VAPT & Security Posture Overhaul for a BFSI Institution
47 critical findings identified, remediated and documented in six weeks
Key outcomes
- Critical vulnerabilities identified: 47
- Critical findings remediated: 100%
- Full assessment-to-remediation cycle: 6 weeks
- Regulatory audit result: Clean
A mid-size BFSI institution needed a thorough vulnerability assessment and penetration test ahead of a regulatory audit. We conducted a full-scope VAPT across their production stack, identified 47 critical findings and worked alongside their internal team to remediate every one before the audit window.
The institution had not undergone a formal VAPT in over two years. With a CERT-In aligned regulatory audit approaching, they needed both assessment and remediation — and they needed it done fast. Internal security capacity was limited.
How we tackled it, step by step.
- Scoped the engagement across web applications, APIs, network infrastructure, cloud configuration and internal systems
- Ran black-box, grey-box and white-box testing phases in parallel to maximise coverage
- Documented all findings with severity ratings (CVSS), evidence screenshots and step-by-step reproduction
- Ran a prioritised remediation sprint with the client's internal engineering team on all critical and high findings
- Conducted a re-test across all 47 critical and 23 high findings to verify remediation
- Delivered a board-ready summary report and CERT-In aligned technical report for the regulatory submission
Outcomes that speak for themselves.
Clean audit result, first time in three years. The team moved fast and explained every finding in plain language our board could understand.