The 80-Page Report Problem
CERT-In empanelled audit firms deliver VAPT reports that are comprehensive by design. A typical assessment of a mid-sized insurance company's infrastructure produces an 80 to 120 page PDF containing 40 or more individual findings, each with a CVSS score, CVE references, affected hosts, proof-of-concept details, and remediation recommendations. For the CISO and IT team receiving this report, the challenge is not the quality of the assessment — it is the sheer volume of structured and semi-structured data that must be extracted, prioritised, assigned, tracked, and reported on.
Processing these reports manually takes days. A compliance analyst reads through the PDF, extracts each finding into a spreadsheet, looks up the CVSS base score, cross-references CVE IDs against the organisation's asset inventory, assigns severity, sets deadlines, and creates tickets for remediation teams. By the time this triage is complete, critical findings with a 7-day remediation deadline may already be 3 or 4 days old. The bottleneck is not remediation capability — it is report processing speed.
AI Parsing: From PDF to Structured Findings
AI-powered VAPT report processing eliminates the manual extraction bottleneck entirely. The system ingests the PDF — whether it's a Nessus export, a Qualys report, a Burp Suite assessment, or a custom format from a CERT-In empanelled firm — and extracts every finding as a structured data object. Each finding is parsed into its constituent elements: vulnerability title, CVSS vector and base score, CVE identifiers, affected hosts and ports, proof of concept, and recommended remediation.
The AI normalises severity across different scoring systems. A Nessus "Critical", a Qualys "Severity 5", and a manual assessor's "High Risk" are all mapped to a unified severity taxonomy aligned with IRDAI's remediation deadline framework. CVE IDs are validated against the NVD database, enriched with exploit availability data, and linked to any known active exploitation campaigns. What took a compliance analyst two days now takes under 90 seconds.
Automatic UCL Control Linkage
Extracting findings is necessary but not sufficient. Each vulnerability finding must be linked to the Unified Control Library (UCL) control it implicates. A SQL injection vulnerability maps to application security controls. An unpatched OpenSSL library maps to patch management controls. A weak TLS configuration maps to encryption-in-transit controls. This mapping is what transforms a VAPT finding from a technical issue into a compliance gap.
AI performs this mapping automatically by analysing the vulnerability category, the affected technology stack, and the remediation recommendation, then matching against the UCL control taxonomy. When a finding maps to a control that is currently marked as "compliant" in the GRC system, that control's status is automatically flagged for review. The result is a live view of which controls are actually effective and which have been undermined by the latest VAPT assessment — without any manual control mapping effort.
Severity-Based Deadline Enforcement
IRDAI's March 2025 revision introduced explicit remediation deadlines by severity: CRITICAL findings must be fixed within 7 days, HIGH within 30 days, and MEDIUM within 90 days. These deadlines are not advisory — they are the standard against which the IS Audit will measure compliance and against which the board must attest.
| Severity | CVSS Range | Remediation Deadline | Escalation |
|---|---|---|---|
| CRITICAL | 9.0 – 10.0 | 7 days | CISO + Board notification |
| HIGH | 7.0 – 8.9 | 30 days | CISO notification |
| MEDIUM | 4.0 – 6.9 | 90 days | IT manager notification |
AI-powered deadline enforcement means that the moment a finding is extracted and severity-classified, a countdown begins. Automated notifications escalate to the appropriate level as deadlines approach: IT teams for medium findings, the CISO for high findings, and both the CISO and board for critical findings. Overdue findings generate automated exception reports that feed directly into the IS Audit evidence pack and board attestation dashboard.
IRDAI.AUDIT.1 Auto-Compliance
IRDAI.AUDIT.1 — the control requiring annual VAPT by a CERT-In empanelled firm with all findings remediated within prescribed deadlines — is one of the most evidence-intensive controls in the insurance regulatory framework. To close this control, an organisation must demonstrate: (1) that the VAPT was conducted by a CERT-In empanelled firm, (2) that all findings were extracted and classified by severity, (3) that remediation was completed within the 7/30/90-day deadlines, and (4) that the empanelled assessor verified the remediation through a retest.
When AI manages the entire pipeline — from report ingestion through finding extraction, severity classification, deadline tracking, remediation verification, and assessor retest confirmation — the IRDAI.AUDIT.1 control closes automatically when all conditions are met. No manual evidence compilation. No spreadsheet reconciliation. The control status moves from "open" to "closed" the moment the last finding's remediation is verified by the CERT-In empanelled assessor, with a complete audit trail documenting every step.