Yash founded Security Brigade in 2006 and has led the firm through 6,700+ security assessments across BFSI, government, healthcare, and SaaS. The firm has been CERT-In empanelled since 2008. He is the principal architect of B-52 — the AI-powered pentesting and red-teaming platform that runs inside every Security Brigade engagement — and the founder of ShadowMap, the attack-surface intelligence platform. Yash writes regularly on India regulatory cybersecurity, AI in offensive security, and the engineering inside B-52.
Articles by Yash Kadakia
SEBI CSCRF for Custodians: AUC Tiers & CCI Obligations
Custodians under SEBI CSCRF: Assets Under Custody drives three-tier classification (₹1L Cr, ₹10L Cr thresholds), CCI self-assessment at QRE, and what custodians of every size must do.
May 6, 2026
SEBI CSCRF for KRAs & QRTAs: The April 2025 Demotion & What It Means
KYC Registration Agencies were reclassified from MII to Qualified RE in April 2025. QRTAs (≥2 Cr folios) remain at MII tier. What changed, what stayed, and what KRAs and QRTAs must do now.
May 6, 2026
SEBI CSCRF for AIFs & VCFs: Manager-Level Corpus Rule
CSCRF for Alternative Investment Funds and Venture Capital Funds: the April 2025 manager-level classification, corpus thresholds, sub-100-client exemptions, and what AIF/VCF managers must do.
May 6, 2026
SEBI CSCRF for AMCs & Mutual Funds: AUM-Tiered Classification & Qualified RE Obligations
Asset Management Companies under SEBI CSCRF: AUM-tiered classification (₹10k Cr, ₹1L Cr thresholds), Qualified RE obligations, ISO 27001 voluntary status, and what AMCs of every size must do.
May 6, 2026
SEBI CSCRF for Stock Brokers: The Two-Parameter Rule, Thresholds & QSB → QRE Link
SEBI's April 2025 CSCRF amendment rewrote stock-broker classification: clients OR trading volume determines your tier, and the higher of the two wins. How the two-parameter rule works, what each tier requires, and the QSB auto-classification.
May 6, 2026
The Principle of Exclusivity and Equivalence Under SEBI CSCRF: A Guide for Multi-Regulator Entities
SEBI's August 2025 clarifications introduced two principles for entities regulated by multiple bodies: Exclusivity (CSCRF covers only SEBI-regulated activities) and Equivalence (duplicate audits not required if the other regulator's framework matches). Here's how they work.
May 6, 2026
SEBI CSCRF Data Localisation in Abeyance: What Regulated Entities Should Know
SEBI's Data Localisation mandate (PR.DS.S2) has been in regulatory abeyance since December 2024. What this means for compliance planning, what stays binding, and what to do instead of building a localisation programme that may never activate.
May 6, 2026
August 2025 SEBI CSCRF Technical Clarifications: ISO 27001, PM Revision & More
SEBI's August 2025 technical clarifications made ISO 27001 voluntary for QREs, downgraded Mobile App Security and BAS/CART to recommendatory, narrowed critical-systems scope, and introduced multi-regulator principles. Decoded.
May 6, 2026
What Changed in the April 2025 SEBI CSCRF Amendment
SEBI's April 2025 CSCRF amendment rewrote stock-broker thresholds with a two-parameter rule, reclassified KRAs from MII to QRE, clubbed AIFs+VCFs at the manager level, and introduced the HSM mandate. Here's what every regulated entity needs to know.
May 6, 2026
SEBI CSCRF in 2026: A Complete Guide for SEBI Regulated Entities
A comprehensive guide to SEBI's Cybersecurity and Cyber Resilience Framework — the 5-tier model, 22 entity types, amendment history through Aug 2025, and what every regulated entity needs to do in FY 2026-27.
May 6, 2026
SEBI's May 2026 AI Vulnerability Detection Advisory: What Every Regulated Entity Must Do Now
SEBI just issued an advisory on AI tools like Claude Mythos that find vulnerabilities at speed and scale. 10 directives, 19 regulated-entity categories, and a 90-day path to readiness — decoded.
May 5, 2026