Will the WASA report satisfy our enterprise customers' security questionnaires (CAIQ / SIG / Shared Assessments)?

Yes. Every WASA engagement ships a vendor-pack annex written in customer-security-questionnaire language, with framework crosswalk to OWASP, ASVS, ISO 27001:2022 Annex A and (where applicable) HIPAA / PCI DSS. The pack is the operational-evidence attachment your customer-success team uses on enterprise RFPs.

Does WASA close my CERT-In + RBI Master Direction obligations?

For BFSI / fintech / payment-aggregator scope, yes. The WASA deliverable is shipped in CERT-In empanelled submission format with explicit crosswalk to RBI Master Direction on IT Governance (Nov 2023) Annex-1 clauses. The same evidence inputs the next CSITE Cell or DPSS thematic review without rework.

How long does a WASA engagement take?

5–6 weeks for a mid-sized SaaS or fintech scope. Larger / multi-tenant / multi-region scopes stretch to 7–8 weeks. The closing week is dedicated to remediation validation and the 60-day re-test window covers every Critical and High finding.

Do you cover AI / LLM application security in WASA scope?

Yes — OWASP Top 10 for LLM Applications (2025) is the default catalogue for any AI surface in scope. Direct + indirect prompt-injection, tool-use abuse, training-data exfiltration, and domain-specific impersonation paths are tested as base scope.

Will the report drop into our GRC tool?

Yes. Findings export to Archer, ServiceNow IRM, Vanta, Drata, Tugboat Logic, OneTrust or Jira / Linear / GitHub Issues with owner, severity, CWE and ETA. The risk-register sync happens at engagement closure as part of the standard deliverable.

Fixed-fee SoW sized by application count, tenant model and framework-overlay scope. Pricing transparency is standard — methodology document, lead consultant credentials, comparable-engagement references and a sample anonymised report are shared at the proposal stage.

OWASP ASVS · SANS CWE Top 25 · Compliance-mapped

WASA — Web Application Security Assessment

Procurement-grade Web Application Security Assessment — design integrity, not just exploit-finding.

WASA is a structured, framework-mapped evaluation of how a web application withstands real-world attack behavior across architecture, business logic, APIs, session handling and authentication. Macksofy delivers WASA reports that drop directly into enterprise procurement, RBI / SEBI / DPDP submissions, and SOC 2 / ISO 27001 evidence packs — without the rework most pentest PDFs trigger.

Request Audit Talk to a consultant

Download sample audit report

CERT-In format · anonymised

Aligned to

OWASP Top 10 (2021) + API Security Top 10 (2023)
OWASP ASVS V4.0 (Application Security Verification Standard)
SANS CWE Top 25
NIST SP 800-53 (IA-5, SC-7) + NIST SP 800-115 v2 testing methodology
ISO/IEC 27001:2022 Annex A.5, A.8 + ISO/IEC 27002:2022
PCI DSS v4.0 (clauses 6.x + 8.2.6 session controls)
OWASP Top 10 for LLM Applications (2025) — for AI surfaces in scope
CERT-In empanelled submission format (for Indian regulator inputs)
RBI Master Direction on IT Governance (Nov 2023) Annex-1 (for BFSI scopes)

Why this matters

Compliance is leverage, not paperwork.

A modern enterprise buyer (and an increasing share of Indian BFSI auditors) doesn't want a raw pentest PDF. They want a Web Application Security Assessment that proves design integrity, maps every finding to a recognised control framework (OWASP Top 10, ASVS V4.0, SANS CWE Top 25, ISO 27001 Annex A, PCI DSS), and surfaces compound risk — the chained low-severity flaws that combine into account takeover, lateral movement or tenant-bleed. The 2025 State of Continuous Pentesting report attributes 96% of vulnerabilities in the last 12 months to web applications, and most of them are not zero-days; they are weak session controls, exposed API metadata and misconfigured headers that look minor in isolation but combine into compound exposure. Macksofy's WASA programme is purpose-built for that reality, with dual-layered AI-augmented + manual testing, threat-modelled scoping, and RFP-ready reporting that satisfies enterprise InfoSec, CERT-In format submission and the RBI Master Direction on IT Governance (November 2023) Annex-1 evidence the inspector reads.

Applicability

B2B SaaS shipping enterprise security questionnaires (CAIQ, SIG, Shared Assessments)
Fintech / lending / payment-aggregator licensees needing RBI-format AppSec evidence
Healthtech / US-PHI GCC operators needing HIPAA Security Rule §164.308–312 evidence
BPO / KPO + IT-services majors with customer-third-party-AppSec-standard obligations
Public-sector and ministry-adjacent operators on the Digital India ecosystem
AI / LLM product companies adding OWASP LLM Top 10 (2025) coverage on AI surfaces

Standards & frameworks

Aligned to the regulations that matter.

OWASP Top 10 (2021) + API Security Top 10 (2023)

OWASP ASVS V4.0 (Application Security Verification Standard)

SANS CWE Top 25

NIST SP 800-53 (IA-5, SC-7) + NIST SP 800-115 v2 testing methodology

ISO/IEC 27001:2022 Annex A.5, A.8 + ISO/IEC 27002:2022

PCI DSS v4.0 (clauses 6.x + 8.2.6 session controls)

OWASP Top 10 for LLM Applications (2025) — for AI surfaces in scope

CERT-In empanelled submission format (for Indian regulator inputs)

RBI Master Direction on IT Governance (Nov 2023) Annex-1 (for BFSI scopes)

Methodology

How we run a WASA Audit engagement.

Interactive walkthrough — every phase clickable, every activity documented, every artefact regulator-ready.

Phase 01 of 6

Wk 1 · Threat-Modelled Scoping

4 activities

Architecture review and trust-boundary mapping with CTO + AppSec lead
Authorisation matrix discovery role-by-role (tenant / role / api-key / admin)
Sensitive-data flow inventory (PII, PHI, payment, regulated-financial-data)
Engagement letter with production safe-harbour + rules of engagement

01
Wk 1 · Threat-Modelled Scoping
- Architecture review and trust-boundary mapping with CTO + AppSec lead
- Authorisation matrix discovery role-by-role (tenant / role / api-key / admin)
- Sensitive-data flow inventory (PII, PHI, payment, regulated-financial-data)
- Engagement letter with production safe-harbour + rules of engagement
02
Wk 2 · AI-Augmented Recon & DAST Baseline
- Authenticated and unauthenticated surface map (Burp Pro, Caido, Nuclei)
- Misconfiguration, exposed-endpoint, insecure-header, CORS gap discovery
- Known-CVE / dependency-vulnerability triage against the deployed stack
- Dynamic attack-surface mapping for the manual phase to chain into
03
Wk 3 · Manual Context-Aware Testing
- Authentication & session — brute-force, MFA flow tampering, session fixation, token replay, refresh-token rotation, JWT algorithm confusion
- Access control — broken object-level access (BOLA), IDOR chaining, tenant-bleed, SCIM impersonation, role-misassignment
- API behaviour — fuzzing, parameter pollution, endpoint over-exposure, rate-limit bypass
- Business logic — order manipulation, unauthorised workflow branching, billing abuse, design-flaw exploitation
- Error & info leakage — debug-trace exposure, verbose error handling, stack metadata in UI responses
04
Wk 4 · Chained Exploit Modelling
- Combine low-severity findings into compound exploit narratives (account takeover, privilege escalation, data leakage)
- Map each chain to MITRE ATT&CK techniques where applicable
- Validate proof-of-exploit with reproducible curl / Burp .req / Python harness
- Tie every finding to the threat-model output and the framework control it violates
05
Wk 5 · RFP-Ready Reporting
- Executive summary in buyer-readable language (InfoSec + procurement)
- Framework crosswalk per finding (OWASP, ASVS, SANS CWE Top 25, ISO 27001 Annex A, PCI DSS)
- CERT-In empanelled format + RBI Master Direction Annex-1 mapping where Indian scope applies
- Vendor-pack annex for customer-security-questionnaire attachment (CAIQ, SIG, Shared Assessments)
06
Wk 6 · Remediation & Validation
- 60-day re-test of every Critical and High finding at no extra cost
- Updated severity scoring with clean validation output per finding
- Engineer-readable remediation guidance with reproducible repros
- Risk-register sync to the customer's GRC tool (Archer / ServiceNow IRM / Vanta / Drata)

Deliverables

Everything you need to satisfy auditors.

WASA report with framework-mapped findings (OWASP Top 10, ASVS V4.0, SANS CWE Top 25, ISO 27001 Annex A, PCI DSS)
Reproducible exploit code (curl / Burp .req / Python) per High and Critical finding
Chained-exploit narrative with MITRE ATT&CK technique mapping
Threat-model output document — architecture, trust boundaries, authorisation matrix
CERT-In empanelled submission-format report for Indian regulator scope
Vendor-pack annex for enterprise procurement (CAIQ, SIG, Shared Assessments) attachment
60-day re-test of every Critical and High at no extra cost
Post-engagement risk-register sync to GRC tool (Archer / ServiceNow IRM / Vanta / Drata)

Recent engagements

Series-D B2B SaaS (US-Fortune-500 enterprise customer base)

Annual WASA tied to next SOC 2 Type II audit + customer-procurement evidence pack

Outcome: 23 chained-exploit findings closed pre-disclosure; report shipped as vendor-pack annex for 18 enterprise RFPs over the next 12 months; SOC 2 Type II audit cleared with zero AppSec findings carried forward.

RBI PA-PG licensee (Sector 18, Noida)

WASA + CERT-In submission-format report + RBI Master Direction Annex-1 crosswalk

Outcome: Three settlement-flow abuse paths closed pre-disclosure; one indirect-prompt-injection-via-RAG path on the AI customer-service assistant closed; RBI DPSS thematic review cleared with zero clarifications.

Healthtech SaaS (US-PHI, India-built)

WASA + HIPAA Security Rule §164.308–312 evidence + DPDP §16 cross-border-transfer attestation

Outcome: Three SCIM impersonation paths closed; HIPAA evidence pack accepted by two US-customer compliance functions on first read; DPDP §16 attestation accepted by sponsor DPO.

At a glance

The shape of a WASA Audit engagement.

Every number below is grounded in how Macksofy actually runs the engagement — not aspirational marketing copy.

Methodology phases

Documented activities

Auditor-ready deliverables

0 day

Day retest window

Audit pillars

What we actually examine.

Each pillar is a distinct workstream inside the engagement — scoped, evidenced, and signed off independently before the audit pack is assembled.

Coverage breakdown

Authentication & session integrity3 pts
Access control & multi-tenant authz3 pts
API behaviour3 pts
Business logic3 pts
Error & info leakage3 pts
AI / LLM application surface3 pts

Pillar 01

Authentication & session integrity

Where most procurement-questionnaire callouts originate — auth flows, MFA tampering, session lifecycle.

Brute-force resistance, MFA flow tampering, credential stuffing
Session fixation, token replay, refresh-token rotation
JWT algorithm confusion, audience-claim handling, PKCE enforcement

Pillar 02

Access control & multi-tenant authz

Broken Object Level Authorisation (BOLA) remains OWASP API Top 10 #1 — exercised role-by-role.

BOLA + IDOR chaining across every role boundary
Tenant-bleed and shared-store impersonation
SCIM impersonation paths in enterprise-customer-driven SaaS

Pillar 03

API behaviour

Modern web apps are API surfaces — fuzzing, rate-limit and endpoint over-exposure are first-class scope.

Input fuzzing, parameter pollution, mass-assignment
Endpoint over-exposure and shadow-API discovery
Rate-limit bypass and abuse-case testing on partner-API trust chains

Pillar 04

Business logic

The flaws automation cannot find — design-level abuse paths tied to real business impact.

Order / billing / workflow manipulation
Unauthorised workflow branching and state-machine abuse
Privilege escalation through legitimate-looking sequences

Pillar 05

Error & info leakage

Verbose errors and stack traces hand attackers the exploit blueprint — removed at source.

Debug / verbose error suppression at the application boundary
Stack-metadata and tech-stack-disclosure removal
Header hygiene (HSTS, CSP, X-Frame-Options, X-Content-Type-Options)

Pillar 06

AI / LLM application surface

OWASP Top 10 for LLM Applications (2025) coverage on any AI feature in scope.

Direct + indirect prompt-injection (via RAG corpus or upstream customer data)
Tool-use abuse on agent reasoning
Training-data exfiltration via inference-API probing

Engagement timeline

From kick-off to regulator-ready report.

The horizontal flow below shows the typical week-by-week shape of a WASA Audit engagement. Click any station for detail in the methodology section above.

Week 1

Wk 1 · Threat-Modelled Scoping

Week 2

Wk 2 · AI-Augmented Recon & DAST Baseline

Week 3

Wk 3 · Manual Context-Aware Testing

Week 4

Wk 4 · Chained Exploit Modelling

Week 5

Wk 5 · RFP-Ready Reporting

Week 6

Wk 6 · Remediation & Validation

What clients say · Trusted India + UAE

Rated 4.9 ★ from 612 client reviews.

CERT-In Empanelled

Govt of India · MeitY

EC-Council ATC

Authorized Training

ISO 27001 Certified

Info Security Mgmt

“We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.”

Aisha Khan

Information Security Manager · Listed Fintech · BKC, Mumbai

“The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.”

Inspector K. Joshi

Cyber Cell · Maharashtra Police · Mumbai

“Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.”

Vivek Iyer

DevSecOps Lead · Healthcare SaaS · Hyderabad

Read all 612 reviews on Google →

FAQ

Things compliance leads ask before signing.

A pentest is scoped to break things — it answers 'can this be exploited?'. WASA is scoped to evaluate design integrity and control coverage — it answers 'why was this possible, what trust assumptions broke, and what else does this expose?'. WASA is broader, context-aware, framework-mapped and produces RFP-ready output. Most Macksofy buyers run both annually — pentest for the audit committee's adversary-realism question, WASA for the procurement-and-compliance evidence cycle.

Other audit engagements

Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.

CERT-In Empanelled

Information Security Auditor · India

CERT-In Empanelled
EC-Council ATC · CompTIA Authorized
20,000+ professionals trained
India + UAE engagements

WASA — Web Application Security Assessment

Compliance is leverage, not paperwork.

Aligned to the regulations that matter.

How we run a WASA Audit engagement.

Wk 1 · Threat-Modelled Scoping

Everything you need to satisfy auditors.

Annual WASA tied to next SOC 2 Type II audit + customer-procurement evidence pack

WASA + CERT-In submission-format report + RBI Master Direction Annex-1 crosswalk

WASA + HIPAA Security Rule §164.308–312 evidence + DPDP §16 cross-border-transfer attestation

The shape of a WASA Audit engagement.

What we actually examine.

From kick-off to regulator-ready report.

Rated 4.9 ★ from 612 client reviews.

Things compliance leads ask before signing.

Cybersecurity Audit Services

Compliance & Regulatory Audits

Cybersecurity Risk Assessment

Get a fixed-price proposal in 48 hours.