulnerability Assessment and Penetration Testing

Comprehensive VAPT across all in-scope assets using our structured methodology. Web and mobile application testing follows OWASP standards. Network and infrastructure testing covers external and internal attack surfaces. AI-validated coverage checks cross-reference every known endpoint and service against what was actually tested, so gaps are surfaced before the report is released. All findings are mapped to specific CERT-In baseline markers.

Testing

03 Configuration and Architecture Review

Server hardening review, firewall configuration audit, network architecture assessment, and access control validation. We evaluate security configurations against CERT-In benchmarks and industry best practices, identifying misconfigurations that automated tools often miss.

04 Policy and Process Assessment

Review of information security policies, incident response procedures, access management processes, change management controls, and log management practices. We evaluate organizational readiness against CERT-In Directions 2022 requirements including the six-hour breach notification process and 180-day log retention mandate.

Delivery

05 Multi-Layer Quality Review

Every finding undergoes our L1/L2/L3 review process. L1 auditors document findings with proof-of-concepts. L2 senior consultants validate methodology and coverage completeness. L3 security architects confirm impact assessments and report quality. No audit report is released without passing all three review layers.

06 Reporting, Remediation, and Certification

We deliver a comprehensive CERT-In audit report with gap analysis, prioritized remediation roadmap, and technology-specific fix guidance. Multiple rounds of retesting are included. Once critical findings are resolved, we issue the formal CERT-In security audit certificate and provide ongoing support for regulator queries.

"Security Brigade's structured approach through Lemon gave us complete visibility into the testing process. The three-layer review caught issues that our previous vendor missed entirely. Their reports were the first our developers could actually act on without a follow-up call."
CISO, Leading Indian BFSI Enterprise
Top 5 Private Sector Bank · Engaged since 2019


The Platform

Powered by Lemon

Most firms rely on individual tester skill. We built a platform that makes quality structural — informed by 6,700+ previous assessments.

Lemon dashboard mockup (lemon.securitybrigade.com/project/PRJ-2847): Project PRJ-2847, Coverage Validation for acmecorp.com, 94% covered. Endpoints 247 / 263; Parameters 1,847; Auth Flows 12 / 12; JS Routes 38 / 41. AI flagged 3 undiscovered endpoints: /api/v2/admin/export, /api/v2/billing/webhook, /internal/healthcheck. Review status: L1 Complete, L2 In Review, L3 Pending.

Automated Baseline Marker Mapping

Lemon maps every testing task and finding to the six CERT-In baseline markers (CSM, PRO, DET, RES, REC, IMP), ensuring complete coverage and structured evidence for every requirement.

AI-Validated Coverage Completeness

AI cross-references mind maps, spidering results, JavaScript analysis, route files, and server logs to identify endpoints that appear in any of those sources but were never exercised during testing, so that assets which would otherwise go untested are surfaced and assigned before the report is finalized.
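The cross-referencing described above can be shown without the AI component. The following is an added example, not Lemon's or Security Brigade's code: each inventory source (access log, client-side JavaScript, server route table) is reduced to a set of normalized routes, identifier segments such as `42`, `:id` or `${uid}` are collapsed to `{id}` so that `/users/42` and `/users/7` count as one route, and anything in the union that is absent from the tested set is flagged. All inputs below are constructed; the route-file syntax and the `fetch()` calls are hypothetical.

```python
"""Endpoint coverage cross-check (added illustration, constructed data)."""
import re

# Constructed access-log lines in Combined Log Format style.
ACCESS_LOG = [
    '10.0.0.5 - - [12/Mar/2025:10:01:02 +0530] "GET /api/v2/users/42 HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Mar/2025:10:01:09 +0530] "POST /api/v2/billing/webhook HTTP/1.1" 200 17',
    '10.0.0.9 - - [12/Mar/2025:10:02:44 +0530] "GET /internal/healthcheck HTTP/1.1" 200 2',
    '10.0.0.9 - - [12/Mar/2025:10:03:01 +0530] "GET /api/v2/users/7/orders?page=2 HTTP/1.1" 200 900',
]
# Constructed fragment of a client-side bundle.
JS_BUNDLE = """
async function load(uid) { return fetch(`/api/v2/users/${uid}`); }
function exportAll() { return fetch(`/api/v2/admin/export?format=csv`, { method: "POST" }); }
"""
# Constructed server-side route table (hypothetical framework syntax).
ROUTE_FILE = """
GET    /api/v2/users/:id
GET    /api/v2/users/:id/orders
POST   /api/v2/billing/webhook
POST   /api/v2/admin/export
"""
# Paths the testers actually requested, e.g. exported from proxy history.
TESTED = ["/api/v2/users/42", "/api/v2/users/42/orders?page=1", "/login"]

# Path segments that are identifiers rather than routes: numeric IDs, UUIDs,
# Express-style ":id" and template-literal "${...}" placeholders.
_PLACEHOLDER = re.compile(
    r"/(?:\d+|[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}|:\w+|\$\{[^}]*\})(?=/|$)"
)
_LOG_PATH = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) (\S+) HTTP/')
_JS_FETCH = re.compile(r"""fetch\(\s*["'`](/[^"'`?\s]+)""")
_ROUTE_LINE = re.compile(r"^\s*(?:GET|POST|PUT|PATCH|DELETE)\s+(/\S+)", re.M)


def normalize(path: str) -> str:
    """Strip the query string and collapse identifier segments to {id}."""
    path = path.split("?", 1)[0]
    path = _PLACEHOLDER.sub("/{id}", path)
    return path.rstrip("/") or "/"


def routes_from_access_log(lines) -> set:
    """Routes seen by the server, including ones no crawler ever found."""
    return {normalize(m.group(1)) for line in lines if (m := _LOG_PATH.search(line))}


def routes_from_js(bundle: str) -> set:
    """Routes the front end calls; catches endpoints only reachable via script."""
    return {normalize(p) for p in _JS_FETCH.findall(bundle)}


def routes_from_route_file(text: str) -> set:
    """Routes the application declares, including unlinked admin paths."""
    return {normalize(p) for p in _ROUTE_LINE.findall(text)}


def audit_coverage(tested, access_log, js_bundle, route_file) -> dict:
    """Compare what was tested against every route the sources know about."""
    known = (routes_from_access_log(access_log)
             | routes_from_js(js_bundle)
             | routes_from_route_file(route_file))
    hit = {normalize(p) for p in tested}
    return {
        "untested": sorted(known - hit),        # inventoried but never requested
        "uninventoried": sorted(hit - known),   # requested but in no inventory source
        "coverage": len(known & hit) / len(known) if known else 1.0,
    }


if __name__ == "__main__":
    report = audit_coverage(TESTED, ACCESS_LOG, JS_BUNDLE, ROUTE_FILE)
    print(f"coverage: {report['coverage']:.0%}")
    for path in report["untested"]:
        print("untested:", path)
```

Run on the constructed data it flags the same three paths shown in the dashboard mockup (/api/v2/admin/export, /api/v2/billing/webhook, /internal/healthcheck) and also reports /login as tested but present in no inventory source, which usually means the inventory itself is incomplete. The normalization step is what makes the comparison meaningful; without it every distinct user ID in the logs would appear as an untested route.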

Real-Time Client Dashboard

Track audit progress, review findings as they are discovered, monitor remediation status, and download reports. Full transparency for your CISO, compliance team, and developers.

Compliance-Ready

Audit-ready reporting for every framework

As a CERT-In empanelled firm, our reports are accepted by CERT-In and by the Indian sectoral regulators (RBI, SEBI, IRDAI) whose mandates require an empanelled auditor, and are structured so that each regulator's requirements are separately mapped.

Web Application Security Audit: Maps to CERT-In CSM and PRO markers. Cov
Network and Infrastructure Audit: Maps to CERT-In CSM, PRO, and DET marker
Mobile Application Security Audit: Maps to CERT-In CSM and PRO markers. Cov
Configuration and Hardening Review: Maps to CERT-In IMP marker. Covers serve
Incident Response Readiness: Maps to CERT-In RES and REC markers. Eva
RBI Cyber Security Framework: CERT-In audit findings directly feed int
SEBI Cyber Security Circular: SEBI mandates CERT-In empanelled auditor
IRDAI Cyber Security Guidelines: Insurance companies must undergo securit

Industries

700+ clients across verticals

Every type of application architecture and business logic pattern — tested.

BFSI: ICICI Bank, HDFC, Yes Bank, UTI MF, Edelweiss
Fintech & Payments: PhonePe, Amazon Pay, Groww, BillDesk
Manufacturing: Mahindra, Asian Paints, L&T, Hindalco
Retail & Consumer: Swiggy, Sephora, Pernod Ricard, Jubilant
Aviation & Logistics: Etihad Airways, DHL Express, Shadowfax
Healthcare: CloudNine, Pharmeasy, Wave Health

Deliverables

What you get

Reports for two audiences — executives who need the risk picture, and developers who need to fix the issues. With code-level guidance, not vague advice.

CERT-In Security Audit Report

Formal audit report structured per CERT-In requirements, with findings mapped to baseline markers. Designed for direct submission to CERT-In and sectoral regulators without revision.

Gap Analysis Report

Detailed analysis of gaps against every CERT-In baseline marker (CSM, PRO, DET, RES, REC, IMP) with current compliance status and specific areas requiring remediation.

Technical Vulnerability Report

Detailed vulnerability descriptions with step-by-step proof-of-concepts, annotated screenshots, request/response examples, CVSS severity scoring, and technology-specific remediation code examples.

Executive Risk Summary

High-level report for CISOs and board members covering overall risk posture, critical findings, business impact analysis, and remediation prioritization without technical detail.

Prioritized Remediation Roadmap

Sequenced remediation plan organized by risk severity, effort, and business impact. Enables your team to fix the most critical issues first and track progress systematically.

CERT-In Security Audit Certificate

Formal certificate issued after remediation and validation are complete, confirming your organization has undergone a structured security audit by a CERT-In empanelled auditor.

Remediation Retesting Report

Validation report confirming which vulnerabilities have been successfully fixed and which remain open, with updated severity assessments after each retesting cycle.

Breach Notification Readiness Kit

Documentation templates and process guides for the six-hour CERT-In breach notification requirement, customized to your organization's incident response structure.

FAQ

Common questions

Can't find what you're looking for? Talk to our team.

Contact us
What is a CERT-In empanelled auditor?
A CERT-In empanelled auditor is a cybersecurity firm authorized by the Indian Computer Emergency Response Team to conduct security audits of government and critical infrastructure systems. Only firms that meet CERT-In's technical and operational criteria receive this empanelment, and it is reviewed periodically rather than granted once. Security Brigade has been empanelled since 2008, making it one of the longest-empanelled cybersecurity firms in India.
Is CERT-In compliance mandatory for private companies?
Yes, for a wide range of private organizations. The 2022 CERT-In Directions apply to service providers, intermediaries, data centres, body corporate, and government organisations. In addition, sectoral regulators such as RBI, SEBI, and IRDAI mandate CERT-In empanelled auditors for security assessments of the entities they regulate. Any organization operating significant digital infrastructure or handling consumer data should evaluate its obligations under both the Directions and its sectoral regulator.
How long does a CERT-In security audit take?
A typical CERT-In security audit takes 3 to 6 weeks depending on scope, including application testing, infrastructure assessment, policy review, remediation support, and report delivery. Organizations with a mature security posture often complete the process faster because fewer retest cycles are needed. Security Brigade's platform-driven approach shortens timelines by automating evidence collection, methodology assignment, and report generation.
What are the six CERT-In baseline markers?
The six CERT-In baseline markers are CSM (Configuration and Security Management), PRO (Protection), DET (Detection), RES (Response), REC (Recovery), and IMP (Implementation). Together they provide a framework for evaluating an organization's cybersecurity posture across prevention, detection, and recovery. Security Brigade's audit methodology maps every finding and test case to the relevant marker, so the evidence for each requirement is structured and complete.
What is the six-hour breach notification requirement?
Under the 2022 CERT-In Directions, covered entities must report cybersecurity incidents to CERT-In within six hours of noticing them or being brought to notice of them. The reportable categories include data breaches, unauthorized access, malware attacks, and denial-of-service incidents, among others listed in the Directions. Security Brigade offers managed breach notification support and runs the reporting process on your behalf; the legal obligation to report stays with your organization, so the process is designed so that your incident owners can sign off within the window.
How many CERT-In empanelled auditors are there in India?
There are approximately 100 CERT-In empanelled firms in India. Empanelment alone does not guarantee audit quality: firms vary widely in team size, methodology, platform capabilities, and delivery consistency. Security Brigade differentiates through 18 years of continuous empanelment, a proprietary audit platform, AI-validated coverage, and a structured L1/L2/L3 review process.
Can a CERT-In audit be combined with RBI or SEBI compliance?
Yes. Security Brigade routinely integrates CERT-In audits with RBI, SEBI, IRDAI, and other regulatory compliance requirements, since these frameworks have overlapping security assessment mandates. Our methodology consolidates the common requirements into a single structured engagement and delivers separately mapped reports for each regulator, which reduces audit fatigue, cost, and operational disruption.
What happens if we fail the CERT-In audit?
A CERT-In audit is not a pass/fail examination. The audit identifies gaps and vulnerabilities in your security posture. Security Brigade delivers a prioritized remediation roadmap and works with your team to resolve findings, with multiple rounds of retesting included to validate fixes. The formal certificate is issued once critical and high-severity issues are resolved. Our goal is to get you compliant, not just to assess you.
What is the 180-day log retention requirement?
The 2022 CERT-In Directions require covered entities (service providers, intermediaries, data centres, body corporate, and government organisations) to maintain logs of their ICT systems, including firewalls, intrusion prevention systems, and servers, for a rolling period of 180 days. These logs must be stored within Indian jurisdiction and made available to CERT-In on request or alongside an incident report. The Directions also require system clocks to be synchronised to the NIC or NPL NTP servers (or servers traceable to them), so that timestamps are consistent across log sources. Security Brigade evaluates your log management infrastructure, including gaps inside the 180-day window rather than just the age of the oldest archive, and provides recommendations to meet this requirement.
How often do we need a CERT-In security audit?
The frequency depends on your organization type and sectoral regulator requirements. Most regulated entities require annual CERT-In audits, and RBI-regulated entities may need more frequent assessments based on their risk classification. Security Brigade recommends annual comprehensive audits supplemented by continuous monitoring through ShadowMap to maintain compliance posture between audit cycles.

Start Your CERT-In Compliance Journey Today

18 years of CERT-In empanelment. 6,700+ assessments. Platform-driven quality your regulators will trust.

Typically responds within 1 business day · No commitment required

Get a Quote