Is Bachao.AI a CERT-In empanelled VAPT auditor?

No. Bachao.AI uses CERT-In aligned methodology — our reports follow the CERT-In Vulnerability Reporting and Responsible Disclosure framework, severity calibration mirrors CERT-In advisory conventions, and our incident response service supports CERT-In Form C / Form D notification drafting. Formal empanellment is a separate Government audit panel; we are not on that panel. For organisations that require empanelled-only reports (some Govt entities, PSUs, regulated banks), engage an empanelled firm in parallel and use our scanning as continuous interim coverage.

When does CERT-In's 6-hour reporting clock apply to my organisation?

CERT-In's April 2022 Direction makes incident reporting mandatory within 6 hours of awareness for any 'reportable cyber incident' impacting Indian users or infrastructure. The 22 incident categories cover unauthorised access, data breaches, ransomware, identity theft, supply-chain attacks, fake mobile apps, IoT compromise, and more. Applies to all service providers, intermediaries, data centres, body corporates, and Govt organisations operating in India — startup size is irrelevant. The clock runs in parallel to DPDP's 72-hour Data Protection Board notification.

What does the CERT-In-aligned report look like?

Findings classified by CERT-In severity bands (Critical / High / Medium / Low / Informational) with CVSS v3.1 base scores, CWE mapping, reproduction steps, evidence (screenshots, payloads, responses), business impact, and remediation guidance. Reproducible PoC for every Critical/High. Executive summary maps to the CERT-In report taxonomy so your CISO can lift sections directly into the Form C narrative if a finding becomes an incident. India-specific compliance overlays (DPDP, RBI IT Framework, SEBI CSCRF) appear alongside the CERT-In track.

What technology infrastructure logging does CERT-In require?

The April 2022 Direction mandates: (1) accurate ICT system clocks synced to NPL or NIC NTP servers, (2) logs of all ICT systems retained for 180 days within Indian jurisdiction, (3) data centres / VPN providers / cloud service providers maintain validated subscriber records for 5 years, (4) virtual asset service providers maintain KYC + transaction records for 5 years. Our VAPT engagements include a logging-coverage audit so you can attest to point (1) and (2) for your in-scope systems.

How does CERT-In aligned VAPT help Indian startups vs international frameworks?

For startups operating in India, CERT-In alignment matters in three places: (1) incident response — when something goes wrong, you must file CERT-In Form C in 6 hours and our pre-built runbook gives you the template; (2) procurement — Indian enterprise + Govt buyers expect CERT-In severity language in vendor security questionnaires; (3) regulator-readiness — RBI/SEBI/IRDAI security audits all reference CERT-In conventions even when the actual control framework is sectoral. SOC 2 and ISO 27001 buyers from the US/EU don't care about CERT-In specifically, but they do care that your incident response works — so the alignment is dual-purpose.

CERT-In Aligned VAPT India — Methodology + 6-Hour Reporting Support

CERT-In aligned, India-first

Bachao.AI is built in India for India. CERT-In aligned methodology, India-geo scanning infra, 6-hour incident reporting runbook ready before you need it.

Honest disclosure: we are NOT formally CERT-In empanelled. We use the same methodology and report taxonomy so your incident response and procurement teams can lift findings directly.

CERT-Inaligned methodology

6 hrsincident reporting

180 dayslog retention guidance

Indiageo-located scanning

Book a free CERT-In aligned scan Talk to our team

CERT-In aligned methodology6-hour incident reporting supportIndia-located logging

What 'CERT-In aligned' means at Bachao.AI

We use the CERT-In Vulnerability Reporting and Responsible Disclosure framework as the spine of our methodology — severity bands, report taxonomy, evidence requirements, and remediation language all mirror CERT-In conventions. Our incident response service provides the Form C narrative template, the 22-category incident taxonomy reference, and the 6-hour response runbook so that when a finding becomes an actual incident, your team is not drafting from scratch under deadline pressure. We are intentionally up-front: 'CERT-In aligned' is a methodology claim, not an empanellment claim. If your procurement explicitly requires an empanelled firm, engage one — and use us in parallel for continuous interim coverage between their engagements.

The 6-hour incident reporting obligation — who it applies to

CERT-In's April 2022 Direction mandates incident reporting within 6 hours of awareness for any reportable cyber incident impacting Indian users or infrastructure. Scope is broad:

Service providers — anyone offering ICT services in India, including foreign SaaS with Indian users
Intermediaries — social platforms, marketplaces, payment gateways, messaging services
Data centres + cloud service providers + content delivery networks operating in India
Body corporates — every company registered in India regardless of size or sector
Government organisations — central, state, PSUs, autonomous bodies
Virtual asset service providers — exchanges, custodians, brokers
Sectoral overlay — banks (RBI), capital market entities (SEBI), insurers (IRDAI) have additional reporting obligations on top of CERT-In

The 22 reportable incident categories

CERT-In's Direction lists 22 incident categories that trigger the 6-hour reporting obligation. Highlights:

Unauthorised access to ICT systems / data — the broadest catch-all category
Data breach / data leak — including accidental exposure (e.g. misconfigured S3 bucket)
Ransomware / cryptojacking — both encryption-for-ransom and stealth crypto-mining
Identity theft, spoofing, phishing — including business email compromise affecting Indian users
DDoS attacks — even attempted ones meeting the threshold
Attacks on critical information infrastructure as notified
Fake mobile apps impersonating Indian organisations or services
Attacks on IoT devices and associated networks
Attacks on systems related to e-Governance, e-Commerce or digital payments
Supply chain attacks via third-party software / hardware components
Attacks on or attempts to compromise AI / ML systems

India-located scanning + logging infrastructure

Per the April 2022 Direction's logging clause: ICT system logs must be retained for 180 rolling days within Indian jurisdiction. Our scanning infrastructure runs on AWS Mumbai (ap-south-1), our scan logs are India-resident, and our report storage uses the bachao-reports S3 bucket in Mumbai. For organisations that need to attest in-jurisdiction logging in their CERT-In disclosures, our scan evidence + log retention satisfies that data-residency requirement without additional vendor controls.

Pre-built CERT-In Form C narrative template

Form C is the standard CERT-In incident reporting form. The 6-hour clock means the form gets filed before the forensic scope is fully resolved — most teams either underreport (treated as concealment) or overreport (creates regulator follow-up overhead). Our pre-built template covers the seven Form C fields with placeholders aligned to common incident categories. Where a Bachao.AI VAPT finding becomes an active incident, the report sections (CVSS, CWE, evidence, business impact, remediation status) lift directly into the Form C narrative. Read our incident response service description at /incident-response.

How CERT-In alignment compares with international frameworks

If you're selling to US/EU enterprise, your buyer asks about SOC 2 and ISO 27001 — not CERT-In. If you're selling to Indian enterprise, PSUs, regulated entities, or Govt, CERT-In language appears in every vendor security questionnaire. The two are not in conflict. A single VAPT engagement can produce evidence aligned to SOC 2 CC7.1 (see /vapt-for-soc2-compliance), ISO 27001 A.8.8 (see /vapt-for-iso27001-compliance), and CERT-In severity bands — three documentation tracks from one assessment. DPDP Act 2023 requires the same incident response posture (72-hour Board notification on top of the 6-hour CERT-In clock — see /dpdp-breach-notification-checklist).

CERT-In aligned VAPT for Indian organisations — free first scan

Get a CERT-In aligned executive summary in hours and a full report within days. India-located infra. Form C runbook included.

Book free scan Talk to our team

Explore more products

Bachao.AI covers your entire security surface — from code to cloud to compliance.

AI VAPT Scanner

Automated penetration testing for web apps and APIs. Results in under 2 hours.

Learn more →

API Security Testing

OWASP API Top 10 coverage for REST and GraphQL endpoints.

Learn more →

Cloud Security Audit

AWS, Azure & GCP misconfiguration detection with DPDP mapping.

Learn more →

What 'CERT-In aligned' means at Bachao.AI

The 6-hour incident reporting obligation — who it applies to

CERT-In's April 2022 Direction mandates incident reporting within 6 hours of awareness for any reportable cyber incident impacting Indian users or infrastructure. Scope is broad:

Service providers — anyone offering ICT services in India, including foreign SaaS with Indian users

Intermediaries — social platforms, marketplaces, payment gateways, messaging services

Data centres + cloud service providers + content delivery networks operating in India

Body corporates — every company registered in India regardless of size or sector

Government organisations — central, state, PSUs, autonomous bodies

Virtual asset service providers — exchanges, custodians, brokers

Sectoral overlay — banks (RBI), capital market entities (SEBI), insurers (IRDAI) have additional reporting obligations on top of CERT-In

The 22 reportable incident categories

CERT-In's Direction lists 22 incident categories that trigger the 6-hour reporting obligation. Highlights:

Unauthorised access to ICT systems / data — the broadest catch-all category

Data breach / data leak — including accidental exposure (e.g. misconfigured S3 bucket)

Ransomware / cryptojacking — both encryption-for-ransom and stealth crypto-mining

Identity theft, spoofing, phishing — including business email compromise affecting Indian users

DDoS attacks — even attempted ones meeting the threshold

Attacks on critical information infrastructure as notified

Fake mobile apps impersonating Indian organisations or services

Attacks on IoT devices and associated networks

Attacks on systems related to e-Governance, e-Commerce or digital payments

Supply chain attacks via third-party software / hardware components

Attacks on or attempts to compromise AI / ML systems

India-located scanning + logging infrastructure

Pre-built CERT-In Form C narrative template

How CERT-In alignment compares with international frameworks

CERT-In Aligned VAPT for Indian Organisations — Methodology + Incident Reporting Support

What 'CERT-In aligned' means at Bachao.AI

The 6-hour incident reporting obligation — who it applies to

The 22 reportable incident categories

India-located scanning + logging infrastructure

Pre-built CERT-In Form C narrative template

How CERT-In alignment compares with international frameworks

CERT-In aligned VAPT for Indian organisations — free first scan

Explore more products

AI VAPT Scanner

API Security Testing

Cloud Security Audit

CERT-In Aligned VAPT for Indian Organisations — Methodology + Incident Reporting Support

What 'CERT-In aligned' means at Bachao.AI

The 6-hour incident reporting obligation — who it applies to

The 22 reportable incident categories

India-located scanning + logging infrastructure

Pre-built CERT-In Form C narrative template

How CERT-In alignment compares with international frameworks

CERT-In aligned VAPT for Indian organisations — free first scan

Explore more products

AI VAPT Scanner

API Security Testing

Cloud Security Audit