Kavach by ZynoSec — A Platform Walkthrough for First-Time Buyers

If a vendor has pitched you “Kavach by ZynoSec” recently and you’re trying to figure out what it actually is under the marketing, this is the walkthrough. No slide decks. Just a plain description of the five parts, how they fit, how you’d deploy it, what the first week looks like, and the questions to ask before buying.

Kavach is our offensive security platform, built in India for Indian and APAC enterprises. Data-residency, regulatory, and language coverage are assumed from day one rather than bolted on. Five agents, each named for a function. Humans sign every customer-facing finding. Below is the detail.

The five pillars at a glance

Sentinel — agentic AI pentest

Sentinel is the always-on penetration-testing engine. Under the hood it’s four coordinating agents — recon, exploit, validate, report — running 24/7 against the scope you define. Findings go through a human validator on our team before they reach you. Integrations push signed findings into Jira, GitHub, or Slack. CERT-In reporting obligations are covered in the report format.

Hive — bug bounty, built for India

Hive is the crowdsourced discovery layer. Researchers submit findings; AI handles deduplication and first-pass severity; a human arbitrator makes the final call. Payouts go out on UPI within 48 hours of accepted findings. Researcher onboarding is available in regional languages — we’re not asking a college student in Madurai to figure out English legal terms before they can earn.

Compass — compliance mapping

Compass is the compliance brain. Findings from Sentinel and Hive auto-map to the clauses you care about: DPDP, RBI Cyber Security Framework, SEBI CSCRF, CERT-In’s 6-hour incident reporting, ISO 27001, SOC 2, PCI DSS v4, HIPAA, GDPR, IRDAI, PFRDA. One finding, multiple clause tags, one evidence trail.

Recon — attack-surface intelligence

Recon is the external-surface mapping agent. It pulls from 40+ data sources, builds an exploit-chain graph (not just a flat inventory), and shows change diffs at roughly 60-minute intervals. If a new subdomain appears, a cert rotates, or a port opens, Recon sees it within the hour. DPDP tagging flags exposed PII automatically. Recon ships as SaaS, as a VPC-deployed service, or air-gapped on-prem for customers who can’t let external traffic leave the boundary.

Mirror — security awareness that speaks your languages

Mirror is the human-layer agent — phishing, vishing, and deepfake drills in Hindi, Marathi, Tamil, and Telugu at launch, with Kannada, Malayalam, Bengali, and Gujarati in the phase-two queue. Deepfake voice synthesis for vishing. Devanagari homoglyph brand impersonation for Paytm, SBI, and UPI clones. UPI-specific scam templates. Integrations with AD, Okta, Google Workspace, M365, SAP, Slack, Teams, WhatsApp, SMS gateways, LearnDash, and Moodle.

How they fit together

The interesting part of Kavach is how the agents hand off to each other without the customer re-keying data.

  1. Recon finds the asset. A new subdomain appears. Recon classifies it, tags any exposed PII per DPDP, notes the change.
  2. Sentinel pentests it. Within your rules-of-engagement, Sentinel’s recon agent probes, the exploit agent hypothesizes chains, the validate agent checks them, and the report agent drafts the finding.
  3. Hive adds crowdsourced discovery. Researchers hunt in parallel. A researcher finds something Sentinel missed — or vice versa — and dedup keeps the queue clean.
  4. Compass maps findings to clauses. Every confirmed finding is tagged with the regulatory controls it touches. The audit pack writes itself.
  5. Mirror trains the humans. If a finding points at weak MFA, Mirror’s next drill for that department is calibrated accordingly.

The loop is circular. A Mirror-caught credential-reuse event can push a new asset into Recon’s watch list. Everything talks through one data model.

Deployment — three modes, three audiences

Not every customer has the same data-residency constraint, so Kavach ships three ways.

SaaS

The default. Sign up, configure scope, start. Best for SaaS-native companies and enterprises without hard residency constraints. Customer data stays within Indian region boundaries.

Cloud-deployed in your VPC

We deploy Kavach inside your AWS, Azure, or GCP account. Your data never leaves your cloud boundary. Best for BFSI and insurance customers where the auditor asks “does this vendor hold our data outside our VPC?” and the acceptable answer is “no.”

Air-gapped on-prem

For government, defence, and critical infrastructure — organisations that cannot let a packet reach the internet. Kavach ships as an on-prem appliance with signed update bundles. Sentinel, Recon, and Compass work in this mode; Hive’s researcher marketplace doesn’t, for obvious reasons, so air-gapped customers run closed-roster programs.

A realistic onboarding week

Vendors like to promise “deployed in hours.” That’s true for a throwaway demo. For a real customer, here’s what the first week actually looks like.

Day 0 — kickoff

A 90-minute call with your security lead, DPO if you have one, and the business-unit owner whose assets you want in scope first. We cover objectives (what does “good” look like in 90 days), scope boundaries, rules-of-engagement, and how findings will route into your existing Jira or GitHub. You leave the call with a signed scope document.

Day 1–2 — Recon intake and scope confirmation

Recon goes live against the domains and cloud accounts you’ve authorized. By end of Day 2 you have an asset inventory that’s usually 15–25% bigger than your existing one. Every asset is tagged with owner, environment, and PII classification. You’ll reject some of them — “that’s a shadow-IT asset we didn’t know about; we’re decommissioning it” — and confirm the rest.

Day 3 — Sentinel begins

With scope confirmed, Sentinel starts. First pass is shallow — reachability, fingerprinting, low-risk probing — so nothing breaks in production. Your team sees the scope, sees what’s being touched, and has the kill switch.

Day 4–5 — first findings

Initial candidate findings surface. The validator team picks them up, reproduces them, writes them up, and signs. By Day 5 you typically have 3–10 signed findings in Jira, with a much larger pipeline of lower-severity items still in validation.

End-of-week review

A 60-minute review: what we found, what surprised us, what needs scope adjustment, what the first Compass compliance mapping looks like. We agree on the next two weeks’ cadence. Mirror pilots are typically scheduled here — usually one business unit, one language to start.

No enterprise onboarding finishes in a week. What finishes is the baseline: surface mapped, Sentinel running, first real findings being worked, compliance layer connected. The rest is the ongoing cycle.

What the operator console looks like

Four views matter to most customers:

  • Findings queue. Every confirmed finding, with severity, validator signature, affected asset, status, and linked Jira ticket.
  • Evidence pane. Request/response traces, screenshots, PoC payload, and validator notes for any given finding.
  • Compliance dashboard. A clause-by-clause view across the frameworks you’ve subscribed to — DPDP, RBI Cyber, SOC 2, and so on — with current status and linked evidence.
  • Asset map. Recon’s live picture of your surface, with change history and exploit-chain overlays.

Who uses what

Kavach is not a single-user tool. Different roles live in different modules:

  • AppSec leads live in Sentinel and Hive. That’s where findings originate and where they work.
  • Compliance and risk leads live in Compass. That’s where the audit trail is.
  • Security operators and threat-intel teams live in Recon. That’s the external-surface weather.
  • L&D, HR, and security-awareness owners live in Mirror. That’s the human-training layer.
  • CISOs have a roll-up view across all of them, usually checked at the start and end of each week.

Pre-procurement questions that matter most

If you’re about to run a serious evaluation, the questions that separate good platforms from demo-only platforms are:

  1. Data residency. Where is my data stored? Can you prove it stays in-region?
  2. Validator count and accreditation. How many human validators are on staff? What’s the minimum certification? Who signs my findings?
  3. Integration list. Which of my existing systems — Jira, GitHub, Slack, Okta, AD, M365, my LMS — does the platform actually integrate with today, not on the roadmap?
  4. Deployment flexibility. Can you run in my VPC? Air-gapped? What changes between modes?
  5. Exit and data portability. If we leave, how do we get our findings, evidence, and compliance history out?

Answers to those five questions tell you nearly everything about whether a platform can survive the next three years with you.

When you’re ready for a working session rather than a demo, we’ll walk through Kavach against your actual attack surface — with your DPO in the room, your compliance lead watching Compass, and your AppSec lead seeing the first real findings come through. That’s the evaluation that tells you whether this is a fit.