CSCRF + AI Advisory · May 2026 · Combined Reference
SEBI CSCRF + AI Advisory Combined Readiness Guide
On 5 May 2026, SEBI issued the AI Vulnerability Detection Advisory (circular HO/13/19/12(1)2026-ITD-1_CIMGI/10873/2026). It must be read in conjunction with CSCRF. This guide maps all 10 Annexure-A directives to CSCRF controls, lays out readiness priorities per tier, and gives you a 90-day sequence.
The 10 directives → CSCRF controls
Each Annexure-A directive maps to one or more CSCRF control families. For each directive, the "Tier impact" field indicates which tiers carry binding obligations, and the "Evidence" field tells you what your auditor will ask for. Directives are numbered 1-10 in Annexure-A order; the per-tier roadmaps below refer to them by that number.
1. Patch immediately + virtual patching
Directive: Update all OS and applications with the latest patches immediately. Where patches are unavailable, adopt virtual patching (WAF, ModSecurity, network ACLs) as an interim measure.
CSCRF controls: PR.MA (Maintenance) + DE.CM (Continuous Monitoring)
Tier impact: All tiers. MIIs + QREs: half-yearly VAPT surfaces patch gaps; virtual patching bridges the window between discovery and vendor release.
Evidence: Patch matrix with a date-applied column. Virtual-patching rationale for each unpatchable finding.

2. Vulnerability assessment with AI-based VA tools
Directive: Conduct VA using conventional AND suitable AI-based tools where possible, on a regular/continuous basis per CSCRF cadences.
CSCRF controls: DE.CM + ID.RA (Risk Assessment) + VAPT framework
Tier impact: All tiers. MIIs + QREs: AI-based VA tools should be integrated into the twice-annual/annual VAPT cycle. Mid/Small/Self-cert: evaluate adoption and document the rationale.
Evidence: AI VA tool evaluation memo. VAPT report referencing the AI-based tooling used.

3. Third-party + COTS vendor risk (shall)
Directive: Engage third-party vendors to release timely patches. Exchanges and Depositories shall direct empanelled application vendors to assess AI-led vulnerability detection risks.
CSCRF controls: GV.SC (Supply Chain Risk Management)
Tier impact: MIIs + QREs: binding. Mid-size: IT Committee consultation. Exchanges/Depositories: additional obligation to direct COTS vendors.
Evidence: Vendor risk assessment letters. COTS vendor AI-risk assessment responses.

4. Change management (including minor changes)
Directive: Any change, including minor changes, must encompass full documentation, impact analysis, review, testing, and secure deployment.
CSCRF controls: PR.IP (Information Protection) + ID.RA
Tier impact: All tiers. Broader than the CSCRF material-change framing: every change, including config changes, hotfixes and dependency bumps, needs documented change control.
Evidence: Change management register. Impact analysis and rollback plan per change.

5. API security
Directive: Maintain an API inventory. Enforce strong authentication/authorisation with least privilege. Implement rate limiting and throttling. Whitelist-based API connections.
CSCRF controls: PR.AA (Access Control) + PR.DS (Data Security)
Tier impact: All tiers. MIIs + QREs: full API inventory and threat modelling. Mid/Small/Self-cert: inventory + authN/Z review.
Evidence: API inventory document. Rate-limit config. AuthN/Z audit trail.

6. SOC monitoring + SOAR/SIEM + M-SOC onboarding (shall)
Directive: All eligible REs shall expedite M-SOC onboarding. Examine ALL SOC alerts, including low-priority ones. Integrate SOAR playbooks with SIEM. MIIs: run awareness workshops for member onboarding.
CSCRF controls: DE.CM + DE.DP (Detection Processes) + M-SOC (CSCRF §4.5)
Tier impact: Small-size + Self-cert: M-SOC mandatory; this is the most time-sensitive obligation. QRE + Mid-size: eligible, so accelerate onboarding. MIIs: run workshops.
Evidence: M-SOC onboarding status. SOAR playbook library. SIEM alert-triage log.

7. CSCRF risk assessment with AI-based threat scenarios
Directive: Include AI-based model capability as a risk scenario in every CSCRF periodic risk assessment. Scenarios include speed-and-scale exploitation, agentic chain abuse and prompt injection.
CSCRF controls: ID.RA (Risk Assessment)
Tier impact: All tiers. MIIs: half-yearly risk assessment includes the AI scenario. QRE + Mid-size: annual assessment includes the AI scenario. Add an AI-attacker scenario to the risk register.
Evidence: Updated risk register with AI-threat entries. Risk assessment report referencing AI scenarios.

8. Zero Trust + system hardening
Directive: Implement a ZTNA architecture. Apply CIS-style hardening: secure configurations, disable unnecessary services and default accounts, least privilege. Network segmentation, no single point of failure, high availability.
CSCRF controls: PR.AA + PR.AC (Access Control) + PR.PT (Protective Technology)
Tier impact: All tiers. The Aug 2025 update reframed ZT as methodology-driven ("approved by IT Committee") rather than prescriptive.
Evidence: ZTNA architecture documentation. System hardening baseline. IT Committee approval record.

9. SBOM + asset inventory
Directive: Periodically update the asset inventory and Software Bill of Materials for all critical applications, including the open-source stack.
CSCRF controls: ID.AM (Asset Management)
Tier impact: All tiers. First SBOM mandate in Indian sectoral regulation. Critical applications only (as defined per CIR/2025/119: same network segment).
Evidence: Asset inventory. SBOM per critical application. Open-source dependency scan report.

10. IT-committee guidance + long-term AI plan (shall)
Directive: MIIs and REs shall seek IT-committee guidance. All REs must prepare a long-term plan for AI in detection and autonomous/agentic mitigation, recalibrate risks, and plan AI-augmented SOC transformation and continuous VA using AI tools.
CSCRF controls: GV.PO (Policy) + GV.OV (Oversight)
Tier impact: Binding for ALL tiers. MIIs + QREs + Mid-size: IT Committee must ratify. Small + Self-cert: MD/CEO/Board must approve. Deliverable: a documented long-term AI strategy.
Evidence: IT Committee minutes addressing the AI plan. Long-term AI strategy document. Risk recalibration memo.
Per-tier readiness roadmaps
MII
Priority: Highest. Items 3, 6c and 10 carry binding "shall" language. M-SOC workshops (item 6c) are your additional obligation; directing COTS vendors (item 3) applies to exchanges and depositories.
Timeline: Weeks 1-4: gap assessment + AI VA tool evaluation. Weeks 5-8: SOAR/SIEM integration + M-SOC workshop design. Weeks 9-12: long-term AI plan + IT Committee submission.

Qualified RE
Priority: High. Items 3, 6c and 10 are binding. Item 7: AI scenario in risk assessment. Item 2: evaluate AI VA tools. Accelerate M-SOC onboarding.
Timeline: Weeks 1-4: AI VA tool evaluation + vendor risk letters. Weeks 5-8: M-SOC onboarding + SBOM generation. Weeks 9-12: AI plan + risk recalibration.

Mid-size
Priority: Moderate. Items 6, 7 and 10 are primary. IT Committee must ratify the AI plan (item 10). Item 2: evaluate AI VA tools. Item 9: SBOM for critical apps.
Timeline: Weeks 1-4: asset inventory + SBOM + AI VA evaluation. Weeks 5-8: AI risk scenario in assessment + SOAR integration. Weeks 9-12: IT Committee AI plan submission.

Small-size + Self-cert
Priority: Focused. Item 6c: M-SOC onboarding is TIME-SENSITIVE. Item 10: AI plan (MD/CEO approval, not IT Committee). Item 7: AI risk scenario.
Timeline: Weeks 1-4: M-SOC onboarding kickoff + asset inventory. Weeks 5-8: SBOM + API inventory + AI risk scenario. Weeks 9-12: AI plan submission.
90-day readiness checklist
Weeks 1–4: Gap assessment
☐ Map current cyber posture against 10 Annexure-A directives
☐ Inventory APIs, COTS vendors, AI/ML pipelines, and SOC log sources
☐ Identify M-SOC onboarding eligibility and gaps
☐ Surface long-term AI plan stakeholders (IT Committee, CISO, board)
☐ Generate SBOM for critical applications
☐ Confirm CSCRF tier classification (use the tier wizard at /compliance/sebi/wizard)
Weeks 5–8: Implementation
☐ AI-augmented VAPT cycle (B-52 or equivalent AI-based VA tool)
☐ Third-party vendor risk assessment letters
☐ API inventory completed + authN/Z audit
☐ M-SOC onboarding: log-source inventory + SIEM integration
☐ SOAR playbooks designed and tested
☐ AI-attacker scenario added to risk register
Weeks 9–12: Submission
☐ Long-term AI plan drafted (Annexure-A item 10 deliverable)
☐ AI plan ratified by IT Committee (or MD/CEO for Small/Self-cert)
☐ Risk register recalibrated for AI-accelerated threats
☐ SOAR/SIEM integration validated
☐ Evidence pack compiled for every Annexure-A item
☐ Board / IT Committee submission packaged
Ready to scope your combined CSCRF + AI Advisory readiness?
Security Brigade has been CERT-In empanelled since 2008. We deliver B-52 powered VAPT, AI-system-defender testing, M-SOC readiness support, and Annexure-A evidence packs.
Source. CSCRF: SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 (20-Aug-2024) read with amendments. AI Advisory: HO/13/19/12(1)2026-ITD-1_CIMGI/10873/2026 (5-May-2026). Reviewed: 2026-05-06. Informational, not legal advice.