Since 2008 — CERT-In empanelled auditor with deep capital markets experience

NSE Trading Member VAPT: Comply with NSE/INSP/70471 and SEBI CSCRF Requirements

NSE requires all trading members to submit VAPT reports under the SEBI Cyber Security and Cyber Resilience Framework. Security Brigade, CERT-In empanelled since 2008, delivers submission-ready VAPT reports aligned to NSE/INSP/70471 requirements.

NSE/INSP/70471: Sep 2025 Circular
Jun 30, 2026: VAPT Due Date
Since 2008: CERT-In Empanelled
10 Areas: VAPT Scope Coverage

NSE circular NSE/INSP/70471 dated September 26, 2025 mandates all trading members to submit comprehensive VAPT reports for FY 2025-26. The circular enforces SEBI CSCRF compliance with strict yearly and half-yearly deadlines, detailed scope requirements across infrastructure, applications, APIs, cloud, WiFi, and mobile, and specific reporting formats under Annexure 2 and auditor norms under Annexure 3. Non-compliance puts your trading membership, reputation, and client trust at risk. Not sure which CSCRF tier your firm falls under? Run our self-service SEBI CSCRF compliance wizard to determine your classification, obligations, and prioritised gaps. Security Brigade has helped 370+ BFSI clients navigate complex compliance requirements with technically rigorous, regulator-ready VAPT reports.

Trusted by India's leading enterprises

ICICI Bank
NPCI
HDFC
Mahindra
Aditya Birla
PhonePe
Pernod Ricard
Swiggy
Asian Paints
Yes Bank
Tata Play
Larsen & Toubro
Voltas
DHL Express
Etihad Airways
Amazon Pay
Go Digit
Pharmeasy
BillDesk
Jubilant Foods
UltraTech
Titan
Infosys
Capgemini
Groww
Sephora

STEP 01

Assess

We scope your trading infrastructure, applications, APIs, cloud, WiFi, and mobile systems against the full SEBI CSCRF VAPT requirements. Asset inventory, architecture review, and test planning are completed before testing begins.

STEP 02

Test and Remediate

Our team executes the complete VAPT scope including infrastructure VA, application VA, external PT, WiFi assessment, API testing, mobile app testing, cloud security review, and configuration audit. Findings are tracked in Lemon with remediation guidance and closure validation.

STEP 03

Report and Submit

We deliver the final VAPT report in Annexure 2 format, ready for submission to NSE. The report includes all findings, remediation status, ATR details, and compliance attestation from a CERT-In empanelled auditor meeting Annexure 3 norms.

What Is NSE Trading Member VAPT Under SEBI CSCRF?

NSE Trading Member VAPT is a mandatory cybersecurity assessment required under SEBI's Cyber Security and Cyber Resilience Framework. NSE circular NSE/INSP/70471 requires all trading members to conduct comprehensive Vulnerability Assessment and Penetration Testing of their IT infrastructure, applications, and systems and submit reports in prescribed formats to NSE within specified deadlines.

Who Needs to Comply and What Does NSE VAPT Cover?

Every NSE trading member must comply. The scope is comprehensive and covers your entire IT and cybersecurity environment.

Infrastructure Vulnerability Assessment

Assessment of servers, firewalls, routers, switches, endpoints, and network devices for known vulnerabilities and misconfigurations.

Application Vulnerability Assessment

Security review of trading platforms.

External Penetration Testing

Simulated attacks against internet-facing systems to identify exploitable vulnerabilities before real attackers do.

WiFi Security Assessment

Assessment of wireless networks at office, branch, and data center locations for unauthorized access, rogue APs, and encryption weaknesses.

API Security Testing

Testing of trading APIs, market data feeds, client-facing APIs, and internal integrations for authentication, authorization, and data exposure issues.

Mobile Application Testing

Security assessment of mobile trading apps.

Cloud Security Review

Assessment of cloud infrastructure, storage, access controls, and configurations for cloud-hosted trading and business systems.

Configuration Audit

Review of OS, database, application server, and network device configurations against security benchmarks and hardening standards.

Network Segmentation Testing

Validation of network segmentation controls to ensure trading systems, back-office networks, and internet-facing services are properly isolated per SEBI CSCRF requirements.

Methodology

6 stages. Audit-ready results.

Every engagement follows this process through Lemon, our proprietary audit management platform.

Security Brigade does not treat NSE VAPT as a checkbox exercise. Our methodology combines SEBI CSCRF compliance requirements with genuine cybersecurity depth, ensuring your report satisfies NSE submission criteria while identifying vulnerabilities that actually matter. Every engagement follows a repeatable, auditable process managed through our Lemon platform for full traceability. Our testing methodology aligns with the standards referenced in SEBI CSCRF Annexure 1: NIST SP 800-115, OWASP Testing Guide, OSSTMM, PCI-DSS standards, ISO 27001, and CERT-In guidelines.

Discovery
01

Scoping and Asset Discovery

We inventory all in-scope systems: trading platforms, back-office applications, APIs, market data feeds, mobile apps, cloud infrastructure, WiFi networks, and network devices. Architecture and data-flow documentation is created.

02

Infrastructure Vulnerability Assessment

Automated and manual assessment of servers, network devices, firewalls, endpoints, and infrastructure components. Findings are classified by severity with exploitation context.

Testing
03

Application, API, and Mobile Testing

Deep application security testing of trading apps, client portals, internal tools, APIs, and mobile applications using B-52 AI-assisted testing framework. Business logic and transaction flow testing included.

04

External PT, WiFi, Cloud, and Config Audit

External penetration testing against internet-facing perimeter, WiFi security assessment, cloud configuration review, and configuration audit of OS, databases, and application servers.

Delivery
05

Remediation Support and Closure Validation

Findings are tracked in Lemon with remediation guidance. We validate fixes and confirm closure before report finalization. Practical guidance is provided to your IT and DevOps teams.

06

Report Finalization and NSE Submission Support

Final VAPT report prepared in Annexure 2 format. Executive summary, technical findings, remediation status, and ATR details are included. L1/L2/L3 quality review before delivery. Note: the NSE submission portal is expected to be detailed in a forthcoming NSE circular; Security Brigade will update reporting formats as portal requirements are published.

"We swap auditors every two years as policy. Security Brigade is the only firm we've kept continuously since 2016. The difference is Lemon — every engagement follows the same methodology, every finding gets three-layer review, and our RBI auditors have never questioned a report. That kind of consistency across 300+ annual assessments is rare."
CISO, Top-3 Indian Bank
Chief Information Security Officer


The Platform

Powered by Lemon

Most firms rely on individual tester skill. We built a platform that makes quality structural — informed by 6,700+ previous assessments.

Lemon project dashboard (PRJ-2847, Coverage Validation for acmecorp.com): 94% covered. Endpoints 247 / 263; Parameters 1,847; Auth Flows 12 / 12; JS Routes 38 / 41. AI flagged 3 undiscovered endpoints: /api/v2/admin/export, /api/v2/billing/webhook, /internal/healthcheck. Review status: L1 Complete, L2 In Review, L3 Pending.

Centralized Evidence and Findings

All VAPT findings, evidence, screenshots, and remediation notes are stored in one platform with full audit trail.

Remediation Workflow

Each finding is assigned to owners with severity, target date, and closure criteria. Teams track progress without spreadsheets.

Closure Validation

Security Brigade validates each fix in Lemon before marking it closed, ensuring your ATR reflects genuine remediation.

Compliance-Ready

Audit-ready reporting for every framework

As a CERT-In empanelled firm, our reports are accepted by Indian regulators and meet global framework requirements.

Yearly VAPT Report
All trading members must submit the comp
Yearly Action Taken Report
The ATR documenting remediation of VAPT
Half-Yearly VAPT (QSBs, Protected Systems, CII)
Qualified Stock Brokers (QSBs), NCIIPC-d
Annexure 2 Reporting Format
VAPT reports must follow the prescribed
Annexure 3 Auditor Norms
The VAPT must be conducted by auditors m

Industries

700+ clients across verticals

Every type of application architecture and business logic pattern — tested.

BFSI: ICICI Bank, HDFC, Yes Bank, UTI MF, Edelweiss
Fintech & Payments: PhonePe, Amazon Pay, Groww, BillDesk
Manufacturing: Mahindra, Asian Paints, L&T, Hindalco
Retail & Consumer: Swiggy, Sephora, Pernod Ricard, Jubilant
Aviation & Logistics: Etihad Airways, DHL Express, Shadowfax
Healthcare: CloudNine, Pharmeasy, Wave Health

Quality Assurance

L1/L2/L3 Quality Review for Every VAPT Report

Your NSE submission is only as good as the report behind it. We ensure every report meets the highest quality standards.

Every VAPT report delivered by Security Brigade goes through a three-tier quality review process before it reaches you. This is critical for NSE VAPT submissions because a poorly structured or incomplete report can trigger NSE queries, rejection, or re-submission requirements. Our quality process ensures that the report is technically accurate, complete against the full SEBI CSCRF VAPT scope, formatted per Annexure 2, and defensible under regulatory scrutiny.

L1: Technical Accuracy Review

Senior security analyst verifies every finding for accuracy, reproducibility, evidence quality, risk classification, and remediation guidance.

L2: Scope and Compliance Completeness

Your dedicated engagement lead validates that every Annexure 2 checklist item is addressed before the report reaches you. Each finding is reviewed against the full VAPT scope and SEBI CSCRF mapping.

L3: Final Sign-Off

Senior management reviews the report for regulatory defensibility, executive summary quality, and overall submission readiness before delivery.

Deliverables

What you get

Reports for two audiences — executives who need the risk picture, and developers who need to fix the issues. With code-level guidance, not vague advice.

VAPT Report in Annexure 2 Format

The primary submission document following the prescribed NSE reporting format with scope, methodology, findings, risk ratings, and compliance status.

Executive Summary

Board and management-ready summary of VAPT findings, risk posture, key observations, and recommended priorities for leadership review.

Technical Findings Report

Detailed findings with proof of concept, exploitation evidence, screenshots, impact assessment, and step-by-step remediation guidance for each vulnerability.

Remediation Tracker

Structured tracker with owner assignment, severity classification, target closure date, current status, and validation evidence managed through Lemon.

Action Taken Report Template

Pre-structured ATR template aligned to your VAPT findings, ready for completion and submission by the November 30 deadline.

Closure Validation Report

Post-remediation revalidation report confirming that critical and high-severity findings have been addressed and verified by Security Brigade.

Architecture and Data-Flow Diagrams

Documentation of assessed systems, network architecture, data flows, and integration points created during the scoping and assessment phases.

Auditor Compliance Attestation

Attestation from CERT-In empanelled auditor confirming the VAPT was conducted per Annexure 3 norms and covers the full SEBI CSCRF scope.

FAQ

Common questions

Can't find what you're looking for? Talk to our team.

What is NSE circular NSE/INSP/70471 and who does it apply to?
NSE circular NSE/INSP/70471 dated September 26, 2025 mandates VAPT report submission for FY 2025-26 for all NSE trading members under the SEBI Cyber Security and Cyber Resilience Framework. It applies to every stock broker registered with SEBI who holds an NSE trading membership. The circular specifies scope, timelines, reporting formats, and auditor eligibility criteria.
What is the deadline for NSE VAPT report submission in FY 2025-26?
The yearly VAPT report must be submitted to NSE by June 30, 2026 for FY 2025-26. The Action Taken Report documenting remediation must be submitted by November 30, 2026. Qualified Stock Brokers and entities with SEBI-designated protected systems must submit VAPT reports on a half-yearly basis with additional deadlines.
What does the SEBI CSCRF VAPT scope include for trading members?
The SEBI CSCRF VAPT scope covers eight testing areas: infrastructure vulnerability assessment, application vulnerability assessment, external penetration testing, WiFi security assessment, API security testing, mobile application testing, cloud security review, and configuration audit. All internet-facing and critical internal systems used for trading operations must be covered.
Does the VAPT auditor need to be CERT-In empanelled?
Yes, Annexure 3 of the NSE circular specifies auditor eligibility norms that include CERT-In empanelment. Security Brigade has been continuously CERT-In empanelled since 2008, meeting both the letter and intent of the auditor qualification requirements. The empanelment ensures that the auditor has demonstrated technical competence validated by the Government of India.
What is the difference between the VAPT report and the Action Taken Report?
The VAPT report documents the assessment scope, methodology, findings, risk ratings, and compliance observations submitted by June 30. The Action Taken Report is a follow-up submission due by November 30 that documents remediation actions taken against VAPT findings, closure evidence, and residual risk. Both must follow prescribed formats.
What is Annexure 2 format and why does it matter?
Annexure 2 is the prescribed reporting format specified by NSE for VAPT report submission. Submitting a report that does not follow Annexure 2 structure may be rejected or flagged for re-submission. Security Brigade delivers reports pre-formatted to Annexure 2 specifications so your compliance team can submit without additional reformatting.
Do Qualified Stock Brokers, Protected Systems, or CII entities have different VAPT requirements?
Yes. The NSE circular mandates half-yearly VAPT for three categories: (a) Qualified Stock Brokers (QSBs), (b) entities with NCIIPC-designated Protected Systems, and (c) Critical Information Infrastructure (CII) entities. All other trading members follow the yearly cycle. The scope remains the same but the frequency is doubled for these entities.
How long does a complete NSE VAPT engagement take?
A typical NSE VAPT engagement takes 4-6 weeks from scoping to final report delivery. This includes asset discovery, full-scope testing across all eight areas, remediation support, closure validation, and report finalization. Security Brigade recommends starting at least 8-10 weeks before the submission deadline to accommodate remediation time.
Can Security Brigade help with remediation or only testing?
Security Brigade provides practical remediation guidance for every finding, not just identification. Findings are tracked through our Lemon platform with owner assignment, severity, target dates, and closure validation. Our team provides hands-on guidance to your IT and DevOps teams on how to fix issues effectively, and revalidates fixes before finalizing the report.
What happens if we have open findings at the time of submission?
If critical or high-severity findings remain open at submission time, they must be documented in the VAPT report with a remediation plan and timeline. The ATR submission by November 30 should then demonstrate closure. However, submitting with too many open critical findings can trigger additional NSE scrutiny. Security Brigade recommends prioritizing closure of critical findings before report finalization.
What are the complete Annexure 3 auditor eligibility requirements?
Annexure 3 specifies: CERT-In empanelment, 3+ years BFSI IT audit experience (preferably Securities Market), relevant certifications (CISA, CISM, CISSP, GSNA), COBIT-aligned processes, independence (no consulting with the RE in last 2 years, no conflict of interest), and no pending SEBI cases against the auditor. Security Brigade meets all Annexure 3 norms.
I am a small stock broker without a dedicated IT or compliance team. Can Security Brigade help?
Yes. Many of our trading member clients are self-cert or small-size entities without dedicated security teams. We handle the full VAPT scope end-to-end, provide practical remediation guidance your IT staff or MSP can follow, and use Lemon to reduce coordination overhead for smaller firms.

The June 30, 2026 Deadline Is Approaching.
Start Your NSE VAPT Today.

Security Brigade delivers submission-ready VAPT reports for NSE trading members. CERT-In empanelled since 2008. 370+ BFSI clients. Lemon-backed delivery.

Typically responds within 1 business day · No commitment required

Request a Scoping Call