SEBI CSCRF DEADLINE — 1 APR 2025 PASSED · INSPECTIONS UNDERWAY

CSCRF compliance, audit-ready in 30 days.

सनद — हर अनुपालन का प्रमाणिक रिकॉर्ड।

Sanad is the only India-built compliance platform with a hardware-attested endpoint agent, dual-audit verification, and a tamper-evident chain that maps directly to all four parts of SEBI's Cyber Security & Cyber Resilience Framework — for stock brokers, AMCs, custodians, and KRAs.

Schedule a Readiness Assessment →Take Free 10-min CSCRF Self-Check →

No obligation. Scored against all 4 CSCRF parts. Report delivered to your inbox.

SEBI Circular · Aug 2024

"All SEBI-registered intermediaries shall be in compliance with the Cyber Security and Cyber Resilience Framework."

SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113
100%
of brokers, AMCs, custodians, KRAs are in scope. SEBI inspections began Q4 2025.
Built For
SEBI Stock BrokersMutual Fund AMCsCustodiansKRAsDepository Participants

CSCRF Coverage

All four parts of the framework. One platform.

Sanad maps every CSCRF control to a deterministic Boolean check — auto-monitored where possible, attested where required. Evidence is signed at the endpoint with TPM-rooted cryptography and chained in a tamper-evident ledger that any external auditor can independently re-verify.

PART I

Governance & Risk Management

Cyber security policy, board-approved framework, designated CISO, periodic risk assessments. Sanad ships a CISO-ready policy template and tracks board approval cycles automatically.

12 controls · 9 auto-tracked · 3 attested
PART II

Identification, Protection & Detection

Asset inventory, access control, endpoint protection, network segmentation, vulnerability scanning, security event logging with 180-day retention. Sanad's Sentinel agent monitors all endpoints continuously and ships HMAC-signed logs to your nominated storage.

28 controls · 22 auto-tracked · 6 attested
PART III

Response & Recovery

Incident response procedures with 6-hour reporting to CERT-In and SEBI, business continuity testing, periodic recovery drills. Sanad routes incidents to both CERT-In and SEBI SCORES portals from a single console.

14 controls · 8 auto-tracked · 6 attested
PART IV

Audit, Assurance & Reporting

Annual third-party VAPT, half-yearly cyber audit by SEBI-empanelled auditor, hardware-rooted evidence chain. Sanad generates a SEBI-format compliance report and an auditor-ready evidence pack with one click.

9 controls · all evidence-anchored to TPM chain

See Sanad In Action

The CSCRF dashboard your CISO presents to the board.

Live control status across all four CSCRF parts. Continuously-updated evidence chain. One-click auditor pack. Your Risk Committee reviews posture in minutes, not weeks.

cognoshift.in/portal — CSCRF Command Center
Your tenant · live

SEBI CSCRF Compliance Posture

94/100
Last updated: 3 min ago
PART I
Governance
12/12
PART II
Protection
26/28
PART III
Response
14/14
PART IV
Audit
8/9
!
2 endpoints missing Windows Update KB5068865
CSCRF Part II §3.4(b) — patch management. Affects 2/127 endpoints. Auto-remediation available.
127 endpoints monitoredTPM-signed last 5 minChain intact

Live preview from our test tenant. Your tenant will look like this on Day 1.

Deployment in 30 Days

From contract to auditor-ready. In 30 days.

You sign Monday. Your auditor has evidence by end of month. Here's how.

Day 1-3

Onboard

License key emailed. Sanad portal provisioned. CISO + IT admin user setup. 45-minute kickoff call with our engineering team.

Day 4-10

Deploy Sentinel

Sentinel.exe pushed to all endpoints via your MDM (Intune, GPO, JAMF). No manual install. First heartbeats within hours of deployment.

Day 11-20

Close Gaps

Dashboard surfaces every gap mapped to CSCRF sub-clauses. Work with our team to remediate. Self-attest controls where auto-monitoring isn't applicable.

Day 21-30

Audit Ready

Generate auditor-pack PDF. Share read-only audit view link with your SEBI-empanelled auditor. Present board-level dashboard to Risk Committee.

Pricing

Annual contracts. No per-endpoint surprises.

Pricing scales with regulatory tier, not user count. All tiers include the Sentinel endpoint agent for unlimited endpoints within your registered legal entity, the full CSCRF Part I-IV control set, and an auditor-ready evidence pack.

Sanad CSCRF Lite

Tier-3 brokers · < ₹500 cr daily turnover

₹2.4 L

per year · annual upfront · + GST

  • Up to 25 endpoints
  • CSCRF Part I-IV control coverage
  • Sentinel agent · 180-day log retention
  • Auditor-ready evidence pack (annual)
  • Email support · 48-hour SLA
Schedule Assessment
MOST CHOSEN

Sanad CSCRF Standard

Tier-2 brokers · ₹500-5,000 cr daily turnover

₹6 L

per year · annual upfront · + GST

  • Up to 100 endpoints
  • CSCRF Part I-IV + tamper-evident evidence chain
  • Hardware-rooted TPM signing
  • Tamper-evident audit chain
  • Half-yearly evidence pack + VAPT scope export
  • Priority support · 24-hour SLA
Schedule Assessment

Sanad CSCRF Pro

KRAs, mid-size AMCs, depository participants

₹12 L

per year · annual upfront · + GST

  • Unlimited endpoints
  • Full CSCRF + RBI / IRDAI multi-framework
  • Dedicated Sanad portal sub-domain
  • Quarterly compliance review with engineer
  • Direct CERT-In + SEBI SCORES integration
  • Phone support · 4-hour SLA
Schedule Assessment

How Sanad Compares

Honest comparison. Including the alternatives.

CSCRF compliance is usually built one of four ways. Here's where each approach wins and where it falls short.

ApproachAnnual CostTime to ReadyEvidence DepthCSCRF-specific
Sanad CSCRF
Purpose-built, India-made
₹2.4-12 L30 daysHardware-attested100%
Enterprise SOC Vendor
Sequretek, SecureLayer7, K7
₹15-40 L60-90 daysLog-basedPartial · generic SOC
Big 4 Consulting
PwC, KPMG, Deloitte, EY
₹30-80 L90-180 daysManual documentation100% · human-led
In-house Build
Internal IT + SIEM setup
₹20-60 L6-12 monthsVaries wildlyDIY mapping burden

Where Sanad loses: very large entities (>1,000 endpoints) may prefer a full-service SOC. Where Sanad wins: purpose-built CSCRF mapping + hardware attestation + 5-10x lower price. We'll tell you honestly if Sanad isn't the right fit.

Three Ways to Procure

Flexible procurement. Choose your path.

1

Direct Purchase

Email sanad@cognoshift.in. Signed MSA + PO within 7 days. GST invoice from COGNOSHIFT PRIVATE LIMITED (CIN, GSTIN verified). Annual upfront payment via Razorpay or NEFT.

7 days · signed
2

Via Your CERT-In Auditor

Most CERT-In empanelled cyber audit firms can bundle Sanad into their annual CSCRF audit engagement. We pay referral, you get single invoice. Contact us for auditor firm list.

14 days · bundled
3

Government e-Marketplace

GeM listing coming Q3 2026 for PSU brokers, public-sector AMCs, and government-held institutions requiring GeM procurement. Join waitlist for GeM availability.

Q3 2026 · GeM

Frequently Asked Questions

What compliance buyers ask us first.

What is your data residency? Can you attest to India-only hosting?+
100% India-hosted. Our Supabase Postgres runs in ap-south-1 (Mumbai), Vercel deployments route through Indian POPs, and all backups stay within India. We can sign a data-residency attestation as part of your MSA. No data leaves Indian soil, ever.
Do you have SOC 2, ISO 27001, or CERT-In empanelment?+
CognoShift is CERT-In compatible (our platform implements the same controls we help you comply with). SOC 2 Type I and ISO 27001 certifications are in progress — target completion Q3 2026. We can share our current security posture documentation during your due diligence. For auditors, our hash-chained audit ledger provides cryptographic proof independent of our certification status.
How does Sanad compare to Sequretek or other enterprise SOC vendors?+
Sequretek, SecureLayer7, and similar vendors provide broad SOC services including 24x7 monitoring, SIEM tuning, and human analyst response. Sanad is purpose-built for CSCRF compliance — narrower scope, deeper mapping, 5-10x lower price. For brokers under 500 endpoints who need audit-ready evidence fast, Sanad is designed for you. For large AMCs needing continuous human SOC, a traditional SOC vendor may fit better. We'll tell you honestly during the assessment call.
Can I integrate with my existing SIEM (Splunk, ArcSight, Elastic)?+
Yes. Sanad Sentinel ships HMAC-signed logs in NDJSON format that any SIEM can ingest. For the Pro tier, we provide dedicated log-forwarding endpoints. For Lite/Standard, logs are available via API pull. Your SIEM keeps being the system of record for real-time detection; Sanad is the system of record for compliance evidence.
How is Sanad deployed to endpoints? Does it work with Intune / GPO?+
Sentinel ships as a signed Windows executable (Linux support in Pro tier). Deployment methods: (1) Microsoft Intune MDM push, (2) Active Directory Group Policy, (3) JAMF for macOS environments, (4) manual install for small deployments. A single PowerShell script (deploy.ps1) handles silent rollout across your fleet. First heartbeats appear within 10 minutes of deployment.
What happens when I renew? Are there lock-ins?+
Annual contracts with 60-day renewal reminder. No automatic renewal without explicit consent. If you choose to leave, we provide a complete data export (audit logs, TPM public keys, chain verification manifest) that any future vendor or auditor can consume. No dark patterns, no surprise charges.
What's the SLA on uptime and support response?+
Portal uptime SLA: 99.5% on Lite, 99.9% on Standard, 99.95% on Pro. Support response: 48-hour on Lite (email), 24-hour on Standard (email + Slack), 4-hour on Pro (email + Slack + phone). Platform outages are rare — our infrastructure runs on Vercel + Supabase with multi-AZ deployment.
Who actually owns the CognoShift company? Is there a real team?+
CognoShift Private Limited is incorporated in Haryana, India (CIN: U85499HR2025PTC130446). Founded by Anupam Kumar, backed by personal capital plus DPIIT startup recognition. Sanad is our flagship product. We're a small focused team — if you sign up, you'll get direct access to the founder for the first 90 days. We consider that a feature, not a limitation.
What if I'm not ready to commit to a contract yet?+
Take our free 10-minute CSCRF Readiness Assessment. We score your current posture against all four CSCRF parts, identify your top 5 gaps, and deliver a prioritized remediation report to your inbox. No sales call required. If you like what you see, we can talk. If not, keep the report.
Do you have reference customers we can speak with?+
As of April 2026, we are in pilot deployments with a Mumbai-based Tier-2 broker and a South Indian KRA. Reference calls with our design-partner customers are available after you sign an NDA and pass initial qualification. We prefer honesty here over manufactured references.

Next Step

Two ways to start. Pick the one that fits.

Soft start · Free

Take the 10-min CSCRF Self-Check

Answer 10 questions. Get a readiness score across all 4 CSCRF parts. Receive a prioritized gap report in your inbox. No sales call, no obligation.

Start the Self-Check →
Ready to buy · Full assessment

Schedule a 45-min Readiness Call

Direct call with our engineering team. We'll review your current CSCRF posture, map gaps to specific SEBI sub-clauses, and walk through deployment. Signed MSA possible same week.

Email sanad@cognoshift.in →

What happens after you email us

  1. 01We reply within 4 business hours with a calendar link.
  2. 0245-min readiness call with the founder + one engineer. Bring your latest VAPT report if you have one.
  3. 03You receive a written gap report within 48 hours. Free. Yours to keep either way.
  4. 04If you decide to proceed: MSA signed, first invoice raised, onboarding begins the same week.