SEBI issued its Cybersecurity and Cyber Resilience Framework (CSCRF) in August 2024 ( circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113), setting enforceable requirements for six categories of regulated entities. Most are still catching up.
In May 2026, SEBI raised the bar again. A new advisory specifically named AI-driven vulnerability detection tools, citing Claude Mythos as an example, as an emerging threat to the securities market ecosystem. It constituted a task force (cyber-suraksha.ai) and directed all regulated entities to plan for autonomous and agentic mitigation.
This guide covers the key application security requirements under CSCRF, what the Mythos advisory adds, where most regulated entities are falling short, and how AppTrana WAAP addresses all of it in one platform.
Where Do You Stand? A 60-Second Check
| Control Area | CSCRF + SEBI AI Advisory Requirement | AppTrana Capability |
| Threat Detection | ML-driven adaptive detection — EV.ST.S1–S3. Risk assessments must be recalibrated for AI-accelerated threats. | Continuous DAST on AI application surfaces, real-time threat detection on AI interfaces, 24×7 expert support |
| API Security | Mandatory above self-certification — PR.AA.S16. API inventory, rate limiting, OWASP API Top 10, whitelist-based access. | Continuous API discovery, shadow API detection, rate limiting, positive security model automation, OWASP API Top 10 enforcement |
| WAF | Explicitly mandated — PR.AA.S1. Configuration must be documented and audit-ready — PR.IP.S15. | Inline WAAP in full block mode from day one, zero false positive guarantee, audit ready. |
| VAPT and Patching | Continuous DAST, major-release VAPT — PR.IP.S15. High severity: 1-week window. Virtual patching endorsed as compliant interim measure. | Built-in AI DAST + integrated AI pen testing for business-logic flaws; SwyftComply autonomous remediation; audit-ready zero-vulnerability report |
| Managed Protection | Managed Protection: 24x7x365 SOC mandatory; Annexure-N scores % of systems integrated per SOC technology (WAF, EDR, DLP, etc.). SOAR–SIEM integration and AI-augmented SOC transformation also required |
24×7 managed service, named expert ownership. AI-driven anomaly detection across WAF, DDoS, bot, and API traffic, tuned and escalated by experts in real time. Native SIEM integration and 1 year log retention for audit-ready coverage evidence |
| Incident Response | 6 hours to notify SEBI. 75-day forensic audit report for High and Critical incidents. | Real-time incident characterisation, 1-year full-verbosity log retention |
What SEBI’s AI Advisory Actually Requires
The May 2026 advisory is an operational directive with three obligations that land directly on top of existing CSCRF requirements.
Virtual patching is now formally endorsed – The circular states that where patches are not available, virtual patching can be considered for protecting systems and networks. Now, SEBI has explicitly named virtual patching in a regulatory directive. If your development team cannot ship a code fix within the CSCRF remediation window, a virtual patch at the WAF edge is the recognised path.
Continuous AI-based vulnerability assessment is now required – Annual scans are not enough. SEBI requires vulnerability assessment using conventional and suitable AI-based tools on a continuous basis.
Your security vendors are under scrutiny too – Exchanges and depositories must direct empaneled application vendors to assess risks from AI-led vulnerability detection tools and implement appropriate safeguards including patching, VAPT, continuous monitoring, and hardening.
Other CSCRF Requirements in Depth
Requirement 1: Automated Threat Detection (EV.ST.S1–S3, PR.AA.S17)
CSCRF Evolve standards require correlating security data using mathematical models and machine learning. Standard PR.AA.S17 adds a requirement most teams miss: a documented SOP(Standard Operating Procedure) covering risks from open-source software and emerging technologies including Generative AI. If your developers use AI coding tools and you have no auditable SOP governing how those tools interact with production systems, you are non-compliant today.
Where most teams fall short: The AI tool SOP gap blindsides most teams during audits. Every entity has developers using AI coding tools. Very few have a documented, auditable SOP. PR.AA.S17 makes that a compliance gap. The SEBI AI advisory makes it urgent.
Requirement 2: API Security (PR.AA.S16)
Above self-certification level, API security is mandatory across five areas: API discovery and inventory, rate limiting, strong authentication, OWASP API Top 10 mitigation, and whitelist-based access. APIs also get their own VAPT scope under Annexure-L. The SEBI AI advisory reinforces all five areas directly in Annexure-A Point 5.
Where most teams fall short: Shadow APIs are the most consistent finding in application security audits. Rate limiting configured at the infrastructure layer stops volumetric attacks but not business logic abuse, where individually valid requests are made at high volume to enumerate records or harvest data.
Requirement 3: WAF in Active Block Mode (PR.AA.S1, PR.IP.S15)
CSCRF explicitly mandates WAF for all internet-facing infrastructure. Standard PR.IP.S15 goes further: WAF configuration is within audit scope. Not just whether you have a WAF, but whether its configuration is documented, reviewed, and audit ready.
Where most teams fall short: The most common WAF gap is monitoring mode. A WAF sitting in monitor mode won’t satisfy PR.AA.S1’s protection mandate. Configuration audit documentation is the second gap, most teams discover it when the auditor asks for it.
Requirement 4: Continuous VAPT and Remediation Windows (PR.IP.S15, PR.MA.S3)
The annual VAPT model is gone. Every major release triggers an additional VAPT cycle. Continuous real-time DAST scanning against OWASP Top 10 and SANS Top 25 CWE is mandatory. Once VAPT completes, the compliance clock starts:
| Activity | Deadline |
| Submit VAPT report with MD/CEO declaration | Within 1 month of completion |
| Close all identified vulnerabilities | Within 3 months of report submission |
| Revalidation confirming all findings closed | Within 5 months of VAPT completion |
Remediation windows under PR.MA.S3: High severity findings must be closed within 1 week. This is where the SEBI AI advisory’s virtual patching endorsement matters most. AI models surface High severity findings in hours. Development teams patch in 60 to 180 days. Virtual patching at the WAF edge closes that gap as a formally compliant interim measure.
Where most teams fall short: Month-five revalidation is the most common audit gap for first-cycle entities. Findings are closed in the tracker, the report is submitted, the team moves on, and the revalidation deadline passes unnoticed.
Requirement 5: 24×7 Managed Protection (DE.CM.S1)
Standard DE.CM.S1 mandates 24x7x365 security operations coverage. The SEBI AI advisory strengthens this: day-to-day monitoring must include low-priority SOC alerts, not just high-severity events. SOAR playbooks integrated with SIEM are required.
Where most teams fall short: Most regulated entities treat 24×7 coverage as having someone on call. Annexure-N efficacy scoring does not care about rosters. It scores asset coverage rates, detection rates, and response times. AI-driven reconnaissance generates low-priority signals that look unconnected in isolation. Teams filtering to high-severity only miss the pattern entirely.
Requirement 6: The 6-Hour Clock and the 75-Day Forensic Report
Six hours to notify SEBI and CERT-In from the moment of detection. Twenty-four hours to submit full details on the SEBI Incident Reporting Portal. For High and Critical incidents, a full forensic audit report is due within 75 days.
Where most teams fall short: The 75-day forensic audit report creates a log retention problem, most teams only discover during an actual incident. A 30-day retention policy leaves no evidence to reconstruct the attack timeline. The 6-hour clock does not pause while you investigate.
Where AppTrana Maps to CSCRF and AI Advisory Obligation
AppTrana provides a single platform to address the key application security requirements outlined in SEBI’s CSCRF and AI advisory.
Threat Detection — Behavioural ML supportsorganizations meet EV.ST.S1–S3 requirements. AppTrana AI Shield adds runtime inspection of LLM interactions with audit-ready logs for PR.AA.S17 compliance.
API Security — Continuous discovery surfaces shadow APIs. Rate limiting and behavioural abuse detection cover volumetric attacks and business logic abuse. OWASP API Top 10 and whitelist-based access enforced across all surfaces, satisfying PR.AA.S16.
WAF — Inline in full block mode from day one with a zero false positive guarantee, satisfying PR.AA.S1. Audit-ready configuration reports address PR.IP.S15 directly.
VAPT and Patching — Built-in AI-powered DAST surfaces vulnerabilities continuously across OWASP Top 10 and OWASP API Top 10, with AI pen testing integrated into the platform to catch business-logic flaws and feed risk-based prioritization and protection. Authenticated scanning goes deeper into session and configuration vulnerabilities that surface-level scans miss. SwyftComply automatically applies virtual patches for identified vulnerabilities and delivers an expert-verified, clean, audit-ready report. Half-yearly VA and annual PT delivered by Indusface’s CERT-In empanelled security team keep the underlying statutory VAPT compliant, and the resulting report addresses the 1-month submission and 5-month revalidation deadlines.
Managed Protection — Supports DE.CM.S1 by providing 24×7 expert assistance. Provides security logs and SIEM integration that support compliance reporting for application security events.
Incident Response — Real-time incident characterisation preserves working space within the 6-hour window. One-year application security logs help support forensic investigations and audit evidence
Submission Is Just the Beginning
SEBI’s AI tools advisory is the clearest signal yet of where enforcement is heading continuous AI-driven discovery, virtual patching as a first-line compliance response, and autonomous mitigation as the long-term operational target. The regulated entities building the right foundation now will be ready. The ones still on annual audits and passive defences will be explaining gaps to auditors while attackers close the gap themselves.
Your next SEBI CSCRF audit starts today. Start a free trial with AppTrana and help address application security compliance gaps before your next SEBI audit.
Stay tuned for more relevant and interesting security articles. Follow Indusface on Facebook, Twitter, and LinkedIn.