Ethical hacking, VAPT, and DPDP compliance for Indian businesses
SERVICE: Cybersecurity
STARTING PRICE: From ₹50,000
CORE DELIVERABLE: PTES methodology penetration testing
AGREEMENT SET: MTA-CS, MTA-NDA, MTA-DPA, MTA-ROE
Security assessments using PTES methodology. VAPT, compliance gap analysis, and incident response — with clear reporting and remediation paths.
Required for all engagements processing personal data under the DPDP Act 2023.
DELIVERY STAGES
RoE + NDA + scope definition
We define the Rules of Engagement, execute NDA/DPA, and establish precise testing scope boundaries. All stakeholders align on testing windows and emergency contacts.
OSINT, DFD, LINDDUN/STRIDE analysis
We gather open-source intelligence, create Data Flow Diagrams, and apply LINDDUN/STRIDE frameworks to identify privacy and security threat vectors affecting PII.
OWASP testing, controlled exploitation with proof-of-concept
We execute OWASP Top 10:2025 testing, perform controlled exploitation with documented proof-of-concept, and maintain detailed evidence chains for all findings.
Executive + technical reports, DPDP readiness notes, retest
We deliver executive summaries and detailed technical reports with CVSS scoring, add DPDP readiness notes where applicable, and conduct remediation retests.
Shield: Basic cyber hygiene and compliance check (₹50,000)
Guard: Full-scope audit with compliance mandate (₹1,30,000)
Fortress: Structured security review and ISO readiness support (₹2,50,000)
All prices in INR. See full pricing page for contract terms and cross-department bundles.
Service execution is gated through signed agreements, payment-linked transitions, and documented handover controls.
PTES (Penetration Testing Execution Standard) is the 7-phase methodology we follow for security assessments. It covers pre-engagement through reporting — each phase has clear deliverables. We use it because it produces thorough, documented results that clients can act on.
Under the DPDP Act 2023, MTA (as Data Processor) notifies the client within 24 hours of detecting a breach. The client then has 72 hours to report to the Data Protection Board. Our contracts spell out these roles and timelines clearly.
Gray-box (our default) gives testers limited credentials to simulate an insider threat. White-box provides full source code access for deeper analysis. Black-box starts from scratch like an external attacker. Gray-box gives the best balance of depth and cost for most engagements.
Yes. All exploitation is conducted under strictly controlled conditions with immediate cleanup. We never establish persistent backdoors, never execute denial-of-service attacks, and require explicit written approval for any action that could impact production availability. Test environments are preferred for high-risk exploits.