Talk to a security advisor — a free 30-minute review
AlphaCISO®
Contact us
All servicesService

Indian Compliance & CERT-In

Six hours to report. Be ready.

Six hours is the clock CERT-In actually enforces

CERT-In's April 2022 directions changed the compliance baseline for organisations operating in India. Reportable incidents must reach CERT-In within six hours of detection. Logs must be retained for 180 days within Indian jurisdiction, and clocks must be synchronised to NTP. These are not aspirational — they are directions with legal weight. Most organisations cannot meet the six-hour window because the workflow was never built. We build it.

This applies to service providers, intermediaries, data centres, and body corporates operating in India.

What we do

  • Assess. We test your current posture against the 2022 directions — reporting, log retention, synchronisation, and KYC obligations.
  • Operationalise. We build a six-hour reporting playbook with detection triggers, escalation, and the CERT-In submission path.
  • Test. We run VAPT to the standard an empanelled auditor would expect, then drive findings to closure.
  • Extend. We map DPDP Act 2023 duties — consent, notice, and breach handling — onto the same program.

One program for the Indian regime

Rather than treating CERT-In, VAPT, and the DPDP Act as separate fire drills, we wire them into a single compliance posture you can operate year-round.