Cyber Incident Response in India — Bachao.AI Methodology

When the incident happens

A cyber incident in India is a regulated event. CERT-In Rule 3 mandates reporting within 6 hours. The DPDP Act requires DPB India notification for personal data breaches. RBI-regulated entities have additional 2-hour and 6-hour reporting obligations. SEBI-regulated entities have their own framework.

A traditional incident response engagement starts with a call and ends with a report. Bachao.AI's IR engagement starts with containment and ends with regulatory closure.

This page describes how we handle incidents.

Engagement modes

Emergency response (no prior relationship):

1. First responder on the call within 30 minutes (24×7)
2. Engagement letter signed via DocuSign in real time
3. Containment actions begin within 60 minutes
4. Suitable when an active incident is happening NOW

1. Pre-signed engagement letter, runbooks pre-shared
2. First responder paged within 15 minutes
3. Containment actions begin within 30 minutes
4. Monthly retainer covers 4 hours of proactive readiness work (tabletops, runbook updates)

The 6-phase response

Phase 1: Containment (Hour 0–4)

The named incident commander takes the call. Within the first 30 minutes:

1. Severity assessment
2. Containment actions agreed with the customer's IT lead
3. Evidence preservation (forensic image captured before any remediation)
4. Customer notification draft started in parallel

CERT-In Rule 3 mandates initial reporting within 6 hours. Bachao.AI's CERT-In submission template is pre-filled with the customer's CSP/UID/registration. We submit the initial report from our side with the customer's approval — typically within 4 hours.

Phase 3: Investigation (Hour 4–48)

Forensic team works on the captured evidence:

1. Initial access vector identification
2. Lateral movement timeline reconstruction
3. Affected data scope determination
4. Persistence and exfiltration assessment

Phase 4: Customer + regulator notification (Hour 24–72)

DPDP Section 8(6) requires DPB India notification for personal data breaches within 72 hours. We draft the notification; the customer's legal counsel reviews; we submit.

If customers (data principals) are affected, we draft the customer notification. Customer's CMO/Legal review; we send.

Phase 5: Remediation (Day 3–14)

The remediation depends on the incident:

1. Credential reset and rotation
2. Identified initial access vector closure
3. Lateral movement path closure
4. Persistence mechanism removal
5. Detection rule deployment for the observed TTPs

Phase 6: Lessons learned + regulatory closure (Day 14–30)

1. Post-incident review with customer executive team
2. Root cause analysis document
3. Updated runbook for similar future incidents
4. Final CERT-In closure report
5. Final DPB India update if required
6. Documentation package for the customer's auditors

What the incident commander does

The named Bachao.AI incident commander is your single point of contact through the engagement. They:

1. Run the war-room channel (Slack/Teams)
2. Coordinate Bachao.AI's forensic + comms teams
3. Speak to your CEO/board on update calls
4. Speak to CERT-In/DPB India officials with you
5. Speak to your audit firm if SOC 2 / ISO 27001 involved
6. Sign off the final report

Common incident types we handle

How to start (retainer)

A retainer engagement starts with a 90-minute scoping workshop. We capture:

1. Critical asset inventory
2. Notification contacts (CEO, CFO, CISO, legal counsel, PR)
3. Pre-approved containment authority
4. Runbook references

Schedule the IR retainer scoping call →

How to start (emergency)

Call the 24×7 IR hotline. First responder on the call within 30 minutes. Engagement letter signed via DocuSign during the call. Containment begins inside 60 minutes.

Emergency IR hotline →

Related: Case Study: Chennai NBFC Ransomware Contained in 4 Hours · CERT-In 6-Hour Reporting Explained