What is the CERT-In six-hour reporting requirement?

CERT-In Direction No. 20(3)/2022 dated 28 April 2022 requires Indian organisations to report specified categories of cyber incidents to CERT-In within six hours of noticing the incident. Reportable categories include data breaches, ransomware, phishing/spear-phishing leading to incidents, server / database compromises, attacks on critical infrastructure, and several others. The reporting is via the CERT-In Incident Reporting Form. Failure to report carries penalties under the Information Technology Act, 2000. Our retainer includes managed CERT-In reporting on your behalf — we draft the report, validate the facts with you, and submit within the deadline.

What does sub-15-minute MTTR mean — first responder, or full resolution?

First responder. From the moment an incident is escalated to our hotline, a senior responder is on a call with your team within 15 minutes (median). Median across our 2025–2026 retainers is 9 minutes. This is the time to reach the incident commander; full resolution depends on incident type and ranges from minutes (a hot-walked credential rotation) to weeks (a sophisticated multi-stage compromise requiring forensic imaging, analysis, and remediation).

Are you available 24×7?

Yes — true 24×7×365 with on-call rotation across our Bengaluru and Mumbai offices. Public holidays (including all Indian and Karnataka state holidays), weekends, and overnight all covered. We have responded to incidents at 03:00 IST on Diwali; no extra charge for unsocial hours under retainer.

Do you do forensic imaging that holds up in court?

Yes. Court-admissible forensics is one of our core specialisations. We follow the chain-of-custody discipline standard for criminal investigations: write-blocked imaging, hash-verified copies (SHA-256 + MD5 dual hash), chain-of-custody documentation per artifact, evidence storage in our locked facility in Bengaluru, expert-witness availability for our lead forensic responders. Our reports have been admitted as evidence in Karnataka High Court, Bombay High Court, NCLT proceedings, and CCI investigations.

Will you do CERT-In incident reporting on our behalf?

Yes — included in retainer at no extra cost. The retainer agreement names us as your authorised cyber incident reporting agent for CERT-In purposes. We draft the incident report, validate with you, submit to CERT-In via the official channel, and handle any CERT-In follow-up queries.

Do you handle ransomware incidents specifically?

Yes — frequently. Ransomware is roughly 25% of our incident-response volume. Our ransomware methodology covers: initial containment (network segmentation, account lockdown), forensic imaging before any remediation, ransom-actor identification (which threat-actor group, what TTPs, what backup-deletion behaviour to anticipate), recovery from clean backups where available, decryption-key acquisition only as last resort and only with leadership approval, post-incident hardening, and CERT-In + insurer reporting. We do not negotiate ransom payment as a service — we have ethical reservations about funding ransomware operators — but we coordinate with law-enforcement liaisons, your insurer, and (where authorised) third-party negotiators.

How is the IR retainer different from your VAPT or pentest service?

A pentest is a planned, in-scope exercise designed to find weaknesses before attackers do. An incident response engagement is an unplanned, time-pressured exercise to contain damage after an attacker has already succeeded. Different skill set, different toolchain, different mindset. Our IR team is a specialised group within API4SOC2 with members who do nothing but IR; the pentest team and the IR team are separate cohorts.

Will you work with our cyber insurance carrier?

Yes. We are on the panel of breach response counsel for ICICI Lombard, HDFC ERGO, Bajaj Allianz, and Tata AIG’s cyber lines. Most of our retainer clients hold cyber insurance, and the insurer’s pre-approval of our firm reduces friction during a live incident. If your insurer requires a specific firm, we can typically be added to the panel within 30 days.

Do you support cloud-native incidents — AWS / Azure / GCP compromise?

Yes. Cloud incidents have specific characteristics — control-plane log analysis, IAM-related forensics, multi-account scope, often-rapid attacker lateral movement via legitimate cloud APIs. Our team includes cloud-native forensics specialists with deep AWS / Azure / GCP experience; we maintain detection and response runbooks for the most-common cloud-incident patterns.

How quickly can we onboard? We do not have a current incident.

Five business days from contract execution. Onboarding includes: hotline number distribution, escalation-tree drafting, runbook customisation for your environment, log-source mapping (so we know where to look first when called), and a tabletop exercise to validate the process. We strongly recommend onboarding before an incident — the first-incident response is roughly 40% slower without prior onboarding because we have to build environment knowledge under pressure.

Incident Response & DFIR Retainer Bangalore

Every Indian SaaS company that handles meaningful customer data will, eventually, have an incident. The Bangalore-specific question is not whether but when, and what your response capability looks like in the first hour. Six hours into an active compromise, the right answer is "incident is contained, forensic image is taken, CERT-In reporting is in flight, customer-communication draft is in legal’s queue." The wrong answer is "we are emailing three vendors asking if they can take an emergency engagement, the founder is googling whether to disclose, and someone is wiping the affected server because they think that is helpful." This page describes the IR retainer model that gets you the first answer — and what to look for if you are evaluating IR vendors against the volatile criterion of "they will be there at 3 AM."

Why every Indian SaaS company needs an IR retainer

Hiring an IR firm during an active incident is one of the most expensive decisions a CTO ever makes. The vendor knows you have no leverage, the timeline is non-negotiable, and the fee structure shifts to time-and-materials at premium rates. Quotes for emergency IR engagements in Bangalore in 2026 have ranged from ₹4,500/hour to ₹18,000/hour for senior responder time, with weekend and unsocial-hour multipliers. A typical mid-severity incident (5–8 days of investigation, 200–400 responder hours) costs ₹15–35 lakh on emergency engagement.

The retainer model collapses that cost and adds preparation. A retainer at ₹2,40,000/quarter (Tier 2 rate) gives you 24×7 coverage, sub-15-minute MTTR, full forensic capability, malware analysis, CERT-In reporting, insurer coordination, and law-enforcement liaison — for the same total annual cost as roughly 60 hours of emergency responder time. The break-even is at most one mid-severity incident per year, and the operational reality is that the prepared retainer also produces faster, cheaper, and more defensible incident handling.

CERT-In Direction 20(3)/2022 — six-hour reporting

The Indian Computer Emergency Response Team, operating under the Ministry of Electronics and Information Technology, issued Direction No. 20(3)/2022 on 28 April 2022 setting out cyber-incident reporting requirements for Indian organisations. The Direction obliges service providers, intermediaries, data centres, body corporates, and government organisations to report specified types of cyber incidents to CERT-In within six hours of noticing or being brought to knowledge of the incident.

Reportable categories include: targeted scanning / probing of critical networks, compromise of critical systems, unauthorised access to IT systems / data, defacement of websites, malicious code attacks (ransomware, viruses, worms, trojans, bots, spyware, cryptominers), attacks on servers (database, mail, DNS), identity theft and phishing attacks leading to incidents, denial-of-service attacks, attacks on critical infrastructure, attacks on IoT devices, attacks on payment systems, attacks on data centres, and attacks affecting cloud computing systems.

Reporting format is the CERT-In Incident Reporting Form, submitted via incident@cert-in.org.in or via the CERT-In portal. Failure to report carries penalties under Section 70B of the Information Technology Act, 2000. Our retainer agreement includes managed CERT-In reporting on your behalf — we draft, you validate, we submit, we handle CERT-In follow-ups. The reporting is treated as part of incident response, not a separate billable activity.

Sub-15-minute MTTR — what it means in practice

MTTR (Mean Time To Respond) in our retainer specifically means time from incident hotline activation to a senior responder on a call with your team. Our median across 2025–2026 retainers is 9 minutes; 95th percentile is 14 minutes. The activation channel is a dedicated hotline number issued at retainer onboarding, plus a Slack-channel integration for non-emergency escalations.

What happens in the first 15 minutes: senior responder joins your bridge, takes incident-commander role, runs the initial triage checklist (what is observed, what is the scope hypothesis, what is in motion to contain), establishes the communication cadence, and begins evidence preservation. The full response team (forensics, malware, threat-intel, communications) is paged behind them and joins within 30–45 minutes depending on severity.

Incident categories we handle

Ransomware — encryption attacks, data-extortion-only attacks, double-extortion; ~25% of volume
Business email compromise (BEC) — fraudulent wire transfer, vendor impersonation, executive impersonation; ~20%
Cloud account compromise — AWS / Azure / GCP credential theft, IAM-misuse, privileged-role takeover; ~15%
Application compromise — webshells, code-injection, supply-chain library compromise; ~12%
Insider threat — malicious or compromised employee, data exfiltration; ~8%
Phishing-led credential theft — escalating to account takeover; ~8%
DDoS — including extortion-DDoS; ~5%
Data breach (non-ransomware) — exposed databases, S3 misconfigurations, accidental exposure; ~4%
Malware on endpoints — APT-style implants, info-stealers; ~3%

Court-admissible forensic workflow

Forensic work in our engagement is conducted to the standard of evidence usable in Indian courts. The workflow:

1. Chain of custody initiation

Every artifact (disk image, memory dump, log file, packet capture, screenshot) is logged with: artifact ID, source, capture timestamp, capture method, capturing analyst, hash. The chain-of-custody log is digitally signed and stored separately from the artifacts.

2. Write-blocked imaging

Disk images are taken using hardware write-blockers (Tableau forensic bridges) for physical media; logical images of cloud volumes are captured via the cloud provider’s snapshot APIs with subsequent hash verification. Both raw (dd / E01) and forensically-sound (FTK Imager, X-Ways) workflows are available depending on requirement.

3. Hash verification

SHA-256 + MD5 dual-hashing on every artifact. Hashes recorded in chain-of-custody log; periodic re-verification during analysis to ensure artifacts have not been modified.

4. Analysis in isolated environment

All analysis runs against working copies of artifacts, never the original. Original images are stored read-only in our forensic vault (Bengaluru, biometric access).

5. Expert witness availability

Senior forensic responders are available for affidavit, deposition, and court testimony if litigation results from the incident. We have provided expert testimony in Karnataka High Court, Bombay High Court, NCLT proceedings, and CCI investigations.

Malware reverse engineering

For incidents involving novel or sophisticated malware, our reverse-engineering team produces: capability analysis (what the malware does), C2 infrastructure mapping (where it phones home), persistence-mechanism identification, indicator-of-compromise extraction, attribution analysis (which threat actor group, based on TTPs, infrastructure overlap, and code lineage), and remediation guidance.

Toolchain: IDA Pro, Ghidra, x64dbg, Immunity Debugger, Frida (for runtime analysis), Cuckoo Sandbox (for dynamic analysis), Joe Sandbox where appropriate, custom YARA rules for hunting. Analysis is conducted in air-gapped sandboxes; samples are submitted to CERT-In where appropriate for inclusion in their malware-intelligence repository.

Post-incident: lessons, lawsuits, regulator

The work continues after containment. Post-incident deliverables:

Incident final report — root cause, timeline, scope, evidence, remediation, lessons
Regulator submissions — CERT-In, sectoral regulators (RBI, SEBI, IRDAI as applicable)
Insurer claim package — formatted for cyber-insurance claims
Customer / stakeholder communications — drafted in collaboration with your legal counsel
Law-enforcement liaison — coordination with cyber crime cells (Karnataka Cyber Crime Cell, CBI Cyber Crime Cell, NCRB) where the incident is reportable
Hardening recommendations — specific, prioritised actions to prevent recurrence
Tabletop replay — 60-day post-incident exercise to validate hardening

Engagement model — retainer vs ad-hoc

We strongly prefer retainer engagements over ad-hoc IR. Three reasons. First, environment knowledge — retainer onboarding includes log-source mapping, escalation trees, and runbook customisation; without it, the first hour of an incident is spent learning your environment instead of containing the threat. Second, capacity guarantee — retainer clients have priority over ad-hoc requests and queue-jump during multi-incident periods (we have had quarters with 8 simultaneous active incidents; ad-hoc requesters wait, retainer clients do not). Third, cost — the retainer rate is roughly 1/3 the per-hour cost of ad-hoc engagement and includes the strategic value of preparedness.

We will accept ad-hoc engagements but charge premium rates and limit the SLA. If you are reading this page during an active incident and you are not on retainer, call us — we will engage and onboard simultaneously. After the incident is resolved, the retainer conversation is the next step.

Pricing in INR

Tier 1 · Standard retainer

IR Standard Retainer

₹2,40,000/ quarter + GST

24×7 hotline coverage
Sub-15-minute MTTR
40 responder hours / quarter included
CERT-In reporting included
Insurer coordination

Tier 2 · Forensic retainer

IR + Forensics Retainer

₹4,80,000/ quarter + GST

Everything in Standard
120 responder hours / quarter
Court-admissible forensic capacity
Malware analysis included
Quarterly tabletop exercise

Tier 3 · Ad-hoc

Emergency Engagement

₹14,000/ hour + GST

No prior retainer
Best-effort SLA
Senior responder rate
Weekend / unsocial-hour multipliers
Recommended only as bridge to retainer

Common incident patterns in Bangalore SaaS

Compromised AWS / Azure access keys via leaked GitHub commit
Engineer’s laptop stealer-malware harvesting browser-saved credentials
Phishing-led O365 / Google Workspace account takeover, used for BEC
Vulnerable web application leading to webshell deployment
S3 / Blob bucket misconfiguration discovered via public scan
Ransomware via compromised vendor remote-access tool
Supply-chain compromise via npm / pip / maven dependency
Insider exfiltration via sanctioned cloud-storage tool
Misconfigured database (MongoDB, ElasticSearch, Redis) exposed to internet
OAuth-token theft via malicious browser extension
SSO / SAML misconfiguration allowing user impersonation
Compromised CI/CD pipeline with malicious code injection
Privileged-account credential leak via shared password vault
Domain-takeover via subdomain DNS misconfiguration
Distributed denial-of-service extortion attack

IR retainer application by Bangalore industry vertical

Incident-response work is a different discipline by industry. The threat-actor population, the regulatory reporting obligation, the legal exposure, the evidentiary requirements, and the recovery timeline all vary materially by sector. Our retainers are scoped per vertical so the runbook, the responder team composition, and the regulatory submission workflow match the specific industry context.

BFSI — Banks, NBFCs, payment aggregators

BFSI incidents have the highest regulatory load: CERT-In Direction 20(3)/2022 reporting (six-hour clock), RBI specific incident reporting per the Master Direction on outsourcing and the Supervisory framework, audit-firm engagement for the post-incident report, and (often) law-enforcement engagement via the Cyber Crime Cell. Our BFSI runbooks include specific RBI-engagement playbooks, scripts for customer-communication that satisfy RBI’s expectations, and direct contact paths into CERT-In’s BFSI-coordination function. Several of our retainer clients have completed full incident cycles — detection through containment, remediation, regulatory reporting, audit closure, and supervisory-meeting response — without external escalation, because the runbook handled it.

Fintech — Lending, wealth, insurtech

Fintech incidents typically combine cybersecurity exposure with consumer-protection exposure. RBI Digital Lending Guidelines, account-aggregator framework rules, and the Code of Conduct for digital lenders all impose obligations triggered by certain incident types. SEBI and IRDAI add their own reporting expectations for relevant entities. Our fintech retainers include the consumer-protection workflow alongside the cybersecurity workflow — customer communication, grievance-redressal scaling, and reputation monitoring run in parallel with technical containment.

HealthTech — Telemedicine, diagnostics, EHR

HealthTech incidents involving PHI carry both DPDP exposure (sensitive personal data) and clinical-governance exposure (Telemedicine Practice Guidelines, MoHFW expectations). Forensic discipline matters more here than in most verticals because the post-incident litigation risk is higher. Our HealthTech runbooks include MoHFW-engagement protocols, NDHM coordination, and specific clinical-data-integrity verification steps.

Capital markets — Stock brokers, AMCs, RTAs, MIIs

SEBI CSCRF imposes specific incident-reporting cadences and content requirements; see our SEBI CSCRF page. Capital-markets incidents also carry market-abuse risk if customer order data is exposed. Our capital-markets retainers include direct integration with exchange-coordination (NSE / BSE / depository / KRA) for data-flow incidents and specific market-conduct review for any incident with potential customer-position exposure.

SaaS — B2B exporters and consumer products

The largest single category of our retainer clients. Incidents here typically combine technical-incident response (containment, forensics) with customer-communication response (notify customers under contractual breach-notification obligations, manage the procurement-team conversation for customers whose vendor security review is now an active escalation). Our SaaS runbooks include customer-communication templates that Procurement teams find acceptable, breach-notification scripts in plain English suitable for non-technical customer contacts, and the data-package format that most enterprise vendor-security reviews request post-incident.

ITeS / BPO / KPO

ITeS incidents touch customer agreements directly — most ITeS contracts include specific notification, evidence, and remediation obligations to the customer. Our ITeS retainers include customer-contract review at onboarding to map the obligations, runbook templates customised per major customer, and a documentation discipline that supports the multi-customer notification cycles that follow significant incidents.

Ransomware response playbook in detail

Ransomware is roughly 25% of our incident volume in 2025–2026, and the threat-actor population has matured. The current variants we see in Indian engagements include LockBit derivatives, ALPHV / BlackCat (despite operational disruption of the original group, splinter operations continue), Akira, Black Basta, RansomHouse, and several India-focused variants. The methodology below is what we run on every ransomware engagement.

Hour 0–1 — Triage and containment

Senior responder on call within 15 minutes. Initial triage: scope of encryption (which systems, which file shares, which cloud assets), threat-actor identification (ransom note, extension, behaviour pattern), backup status verification (are backups intact and verifiably untampered), exfiltration assessment (was data stolen prior to encryption — most modern actors steal first, encrypt second), business-impact assessment (which operations are degraded, what is the customer-facing impact). Containment: network segmentation to prevent lateral spread, account lockdown for suspected compromised identities, evidence preservation discipline before any clean-up.

Hour 1–4 — Forensic imaging and scope confirmation

Write-blocked imaging of patient-zero systems. Memory dumps where systems are still running. Log preservation across all relevant tiers. Backup integrity verification with hash checks. Confirm the confidence level on exfiltration assessment.

Hour 4–24 — Threat-actor research and decision tree

The decision tree branches on three questions: do we have intact, verifiably-clean backups (if yes, recovery from backups is the path); is exfiltration confirmed (if yes, the engagement extends to the data-breach response track); is the threat actor on a sanctioned list (if yes, ransom payment is legally prohibited regardless of any other consideration).

Hour 24–72 — Recovery from backups (preferred path)

Phased restore prioritised by business-impact. Pre-restore hardening (so the same vulnerability that allowed the original compromise is closed before re-exposure). Post-restore validation. Customer-communication initiated where contractually or legally required.

Hour 72+ — Post-incident

Final report, regulator submissions (CERT-In, sector regulator), insurer claim package, customer-communication completion, hardening recommendations, tabletop-replay scheduling, board-pack briefing. Litigation-readiness preparation for any cases that may follow.

We do not negotiate ransom payment as a service. We coordinate with law-enforcement liaisons (Karnataka Cyber Crime Cell, CBI Cyber Crime Cell, NCRB), with your insurer (most cyber-insurance policies have specific ransom-payment requirements), and (where authorised by you) with third-party negotiators experienced in ransomware-actor engagement. The decision to pay or not pay sits with you, with our advice being typically against payment unless backups are unrecoverable and operational continuity is at existential risk.

Bangalore-specific operational coordination

Operating IR from Bangalore has structural advantages. We are co-located with most of our retainer clients (many of whom are within 8 kilometres of our Indiranagar office); on-site response in Bengaluru is typically a 30-minute drive rather than a flight. The Karnataka Cyber Crime Cell’s technical division is also Bengaluru-based; our working relationship with the cell’s senior staff is years deep and incident escalations move faster as a result. CERT-In’s sectoral coordination teams work standard Indian working hours; our Bengaluru-based team operates on the same clock, which reduces coordination friction during incidents.

For our retainer clients headquartered outside Bengaluru (Mumbai, Pune, Hyderabad, Delhi-NCR, Chennai), we maintain remote-first runbooks with one or two on-site responder dispatches as required. Most incidents resolve without on-site presence, and where on-site is required we mobilise within 12 hours from Bengaluru. For UAE-operations IR (clients with VARA-licensed entities), we coordinate with our UAE operational footprint to provide same-time-zone response.

Tabletop exercises — practice before the incident

The cheapest, highest-leverage IR investment available is the tabletop exercise. A tabletop walks the leadership team and security team through a hypothetical incident, scenario by scenario, with our incident-commander guiding the discussion and surfacing decision-points. The output is identification of gaps in the response plan, alignment between leadership and operational team on decision-authority, and operational familiarity that compresses real-incident response time by 30–50%.

Our retainer includes one tabletop per quarter at Tier 2 and above. Standard scenarios cover ransomware, BEC with fraudulent wire transfer, cloud-account compromise, public data exposure via misconfigured storage, supply-chain compromise, and insider-threat data exfiltration. Each scenario runs 2–4 hours; output is a tabletop report with findings and recommended remediations. Clients who run tabletops consistently for 12+ months show a measurable improvement in real-incident handling — faster decision velocity, tighter communication, more-accurate scope estimation in the first hour. The investment is small; the return when an incident actually happens is large.

Evaluating an IR retainer vendor — eight questions that matter

IR retainer marketing is among the easiest categories of cybersecurity service to over-promise on, because the value of a good retainer only manifests during a real incident. Most clients buying their first retainer evaluate vendors with little hands-on basis for comparison. The questions below are the ones that meaningfully separate competent retainer providers from positioning.

1. Median MTTR — quoted with audit-trail

Ask the vendor for their median MTTR across actual retainer activations in the last 12 months, with willingness to share the underlying activation log under NDA. Vendors quoting a median without supporting data are quoting an aspiration rather than a measurement.

2. Senior-responder availability and roster

Who specifically is on call at 2 AM Sunday on a long weekend? How many senior responders does the vendor have on rotation? Is the on-call rotation national or regional? A retainer with one senior responder and three associates is structurally different from a retainer with five rotating senior responders.

3. Forensic infrastructure

Where does the vendor store forensic images? What is the chain-of-custody discipline? Has the vendor produced expert-witness testimony in Indian courts? Have any of the vendor’s reports been admitted as evidence? These are answerable questions that separate forensics-capable firms from VAPT-firms-with-an-IR-line-item.

4. Regulatory-reporting capability

Will the vendor handle CERT-In Direction 20(3)/2022 reporting end-to-end? RBI / SEBI / IRDAI sectoral reporting where applicable? Insurer-coordination? The boundary between "we will help you with these" and "we own these end-to-end" is operationally significant during an incident.

5. Tabletop frequency and quality

How frequently does the retainer include tabletop exercises? Who delivers them? Does the tabletop output produce a written report and tracked remediation? A retainer without tabletops is structurally weaker than one with quarterly tabletops.

6. Sector-specific runbook

Does the vendor maintain industry-specific runbooks (BFSI, fintech, healthtech, SaaS)? Or do they apply a generic runbook regardless of client context? Industry-specific runbooks compress real-incident response time meaningfully.

7. Insurance-panel position

Is the vendor on the panel of major Indian cyber-insurance carriers? Pre-approval reduces friction during an incident; non-panel vendors need additional carrier approval, which can take days while the incident is active.

8. Engagement transparency

Does the vendor publish pricing? Will they fix the retainer fee in writing? Vendors that decline both are pricing for negotiation rather than for delivery; the actual fee tracks the procurement team’s sophistication.

We answer all eight specifically and in writing during scoping. The questions are useful regardless of which vendor you ultimately engage.

To start an IR retainer, the next step is a thirty-minute conversation about your environment and threat model. Onboarding within five business days of contract signing.