Macksofy Technologies
Continuous Assurance · Quarterly Cadence · Single Retainer

Annual Security Program

Bundle your pentest, VAPT, code review, configuration audits and tabletop exercises into a single 12-month program with a quarterly cadence — at a 25–35% discount to one-off pricing. Audit-evidence-ready, board-reportable, regulator-defensible.

Engagement at a glance
  • Quote SLA: 48 hours
  • Typical engagement: 5–15 working days
  • Retest: free within 30 days
  • Reporting format: CERT-In + ISO + SOC 2 ready
  • Team: 100% in-house · OSCP / OSWE / OSEP
What this actually looks like

An Annual Program engagement, in plain language.

The annual security program replaces the panic-driven one-off engagement cycle. We sit with your CISO, map the 12-month assessment plan against your regulatory deadlines (RBI System Audit, SEBI CSCRF, CERT-In, ISO 27001 surveillance, SOC 2 Type 2), and execute on a rolling quarterly cadence. Findings flow into a single risk register. Remediation gets chased between quarters. Free retests are unlimited within the contract window. Your board sees one trend chart, not 11 disconnected PDFs.

Business impact
  • 25–35% lower spend vs. one-off engagement pricing across the same scope
  • Single risk register across pentest + audit + code review + tabletop findings
  • Regulator-defensible evidence package — no last-minute scramble before audit
  • Continuous remediation chasing (we don't just hand over a PDF and disappear)
  • Quarterly board / risk-committee deck produced for you
Methodology

Phased delivery — every step documented.

How we run an Annual Program engagement, phase by phase (six phases; the first is detailed below).
1 · Annual scoping & roadmap

  • Regulatory calendar mapping (RBI · SEBI · CERT-In · ISO · SOC 2 · PCI-DSS)
  • Asset + product roadmap intake
  • 12-month assessment cadence designed jointly with your CISO
  • Risk-register baseline established
Tooling

Industry-standard + custom.

We use the same tooling top BFSI red teams operate — combined with Macksofy in-house extensions and proprietary scripts where commercial tools fall short.

Tools we operate
  • Macksofy proprietary risk-register platform
  • Tenable / Qualys / Rapid7 InsightVM (configuration audits)
  • Burp Suite Pro · Nuclei · Custom tooling (pentest cadence)
  • Semgrep · CodeQL · Snyk (code review cadence)
  • TheHive + Cortex (tabletop exercise infrastructure)
Industries served

Sectors we operate in

  • Banking & Financial Services
  • Fintech & Payments
  • Insurance & InsurTech
  • Healthcare & HealthTech
  • Government & PSU
  • SaaS & Product Companies
  • Manufacturing & Energy
Deliverables

What you get

  • 12-month assessment roadmap aligned to your regulatory calendar
  • Quarterly execution: pentest · VAPT · code review · audit · tabletop
  • Single consolidated risk register (Macksofy platform)
  • Quarterly business review + board-ready trend chart
  • Unlimited free retests within the contract window
  • Year-end auditor evidence package (CERT-In · RBI · SEBI · ISO · SOC 2)
  • Annual maturity assessment (NIST CSF + ISO 27001 alignment)
Case studies

Anonymized engagement snapshots.

Listed Insurance MNC (Mumbai BKC)

Scope · 12-month program: 4 pentests + 2 code reviews + 1 red team + 4 audits

Finding: Consolidated savings of ₹68 L vs. one-off pricing; closed 91% of High/Critical findings inside the contract window

Impact: Material — passed IRDAI System Audit + ISO 27001 surveillance with zero major non-conformities

Risk severity · High
Regulated Fintech (Bengaluru)

Scope · 12-month program for SEBI CSCRF + RBI master direction readiness

Finding: Found 3 Critical issues in pre-prod that would have triggered SEBI CSCRF non-conformity; remediated before go-live

Impact: High — avoided regulatory delay of new investment platform launch

Risk severity · Critical
12-month program — bespoke scope

One contract. Twelve months of assurance.

Annual program pricing runs ₹40 L–₹2.5 Cr per year depending on asset count, product portfolio and regulatory footprint — at a 25–35% discount vs. one-off engagement pricing. Quote within 5 working days of scoping.

What clients say · Trusted India + UAE

Rated 4.9 ★ from 612 client reviews.

  • CERT-In Empanelled · Govt of India · MeitY
  • EC-Council ATC · Authorized Training
  • ISO 27001 Certified · Info Security Mgmt
"We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade."
— Aisha Khan, Information Security Manager · Listed Fintech · BKC, Mumbai
"The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities."
— Inspector K. Joshi, Cyber Cell · Maharashtra Police · Mumbai
"Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt."
— Vivek Iyer, DevSecOps Lead · Healthcare SaaS · Hyderabad
FAQ

Things people ask before signing.

Yes — the cadence above is a template. We sit with your CISO during scoping and re-balance based on your regulatory deadlines, product roadmap and where past assessments found weaknesses. The total scope, not the exact split, is what's contracted.
Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.

CERT-In Empanelled Information Security Auditor · India
  • EC-Council ATC · CompTIA Authorized
  • 20,000+ professionals trained
  • India + UAE engagements