A structured, actionable checklist covering every aspect of CERT-In mandatory incident reporting — from the 9-field prescribed format to multi-regulator deadline coordination and pre-incident readiness.
CERT-In's prescribed initial incident report requires nine specific fields. Every field must be populated before submission. Prepare templates for each incident category in advance.
Field 1: Incident Category — Select from CERT-In's enumerated list (ransomware, data breach, DDoS, website defacement, phishing, unauthorised access, malware, vulnerability exploitation, etc.)
Field 2: Date & Time of Detection — Exact timestamp in IST (UTC+5:30). This is the anchor for all regulatory deadlines.
Field 3: Organisation Details — Full legal name, CIN, sector classification, and registered address.
Field 4: Affected Systems — IP addresses, hostnames, domain names, application names, and infrastructure type (on-prem, cloud, hybrid).
Field 5: Estimated Scope & Impact — Number of systems affected, data records potentially compromised, business functions impacted.
Field 6: Initial Indicators of Compromise (IoCs) — Known malicious IPs, file hashes, URLs, email addresses, or attack vectors identified so far.
Field 7: Containment Actions Taken — What immediate steps have been taken: isolation, credential rotation, service shutdown, etc.
Field 8: Point of Contact — Name, designation, mobile number, and email of the incident coordinator. Must be reachable 24/7.
Field 9: Any Other Relevant Information — Suspected threat actor, ongoing investigation details, engagement of external forensic support.
Remember
The initial report is a notification, not a final forensic analysis. You are not expected to have root cause or attribution within 6 hours. Submit what you know and update progressively.
13 Log Source Categories for 180-Day Retention
The CERT-In Directions of April 2022 require logs of all ICT systems to be retained for a rolling period of 180 days, kept within Indian jurisdiction, and provided to CERT-In along with an incident report or whenever CERT-In directs. Storage that is merely archived cannot answer such a request in time, so logs should be indexed and searchable, not just retained. The 13 categories below are a working breakdown of what that logging covers; verify each one is collected:
Firewall logs
IDS / IPS logs
Web Application Firewall (WAF)
EDR / XDR endpoint logs
SSO / IdP authentication logs
Application server logs
Database activity logs
VPN access logs
Cloud control plane logs
Mail gateway logs
DNS query logs
Network flow / NetFlow logs
Operating system event logs
All 13 log categories are being collected and centralised in SIEM or log management platform
Retention period is set to minimum 180 days rolling for all categories
Logs are stored in India (data residency compliant)
WORM (Write Once Read Many) immutable storage configured for critical log sources
Logs are indexed and searchable: producible to CERT-In with an incident report or when CERT-In directs, which in practice means a query against live storage, not a restore from cold archive
Log integrity verification (hash-based tamper detection) is enabled
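The WORM and hash-based tamper-detection items above name a property rather than a mechanism. The following added example (not code from this page or from RiskSage) shows one concrete way to get that property in software: a hash-chained append-only log in which each entry's SHA-256 commits to the previous entry's hash, so editing, deleting or reordering any retained line is detectable, plus a rolling 180-day prune that keeps the hash of the last expired entry as an anchor so the surviving window still verifies on its own. The ChainedLog class, the sample log lines, the timestamps and the hostnames are all constructed for illustration (IPs are RFC 5737 documentation ranges); a production deployment would keep the anchor and periodic checkpoint hashes in separate write-once storage rather than beside the log.

```python
import hashlib
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))  # CERT-In expects IST timestamps
RETENTION_DAYS = 180                             # rolling retention under the Directions
GENESIS = "0" * 64                               # anchor hash for a brand-new chain


def chain_hash(prev_hash: str, ts_iso: str, record: str) -> str:
    """SHA-256 over the previous entry's hash, this entry's timestamp and its text.
    Binding prev_hash into every entry is what makes the log a chain: changing,
    deleting or reordering any earlier entry changes every later hash."""
    return hashlib.sha256(f"{prev_hash}\n{ts_iso}\n{record}".encode("utf-8")).hexdigest()


class ChainedLog:
    """Append-only log whose entries are hash-chained from an anchor. The anchor is
    GENESIS for a new log and, after pruning, the hash of the last expired entry,
    so entries inside the retention window stay verifiable on their own.
    (Hypothetical class written for this example.)"""

    def __init__(self) -> None:
        self.anchor = GENESIS
        self.entries: list[tuple[str, str, str]] = []  # (ts_iso, record, hash)

    def append(self, ts: datetime, record: str) -> str:
        """Append one record; entries are assumed to arrive in time order."""
        ts_iso = ts.astimezone(IST).isoformat()
        prev = self.entries[-1][2] if self.entries else self.anchor
        h = chain_hash(prev, ts_iso, record)
        self.entries.append((ts_iso, record, h))
        return h

    def verify(self) -> tuple[bool, int]:
        """Recompute every hash from the anchor. Returns (ok, index of first bad entry)."""
        prev = self.anchor
        for i, (ts_iso, record, h) in enumerate(self.entries):
            if h != chain_hash(prev, ts_iso, record):
                return False, i
            prev = h
        return True, -1

    def prune(self, now: datetime) -> int:
        """Expire entries older than RETENTION_DAYS and advance the anchor to the hash
        of the last expired entry. Refuses to run on a chain that fails verification,
        so a tampered line cannot be laundered out of the log by routine expiry."""
        ok, bad = self.verify()
        if not ok:
            raise ValueError(f"chain integrity failure at entry {bad}; refusing to prune")
        cutoff = now.astimezone(IST) - timedelta(days=RETENTION_DAYS)
        dropped = 0
        while self.entries and datetime.fromisoformat(self.entries[0][0]) < cutoff:
            self.anchor = self.entries.pop(0)[2]
            dropped += 1
        return dropped


def build_sample_log() -> tuple[ChainedLog, datetime]:
    """Constructed sample data: four log lines from different source categories,
    two of them older than the 180-day window. IPs are RFC 5737 documentation ranges."""
    now = datetime(2025, 6, 1, 9, 0, tzinfo=IST)
    log = ChainedLog()
    for age_days, record in [
        (200, "firewall deny src=203.0.113.7 dst=10.0.0.5 dport=3389"),
        (190, "vpn login user=alice src=198.51.100.9 result=success"),
        (30, "edr alert host=ws-042 rule=ransomware_note_written"),
        (1, "idp mfa_fail user=bob src=203.0.113.44 count=12"),
    ]:
        log.append(now - timedelta(days=age_days), record)
    return log, now


def tamper_demo() -> tuple[bool, int]:
    """Edit one old line in place without recomputing its hash; verify() pinpoints it."""
    log, _ = build_sample_log()
    ts_iso, record, h = log.entries[1]
    log.entries[1] = (ts_iso, record.replace("success", "failure"), h)
    return log.verify()


def prune_demo() -> tuple[int, int, tuple[bool, int]]:
    """Expire the two out-of-window entries; the remaining chain still verifies."""
    log, now = build_sample_log()
    dropped = log.prune(now)
    return dropped, len(log.entries), log.verify()


if __name__ == "__main__":
    print("tampered line detected at:", tamper_demo())
    print("pruned, remaining, verify:", prune_demo())
```

Two design points worth noting. First, the anchor is what lets a rolling window and a hash chain coexist: without it, expiring the oldest entry would orphan the next one and the whole window would fail verification. Second, prune verifies before it deletes, so an attacker who edits a line and then waits for it to age out still triggers an alert instead of a silent expiry. Checking the chain is linear in the number of retained entries, so for a 180-day SIEM volume you would verify per day-file or per segment and chain the segment hashes.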
Multi-Regulator Deadline Matrix
Different regulators require different formats, different information, and different points of contact — all running in parallel from the same detection timestamp.
| Regulator | Deadline | Format / Portal | Legal Basis |
| --- | --- | --- | --- |
| CERT-In | 6 hours | 9-field prescribed format | IT Act §70B · criminal penalty |
| RBI | 6 hours | ITSS portal submission | RBI Master Directions on IT |
| IRDAI | 6 hours | Board-attested report | IRDAI Cybersecurity Guidelines (Mar 2025) |
| SEBI | 4 hours | SCORES portal | SEBI CSCRF (Apr 2024) |
| DPBI (DPDP) | 72 hours | Data Protection Board portal | DPDP Act 2023 · personal data breaches only |
Automated deadline calculator configured to trigger from detection timestamp
30-minute escalation alerts set for CERT-In, RBI, and IRDAI 6-hour windows
SEBI 4-hour window has separate, earlier escalation trigger
DPBI 72-hour tracker active for incidents involving personal data
Each regulator has a pre-assigned reporting owner with portal credentials verified
Report templates pre-built for each regulator's required format
What Triggers a Reportable Incident
Not every security event is reportable. Annexure I of the CERT-In Directions lists the incident types that must be reported; the categories most organisations will encounter include:
Ransomware attack on any system, regardless of whether ransom was paid
Data breach involving personal data or sensitive business information
DDoS attack that impacts service availability
Website defacement or unauthorised content modification
Phishing campaign targeting the organisation or its customers
Unauthorised access to IT systems, databases, or applications
Malware deployment including trojans, worms, and backdoors
Exploitation of vulnerabilities in public-facing or critical systems
Identity theft / spoofing attacks
Attacks on critical infrastructure (SCADA, OT, IoT systems)
Data leakage through misconfiguration or insider threat
Criminal Liability
Section 70B(7) of the IT Act makes failure to comply with a direction under Section 70B(6), including the 6-hour reporting requirement, punishable with imprisonment for up to one year, or a fine of up to one lakh rupees, or both. The 6-hour clock starts when the incident is noticed or brought to your notice, not when it is confirmed.
Pre-Incident Preparation Steps
The organisations that report successfully are the ones that prepare before an incident occurs. Complete these steps during peacetime:
Incident classification taxonomy pre-built with all CERT-In reportable categories as dropdown selections
9-field CERT-In report template pre-populated with static organisation details (Fields 3, 8)
Multi-regulator reporting playbook documented and distributed to SOC team
Portal credentials for CERT-In, RBI ITSS, IRDAI, SEBI SCORES, and DPBI verified quarterly
Tabletop exercise conducted at least twice per year simulating a 6-hour reporting window
Escalation matrix defined: SOC Analyst → SOC Lead → CISO → Board (with contact details and backup contacts)
External legal counsel and forensic retainer agreements in place before an incident
AI-assisted report drafter configured to generate compliant initial reports from incident data
Communication templates ready for internal stakeholders, board, customers, and media
Log retention compliance verified across all 13 categories with quarterly audit
RiskSage Capability
RiskSage by CreativeCyber automates the complete CERT-In incident response workflow — detection timestamp → deadline calculation for all five regulators → AI-drafted 9-field initial report → 30-minute overdue escalation → 180-day log retention tracker across all 13 CERT-In log source categories.