Penetration Testing Services in India & UAE.
Goal-oriented penetration testing across infrastructure, web, mobile, cloud and Active Directory. We chain low-severity findings into business-impacting compromises — and deliver a report your engineering team can actually fix.
Seven phases. No shortcuts.
The Penetration Testing Execution Standard, executed end-to-end. Every Macksofy engagement runs the same seven-phase protocol regardless of scope.
- 01 · PTES · Phase 01 of 07
Pre-engagement
Scope, authorize and classify crown-jewel assets before a single packet flies.
- Mutual NDA + scoping
- Rules of engagement (RoE), authorization letter
- Crown-jewel asset identification
1–2 days · Output · Signed SOW + RoE
- 02 · PTES · Phase 02 of 07
Intelligence gathering
Active and passive reconnaissance to map every asset an attacker would see.
- Active + passive recon (OSINT, ASN, DNS, certificate transparency)
- Attack surface mapping
- Technology stack fingerprinting
2–3 days · Output · Attack-surface map
- 03 · PTES · Phase 03 of 07
Threat modeling
STRIDE-style decomposition that prioritises the attack paths your industry actually faces.
- STRIDE / PASTA-style threat decomposition
- Attacker profiles aligned to your industry threat actors
- Prioritized attack paths
1 day · Output · Attack-path priority matrix
- 04 · PTES · Phase 04 of 07
Vulnerability analysis
Authenticated + unauthenticated scanning paired with manual review where it matters.
- Authenticated + unauthenticated scanning (Nessus, Nuclei)
- Manual code/config review where in-scope
- Credential weakness assessment
3–5 days · Output · Triaged vulnerability backlog
- 05 · PTES · Phase 05 of 07
Exploitation
Manual exploitation chains and custom payloads — never just a Nessus report with a logo.
- Manual exploitation chains (we don't ship Nessus reports)
- Custom payloads where commercial tooling fails
- Validated impact, not theoretical CVSS
4–7 days · Output · Exploited findings with PoCs
- 06 · PTES · Phase 06 of 07
Post-exploitation
Privilege escalation, lateral movement, AD compromise paths — what would a real adversary do next?
- Privilege escalation, lateral movement
- AD compromise paths via BloodHound
- Sensitive data access demonstration
2–3 days · Output · Lateral-movement evidence
- 07 · PTES · Phase 07 of 07
Reporting & retest
Board-ready executive summary plus developer-friendly remediation, with a free 30-day retest.
- Executive summary for the board
- Technical detail with PoC for each finding
- Free retest within 30 days of remediation
3–5 days + retest · Output · Executive + technical report
Scanners cover ~30% of real-world attacks.
The remaining 70% — BOLA, JWT alg confusion, OAuth flow hijacks, race conditions, business-logic bypass, kerberoastable accounts, ACL misconfig — requires human consultants. Macksofy weights manual testing heavily.
- Quantify real risk before regulators or attackers do
- Satisfy CERT-In, RBI System Audit, SEBI CSCRF and ISO 27001 requirements
- De-risk product launches and M&A due diligence
- Train your blue team via a free purple-team handoff
What we found. What it cost the attacker.
Finding · Chained BOLA + JWT alg=none → full customer PII exfiltration capability
Impact · Critical — all customer balances + KYC accessible by any logged-in user
Finding · Kerberoastable service account → DA in 4 hours via NoPac (CVE-2021-42278)
Impact · Domain Admin compromise simulated and contained inside red-cell window
Finding · API key in shared_prefs + insecure deeplink → account takeover at scale
Impact · Critical — pre-prod fix shipped before public release
Tools we trust. And tools we built ourselves.
Burp, Nmap, BloodHound, Impacket — the open-source canon every senior pentester reaches for first. We use them because they’re battle-tested, and because the operators on your engagement have spent thousands of hours inside each one.
But every now and then we hit a wall the commercial tools can’t break through — and when that happens, we don’t shrug. We write the Burp extension, the recon helper, the AD primitive that gets us past it. Years of that work adds up. Your engagement gets all of it.
One engagement. Eight frameworks.
Information security audit empanelled by Indian CERT
RBI Cyber Security Framework + System Audit Reports
Cybersecurity & Cyber Resilience Framework for capital markets
ISMS implementation, internal audit and certification support
Payment card industry — ASV scans, internal audit, pentest
Article 32 controls, DPIA, data flow mapping
Healthcare data protection (relevant for India + UAE health-tech)
UAE National Electronic Security Authority compliance
Rated 4.9 ★ from 612 client reviews.
“We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.”
“The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.”
“Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.”
Things people ask before signing.
Get a fixed-price proposal in 48 hours.
Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.
- CERT-In Empanelled
- EC-Council ATC · CompTIA Authorized
- 20,000+ professionals trained
- India + UAE engagements
