Identity Security Platform · Volume 01 — MFA

The MFA
Positioning Playbook

The complete go-to-market reference for e91's Multi-Factor Authentication platform — the anchor product of India's first Identity Security Platform. Positioning, messaging, personas, competitive, sales plays, and marketing motions.

Product

MFA Platform

We are not selling MFA

Before we write any pitch or email, we need to be clear about what category we are competing in. Selling MFA as a commodity is a losing game — vendors fight on features and price. We are selling something different.

Commodity category · Avoid

"MFA vendor"

Sells second-factor auth as a product. Evaluated on token type count, delivery speed, UX. Race to the bottom on price.

Our category · Own

"India's Identity Security Platform"

Sells a sovereign, government-grade identity security foundation. Evaluated on compliance, deployability, and platform reach.

The strategic re-framing

Every customer conversation, every piece of content, every landing page should reinforce: "e91 ISP is India's Identity Security Platform. Today that starts with MFA. Soon it covers SSO, PAM, IGA, ZTNA."

This matters because buyers who buy "MFA" never expand — they tick a box and move on. Buyers who buy "identity security" are strategic customers who grow with us for 5+ years and have 10x lifetime value.

02 · The statement

Master positioning statement

This is the one paragraph every employee, investor, and partner should be able to recite. It's the source of truth for every downstream message.

Official positioning · Do not edit

For Indian government agencies, BFSI institutions, and critical-infrastructure enterprises who need to secure access to their systems under sovereign compliance requirements, e91 ISP is the Identity Security Platform that protects identity end-to-end — starting with a government-grade, IdP-agnostic MFA platform that deploys in cloud, on-premises, or fully air-gapped environments. Unlike Okta and CyberArk which require rip-and-replace migrations and cannot operate in air-gapped facilities, e91 plugs into your existing identity provider, ships in weeks, and is built for Indian data residency, DPDP/RBI/CERT-In compliance, and post-quantum cryptographic readiness from day one.

Who it's for

Three defensible audiences

Government & Defense — unserved by global OEMs due to air-gap requirements. Highest deal size, longest sales cycle.

BFSI — driven by RBI mandates and audit cycles. Largest market volume in India, strongest reference network.

Critical Infrastructure Enterprise — power, telecom, oil & gas, healthcare, railway. Both regulated and strategic.

What it replaces

What the customer stops doing

Password-only authentication on internal systems

Legacy hardware tokens (RSA SecurID hardware) that cost ₹2,000+ per user

SMS-only OTPs that are phishable

Fragmented MFA implementations bolted into each app separately

Dependence on global SaaS MFA that cannot clear data-residency or air-gap audits

03 · Message hierarchy

Messaging architecture

One promise at the top, four value pillars underneath, dozens of proof points at the base. Every asset in this playbook flows from this tree.

Level 1 · Brand promise (use once, memorably)

Identity security, built in India, for everywhere India works — from a cloud data center to an air-gapped defense bunker.

Level 2 · Four value pillars (use in every pitch)

Sovereign by design Every byte of identity data stays within Indian borders. DPDP, RBI, CERT-In compliance baked in, not bolted on.

Deploy anywhere Cloud, on-premises, or fully air-gapped. The only MFA platform that serves both a fintech startup and a defense installation.

Plug in, don't replace Works with Azure AD, Okta, AD, LDAP. No rip-and-replace. Ships in weeks, not quarters.

Future-proof crypto Post-quantum ready. When RBI mandates PQC, you flip a flag. Competitors need 18-month migrations.

Level 3 · Proof points (use selectively, based on what the buyer cares about)

8 token types: TOTP, HOTP, SMS, Email, Push, FIDO2, RADIUS, Registration
Air-gapped deploy: Ntfy, Gotify, SMSEagle, local KMS
SHA-256 chain-hashed tamper-proof audit log
4 KMS backends: AWS, Azure Key Vault, HashiCorp Vault, local
NIST FIPS 203, 204, 205 PQC alignment via BouncyCastle
p99 latency < 200ms, 500+ req/sec per 4-vCPU node
RBAC with Admin / Operator / Auditor / Service roles
7-year audit retention with automatic archival
RBI Cybersecurity Framework, SEBI CSCRF, IRDAI aligned
Horizontal scaling via stateless nodes
NIST SP 800-63B aligned
FIDO2 / W3C WebAuthn Level 2 certified

04 · Say it right

Elevator pitches by length

Four calibrated pitches for four different situations. Memorize all four. Never ad-lib a pitch — buyers can tell.

The 10-second pitch · For conference name tags, LinkedIn headlines 8 words

India's Identity Security Platform. Built sovereign. Deployable everywhere.

The 30-second pitch · For networking events, cold intros 60 words

We're e91. We build India's Identity Security Platform. Right now that means the country's first government-grade MFA platform — works with any IdP, deploys in air-gapped defense networks, and is post-quantum ready. It's for banks, PSUs, and anyone who can't use Okta because their data can't leave India.

The 90-second pitch · For first discovery call, investor meeting 180 words

Most Indian enterprises and government agencies have a problem: they need modern identity security — MFA, PAM, zero trust — but the global leaders like Okta and CyberArk don't work for them. Either the data has to leave India, or the deployment requires internet connectivity, or the migration timeline is 18 months.

We built e91 to solve that. Our anchor product is a multi-factor authentication platform with three differentiators: it plugs into any existing identity provider instead of replacing it, so deals close in weeks. It deploys in air-gapped environments, so defense and critical infra can use it. And it's post-quantum cryptography ready, so when RBI mandates PQC in the next 2-3 years, our customers flip a flag instead of running a migration project.

MFA is the anchor. Over the next 24 months we'll layer on SSO, PAM, IGA, and ZTNA — becoming India's complete identity security platform, built on a foundation that global OEMs cannot replicate without rearchitecting their products.

The 3-minute pitch · For customer C-level meetings Full narrative with discovery pivot

Open with a question, not a pitch:

"Before I describe what we do — can I ask: today, when a regulator asks you for evidence of multi-factor authentication on privileged systems, how many days does it take your team to produce the audit log? And does that log survive a forensic integrity check?"

[Listen. Take notes. Then:]

"The reason I ask — most Indian enterprises we meet are running MFA stitched together across Azure AD, a homegrown OTP system, and sometimes an old RSA hardware deployment. Every system has its own audit log, most aren't tamper-proof, and assembling evidence for an RBI or CERT-In audit is a fire drill.

At e91, we built India's Identity Security Platform. Our first product is an MFA platform with three properties that matter specifically for your situation: it plugs into your existing IdP — Azure AD, Okta, AD — without replacing it. It deploys in air-gapped environments, which matters if you have defense or critical infra customers. And it produces a single tamper-proof audit log that passes forensic integrity checks and maps directly to RBI, DPDP, and CERT-In requirements.

We're rolling out our first customers in BFSI and government right now. I'd love to understand whether there's a specific use case in your environment where this could matter — and whether it makes sense to do a technical deep-dive with your team."

Part 2 · Market & buyers

05 · Know your buyer

Buyer personas

Five personas matter for MFA. Each has different pain, different language, different way they want to be sold to.

Persona 01 · Economic buyer · Champion

The CISO — "Priya, Head of Information Security at a mid-size private bank"

What keeps them up at night

Board-level accountability for any breach
RBI audits, SEBI inspections, CERT-In incident reports
Proving MFA coverage across every privileged system
Budget justification and ROI for every security tool
Integrating with a zoo of legacy systems and new SaaS

What they want to hear from us

Single pane of glass for all auth events
Tamper-proof audit log that survives forensic scrutiny
Works with everything already in their stack
Clear RBI and DPDP compliance story
Deployable in 8 weeks, not 8 months

"I don't need another dashboard. I need one system I can point auditors at that tells them who logged into what, when, with what second factor, and whether anyone bypassed it."

Persona 02 · Technical buyer · Evaluator

The IAM Architect — "Rakesh, Principal Security Architect at a large enterprise"

What keeps them up at night

Making existing Azure AD / Okta / AD work with new requirements
Breaking production authentication for tens of thousands of users
API performance, availability, scalability under load
Whether the vendor's promises survive a technical evaluation
Post-deployment support and on-call response

What they want to hear from us

IdP-agnostic architecture — their IdP stays
Published OpenAPI spec, clean /validate/check contract
p99 latency, throughput numbers, reference hardware
Specific token types, crypto primitives, standards alignment
How integration works with their specific stack

"I've been burned by vendors who demo a slick UI and then can't tell me their p99 latency or how their HA works. Show me the architecture, show me the metrics, and I'll decide if I'll champion this."

Persona 03 · Compliance buyer · Audit blocker

The CRO / Compliance Head — "Meera, Chief Risk Officer at a life insurance company"

What keeps them up at night

IRDAI inspections, SEBI CSCRF audits, SOC 2 renewals
DPDP compliance deadline and consent management
Producing evidence — who accessed what, when, how
Documenting controls to match regulatory frameworks
Multi-vendor tool sprawl making evidence scattered

What they want to hear from us

Pre-mapped controls: RBI, SEBI, IRDAI, DPDP, ISO 27001
Audit export in regulator-acceptable formats
7-year retention with tamper-evident archival
Data residency guarantee — not just promise
Vendor attestation documents, SOC reports

"When the auditor asks for three months of privileged-access logs with integrity proof, I need one system to export it cleanly. Anything less and I'm writing memos instead of doing my job."

Persona 04 · Government / Defense buyer · Unique motion

The Government CIO — "Arjun, CIO at a state government directorate"

What keeps them up at night

MeitY empanelment, STQC certification compliance
Data localization as a non-negotiable
Budget cycles tied to government financial year
Dependence on foreign vendors for critical infrastructure
Aadhaar, DigiLocker, UPI integration requirements

What they want to hear from us

Made in India, not just sold in India
MeitY-empanelled, STQC-tested, CERT-In mapped
Air-gap deployability with on-site support
INR pricing, GEM portal availability
References from other gov or PSU customers

"If I buy from Okta or Microsoft and data leaks, I lose my job. If I buy from a Made-in-India vendor with MeitY empanelment and something goes wrong, at least the procurement was defensible."

Persona 05 · SI partner · Channel influencer

The SI Solution Architect — "Vikram, Cybersecurity Practice Lead at a Tier 1 SI"

What keeps them up at night

Hitting quarterly cybersecurity practice revenue targets
Being able to deliver MeitY / air-gap requirements
Margin pressure from global OEMs on large deals
Complicated implementation timelines that slip
Customer escalations from poor vendor support

What they want to hear from us

High partner margin, deal registration protection
Clean implementation playbook, fewer surprises
Joint GTM, MDF funds, case-study co-development
Training and certification for their delivery team
Indian support team reachable on WhatsApp

"I can sell Okta or CyberArk but my margin is 10-15% and the customer wanted Made-in-India anyway. Give me a product that my team can deliver and my customer feels good about — I'll close more deals than I close with global OEMs."

06 · Know your rival

Competitive positioning

Three competitor archetypes. For each, specific plays to take the deal.

Global SaaS leaders

Okta · Microsoft Entra · Duo (Cisco) How to win against them

"Your data stays in India, always."
"We deploy air-gapped. They can't."
"We plug into your IdP. They replace it."
"INR pricing. GST-native invoicing."
"Deploy in weeks, not an 18-month migration."
"Post-quantum ready today, not on roadmap."

Where they beat us

Global brand recognition
Mature admin UIs and polish
Very large partner ecosystems
Existing enterprise contracts as default choice

Indian incumbents

ARCON · eMudhra · Miniorange How to win against them

"Cloud-native architecture, not a rebadged legacy stack."
"Single platform — MFA today, IGA tomorrow, PAM next."
"Modern developer experience, clean APIs."
"Post-quantum ready by design, not retrofit."
"Air-gap is a first-class deployment mode."
"Built for scale — 500+ req/sec per node, horizontal."

Where they beat us

10+ years of installed base and references
Established relationships with SIs
Known to PSU and gov procurement teams
Already empanelled / certified

Do-it-yourself / Open source

PrivacyIDEA · Keycloak · homegrown OTP How to win against them

"You own the code — we own the compliance."
"Audit-grade log comes out of the box, not built by your team."
"KMS integration, key rotation, RBAC — not rebuilt in-house."
"Commercial support and indemnification."
"Your engineers build your product, not your auth stack."
"Vendor-ready for RBI and CERT-In questions."

Where they beat us

Zero license cost (until the total cost shows up)
Internal control perception
No procurement approval needed
Works for small teams with in-house expertise

The one-line competitive frame

Against Okta — "We do what Okta does, for the Indian enterprises Okta can't actually serve."

Against ARCON — "We do what ARCON does, with a modern architecture and a platform roadmap."

Against open source — "We are the compliance-wrapped version of what your team would otherwise build in 18 months."

07 · Handle the pushback

Objection handling

Every real objection we'll hear in the first 100 sales conversations. Internalize the answers — don't read them off a script.

"We already have MFA through Microsoft / Azure AD. Why do we need another one?"

The right answer: "You're right — Azure AD covers MFA for Microsoft apps. The problem is your RBI-audited systems aren't all Microsoft. Your core banking is on AIX. Your SWIFT terminal is Windows standalone. Your VPN is Fortinet. Your legacy apps don't speak SAML. When the auditor asks for MFA coverage across everything privileged, Azure AD only covers one slice. We give you one MFA layer that covers all of it — including the 15-year-old systems Microsoft never integrated with."

"Okta is the global leader. Why should we pick an Indian vendor?"

The right answer: "Globally, Okta is the leader. In India, that leadership comes with three problems. First, your data must leave India for their cloud — your DPDP compliance and the regulator's view of that is your call to make. Second, they cannot deploy air-gapped, so if you ever need to protect an isolated network, you need a second vendor anyway. Third, their license is in USD and their support hours are US-based. If leadership in a customer's specific context is what matters, we're the better leader — we're already deployed in scenarios where Okta structurally cannot operate. Happy to walk you through those customer references."

"You're a startup. How do we know you'll be around in 5 years?"

The right answer: "Fair question. Three things — one, our code is ours. In any escrow or source-code-in-trust arrangement, you have continuity even in a worst-case scenario. Two, our architecture runs on standard open-source components: PostgreSQL, Redis, Java, BouncyCastle. No proprietary magic you can't migrate from. Three, we're building a platform with committed capital and growing customer references — I'd rather you evaluate our trajectory than a static promise. Let me share our 36-month product and customer roadmap and you can decide whether that trajectory is credible."

"Your pricing seems high compared to X competitor."

The right answer: "Let's make sure we're comparing like for like. What's the annual cost of your current approach — including the FTEs managing the existing auth stack, the audit evidence work, and the integration effort per new system? In most deployments we replace, the internal cost of operating their existing approach is 3-5x our license fee. If you'd like, we can run a specific ROI exercise with your numbers."

"We're not ready to deploy MFA widely. Let's revisit next year."

The right answer: "Understood. Before we pause — can I ask what's driving 'next year' specifically? Often it's one of three things: RBI audit cycle timing, budget approval, or a specific integration concern. If it's integration, we can run a 4-week pilot on a single system with no commitment, so when you are ready, you have internal evidence. If it's budget, let me share how our licensing works — it may be lighter than you expect. If it's RBI cycle, we should absolutely talk before the audit lands, not after."

"We need [specific feature X] and you don't have it yet."

The right answer: "Thanks for the specificity — let me note exactly what you need. Two questions: is this a deal-blocking requirement, or a 'nice to have'? And is there a regulatory or audit requirement driving it, or is it a technical preference? If it's deal-blocking and on our near-term roadmap, we can discuss timeline commitments. If it's outside our roadmap, I'd rather tell you up-front so you don't waste your procurement team's time. Honesty is cheaper than a failed deployment."

"Can you guarantee 99.99% uptime?"

The right answer: "Our platform is designed for 99.9% uptime as a baseline. For higher SLAs, we offer HA deployment patterns with horizontal scaling, multi-region database replication, and Redis sentinel configurations. 99.99% is achievable with a specific deployment pattern — let's discuss your availability zone strategy and we can commit to contractual SLAs. I'll also share that MFA is, by design, a gate that must be up — so our availability story includes graceful degradation for TOTP/HOTP tokens even if external dependencies fail."

"We'll run a POC with three vendors including you."

The right answer: "Great — POCs are where we typically win, because we're measurably differentiated on specific axes. Two requests: first, can we co-author the evaluation criteria with your team? Generic criteria tend to favor incumbents; specific criteria surface real differences. Second, can we include at least one scenario in the POC that tests air-gap readiness, IdP-agnostic integration, or audit log integrity? Those are the places we're objectively better, and they tend to map to your actual regulatory concerns."

Part 3 · Sales playbook

08 · The motion

Sales process & stages

Five stages, clear exit criteria per stage. No deal advances without meeting the criteria. This discipline compounds over time.

STAGE 01

Qualify

Is there budget this FY?
Is security or compliance a current-year priority?
Identify CISO / CIO equivalent
Validate ICP fit (Gov, BFSI, Enterprise)
Exit: Meeting booked with buyer

STAGE 02

Discover

Run discovery (§09)
Map existing auth landscape
Identify pain, regulatory driver
Size deal: users, systems, timeline
Exit: Documented pain + quant opportunity

STAGE 03

Demo + evaluate

Run tailored demo (§10)
Engage technical team
Propose POC scope (4 weeks, 1 system)
Loop in compliance/audit stakeholder
Exit: POC signed or verbal go

STAGE 04

Prove

Deploy POC on real system
Weekly check-ins with stakeholders
Show audit log, performance, integration
Document success criteria met
Exit: Commercial proposal requested

STAGE 05

Close

Propose pricing (§11)
Legal + procurement navigation
Security & vendor risk review
Contract signature
Exit: PO received

Discipline over speed

A deal that moves from Qualify to Close in under 90 days in government or BFSI is statistically likely to fall through at procurement. Our average sales cycle will be 4-9 months. Celebrate the rigor of stage transitions, not the speed.

09 · Ask, don't pitch

Discovery questions

Three question sets by buyer type. Ask at least 5 before you make any claim about the product.

For the CISO / Economic buyer

What regulatory audits are coming up in the next 12 months — RBI, SEBI, IRDAI, CERT-In?
How many privileged systems do you have MFA on today? How many do you not?
When the board asks "are we compliant with MFA requirements for privileged access", what does your current answer look like?
What's your current MFA stack and who owns it internally?
Have you had an incident in the last 24 months where weak auth was a contributing factor?
How does your organization feel about data residency and sovereign infrastructure?
What would "success" look like for an identity security project this year?

For the IAM Architect / Technical evaluator

Walk me through your current authentication flow for a privileged admin logging into a core system.
Which IdPs are live — Azure AD, Okta, on-prem AD, LDAP? In what ratios?
What's your existing MFA — TOTP, push, hardware, SMS? How happy are users?
Which legacy apps still use password-only? Why haven't they been MFA'd?
What's your target p99 latency for an auth call?
Do you have systems that need to operate in an air-gapped or network-segmented environment?
How is your audit log handled today? Is it tamper-proof?

For the Compliance / Risk officer

Which frameworks do you report against — RBI CSCRF, SEBI, IRDAI, DPDP, ISO 27001, SOC 2?
When an auditor asks for MFA evidence, what's the process — and how long does it take?
Can your current audit log survive a forensic integrity check?
How do you demonstrate DPDP data residency to auditors today?
What retention period do you need — 3 years, 7 years, longer?
Are you planning for post-quantum cryptography migration, and on what timeline?
What's a typical audit finding in identity access today?

10 · Show, don't tell

Demo flow — 30 minutes

A structured demo that speaks to all three buyer types. Every minute is accounted for. Never wing it.

0:00 – 3:00

Open with their pain, not our features

Recap the 2-3 pain points from discovery. Confirm them back. "Last time we met, you told me three things mattered — air-gap deployment for your defense division, RBI audit evidence, and not replacing your Azure AD. Is that still accurate? Anything to add?"

All stakeholders

3:00 – 6:00

Architecture whiteboard (1 slide)

Show the IdP-agnostic plug-in diagram. "Your IdP stays. We add the second factor. This is the critical architecture choice that differentiates us from Okta." Do not go into token types yet.

Architect · CISO

6:00 – 12:00

Live login demo — the "money shot"

Real user logs into a real app. Show the MFA challenge appearing. Show the token types toggle — TOTP, Push, FIDO2. Show a failed attempt and the audit log response. Keep moving.

All

12:00 – 17:00

Audit log + compliance view

Open the admin console. Query the audit log. Show the tamper-proof integrity verification. Export to a format regulator would accept. This is for the compliance stakeholder.

CISO · Compliance

17:00 – 22:00

The "only we can do this" moment

Based on what matters to them: show air-gap deployment config, OR show RADIUS delegation for legacy VPN, OR show the PQC configuration flag. Pick ONE. Make it memorable.

Architect · CISO

22:00 – 27:00

Discuss implementation reality

"Here's what a typical 8-week deployment looks like for a customer like you." Walk through weeks 1-8. Include the SI partner if one is involved. Name their integration partner.

All

27:00 – 30:00

Close with a next step, not a pitch

"Based on what I've shown, are there any concerns? Can we scope a 4-week pilot on your [specific system]? I'll send a pilot scope document within 48 hours — who on your team should I include?"

All

11 · Price with intent

Pricing & packaging

Three tiers. Price per user per year, with platform caps. Air-gap variant is a separate SKU. All prices in INR.

Workforce MFA · Essential

Essential

₹360 / user / year

For mid-market enterprises and fintech. SaaS deployment. Starts at 250 users.

TOTP, HOTP, SMS, Email tokens
Self-service enrollment portal
Admin web console
Audit log (3-year retention)
Email + ticket support (12x5)
Standard integrations: Azure AD, Okta, LDAP

Most common

Workforce MFA · Enterprise

Enterprise

₹720 / user / year

For BFSI, large enterprises, regulated industries. Cloud or on-premises. Starts at 1,000 users.

All 8 token types including Push & FIDO2
RADIUS delegation (legacy systems)
4 KMS backends + key rotation
Tamper-proof audit (7-year retention)
RBAC + mTLS + advanced security
Policy engine & event handlers
24x7 support + named CSM
RBI / SEBI / IRDAI compliance mappings

Sovereign MFA · Classified

Classified

Custom · from ₹1,500 / user / year

For Government, Defense, Intelligence, Critical Infra. Fully air-gapped. Scoped per deployment.

Everything in Enterprise, plus:
Air-gapped deployment (Ntfy/Gotify/SMSEagle/local KMS)
Hybrid TLS with PQC (X25519 + Kyber)
On-site installation & commissioning
MeitY / STQC certification support
Dedicated SE & named engineer on-call
Source code escrow option
Annual security re-certification

Pricing principles

Always price in INR. No USD pricing, ever. This is a differentiator — most global OEMs quote in USD, which immediately signals foreign risk to CFOs.

Annual contracts with multi-year incentive. 3-year commitment = 15% discount. 5-year = 25% discount. We want stickiness; customers want predictability.

Platform expansion credits. 20% of first-year MFA ARR converts to credit toward SSO, PAM, IGA when those products launch. This is how we lock in the platform thesis.

No punitive overage. If they exceed the user count mid-year, we raise the tier at renewal, not mid-term. Customer trust compounds.

Part 4 · Marketing & enablement

12 · Own the narrative

Marketing themes & content

Three content pillars we'll own for the next 24 months. Every piece of content maps to one of these.

Pillar 01 · Own the sovereignty narrative

"Made for India, not just sold in India"

Every piece of content reinforces that sovereign digital infrastructure needs sovereign identity security. Position e91 as the flag-bearer of Made-in-India cybersecurity.

Example content ideas — Long-form blog: "Why Okta cannot serve India's defense sector"
— Op-ed: "DPDP + sovereign identity — what the regulator actually expects"
— LinkedIn thread: "5 reasons air-gap matters in 2026"
— Podcast: Founder interviews on NDTV Tech, Moneycontrol

Pillar 02 · Educate on PQC before the market

"The crypto transition nobody is ready for"

Be the thought leader on post-quantum cryptography in Indian context. Most Indian CISOs don't know PQC yet. We teach them — and become the answer when RBI mandates it.

Example content ideas — Research paper: "PQC roadmap for Indian BFSI"
— Webinar series with NIST / CERT-In speakers
— "Store now, decrypt later" threat briefings
— NASSCOM and DSCI workshop circuits

Pillar 03 · Compliance as a product feature

"Auditor-ready out of the box"

Turn compliance complexity into our unique marketing weapon. Publish detailed mappings. Release compliance checklists. Make it easy for CISOs to justify us to their board.

Example content ideas — Free downloads: "RBI CSCRF MFA checklist"
— Case studies with named BFSI customers
— Auditor playbook: "10 questions every RBI auditor will ask"
— CERT-In / NCIIPC partnership announcements

13 · Where to show up

Channel strategy

Priority-weighted list. Start with high-priority, low-effort. Graduate as we hire.

LinkedIn (CEO)

Thought leadership, inbound from CISOs, trust building. 3 posts/week.

High

Low effort

Direct outbound

100 qualified meetings in 90 days via targeted outreach to 500 named accounts.

High

Medium

NASSCOM / DSCI

Speak at DSCI, NASSCOM CISO roundtables. Position as Indian cybersecurity authority.

High

Medium

SI partnerships

2-3 Tier-1 SIs signed within 6 months. Joint GTM, deal reg, partner margin 25-35%.

High

Long-form blog / website

SEO dominance on "India MFA", "DPDP compliant MFA", "air-gap MFA" within 12 months.

Medium

Industry events

Booth presence at AISS (DSCI), GISEC, IDC CIO summits. Sponsorship = lead gen.

Medium

High

Webinars & workshops

Monthly technical webinar. Topic examples: RBI CSCRF, PQC, air-gap design patterns.

Medium

Low

Developer / GitHub

Open-source reference integrations, Postman collections, SDK docs. Builds credibility with architects.

Medium

Paid ads (Google, LinkedIn)

Skip in year 1. Return when inbound demand > 5 qualified leads/week organically.

Low

Analyst relations (Gartner)

Defer until 20+ customers. Analyst briefings are effective only with customer proof.

Low

High

14 · Write like a human

Email & outreach templates

Starting templates for the top 5 scenarios. Personalize every one — never send these unedited.

Template 01 · Cold outbound to CISO Length: 100 words · Tone: direct

Quick question on your RBI CSCRF MFA coverage

Priya,

I saw your note on LinkedIn about Saket's CSCRF panel last week. One question from that has been on my mind:

When the auditor asks you to produce a tamper-proof MFA log across all privileged systems — not just the Microsoft ones — how many hours does your team spend assembling that today?

We've built an MFA platform specifically for this scenario. Deployed by a similar-size private bank 3 months ago. Happy to share what changed for them and whether it's relevant to you.

15 minutes, next week?

— [Name], e91
Founder & CEO · Building India's Identity Security Platform

Template 02 · Post-discovery, pre-demo Length: 120 words · Tone: confirming

Recap of our discovery + what I'll show Thursday

Rakesh,

Thank you for the hour yesterday. To make sure I'm aligned before Thursday's demo:

Your three concerns — (1) integration with your existing Azure AD without replacement, (2) the CSCRF audit cycle in Q2, and (3) extending MFA coverage to the ten legacy systems currently on password-only.

Thursday I'll walk you through: the IdP-agnostic architecture, the audit log feature set, and a specific pattern for adding MFA to legacy RADIUS-based systems without user disruption.

Please confirm if Meera (compliance lead) should join. Her team's questions on retention and data residency are probably best addressed live.

— [Name], e91

Template 03 · SI partner engagement Length: 130 words · Tone: commercial

Joint GTM proposal — e91 MFA platform

Vikram,

Three data points relevant to your cybersecurity practice:

— 40%+ of your BFSI clients have a live or near-term RBI CSCRF commitment requiring MFA upgrades
— Global MFA OEM margins for you are typically 10-15%
— Your clients increasingly request Made-in-India certified software post-MeitY directives

Our proposal: a partner agreement with 30% margin, deal registration, joint GTM funding for first 3 deals, and implementation certification for your team. We bring the product + air-gap capability; you bring customer relationships + delivery.

I'd like 30 minutes to walk through the partner program. What works — this Friday afternoon, or next Monday morning?

— [Name], e91

Template 04 · Re-engagement after silence Length: 80 words · Tone: light, useful

A resource you may find useful — RBI CSCRF MFA checklist

Priya,

No sales pitch today. Just a resource.

We've published a free checklist mapping every MFA requirement in RBI's CSCRF framework to specific controls and evidence artifacts. Our customers have found it useful whether they're evaluating us or not.

Link: [e91.com/rbi-cscrf-mfa-checklist]

If it's useful, I'd love to hear your feedback. If you'd like to reopen the conversation about our platform, my door is open.

— [Name], e91

Template 05 · Post-POC / pilot success Length: 110 words · Tone: closing

Pilot results + proposed next steps

Team,

Summarizing our 4-week pilot on the [system] integration:

Success criteria met — (1) p99 auth latency at 140ms (target 200ms), (2) 100% audit log integrity verification pass, (3) zero user-facing incidents, (4) Azure AD integration working with no IdP changes.

Proposed next step: full production rollout covering the remaining 12 systems in scope. Timeline: 8 weeks. Commercial proposal attached.

I'd like to propose a final call next week with your procurement team to walk through terms. What's the best time for you and [CFO/procurement lead]?

— [Name], e91

15 · The right words, right moment

One-liners by scenario

Phrases that land. Practice until they come out naturally.

Walking into a booth

We build India's Identity Security Platform. Deployable in cloud, on-prem, and air-gapped defense networks.

Someone says "like Okta?"

Like Okta — for the scenarios Okta structurally cannot serve.

Asked about differentiation

We plug into your IdP. We don't replace it. That means weeks, not quarters.

Asked about compliance

Auditor-ready out of the box. RBI, DPDP, CERT-In, SEBI — all pre-mapped.

Asked about security

Tamper-proof audit log. Post-quantum ready. Air-gap deployable. Zero data leaves India.

Asked about roadmap

MFA today. SSO, PAM, IGA, ZTNA over the next 24 months. One platform, one audit log.

Asked about pricing

INR pricing. GST-native invoicing. Fraction of CyberArk. Half of Okta.

Asked about risk of choosing us

Open-source foundation. Code escrow available. Standards-based integration. No lock-in.

Pressured on why now

RBI is tightening CSCRF. DPDP is live. PQC mandates are coming. Being late is expensive.

Part 5 · Execution

16 · Measure what matters

Success metrics & KPIs

The numbers to track weekly, monthly, quarterly. If it's not here, don't optimize for it yet.

Weekly · Top of funnel

Lead & engagement

→ Outbound meetings booked
→ Inbound demo requests
→ LinkedIn CEO impressions
→ Content downloads (checklists, whitepapers)

Monthly · Middle of funnel

Pipeline health

→ Qualified opportunities added
→ Active POCs running
→ Pipeline coverage (3-5x quota)
→ Stage conversion rates

Quarterly · Outcome

Revenue & retention

→ New ARR
→ Win rate (deals won / engaged)
→ Average contract value
→ NPS from existing customers

17 · Starting now

First 90 days execution

What needs to happen in the next 13 weeks to put this playbook into motion.

Days 1 – 30 · Foundation

Build the infrastructure

□ Finalize website copy matching this playbook
□ Build target account list (500 named accounts)
□ Create demo environment + 5-min demo video
□ Publish RBI CSCRF MFA checklist
□ CEO LinkedIn content cadence — 3 posts/week
□ Identify and engage first 3 design partners

Days 31 – 60 · Pipeline

Open the top of funnel

□ 100 outbound meetings booked
□ First SI partner agreement signed
□ Speak at 2 NASSCOM / DSCI events
□ 20 qualified opportunities in active discovery
□ First PQC webinar (target 200 attendees)
□ Launch MeitY / STQC certification process

Days 61 – 90 · Proof

Turn POCs into revenue

□ 5 active POCs running
□ First 2 paying customers closed
□ First published case study
□ Second SI partner + first joint deal
□ Refresh playbook based on learnings (v1.1)
□ Plan Q4 launch of SSO + Passwordless bundle

The playbook in one paragraph

Remember this when nothing else lands

We are not selling MFA. We are selling the first pillar of India's Identity Security Platform — and we win because we're sovereign, deployable everywhere (including air-gapped), plug into existing IdPs instead of replacing them, and are post-quantum ready before the market.

Our buyers are CISOs, CIOs, CROs, and Government CIOs who are either tired of stitching together global vendors or structurally cannot use them at all. We meet them where they are — with audit-ready compliance mappings, INR pricing, air-gap deployment, and an honest platform roadmap.

We win with discipline, not noise. Every meeting is a qualified one. Every demo follows the flow. Every POC has exit criteria. Every customer becomes a reference. This playbook is how we make that consistent across 50 salespeople and 5 years.