Sanad · Sovereign Attestation Rail

Signed, verifiable evidence for India’s regulated software supply chain.

Sanad Sign is the India-hosted attestation rail for SBOMs, AIBOMs, and compliance evidence — anchored to hardware identity, chained in a tamper-evident Postgres ledger, and verifiable by any auditor without touching our servers. SBOM requirements are mandated by CERT-In SBOM v2.0 (July 2025) and extended across SEBI CSCRF and RBI guidelines. Built for the era where software and AI models both need provenance.

Status: early access · First design partners onboarding Q2 2026 · CERT-In empanelment application in progress

Why Now

Four mandates converging, one sovereign rail.

01 · CERT-In SBOM v2.0 (July 2025)

Government, essential services, software exporters, and BFSI must generate and maintain SBOMs across QBOM, CBOM, AIBOM, HBOM. Living documents, not one-off artefacts. Enforcement active.

02 · SEBI CSCRF + RBI supply chain

SEBI CSCRF 2024 and RBI 2024 circulars extend SBOM requirements across banks, NBFCs, AMCs, RTAs, custodians. Every BFSI dev pipeline needs signed SBOM output.

03 · Sovereign hosting requirement

Chainguard and Sigstore are US-hosted. Indian government, PSUs, critical infrastructure, and DPDP-constrained BFSI cannot legally use them for sensitive software. India needs its own rail.

04 · AI provenance is coming

EU AI Act, India AI governance, DPDP §12/§13 all point to model bill-of-materials. AIBOM is SBOM with a schema extension. We ship one rail that handles both.

How It Works

Generate → Sign → Register → Verify.

1 · Generate

CycloneDX 1.4-1.6 from Docker/OCI containers, npm / pip / maven / NuGet lockfiles, or Sentinel endpoint inventory. One CLI command, one GitHub Action, or one API call. Every major regulated software stack covered.

2 · Sign

Cosign-compatible signed attestations, anchored to TPM 2.0 hardware identity where available. Every signature chained into a tamper-evident Postgres ledger (SHA-256, genesis-anchored). Independently verifiable without querying our database.

3 · Register

Public or private SBOM registries per tenant. Auditors receive 30-day read-only share links. Sub-second verification across the registry.

4 · Verify

Open-source verifier SDK (JS / Python / Go) lets auditors, regulators, and downstream consumers recompute the entire chain locally. Zero dependency on Sanad servers at verification time.

One Platform, Pluggable Modules

Sanad Sign today. CSCRF, DPDP, RBI and Enforce when you need them.

Every regulated framework becomes an activatable module on the same tenant. You pay for what you need and plug in the next module the day a new mandate comes into force. No second integration. No rip-and-replace.

Primary · ACTIVE

Sanad Sign

SBOM + AIBOM generation, signing, registry, verification.

BFSI · ACTIVE

Sanad CSCRF

SEBI CSCRF compliance — 20 directives, auditor evidence pack.

Endpoint · ACTIVE

Sanad CERT-In

CERT-In CISG-2024-03 directive tracker + Sentinel agent.

Privacy · ACTIVE

Sanad DPDP

DPDP §6/§8/§11-16 controls, consent records, breach tracker.

Consent · 2026

Sanad Consent

DPDP Rule 4 consent-manager infrastructure (go-live 2026-11-13).

Banking · Soon

Sanad RBI

RBI IT Framework for banks, NBFCs, payment systems.

Insurance · Soon

Sanad IRDAI

IRDAI Cybersecurity Framework for insurers.

Kernel · Roadmap

Sanad Enforce

Ring-0 WFP driver for hardware-enforced DPDP §16 residency.

About Sanad

Built by CognoShift. Seed-funded by Startup Haryana. DPIIT-recognised.

Sanad is the flagship product of COGNOSHIFT PRIVATE LIMITED · CIN U85499HR2025PTC130446 · GSTIN 06AAMCC6054B1ZW · Haryana, India. Infrastructure: Supabase ap-south-1 (Mumbai), Vercel edge in Mumbai, all customer data resident in India by default.

Comprehensive patent filing Jan-Feb 2027 · P1 Kernel-Level Sovereign Ingress Filter · P2 Architecture-Agnostic TPM Attestation