Frequently Asked Questions

Everything you need to know about Intelliroot and our cybersecurity services.

What services does Intelliroot offer?
Intelliroot provides a full spectrum of offensive and defensive cybersecurity services across nine domains: Offensive Security, Red Team Operations, Application Security, DevSecOps, Cloud Security, OT & IoT Security, Compliance & Audit, Risk Management, and Security Operations. Our engagements range from targeted penetration tests to long-term managed security programmes.
Is Intelliroot CERT-In empanelled?
Yes. Intelliroot is empanelled by the Indian Computer Emergency Response Team (CERT-In) under the Ministry of Electronics & Information Technology, Government of India. This certification is a mandatory requirement for information security audits of critical infrastructure, government bodies, and regulated organisations in India.
How do I request an assessment or engagement?
Fill out the contact form on our website or email us at contact@intelliroot.com with a brief description of your requirements. Our team will respond within one business day to schedule a scoping call. We tailor every engagement to your environment, risk appetite, and compliance obligations.
What is the difference between a penetration test and a red team exercise?
A penetration test is a structured, time-boxed assessment of a defined scope — network, web application, mobile app, or API — with the goal of identifying and exploiting as many vulnerabilities as possible. A red team exercise simulates a realistic, goal-oriented adversary campaign (e.g. "reach the crown-jewel database without detection") to test your detection, response, and containment capabilities holistically.
What methodologies do you follow for penetration testing?
Our assessments are aligned to PTES (Penetration Testing Execution Standard), OWASP Testing Guide (web/API), NIST SP 800-115, and MITRE ATT&CK. For cloud and OT environments we additionally reference CSA CCM and ICS-CERT advisories. All findings are mapped to CVSS v3.1 severity ratings and include remediation guidance.
Do you perform social engineering and phishing simulations?
Yes. Our Red Team Operations practice includes targeted spear-phishing campaigns, vishing (voice phishing), pretexting, and physical intrusion simulations. Engagements can be run as standalone awareness exercises or as part of a full adversary simulation. All simulations are conducted under a signed rules-of-engagement document.
What types of application security testing do you provide?
We offer web application penetration testing (OWASP Top 10 + business logic), mobile application testing (iOS & Android, OWASP MASVS), API security testing (REST, GraphQL, gRPC), thick-client assessments, and secure code review. We also perform SCA (Software Composition Analysis) to identify vulnerable third-party dependencies.
Can you integrate security testing into our CI/CD pipeline?
Yes. Our DevSecOps practice embeds SAST, DAST, container image scanning, IaC security checks, and secrets detection directly into your build pipeline (GitHub Actions, GitLab CI, Jenkins, Azure DevOps). We help your team select and tune the right tooling and establish security gates without slowing development velocity.
Which compliance frameworks does Intelliroot support?
We support assessments and gap analyses across a wide range of frameworks including ISO/IEC 27001, SOC 2 Type I & II, PCI-DSS v4.0, HIPAA, GDPR, RBI/SEBI IT frameworks, DPDPA (India), NIST CSF, CIS Controls, and sector-specific mandates (IRDAI, NBFC-ICT, CERT-In). We help organisations both prepare for certification and maintain ongoing compliance.
What does a compliance audit engagement typically involve?
A typical engagement begins with a scoping and gap analysis, followed by documentation review, technical controls testing, and interviews with key stakeholders. We deliver a detailed report with a risk-prioritised remediation roadmap, evidence templates, and a management summary. We also offer re-assessment services to verify that gaps have been closed.
Do you assess cloud environments such as AWS, Azure, and GCP?
Yes. Our cloud security assessments cover configuration review, IAM privilege analysis, network segmentation, data exposure risks, container and Kubernetes security, and serverless function review across AWS, Microsoft Azure, and Google Cloud Platform. We also assess hybrid and multi-cloud architectures.
Can Intelliroot assess OT and industrial control systems without disrupting operations?
Absolutely. Our OT & IoT Security practice follows a passive-first approach — network traffic analysis, asset discovery, and protocol inspection — before any active testing, which is performed only in agreed maintenance windows. We have experience with SCADA, DCS, PLCs, and industrial IoT devices across energy, manufacturing, and critical infrastructure sectors.
What does a typical engagement look like from start to finish?
Engagements follow a five-step process: (1) Scoping & Requirements — we align on objectives, constraints, and success criteria; (2) Reconnaissance & Planning — passive and active information gathering; (3) Testing & Exploitation — hands-on assessment by certified engineers; (4) Reporting — executive summary plus detailed technical findings with CVSS scores and proof-of-concept evidence; (5) Remediation Support — debriefs, re-testing, and ongoing advisory.
Do you offer retesting after vulnerabilities are remediated?
Yes. Every engagement includes one complimentary retest of critical and high-severity findings within 30 days of report delivery. This verifies that fixes are effective and that no regressions have been introduced. Additional retest rounds are available as part of our retainer or managed security packages.
What qualifications do your security engineers hold?
Our team holds certifications including OSCP, CRTO, CRTE, CEH, CISSP, CISA, AWS Security Specialty, and GCP Professional Cloud Security Engineer. We operate under a strict code of conduct, and all engineers sign NDAs before any engagement. Every assessment is peer-reviewed before the report is delivered to the client.

Still have questions? Contact our team — we're happy to help.