SEBI CSCRF · CART · As of May 2026

Continuous Automated Red Teaming for SEBI Regulated Entities

CSCRF mandates half-yearly red teaming for MIIs and Qualified REs. ShadowMap CART provides continuous automated attack simulation between audit cycles — keeping your attack surface tested, not just assessed.

CSCRF's red teaming mandate

Per CSCRF §4 (DE.DP.S4), red teaming exercises are mandatory at the following cadences:

MIIs

Half-yearly red teaming. Full-scope, multi-stage, multi-vector attack simulation covering all critical systems.

Qualified REs

Half-yearly red teaming. Same scope and methodology as MIIs, covering both external and internal attack simulation.

Mid-size and below

No mandatory red teaming. BAS/CART is recommended in consultation with the IT Committee (per the Aug 2025 clarification).

Red teaming under CSCRF is distinct from VAPT. It simulates a real-world adversarial campaign — multi-stage, multi-vector, with a defined objective (data exfiltration, trading-system compromise, clearing-settlement bypass). The deliverable is an attack-narrative report, not a vulnerability list.

ShadowMap CART — continuous between audits

What CART does

Automated attack simulations against your external attack surface — every day, not just twice a year. Multi-stage attack-chain mapping. Exploitability verification. Credential-stuffing and brute-force simulation. New-exposure triggered re-simulation.

How it complements Security Brigade (SB) red teaming

CART runs continuously — discovering new vulnerabilities, simulating attacks, flagging exploitable paths. When your half-yearly CERT-In empanelled red team engagement approaches, Security Brigade picks up CART's current-state data and conducts the full-scope manual red team — validating findings, executing the human-driven attack chain, and producing the audit-grade report.

CART capabilities

· Multi-stage attack-chain simulation

· Exploitability verification (not just detection)

· Credential-inventory testing (stealer-log integration)

· Multi-host asset tiering and targeting

· Lateral-movement path simulation

· Persistence and OPSEC isolation testing

· New-exposure triggered automatic re-simulation

· Attack-narrative export for audit evidence

· MITRE ATT&CK technique mapping

Aug 2025 clarification: BAS/CART now IT Committee-driven

Per CIR/2025/119, the original CSCRF language ("shall deploy BAS/CART") was softened to: "Recommended in consultation with the IT Committee."

What this means for MIIs and QREs

Half-yearly manual red teaming is still mandatory. CART/BAS is an additional IT Committee-recommended layer — continuous automated testing between the mandatory manual engagements.

What this means for Mid-size and below

No mandatory red teaming exists. CART/BAS can be recommended by the IT Committee as a proportionate control — providing automated attack-surface testing without the cost of a full manual red team.

Ready to deploy CART for your CSCRF compliance?

Security Brigade InfoSec Pvt. Ltd. · CERT-In Empanelled since 2008 · www.securitybrigade.com · www.shadowmap.com · [email protected]