SEBI advisory on AI vulnerability detection tools.
Compliance, decoded.

The document is titled "Advisory" but several items use directive language. Item 3 (Exchanges and Depositories "shall direct" empaneled application vendors) and item 6c ("all eligible REs not yet onboarded shall expedite" M-SOC onboarding) are clear "shall" obligations. Item 10 mixes a "shall seek guidance from their respective IT committees" obligation with a "need to prepare" expectation around the long-term AI plan itself — the consultation is binding, the plan is directory. The advisory is issued under Section 11(1) of the SEBI Act, 1992 — the same statutory authority CSCRF was issued under. Treat the "shall" items as required; treat the "should" and "need to prepare" items as expected with audit-trail evidence.

The advisory explicitly says it should be read in conjunction with the Cybersecurity and Cyber Resilience Framework. Where CSCRF mandated periodic VAPT and risk assessment, this advisory adds AI-based VA tools (Annexure-A item 2), AI-aware risk scenarios (item 7), M-SOC onboarding (item 6c), SBOM (item 9), and a long-term agentic-defence plan (item 10). This advisory does not change CSCRF's existing VAPT cadence (annual for MIIs, half-yearly for QREs, change-driven for all REs); it adds AI-aware controls inside that cadence. Treat the two as one continuous control set, not separate workstreams.

The advisory says "using conventional and suitable AI-based Vulnerability Assessment Tools where possible." That language is permissive on the AI side ("where possible") but mandatory on the assessment ("Conduct Vulnerability Assessment"). In practice, regulated entities should be evaluating AI-based VA tooling for adoption — and engaging auditors who already operate AI-driven testing platforms. Security Brigade has been delivering AI-driven VAPT through B-52 for years.

No. The advisory addresses 19 categories of regulated entities — including AIFs, mutual funds, AMCs, portfolio managers, investment advisors, research analysts, KRAs, RTAs, merchant bankers, custodians, debenture trustees, and venture capital funds — alongside the more obvious MIIs (exchanges, depositories, clearing corporations, brokers).

The Market SOC (M-SOC) is a centralised security platform jointly established by NSE and BSE that provides 24x7 real-time monitoring and threat detection across digital infrastructure. The advisory directs that "all eligible REs (not on boarded with any M-SOC) shall expedite the onboarding." MIIs are also required to run awareness and handholding programs to support member onboarding.

A task force constituted by SEBI ([email protected]) comprising representatives from MIIs, QRTAs, all QREs, and other stakeholders. Its mandate covers AI cyber-risk examination, threat-intelligence sharing, priority incident reporting, and review of third-party vendor security posture. It is the standing forum through which subsequent guidance is likely to flow.

The advisory cites "Claude Mythos" as a representative example of AI-driven vulnerability identification tools — the named threat is the class of capability, not a single product. SEBI is signalling that the regulator is tracking AI tools that can identify and exploit vulnerabilities at speed and scale — and expects regulated entities to recalibrate their cyber posture accordingly.

A four-track engagement: (1) gap assessment against Annexure-A; (2) full B-52-powered VAPT covering AI-augmented attacker scenarios and AI-system-defender scenarios; (3) M-SOC onboarding readiness and SOAR/SIEM tuning; (4) long-term AI defence plan for IT-committee submission. CERT-In empanelled since 2008, with 370+ BFSI engagements and the B-52 platform inside every assessment.