xhield.tech Pre‑VAPT Blog


How CERT-In Compliance is Reshaping Enterprise VAPT in India (2026)

April 25, 2026 · By xhield.tech · 9 min read


[Image: A CISO reviewing compliance dashboards in a modern Indian enterprise security operations center]
For India's CISOs, 2026 looks very different from 2021. Compliance isn't optional anymore — and that's changing everything about how enterprises approach VAPT.


I want to start with a conversation I keep hearing in different forms across Indian enterprises right now.

A CISO at a mid-sized fintech tells me: "We did VAPT last year. Ticked the box. But when our auditors asked about our 6-hour incident reporting capability, we realised our pentest hadn't even looked at our logging infrastructure."

A security head at a large hospital chain: "CERT-In says we need to report breaches within 6 hours. We don't even detect most incidents within 6 hours, let alone report them. So now we're being asked to do a VAPT specifically to validate our detection stack — which is something we'd never thought of before."

These aren't edge cases. They're the new normal. And they tell you something important about where enterprise VAPT in India is heading.


The April 2022 Moment That Changed Everything

Most security professionals mark April 2022 as the inflection point. That's when CERT-In issued its landmark directions under Section 70B of the IT Act — and the Indian cybersecurity landscape shifted overnight.

The headline that everyone noticed was the 6-hour breach reporting window. For context, the EU's GDPR gives you 72 hours. The US varies by state but is typically 30–72 hours. India went to 6 hours. That's not a small difference. That's a fundamentally different operational posture.

But the 6-hour rule was only one part of it. The full directive also required:

  • Mandatory logging of all ICT systems for a rolling 180-day period, with logs kept within Indian jurisdiction
  • Mandatory reporting of 20 specific categories of cyber incidents — including data breaches, ransomware, identity theft, and attacks on critical infrastructure
  • Annual VAPT for critical sectors, with findings submitted to CERT-In
  • VPN and cloud service providers to maintain customer logs for five years

The enterprises that had been treating cybersecurity as a back-office function suddenly found it sitting in the boardroom.


Why This Is Specifically a VAPT Problem

Here's where it gets interesting for security teams. CERT-In compliance didn't just create a reporting obligation — it created a technical readiness obligation. And technical readiness is exactly what VAPT is supposed to measure.

Consider what the 6-hour reporting window actually demands. To report a breach within 6 hours, you need to:

  1. Detect the incident in near real-time
  2. Triage and confirm it's a genuine incident, not a false positive
  3. Understand what systems and data were affected
  4. Have a communication chain ready to notify CERT-In

If your detection capability has gaps — blind spots in your network, unmonitored endpoints, logging failures on legacy systems — you simply cannot meet this window. Not because your people are slow, but because your infrastructure won't tell you what happened.

[Image: Security operations team responding to an incident alert, monitoring real-time dashboards]
A 6-hour reporting window demands real-time detection capability. VAPT is increasingly being used to validate whether that capability actually exists.

Traditional VAPT, done well, surfaces exactly these gaps. But the scope of "done well" has expanded significantly. CISOs are now asking their pentest vendors questions they weren't asking three years ago:

  • Can you validate our logging coverage — are we actually capturing what CERT-In requires us to capture?
  • Can you test whether our SOC would detect your attack within our reporting window?
  • Can you check for data residency violations — are logs leaving Indian jurisdiction?

This is a meaningfully different brief than "find our web app vulnerabilities."


The Sector-by-Sector Reality

CERT-In's directions don't apply uniformly. Critical sector organizations — banking, insurance, telecom, healthcare, power, government — carry a heavier compliance burden, and most of them are already navigating multiple overlapping frameworks.

Banking and Financial Services: RBI's Master Direction on IT Governance (2023) mandated annual VAPT for all regulated entities, with specific requirements around internet-facing applications, core banking systems, and API security. Banks aren't just doing VAPT to find vulnerabilities anymore — they're doing it to satisfy three or four different regulatory bodies simultaneously.

Healthcare: The Digital Personal Data Protection Act (DPDPA) combined with CERT-In creates a particularly complex compliance surface for hospitals and health-tech companies. Patient data is sensitive personal data, and any breach triggers both CERT-In reporting and DPDPA obligations. The VAPT mandate here is effectively being driven by legal liability, not just regulatory compliance.

Telecom: With the Telecommunications Act 2023 and increasing scrutiny on network infrastructure security, telecom providers are under pressure to demonstrate continuous, not just periodic, security assessment capability.

Government and PSUs: CERT-In's directions have the most direct teeth here. Public sector undertakings are increasingly required to share VAPT reports with CERT-In directly, making the quality and completeness of those reports a matter of regulatory scrutiny.

[Image: India's digital infrastructure: data centers, financial networks, and government systems under cyber compliance mandates]
India's critical infrastructure sectors — banking, telecom, healthcare, government — are now operating under layered cybersecurity compliance frameworks that are reshaping how VAPT is scoped, conducted, and reported.


The Gap Between Compliance VAPT and Real Security

This is the part that security professionals talk about quietly, but rarely write about.

The explosion in VAPT demand driven by CERT-In compliance has, in many cases, led to a surge in compliance-grade VAPT — assessments designed primarily to produce a report that satisfies a regulator, not assessments designed to find what an attacker would find.

The difference is significant and worth being direct about.

Compliance-grade VAPT tends to:

  • Scope narrowly, testing only what's explicitly required
  • Rely heavily on automated scanning with limited manual validation
  • Prioritize speed (to keep costs down and timelines short)
  • Produce reports calibrated to regulatory language, not operational risk

Real-security VAPT does the opposite. It starts from the attacker's perspective — what would someone with time and motivation actually target? — and works backward into scope. It involves substantial manual testing, chains vulnerabilities together into realistic attack paths, and produces findings that an incident response team can actually use.

The irony is that CERT-In's intent — building genuine cyber resilience in Indian enterprises — is better served by the second type. But market incentives often push toward the first.

This is something CISOs are increasingly aware of, and it's driving a more sophisticated conversation about how to procure and evaluate VAPT engagements.


What Good Looks Like in 2026

So what does a CERT-In-aligned, genuinely useful VAPT engagement look like in the current environment? A few things stand out when you talk to security leaders who are getting this right.

Starting with the attack surface, not the scope document. The most sophisticated teams are doing continuous attack surface monitoring as a precursor to formal VAPT. They want to know — before the pentest begins — what's actually exposed, what's changed since the last engagement, and where their highest-risk assets are. This pre-VAPT intelligence phase is where a lot of the real value gets created.

Testing detection, not just defences. Given the 6-hour reporting window, CISOs want to know whether their SOC would catch a real attack. Some VAPT engagements now include a "purple team" element where testers work alongside the SOC to validate detection coverage — not just find vulnerabilities, but confirm the organization could identify and report them in time.

Scope that follows the data. CERT-In's data residency and logging requirements mean that VAPT scope increasingly needs to follow the data — across cloud environments, third-party integrations, SaaS tools, and API connections. An assessment that only covers the core application but ignores how data flows through the broader ecosystem will miss a significant portion of the actual risk.

Continuous over periodic. Annual VAPT is a regulatory floor, not a security ceiling. The enterprises taking compliance seriously in 2026 are treating it as the minimum — and supplementing it with continuous attack surface monitoring and more frequent targeted assessments for high-risk components.

[Image: A security team conducting a threat modeling session with attack surface maps on a whiteboard]
The best VAPT programs in 2026 start well before the pentesters arrive — with a clear, continuously updated picture of what's exposed and what matters most.


A Practical Note for CISOs Navigating This

If you're a security leader working through CERT-In compliance right now, a few things worth keeping in mind:

Documentation matters as much as findings. CERT-In audits increasingly look at process maturity, not just point-in-time vulnerability counts. Your VAPT reports, remediation tracking, and retesting cadence are all part of the compliance picture.

Your logging infrastructure is a security asset. The 180-day log retention requirement isn't just an administrative burden — it's the foundation of your incident detection and reporting capability. Make sure your VAPT scope explicitly validates logging coverage.

The 6-hour window changes your breach response math. Work backward from that deadline. If you discovered a breach right now, could you characterize it, confirm it, and report it to CERT-In in 6 hours? If you're not sure, that uncertainty is itself a finding worth investigating.
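Both of the points above, validating logging coverage and working backward from the 6-hour deadline, can be written down as a check rather than left as a question for the vendor. The following is an added example, not code from this post or from xhield.tech: it takes a constructed asset inventory, a list of log sources and a short incident history, then reports coverage gaps (assets with no log source, retention under 180 days, log storage outside Indian jurisdiction) and, for each past incident, time-to-detect and time-to-report measured against the 6-hour window. The asset names, region labels, field names and incident records are all assumptions constructed for the example, not any real tool's schema or any real organisation's data.

```python
"""
Added example (not from the original post): an offline check that turns two
CERT-In questions into something a VAPT scoping exercise can run against an
inventory. All assets, log sources and incidents below are constructed sample
data; the field names are this example's own assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

RETENTION_DAYS_REQUIRED = 180          # rolling log retention the directions require
REPORTING_WINDOW = timedelta(hours=6)  # reporting deadline the directions set
# Constructed labels for log storage locations inside India; a real check would
# map these from the organisation's own cloud/region inventory.
INDIA_REGIONS = {"ap-south-1", "ap-south-2", "dc-mumbai"}


@dataclass
class LogSource:
    asset: str
    retention_days: int
    storage_region: str


@dataclass
class Incident:
    name: str
    first_event: datetime           # earliest attacker activity found in logs
    detected: datetime              # when the SOC first noticed it
    reported: Optional[datetime]    # when CERT-In was notified; None if never


def check_logging_coverage(assets: List[str], sources: List[LogSource]) -> Dict[str, List[str]]:
    """Return asset -> list of coverage findings; an empty list means covered."""
    by_asset: Dict[str, List[LogSource]] = {}
    for src in sources:
        by_asset.setdefault(src.asset, []).append(src)

    findings: Dict[str, List[str]] = {}
    for asset in assets:
        issues: List[str] = []
        srcs = by_asset.get(asset, [])
        if not srcs:
            # No logs at all is a detection blind spot: nothing here could
            # ever start the 6-hour clock.
            issues.append("no log source (detection blind spot)")
        for src in srcs:
            if src.retention_days < RETENTION_DAYS_REQUIRED:
                issues.append(f"retention {src.retention_days}d is below {RETENTION_DAYS_REQUIRED}d")
            if src.storage_region not in INDIA_REGIONS:
                issues.append(f"logs stored in {src.storage_region}, outside Indian jurisdiction")
        findings[asset] = issues
    return findings


def reporting_timeline(inc: Incident) -> dict:
    """Time-to-detect, time-to-report and whether the window was met.

    The clock starts at detection, since the obligation runs from the point the
    organisation notices the incident. Time-to-detect is reported alongside it
    because that is the part a purple-team VAPT can exercise.
    """
    time_to_detect = inc.detected - inc.first_event
    if inc.reported is None:
        return {"name": inc.name, "time_to_detect": time_to_detect,
                "time_to_report": None, "within_window": False}
    time_to_report = inc.reported - inc.detected
    return {"name": inc.name, "time_to_detect": time_to_detect,
            "time_to_report": time_to_report,
            "within_window": time_to_report <= REPORTING_WINDOW}


# ---- constructed sample data -------------------------------------------------
SAMPLE_ASSETS = ["core-banking-api", "legacy-ad-dc", "payments-gateway"]
SAMPLE_SOURCES = [
    LogSource("core-banking-api", retention_days=365, storage_region="ap-south-1"),
    LogSource("payments-gateway", retention_days=90, storage_region="eu-west-1"),
    # legacy-ad-dc deliberately has no log source: the classic legacy blind spot
]
SAMPLE_INCIDENTS = [
    Incident("phishing-credential-misuse",
             first_event=datetime(2026, 3, 1, 2, 0), detected=datetime(2026, 3, 1, 3, 30),
             reported=datetime(2026, 3, 1, 7, 0)),
    Incident("ransomware-on-file-server",
             first_event=datetime(2026, 3, 10, 22, 0), detected=datetime(2026, 3, 11, 9, 0),
             reported=datetime(2026, 3, 11, 16, 30)),
]


def run_checks():
    """Run both checks over the sample data and return (coverage, timelines)."""
    coverage = check_logging_coverage(SAMPLE_ASSETS, SAMPLE_SOURCES)
    timelines = [reporting_timeline(i) for i in SAMPLE_INCIDENTS]
    return coverage, timelines


if __name__ == "__main__":
    coverage, timelines = run_checks()
    for asset, issues in coverage.items():
        print(f"{asset}: {'OK' if not issues else '; '.join(issues)}")
    for t in timelines:
        print(f"{t['name']}: detect={t['time_to_detect']} report={t['time_to_report']} "
              f"within 6h={t['within_window']}")
```

On the sample data the core banking API is covered, the legacy domain controller shows up as a blind spot, and the payments gateway fails on both retention and residency; the first incident meets the window and the second, detected eleven hours after the first malicious event, misses it. Feeding the same check a real inventory is the kind of evidence a scope document can point to when it claims to "validate logging coverage".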

Pre-VAPT intelligence shortens your assessment timeline. One of the most consistent feedback points from enterprises doing mature VAPT programs is that better pre-engagement reconnaissance leads to more focused, higher-quality testing. AI-assisted attack surface mapping — knowing exactly what you have before the pentest starts — is becoming a standard part of how leading teams approach this.


The Bigger Picture

CERT-In's 2022 directions were controversial when they landed. The 6-hour window, in particular, drew criticism for being operationally unrealistic for many organizations. And in some cases, that criticism was fair.

But here in 2026, looking back, something else is also true: the directions forced a conversation about cybersecurity maturity that Indian enterprises had been deferring for years. They moved VAPT from a compliance checkbox to a board-level accountability item. They created market demand for genuine security capability, not just audit-ready paperwork.

For CISOs navigating this environment, the challenge is to use that momentum well — to let compliance requirements be the floor, not the ceiling, and to build security programs that would hold up not just to a CERT-In audit, but to an actual attacker.

That's the harder, more important work. And it starts with knowing your attack surface.


At xhield.tech, we're building AI-powered pre-VAPT intelligence to help security teams understand their attack surface before the pentest begins — faster, more completely, and with better signal on what actually matters. If you're preparing for a VAPT engagement or navigating CERT-In compliance, we'd love to talk.


Tags: CERT-In VAPT Cybersecurity Compliance India Cybersecurity CISO Enterprise Security Attack Surface Management DPDPA RBI Cybersecurity