Cybersecurity Insights & Guides
Expert insights on cybersecurity, vulnerability management, and digital defence strategies.
OWASP Mobile Top 10 (2024): The Definitive Guide for Indian Mobile App Teams
A reference walkthrough of every risk in the OWASP Mobile Top 10 (2024 release) — what each risk means in plain English, how attackers exploit it on Android and iOS, what your engineering team should fix, and how a CERT-In empanelled pentest validates the fix.
SEBI CSCRF for Custodians: AUC Tiers & CCI Obligations
Custodians under SEBI CSCRF: Assets Under Custody drives three-tier classification (₹1L Cr, ₹10L Cr thresholds), CCI self-assessment at QRE, and what custodians of every size must do.
SEBI CSCRF for KRAs & QRTAs: The April 2025 Demotion & What It Means
KYC Registration Agencies were reclassified from MII to Qualified RE in April 2025. QRTAs (≥2 Cr folios) remain at MII tier. What changed, what stayed, and what KRAs and QRTAs must do now.
SEBI CSCRF for AIFs & VCFs: Manager-Level Corpus Rule
CSCRF for Alternative Investment Funds and Venture Capital Funds: the April 2025 manager-level classification, corpus thresholds, sub-100-client exemptions, and what AIF/VCF managers must do.
SEBI CSCRF for AMCs & Mutual Funds: AUM-Tiered Classification & Qualified RE Obligations
Asset Management Companies under SEBI CSCRF: AUM-tiered classification (₹10k Cr, ₹1L Cr thresholds), Qualified RE obligations, ISO 27001 voluntary status, and what AMCs of every size must do.
SEBI CSCRF for Stock Brokers: The Two-Parameter Rule, Thresholds & QSB → QRE Link
SEBI's April 2025 CSCRF amendment rewrote stock-broker classification: clients OR trading volume determines your tier, and the higher of the two wins. How the two-parameter rule works, what each tier requires, and the QSB auto-classification.
The Principle of Exclusivity and Equivalence Under SEBI CSCRF: A Guide for Multi-Regulator Entities
SEBI's August 2025 clarifications introduced two principles for entities regulated by multiple bodies: Exclusivity (CSCRF covers only SEBI-regulated activities) and Equivalence (duplicate audits not required if the other regulator's framework matches). Here's how they work.
SEBI CSCRF Data Localisation in Abeyance: What Regulated Entities Should Know
SEBI's Data Localisation mandate (PR.DS.S2) has been in regulatory abeyance since December 2024. What this means for compliance planning, what stays binding, and what to do instead of building a localisation programme that may never activate.
August 2025 SEBI CSCRF Technical Clarifications: ISO 27001, PM Revision & More
SEBI's August 2025 technical clarifications made ISO 27001 voluntary for QREs, downgraded Mobile App Security and BAS/CART to recommendatory, narrowed critical-systems scope, and introduced multi-regulator principles. Decoded.
What Changed in the April 2025 SEBI CSCRF Amendment
SEBI's April 2025 CSCRF amendment rewrote stock-broker thresholds with a two-parameter rule, reclassified KRAs from MII to QRE, clubbed AIFs+VCFs at the manager level, and introduced the HSM mandate. Here's what every regulated entity needs to know.
SEBI CSCRF in 2026: A Complete Guide for SEBI Regulated Entities
A comprehensive guide to SEBI's Cybersecurity and Cyber Resilience Framework — the 5-tier model, 22 entity types, amendment history through Aug 2025, and what every regulated entity needs to do in FY 2026-27.
SEBI's May 2026 AI Vulnerability Detection Advisory: What Every Regulated Entity Must Do Now
SEBI just issued an advisory on AI tools like Claude Mythos that find vulnerabilities at speed and scale. 10 directives, 19 regulated-entity categories, and a 90-day path to readiness — decoded.
VAPT vs Penetration Testing: Which Do You Actually Need?
The terms get used interchangeably in Indian procurement RFPs, but they describe different things. What the distinction means for scoping, cost, and the report you receive.
OWASP Top 10 Explained for Business Leaders
A non-technical walk through the OWASP Top 10 — the ten classes of web application risk that account for the bulk of breaches we see in real engagements — and what each one actually costs your business.
RBI Cybersecurity Framework: A 2026 Compliance Guide
What the RBI Cybersecurity Framework actually requires of banks, NBFCs, and payment system providers in 2026 — translated from circular language into an action plan.
Manual vs Automated Penetration Testing: The Real Difference
Scanners excel at pattern matching. Manual testing covers what they cannot. Here is the real gap, with examples of findings each approach reliably catches and misses.
How to Choose a CERT-In Empanelled Security Auditor
CERT-In empanelment is a qualifying criterion, not a substitute for due diligence. Here is what to evaluate when shortlisting auditors for a regulated engagement.