Vulnerability Assessment + Penetration Testing.
VA finds the inventory of weaknesses; PT proves which ones an attacker can actually exploit. Macksofy delivers both as a single engagement, in the format Indian regulators expect.
- 48h quote SLA
- 5–15 days engagement
- 30 days free retest
- CERT-In ready format
VA finds the inventory. PT proves the impact.
A scanner can list 800 vulnerabilities in a day; an attacker only needs one to matter. We do both — then the report only shows you what mattered.
Vulnerability Assessment
Tells you everything that might be wrong.
Penetration Testing
Tells you what an attacker would actually do.
Six phases, every step documented.
Scoping & Pre-engagement
Mutual NDA · Rules of Engagement · Crown-jewel identification
Every Macksofy engagement begins with a tight scoping call. We agree on assets in/out of scope, define the Rules of Engagement, identify your crown jewels, and align on success metrics before a single packet leaves our infrastructure.
- Mutual NDA + authorization letter
- Asset inventory + scope freeze
- Crown-jewel and high-impact target identification
- Communications and emergency-contact protocol
Every asset class. Every test depth.
A VAPT scope is a 2D matrix: what we test (asset types) × how deep we test (authenticated, manual exploitation, chained). The grid shows what’s included in a Macksofy engagement.
| Asset class \ Test depth | Authenticated scan | Unauthenticated scan | Manual exploitation | Chain analysis |
|---|---|---|---|---|
| External perimeter | manual | manual | | |
| Internal network | scan | manual | manual | |
| Web app + API | manual | manual | | |
| Mobile (iOS / Android) | — | manual | manual | |
| Cloud (AWS / Azure / GCP) | scan | manual | manual | |
| Containers / IaC | scan | manual | — | |
Low + low + low is how breaches actually start.
Scanners look at findings one at a time, and one at a time most of them really do look low. Attackers don’t read reports — they chain. Three innocuous misconfigurations stitched together is how an unauthenticated foothold quietly becomes domain admin. We show you that chain, not just the CVSS list.
One engagement. Eight frameworks.
The VAPT deliverable doubles as evidence for whichever regulator is breathing down your neck this quarter.
- Information security audit empanelled by Indian CERT
- RBI Cyber Security Framework + System Audit Reports
- Cybersecurity & Cyber Resilience Framework for capital markets
- ISMS implementation, internal audit and certification support
- Payment card industry — ASV scans, internal audit, pentest
- Article 32 controls, DPIA, data flow mapping
- Healthcare data protection (relevant for India + UAE health-tech)
- UAE National Electronic Security Authority compliance
Every report card has eight axes.
CVSS isn’t enough — we attach business-impact, MITRE technique, exploit weaponisation status, fix-effort estimate and re-introduction likelihood to every High/Critical finding.
- CVE/CWE pinning
- MITRE ATT&CK technique mapping
- Validated CVSS + business risk score
- Reproduction script + screenshots
- Remediation effort estimate
- Verified-fix retest result
SSRF in image-proxy → AWS instance metadata exposure
The internal image-resize service accepts a user-controlled URL parameter, fetches it server-side, and returns the body. Pointing the URL at the EC2 metadata endpoint (169.254.169.254) returns IAM credentials with s3:* and kms:Decrypt permissions.
curl 'https://target/img-proxy?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/web-role'
{"Code":"Success","AccessKeyId":"ASIA...","SecretAccessKey":"...","Token":"..."}
- Found: Day 6 · authenticated scan + manual recon
- Validated: Day 7 · PoC executed in isolated tenant
- Reported: Day 9 · CERT-In format · risk register updated
- Re-tested: Day 21 · fix verified · closure letter issued
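To show the remediation side of this finding, here is an added example in Python; it is not code from the client's proxy or from Macksofy. It is the destination check a fetch-by-URL service such as the image-resize proxy needs before it opens a connection: only http/https on standard ports, no credentials in the URL, and every address the host resolves to must be globally routable, which rejects 169.254.169.254 and its IPv4-mapped IPv6 spelling along with RFC 1918, loopback and ULA ranges. The function and constant names (`validate_proxy_target`, `ALLOWED_PORTS`), the injectable `resolver` parameter and the hostnames and addresses in the comments are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example (not the client's proxy or Macksofy tooling): a destination
# check for a fetch-by-URL service such as the image-resize proxy above.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _default_resolver(host: str) -> list[str]:
    """Every A/AAAA answer for host (hypothetical default; inject your own)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_public(addr: str) -> bool:
    """True only for globally routable addresses. 169.254.0.0/16 (where the
    metadata endpoint lives), RFC 1918, loopback, CGNAT, ULA and link-local
    IPv6 all come back False from ipaddress's is_global."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so the IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global


def validate_proxy_target(url: str, resolver=_default_resolver) -> tuple[bool, str]:
    """Return (allowed, reason) for a client-supplied URL.

    The caller must then connect to one of the *resolved* addresses with
    redirects disabled; re-resolving at connect time or following a 302
    would let DNS rebinding or a redirect to 169.254.169.254 bypass this.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    port = port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    if _is_ip_literal(host):
        addrs = [host]
    else:
        # Non-dotted spellings (decimal, octal) are not IP literals here; they
        # reach the resolver and are judged by whatever they resolve to.
        try:
            addrs = resolver(host)
        except OSError:  # socket.gaierror is an OSError
            return False, "host does not resolve"
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if not _is_public(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"
```

The check is deliberately a deny-by-default on address class rather than a blocklist of one metadata IP, because the same proxy would otherwise reach internal services on 10.0.0.0/8 just as readily. Where the proxy only ever needs a handful of upstream CDNs, a hostname allowlist in front of this check is simpler still. Disabling IMDSv1 in favour of IMDSv2 on the instance is the complementary control on the AWS side.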
Tools we trust. And tools we built ourselves.
Nessus, Qualys, Burp Pro, Nuclei, Trivy, Checkov — the same scanners every senior BFSI red team runs first, because they catch the obvious things quickly and free our operators to chase what really matters.
But scanners only see what they were taught to see. When ours hit something a commercial tool would miss — a chained CSP bypass, a quiet SSRF inside a JSON proxy, a serverless privesc path — we don’t shrug. We write the Burp extension, the Nuclei template, the Pacu module that catches it. On your engagement you get both: the tooling everyone else runs, and the bits we built ourselves.
What lands in your inbox
- VAPT report in CERT-In submission format
- Risk register updates with CVSS + business risk score
- Findings tracked by severity, asset, owner, ETA
- Remediation guidance per CWE
- Free retest within 30 days
- Annual closure letter + Macksofy attestation
Sectors we operate in
Rated 4.9 ★ from 612 client reviews.
“We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.”
“The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.”
“Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.”
Things people ask before signing.
Get a fixed-price proposal in 48 hours.
Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.
- CERT-In Empanelled
- EC-Council ATC · CompTIA Authorized
- 20,000+ professionals trained
- India + UAE engagements
