The deadline situation
In March 2026, the IT Head of a Mumbai-based stockbroker (we'll call them "TradeCo" — actual name redacted) reached Bachao.AI 5 weeks before the SEBI CSCRF audit submission deadline. TradeCo's previous audit had been done by a Big-4 firm; that firm's quote for the new cycle was ₹26L, 6-week timeline, with engagement-letter delays pushing actual start to 8 weeks away.
5 weeks until deadline. 8 weeks until the Big-4 could start. The arithmetic didn't work.
TradeCo's profile:
- Mid-tier stockbroker, NSE + BSE membership
- 240 employees, ~3 lakh active customers
- 80 critical systems including trading frontend, order matching, settlement reconciliation, KYC, surveillance
- AWS + co-located infrastructure
- Previous audit cycle: 4 High findings, all remediated; 1 Medium open
- Risk: missed submission triggers daily penalty + reputational filing
How the engagement was scoped
Bachao.AI's CEO took the call directly. By end of day 2:
- Engagement letter signed (₹15L for the Large-tier audit)
- 7-day sprint scheduled to start the following Monday
- 80-critical-system inventory pre-shared by TradeCo IT for review
The 4-day audit (faster than the 7-day target)
Monday (Day 1) — discovery + scan kickoff
- 09:30 IST: scope confirmation call (60 min) with IT Head + Compliance Officer + 4 named engineers
- 10:30 IST: AI-assisted asset discovery launched against TradeCo's environment
- 11:00 IST: external attack surface scan launched
- 14:00 IST: internal authenticated scan launched (required pre-approval, granted in scoping)
- 15:00 IST: critical system classification workshop (90 min)
- 16:30 IST: scan results review with TradeCo SOC team (90 min)
- 18:00 IST: end-of-day status: asset inventory signed, all scans complete or running overnight
Tuesday (Day 2)
- 09:00 IST: web app VAPT on TradeCo's trading frontend (4 hrs Bachao team)
- 09:00 IST: API security testing on order routing + settlement APIs (4 hrs)
- 13:00 IST: mobile app testing (Android + iOS trading apps)
- 16:00 IST: backup restore test (TradeCo provided test recovery environment)
- 17:00 IST: sample access review (100 random events from prior 30 days)
- 18:00 IST: end-of-day status: all scanning complete; findings list at 47 items
Wednesday (Day 3)
- 09:00 IST: control-to-evidence mapping for all 64 CSCRF controls
- 10:00 IST: interviews with IT Head, VP Operations, Head of Compliance, named engineers (90 min each)
- 14:00 IST: sample test depth on top 3 critical systems (order matching, settlement, surveillance)
- 17:00 IST: end-of-day status: 47 findings triaged, severity assigned, evidence references locked
Thursday (Day 4)
- 09:00 IST: report drafting (lead auditor + writer + technical reviewer)
- 14:00 IST: draft report review with TradeCo IT Head + Compliance Officer + General Counsel (90 min)
- 15:30 IST: final edits incorporating management responses
- 16:30 IST: final report signed by Bachao.AI CEO + Lead Auditor
- 17:00 IST: senior management certification signed by TradeCo CEO
- 17:30 IST: report uploaded to NSE portal
- 18:00 IST: submission confirmation received from NSE; submission timestamped 17 working days before deadline
What the audit revealed
Final findings:
| Severity | Count |
|---|---|
| Critical | 0 |
| High | 3 |
| Medium | 9 |
| Low | 14 |
| Observation | 5 |
- HC-001 — MFA not enforced on 4 IAM users with production database admin access. Remediation: enforced within 24 hours of finding identification (TradeCo's DevOps closed it during the audit itself). Re-tested and validated.
- HC-002 — Critical patch backlog on 3 production hosts (RHEL 8.6 → 8.10). Remediation owner: Infrastructure Lead. Target close: 2026-04-15. Status as of close of audit: in progress (patch testing in lower environments).
- HC-003 — Order routing API rate limiting absent. A theoretical denial-of-service vector. Remediation: WAF rate-limit rule deployed during audit (closed in-audit).
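Two of the three High findings (HC-001, missing MFA on privileged IAM users, and HC-003, no rate limiting on the order routing API) were closed during the audit and re-tested. The script below is an added illustration of the kind of re-test check an auditor can script for each; it is not Bachao.AI's or TradeCo's tooling. The credential-report column names match the real AWS IAM credential report (CSV from `aws iam get-credential-report`), but the rows, the admin-user list, the account id and the access-log lines are all constructed, and the sliding-window count is a local stand-in for how a WAF rate-based rule would have counted, not a call to AWS WAF.

```python
"""Re-test style checks for HC-001 (MFA) and HC-003 (rate limiting).

Added example, not the audit firm's or the broker's code. All data below
is constructed; only the credential-report column names are real.
"""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample using a subset of the real credential-report columns.
# The root row uses "not_supported" for password_enabled, as the real report does.
CREDENTIAL_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,true,false
dba-alice,arn:aws:iam::111122223333:user/dba-alice,true,false,true
dba-bob,arn:aws:iam::111122223333:user/dba-bob,true,true,false
deploy-svc,arn:aws:iam::111122223333:user/deploy-svc,false,false,true
ops-carol,arn:aws:iam::111122223333:user/ops-carol,true,false,false
"""

# Constructed: users holding production database admin rights. In practice
# this set comes from group/policy membership, which the report does not show.
DB_ADMIN_USERS = {"dba-alice", "dba-bob"}


def users_without_mfa(report_csv: str, privileged: set) -> dict:
    """Return console users with no MFA device, split into 'high' (in the
    privileged set) and 'medium' (everyone else). Identities with no console
    password are skipped: MFA in this report applies to console sign-in, so
    access-key-only service users are a separate control."""
    out = {"high": [], "medium": []}
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["password_enabled"] != "true":  # covers "false" and "not_supported"
            continue
        if row["mfa_active"] == "true":
            continue
        bucket = "high" if row["user"] in privileged else "medium"
        out[bucket].append(row["user"])
    for names in out.values():
        names.sort()
    return out


# Constructed access-log sample for the order-routing API: "<iso time> <client> <method> <path>".
# One client bursts seven POSTs in four seconds; the other behaves normally.
ACCESS_LOG = """\
2026-03-10T09:15:00Z 203.0.113.7 POST /v1/orders
2026-03-10T09:15:00Z 203.0.113.7 POST /v1/orders
2026-03-10T09:15:01Z 203.0.113.7 POST /v1/orders
2026-03-10T09:15:01Z 203.0.113.7 POST /v1/orders
2026-03-10T09:15:02Z 203.0.113.7 POST /v1/orders
2026-03-10T09:15:02Z 203.0.113.7 POST /v1/orders
2026-03-10T09:15:00Z 198.51.100.20 POST /v1/orders
2026-03-10T09:15:30Z 198.51.100.20 POST /v1/orders
2026-03-10T09:16:05Z 198.51.100.20 GET /v1/orders/42
2026-03-10T09:15:03Z 203.0.113.7 POST /v1/orders
2026-03-10T09:17:00Z 203.0.113.7 POST /v1/orders
"""


def clients_over_limit(log_text: str, limit: int, window_s: int) -> dict:
    """Sliding-window request count per client. Returns {client: peak_count}
    for every client whose count inside some `window_s`-second span exceeded
    `limit`. Run over logs from before the WAF rule existed, it shows which
    clients the rule would have throttled; run after, a non-empty result
    means the limiter is not taking effect where the log is captured."""
    events = []
    for line in log_text.splitlines():
        ts, client, _method, _path = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, client))
    events.sort()  # log lines are not guaranteed to arrive in time order
    windows = defaultdict(deque)
    peak = defaultdict(int)
    for when, client in events:
        q = windows[client]
        q.append(when)
        while (when - q[0]).total_seconds() >= window_s:  # drop entries outside the window
            q.popleft()
        peak[client] = max(peak[client], len(q))
    return {client: n for client, n in peak.items() if n > limit}


if __name__ == "__main__":
    print(users_without_mfa(CREDENTIAL_REPORT, DB_ADMIN_USERS))
    print(clients_over_limit(ACCESS_LOG, limit=5, window_s=10))
```

The MFA check deliberately keys severity on a separately sourced privileged-user set rather than on anything in the report itself: the report tells you who lacks MFA, not what they can reach, and HC-001 was High because of the database admin rights, not the missing factor alone. For the rate-limit check, the threshold and window should be set to the values in the deployed WAF rule so the re-test measures the same thing the control enforces.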
What it cost
| Line item | Cost |
|---|---|
| Bachao.AI SEBI CSCRF audit (Large tier) | ₹15L |
| Bachao.AI 30-day follow-up tracking | included |
| TradeCo internal time (8 engineers × 8 hrs over 4 days) | ~₹3L opportunity cost |
| Total Bachao cost | ₹15L |
Savings: ₹11L cash + deadline met.
What TradeCo's IT Head said in the post-audit feedback
"I was sceptical of the 7-day claim. We came in under, even with our system complexity. The report is the highest-quality compliance document we have on file — better than the Big-4 deliverable from last year. The NSE portal accepted it on first upload. Most importantly, the High findings were real — we didn't get a sanitised report; we got the truth, and we fixed two of them during the audit itself."
Pattern this engagement followed
TradeCo's situation is common for Bachao.AI SEBI CSCRF customers:
- SEBI deadline approaching, traditional auditor unavailable or too slow
- Mid-tier or large entity with material critical system count
- IT Head willing to commit team time during the audit (the trade-off for speed)
- Decision-maker authorised to sign engagement quickly
