In April 2022, India's Computer Emergency Response Team (CERT-In) issued a directive that changed the compliance landscape for every enterprise operating in the country. The mandate: report cybersecurity incidents to the government within six hours of detection. Not 24 hours. Not 72 hours. Six.
Two years on, a large number of Indian enterprises still do not have a structured process that meets this requirement. Many have awareness of the rule — but awareness and operational readiness are not the same thing. When an incident occurs at 2 AM on a Sunday, the clock starts ticking regardless of who is awake.
What the CERT-In Mandate Actually Requires
The directive covers a broad range of incidents, including data breaches, ransomware attacks, identity theft, DDoS attacks, website defacements, unauthorised access to IT systems, and attacks on critical infrastructure. If any of these occur within your environment — or within a third-party system you operate — you are required to report it to CERT-In within six hours.
- Report within 6 hours of detecting the incident — not within 6 hours of confirming it
- Maintain logs for 180 days and provide them to CERT-In upon request
- VPN and cloud service providers must collect and store subscriber data for 5 years
- All ICT systems must synchronise clocks with NTP servers of NIC or NPL
- Non-compliance attracts penalties under the IT Act, 2000
The 6-hour clock starts from detection — not from confirmation or investigation. If your monitoring tool raises an alert at 11 PM, the reporting deadline is 5 AM. Your on-call process needs to be able to file a report while the investigation is still underway.
Why Most Enterprises Are Not Ready
We have assessed the security posture of dozens of Indian enterprises across BFSI, manufacturing, and healthcare over the past two years. The gap we see most consistently is not technical — it is procedural. The detection capability often exists. What is missing is a documented, tested process that turns a detection event into a filed report within six hours.
- Alert fatigue: monitoring tools generate hundreds of alerts daily, making genuine incidents hard to identify quickly
- No defined owner: it is unclear who has authority to file a CERT-In report at 2 AM
- Poor log centralisation: pulling the required incident data from disparate systems takes hours
- Lack of a pre-approved report template: writing the report from scratch under time pressure leads to errors and delays
- No tested runbook: the process has never been rehearsed, so it breaks under real-world conditions
A 5-Step Framework for 6-Hour Compliance
Step 1: Define what constitutes a reportable incident
Not every security alert is a CERT-In reportable incident. Document a clear classification matrix that maps alert types to reporting obligations. Your SOC team should be able to apply this without escalating to legal counsel at 3 AM.
Step 2: Assign a 24/7 reporting owner
Designate an incident reporting officer with authority to file reports. Create an on-call rotation. Ensure this person has direct access to CERT-In's reporting portal and a pre-populated report template with your organisation's details.
Step 3: Centralise your logs
CERT-In will ask for logs. If those logs are spread across firewall management consoles, endpoint agents, cloud portals, and application servers, you will not be able to compile them in time. A SIEM or centralised log management system is not optional — it is what makes the 6-hour window achievable.
Step 4: Build and automate the runbook
A compliance runbook for CERT-In reporting should include: detection trigger criteria, initial containment steps, log collection procedure, report filing steps, internal notification chain, and evidence preservation protocol. With automation, the first three of these (trigger evaluation, initial containment, and log collection) can execute in minutes rather than hours, leaving most of the 6-hour window for the human decisions that remain.
Step 5: Drill it quarterly
A runbook that has never been tested is a plan on paper. Run a tabletop exercise every quarter. Inject a simulated incident on a Friday evening. See how long it takes your team to reach the reporting stage. Compress that time with each drill.
Organisations using automated runbooks for incident response consistently reduce their mean time to report by 65-80% compared to manual processes. The investment in automation pays for itself the first time you face a real incident.
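As an added example, not Cognexa's Surakshitam code and not anything published by CERT-In, the following Python helper sketches the automatable core of Steps 1, 2 and 4: a classification matrix keyed on alert types, a deadline calculator that starts the clock at detection rather than confirmation (the 11 PM to 5 AM case from above), and a pre-populated preliminary report. The alert labels, report field names and IST clock handling are assumptions; the incident categories are the ones the directive summary on this page lists.

```python
# Added example, not Cognexa's or CERT-In's code. Alert labels, field names and IST
# clock handling are assumptions; the categories come from the directive summary above.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
IST = timezone(timedelta(hours=5, minutes=30))
REPORT_WINDOW = timedelta(hours=6)  # runs from detection, never from confirmation

# Step 1: classification matrix; None means "not reportable on its own".
REPORTING_MATRIX = {
    "ransomware_detected": "Ransomware attack",
    "data_exfiltration": "Data breach",
    "unauthorised_admin_login": "Unauthorised access to IT systems",
    "port_scan": None,
}

def at_ist(iso_ts: str) -> datetime:  # naive ISO timestamp from an NTP-synced IST clock
    return datetime.fromisoformat(iso_ts).replace(tzinfo=IST)

@dataclass
class Alert:
    alert_type: str
    detected_at: datetime                    # when the monitoring tool raised it
    confirmed_at: Optional[datetime] = None  # analyst confirmation; ignored for the clock

def classify(alert: Alert) -> Optional[str]:
    """CERT-In category, or None; unmapped alert types must go to the reporting owner."""
    if alert.alert_type not in REPORTING_MATRIX:
        raise KeyError(f"unmapped alert type {alert.alert_type!r}: escalate to owner")
    return REPORTING_MATRIX[alert.alert_type]

def report_deadline(alert: Alert) -> datetime:
    if alert.detected_at.tzinfo is None:
        raise ValueError("detection time must be timezone-aware (synced clock)")
    return (alert.detected_at + REPORT_WINDOW).astimezone(IST)

def minutes_remaining(alert: Alert, now: datetime) -> int:
    return int((report_deadline(alert) - now).total_seconds() // 60)

def draft_report(alert: Alert) -> Optional[dict]:
    """Pre-populated preliminary report (Step 2 template); None if nothing to file."""
    category = classify(alert)
    if category is None:
        return None
    return {
        "incident_category": category,
        "detected_at": alert.detected_at.astimezone(IST).isoformat(),
        "report_deadline": report_deadline(alert).isoformat(),
        "status": "preliminary: investigation still underway",
    }
```

The unmapped-type branch is deliberate: an alert the matrix does not know about is an escalation to the on-call reporting owner, not a silent drop.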
How Surakshitam Addresses This
Cognexa's Surakshitam platform integrates Kavach (managed firewall), Durg (continuous vulnerability scanning), and our 24/7 security operations team into a single managed service. For CERT-In compliance specifically, Surakshitam provides pre-built incident classification matrices, automated log centralisation, a maintained CERT-In report template, and a tested escalation runbook — all included in the standard deployment. Clients have used this to file accurate CERT-In reports within 90 minutes of detection.
If you are not currently certain your team could file a complete CERT-In report within six hours of a major incident, that is the right starting point for a conversation. The penalty for non-compliance is real. More importantly, the damage from an incident that is not contained quickly is worse.