How VAPT Helped a Bengaluru Fintech Startup Win Their First Enterprise Banking Client

Anish Pandey · 2026-02-05 · 9 min read

FinFlow Solutions is a 28-person fintech startup in Bengaluru that builds reconciliation software for NBFCs and payment aggregators. In 2024, they had excellent product-market fit, strong references from SMB clients, and a clear enterprise pipeline — including two conversations with mid-size private banks that represented combined ARR of over ₹1.5 crore. Both deals stalled at the security review stage. The banks' IT security teams asked for a VAPT (Vulnerability Assessment and Penetration Testing) report. FinFlow did not have one. Both banks paused the evaluation. FinFlow engaged our team for a comprehensive VAPT, fixed the findings, and got their report — and within 6 months, closed ₹1.2 crore in enterprise contracts.

Why Enterprise Clients Require VAPT in India

The Reserve Bank of India's Master Direction on IT Governance (2021) requires regulated entities — banks, NBFCs, payment aggregators — to conduct security assessments of third-party software vendors before deployment. This is not optional or informal: a bank's auditors check vendor security assessments as part of the annual IT audit. If a bank deploys software from a vendor without a VAPT report, the bank itself faces RBI compliance penalties. This means that for any software company selling to Indian financial services, a VAPT report is not a nice-to-have — it is the price of admission for enterprise deals. The same requirement, with slight variations, applies to healthcare (DISHA), insurance (IRDAI IT guidelines), and listed companies (SEBI's Cyber Security framework).

What VAPT Actually Covers

Vulnerability Assessment and Penetration Testing has two distinct components. Vulnerability Assessment (VA) is a systematic scan of your application, APIs, and infrastructure to identify known weaknesses — unpatched software, misconfigured servers, weak encryption, exposed admin panels. Penetration Testing (PT) is the active exploitation of those vulnerabilities by certified ethical hackers, to determine which ones are genuinely exploitable in your specific environment and what an attacker could access if they got in. For FinFlow, the VAPT scope covered their web application, REST APIs (which the bank integrates with), the AWS infrastructure (EC2, RDS, S3 buckets), and the internal admin dashboard. The test was conducted by CERT-In empanelled security auditors — a certification required for the VAPT report to be accepted by RBI-regulated clients.

What the VAPT Found at FinFlow

The VAPT found 23 vulnerabilities across FinFlow's application and infrastructure. Three were rated Critical, eleven were High severity, and nine were Medium. The Critical findings included an exposed internal API endpoint that allowed unauthenticated access to transaction metadata (a serious finding for a financial application), an S3 bucket with public-read permissions that contained archived reconciliation reports, and an outdated version of a Node.js library with a known remote code execution vulnerability. None of these were the result of poor engineering — they were the accumulated technical debt of a startup that had prioritised feature development over security hardening. This is not unusual; it is almost universal in Series-A and earlier startups.

Remediation: What It Takes to Fix the Findings

our team's remediation team worked with FinFlow's developers over four weeks to close all Critical and High severity findings. The unauthenticated API endpoint was fixed by adding JWT authentication with role-based access control. The S3 bucket was converted to private with pre-signed URL access. The Node.js library was updated and a dependency scanning step was added to FinFlow's CI/CD pipeline to catch future vulnerable dependencies automatically. The remediation was not just fixing the specific vulnerabilities — it was putting in place the processes that prevent the same category of vulnerability from recurring: automated dependency scanning, monthly security reviews of AWS configurations, and a policy requiring security sign-off before new API endpoints go to production.

The Retesting and the Final Report

After remediation, our team's CERT-In empanelled auditors conducted a retest — verifying that all Critical and High findings had been resolved and that the fixes did not introduce new vulnerabilities. The final VAPT report was a formal document showing the original findings, the remediation steps taken, the retest results confirming closure, and the auditor's certification. This is the document the banks were asking for. FinFlow submitted it to both banks within 4 months of starting the engagement. The first bank's security review was completed in 3 weeks. The contract was signed in month 5. The second bank followed in month 6. Combined contract value: ₹1.24 crore ARR.

How Often Does VAPT Need to Be Done?

RBI guidelines require annual VAPT for regulated entities and recommend that their software vendors also undergo annual assessments. SEBI's framework requires listed companies to conduct VAPT at least annually and after any major system changes. The industry standard for serious enterprise software vendors is twice yearly — once before the peak enterprise procurement cycle (typically Q4 in India) and once mid-year. For startups at the enterprise sales stage, the first VAPT is the most important — it clears the sales pipeline. Subsequent VAPTs become lighter and faster because the foundational security architecture is already in place. We provide VAPT through CERT-In empanelled auditors, with reports formatted to meet RBI, IRDAI, SEBI, and DISHA compliance requirements.

Conclusion

VAPT is not a cost for a security-conscious startup — it is a sales enablement investment. FinFlow Solutions spent ₹4.8 lakh on their VAPT engagement (including remediation support) and closed ₹1.24 crore in contracts that had been blocked for 18 months. If your software business is losing enterprise deals at the security review stage, or if you are preparing for your first enterprise pitch to a bank, insurance company, or listed corporate, start the VAPT process now. The procurement cycle for enterprise software in regulated industries averages 4 to 6 months — the VAPT report needs to be ready before the deal reaches security review.

Topics: VAPT, Cybersecurity, Fintech, Enterprise Security, RBI Compliance, Bengaluru, CERT-In