Six practices.
One discipline.

Senior practitioners. Real engagements. Every recommendation filtered through one question — does this actually reduce your risk?

Our security services

01 / vAPT

Penetration testing, the way attackers do it.

Application, network, mobile, API. Manual testing by senior practitioners — not automated scanners with a logo. We chain bugs the way adversaries do, then sit with your engineers until each one closes.

Web · Mobile · API | OWASP ASVS | CERT-In aligned

What you walk away with

  • Executive summary: Board-ready, jargon-free.
  • CVSS-scored findings: Reproducible PoCs, fix recipes.
  • Engineering ticket queue: Plug-and-play backlog by blast radius.
  • Free retest + attestation: Fix verification included in scope.

2–4 weeks · Scope-dependent

02 / Cloud Security

AWS, Azure, GCP — audited properly.

Posture reviews, IAM hardening, Kubernetes audits, supply-chain checks. We map your actual blast radius — not what a CSPM dashboard guesses at.

CSPM + IAM | EKS / GKE / AKS | IaC review

Coverage

  • Identity & access: Stale keys, role chaining, escalation paths.
  • Network perimeter: Public exposure, segmentation, egress.
  • Data plane: S3 / GCS / KMS / database posture.
  • Container orchestration: Pod security, RBAC, image supply chain.

3 weeks · Multi-cloud ready

03 / Compliance

DPDP, ISO 27001, SOC 2 — auditor-ready.

DPDP Act 2023 changed the game — ₹250 cr penalties, 72-hour notification. We turn compliance from theatre into actual risk reduction. ISO, SOC 2, PCI-DSS, HIPAA, GDPR also covered.

DPDP 2023 | ISO 27001:2022 | SOC 2 I & II

Engagement model

  • Gap → readiness: Where you are vs. where the standard requires.
  • Policy & control authoring: Plain-English, fit-to-stack, not boilerplate.
  • RoPA & DPIA: Data flows, lawful basis, risk register.
  • Audit prep & defence: We sit with you in the auditor's room.

8–14 weeks · Audit-ready outputs

04 / Incident Response

When minutes matter, we're already moving.

Containment, forensics, regulator notification, recovery. CERT-In 6-hour reporting handled. Available on retainer or on call — retainers activate same-day.

24/7 on-call | Forensics | CERT-In 6h

Phases

  • Triage & contain: Stop the bleeding within hour one.
  • Forensic investigation: What happened, how, what was touched.
  • Notify & comply: CERT-In 6h, DPDP 72h, customer comms.
  • Postmortem your board reads: What changes, who owns it, by when.

Retainer or on-call · Same-day

05 / vCISO Advisory

Fractional security leadership.

For teams scaling past their first hire. Strategy, roadmap, vendor selection, board reporting — actual ownership of your security function, not slides.

Roadmap | Board reporting | Hiring

Engagement shape

  • 2 days / week embedded: Standups, planning, tactical decisions.
  • Quarterly board memo: Risk posture, spend, incidents, headcount.
  • Customer security calls: We field your enterprise SecRev questions.

6 month minimum · Embedded

06 / Red Team

Goal-driven adversary simulation.

Phish, pivot, persist — without burning the house down. Multi-vector engagements combining social, physical, and digital. Closed with a purple-team debrief.

Social eng | Physical | Purple team

Outcomes

  • Realistic threat picture: "Could they steal X?" — not "did we find a CVE?"
  • Detection-gap inventory: What your SOC missed and why.
  • Tabletop & tuning: Your blue team gets sharper, not embarrassed.

4–6 weeks · Purple debrief included

How an engagement works

From scope to signed-off.

  • 01 Scope: Targets & rules
  • 02 Test: Manual, senior-led
  • 03 Report: CVSS + PoC + fixes
  • 04 Remediate: Pair with your team
  • 05 Re-test: Verify & attest