Practitioner Intelligence
for Indian BFSI Security Leaders.

Regulatory guides, technical checklists, and deep dives mapped to real obligations under RBI, SEBI CSCRF, IRDAI, DPDP, and CERT-In. Written by practitioners.

⌕

All CERT-In IRDAI DPDP VAPT GRC RBI

Latest Articles

CERT-In · Incident Response Apr 2026 · 6 min read FEATURED

The 6-Hour Rule: How India's CERT-In Mandate Is Reshaping Cyber Incident Response

Mandatory cyber incident reporting within 6 hours of detection. RBI, IRDAI, SEBI, and DPBI all running from the same timestamp. Criminal liability under IT Act §70B for non-compliance. What every Indian BFSI enterprise must have in place before the next incident.

Covers: 9-field CERT-In format · 13 log source categories · 180-day retention · Multi-regulator deadline matrix

Read Article

IRDAI · Insurance SectorMar 2026 · 5 min

IRDAI's March 2025 Cybersecurity Revision: What Every Insurer Needs to Know

Mandatory reporting tightened to 6 hours. Board attestation now submitted to IRDAI. Applicable to TPAs, brokers, web aggregators, ISNPs, and IMFs — not just insurers.

5 min readRead article →

DPDP · Vendor RiskMar 2026 · 5 min

DPDP Meets Vendor Risk: Why Your Third-Party Contracts Are Now a Compliance Problem

DPDP §8/§9 imposes DPA obligations for every vendor processing personal data. The sub-processor problem. What an RBI inspector asks when they arrive.

5 min readRead article →

VAPT · AI · TechnicalFeb 2026 · 4 min

From 80-Page Nessus Report to Actionable Risk Findings: How AI Is Changing VAPT

AI extracts every finding, maps to UCL controls, sets deadlines by severity, and closes IRDAI.AUDIT.1 automatically. The security team shifts from data entry to decision-making.

4 min readRead article →

GRC ArchitectureFeb 2026 · 6 min

Why Indian BFSI Needs a Risk Graph, Not a Risk Register

Your risk register doesn't know the system changed, the control was deprecated, or that a new IRDAI circular changed the obligation. A risk graph knows. SEBI CSCRF's continuous audit mandate makes this the architecture question of 2025.

6 min readRead article →

Regulatory Checklists

Checklist · CERT-In

CERT-In Incident Reporting Checklist

9-field mandatory format · 13 log source categories · 180-day retention · CERT-In 6hr / RBI 6hr / IRDAI 6hr / SEBI 4hr / DPBI 72hr

View

Checklist · IRDAI

IRDAI VAPT Compliance Checklist

CERT-In empanelment verification · CRITICAL 7d / HIGH 30d / MEDIUM 90d · Board submission 90 days FY end · IRDAI.AUDIT.1 closure evidence

View

Checklist · DPDP §8/§9

DPDP Vendor DPA Mandatory Clauses

12 mandatory DPA clauses · Sub-processor notification · RBI IT outsourcing overlay · Data deletion certificate on contract end

View

Matrix · SEBI CSCRF · Apr 2025

SEBI CSCRF Control & Maturity Matrix

Continuous audit mandate · NIST CSF 2.0 Tier 1–4 alignment · Dashboard mandate gate items · Maturity scoring per function

View

Checklist · RBI IT Outsourcing

RBI IT Outsourcing Inspection Checklist

Mandatory contract clauses · Audit rights · Service continuity · Exit management · Data localisation declarations

View

Technical Guides — RiskSage Platform

API Guide · Auth

RiskSage API Quickstart

POST /auth/login → /auth/mfa/challenge → Bearer JWT · Tenant-scoped · Route groups: /incidents · /vapt · /crq · /threat-models · /dashboard

View

API Guide · VAPT

VAPT Report Ingestion & Parsing Guide

Nessus · Burp Suite · OpenVAS · Qualys · Manual · POST /vapt/assessments/:id/parse-report · CVSS + CVE IDs + UCL control links

View

API Guide · CRQ

CRQ Engine — FAIR, NIST 800-30, VaR Developer Guide

4 models · Asset Value ₹ crore / TEF events/yr / Vulnerability Level 0.01–0.99 / Response Cost ₹ lakh · AI threat intel endpoint

View

API Guide · Threat Modelling

STRIDE + PASTA Threat Modelling API Guide

11 routes /threat-models/* · Single-endpoint detail pattern · Enums: SPOOFING not "S" · RBI TRA + SEBI CSCRF SDLC + IRDAI IS Audit

View