Cybersecurity blog

SEBI CSCRF Compliance Guide 2026: Everything Regulated Entities Must Know

PCI SSC Qualified Security Assessor — CYBERSIGMA CONSULTING SERVICES LLP

QSA Authorized
CEMEA · Asia Pacific · USA

Our Offerings -PCI-DSS Audit,RBI/SEBI/IRDAI/Aadhar/NBFC & Housing Cybersecurity Audit,SOC1/2/3,GDPR,ISMS,ISO,Our Offerings -PCI-DSS Audit,RBI/SEBI/IRDAI/Aadhar/NBFC & Housing Cybersecurity Audit,SOC1/2/3,GDPR,ISMS,ISO,

SEBI CSCRF Compliance Guide 2026: A Complete Reference for Market Intermediaries

India's securities markets process millions of transactions every day across stock exchanges, brokers, depositories, and asset management companies. The systemic risk posed by a single cyber incident at any major market intermediary can cascade across the entire financial ecosystem. Recognising this, the Securities and Exchange Board of India (SEBI) introduced the Cyber Security and Cyber Resilience Framework (CSCRF) — a comprehensive, risk-tiered cybersecurity mandate that every regulated entity in the Indian capital markets must now follow. This guide is written for CISOs, compliance heads, and technology leaders at stock brokers, AMCs, depositories, and stock exchanges who need a clear, practical reference for achieving and maintaining SEBI CSCRF compliance in 2026.

What Is SEBI CSCRF?

The SEBI Cyber Security and Cyber Resilience Framework, commonly abbreviated as CSCRF, is a regulatory mandate issued by SEBI to establish minimum cybersecurity standards across all entities operating in the Indian securities market. It draws on international frameworks such as NIST CSF, ISO 27001, and the guidelines issued by CERT-In, while being specifically tailored to the operational realities of Indian capital markets.

SEBI first issued cybersecurity guidelines in 2015, but the modern CSCRF in its current form was significantly overhauled and expanded through circulars issued in 2023 and further refined in 2024-25. The framework is not a static checklist — it is a living document that SEBI updates as the threat landscape and technology environment evolve.

At its core, CSCRF requires regulated entities to identify their critical systems, protect them with layered controls, detect anomalies in real time, respond to incidents in a defined timeframe, and recover to normal operations with documented recovery objectives. The framework is enforced through mandatory audits, periodic reporting to SEBI, and significant penalties for non-compliance.

Who Must Comply with SEBI CSCRF?

SEBI CSCRF applies to all SEBI-regulated entities (REs) operating in the Indian securities market. The framework uses a tiered categorisation system based on the entity's systemic importance, data sensitivity, and transaction volumes. Understanding which category your organisation falls into is the first step in determining your compliance obligations.

  • Stock Exchanges — BSE, NSE, MCX, and other recognised exchanges
  • Depositories — CDSL and NSDL
  • Clearing Corporations — NSCCL, BSE Clearing, and others
  • Stock Brokers and Sub-Brokers — including large discount brokers and full-service firms
  • Depository Participants (DPs) — banks and non-bank entities offering demat services
  • Asset Management Companies (AMCs) — managing mutual fund assets
  • Portfolio Managers and Investment Advisers registered with SEBI
  • Registrars and Transfer Agents (RTAs) — including CAMS and KFin Technologies
  • Research Analysts and other market infrastructure institutions

The compliance burden varies significantly across these categories. Market Infrastructure Institutions (MIIs) such as exchanges and depositories face the most stringent requirements, while smaller intermediaries in lower tiers have proportionally scaled obligations. However, no regulated entity is exempt from the fundamental requirements of the CSCRF.

Understanding the Four-Category Classification

SEBI CSCRF classifies all regulated entities into four categories based on their systemic importance and scale of operations. This tiered approach ensures that compliance obligations are proportionate to risk while maintaining a consistent baseline across the industry.

Category 1: Market Infrastructure Institutions (MIIs)

Category 1 covers the most systemically critical entities — stock exchanges, depositories, and clearing corporations. These institutions form the backbone of Indian capital markets and are subject to the highest level of scrutiny. They must maintain a dedicated Security Operations Centre (SOC), implement 24x7 monitoring, conduct quarterly vulnerability assessments and penetration tests (VAPT), and report cyber incidents to SEBI within a defined window.

Category 2: Large Intermediaries

Category 2 typically includes large stock brokers with high client volumes, major AMCs, and prominent RTAs. These entities must implement robust security controls, conduct bi-annual VAPT, maintain incident response plans, and submit compliance reports to SEBI on a regular basis. The threshold for Category 2 classification is defined by SEBI based on client count, asset under management, and transaction volumes.

Category 3: Mid-Size Intermediaries

Category 3 covers mid-size stock brokers, smaller AMCs, and portfolio managers with moderate scale operations. These entities have simplified but still meaningful compliance requirements — including annual VAPT, basic SOC capabilities or managed SOC arrangements, and documented security policies aligned with CSCRF principles.

Category 4: Small Intermediaries

Category 4 applies to smaller registered entities such as investment advisers, research analysts, and small sub-brokers. While their requirements are the lightest, they still must implement fundamental controls: access management, data protection policies, basic incident response procedures, and annual self-assessments against SEBI-defined baselines.

The Six Governance Principles of SEBI CSCRF

SEBI CSCRF is organised around six overarching governance principles that form the structural foundation of the framework. These principles are not independent silos — they are interconnected, and a weakness in one undermines the effectiveness of the others.

Principle 1: Governance

Every regulated entity must establish a formal cybersecurity governance structure. This includes appointing a Chief Information Security Officer (CISO) or an equivalent role with direct reporting to the Board or a Board-level committee. The Board must approve the cybersecurity policy annually, and senior management must be accountable for implementation. Entities must maintain an updated asset inventory and classify information assets by criticality.

Principle 2: Identification

Entities must systematically identify and document all critical systems, data assets, and third-party dependencies. This includes conducting business impact analyses (BIAs) to understand which systems are operationally critical and maintaining a current risk register. Threat modelling exercises should be conducted at least annually to account for emerging attack vectors relevant to the Indian financial sector.

Principle 3: Protection

The protection principle covers the full spectrum of preventive controls — network segmentation, endpoint security, access management (including multi-factor authentication for privileged users), encryption of data at rest and in transit, patch management, and secure configuration management. SEBI emphasises that protection measures must extend to third-party vendors and cloud service providers used by regulated entities.

Principle 4: Detection

Regulated entities must implement continuous monitoring capabilities to detect cyber threats and anomalies in real time. For Category 1 and Category 2 entities, this means operating a Security Operations Centre (SOC) — either in-house or through an empanelled third-party SOC provider. Detection mechanisms must cover network traffic analysis, log management, Security Information and Event Management (SIEM), and user behaviour analytics.

Principle 5: Response

Every regulated entity must have a documented and tested Incident Response Plan (IRP). The IRP must define roles, responsibilities, escalation paths, and communication protocols for cyber incidents. Tabletop exercises and simulated attack drills must be conducted periodically. Critically, entities must follow SEBI's prescribed incident reporting timelines, which differ based on incident severity.

Principle 6: Recovery

The recovery principle requires entities to define and test their ability to restore critical systems following a cyber incident. This includes maintaining tested backup and recovery procedures, documenting Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for each critical system, and ensuring that Disaster Recovery (DR) sites can be activated within SEBI-mandated timeframes. Business Continuity Plans (BCPs) must be reviewed and tested at least annually.

Cyber Capability Index: Measuring Your Maturity

One of the distinctive features of SEBI CSCRF is the Cyber Capability Index (CCI) — a maturity assessment framework that allows regulated entities to measure and benchmark their cybersecurity posture against SEBI's expectations. The CCI is not merely a self-assessment tool; it forms the basis for regulatory scrutiny and is used by auditors during CSCRF audits.

The CCI evaluates entities across multiple dimensions including governance maturity, technical control implementation, incident response readiness, and third-party risk management. Each dimension is scored on a defined scale, and entities are expected to demonstrate progressive improvement over successive assessment cycles. SEBI uses CCI scores to prioritise supervisory attention and to determine enhanced monitoring requirements for entities that fall below expected maturity levels.

For CISOs preparing for CSCRF audits, the CCI framework provides a structured way to identify gaps, prioritise remediation efforts, and document improvement trajectories. Organisations that can demonstrate consistent improvement in their CCI scores — even if they have not yet reached the highest maturity level — are viewed more favourably by SEBI than those who show static or declining performance.

Mandatory Technical Controls Under SEBI CSCRF

Beyond governance and policy requirements, SEBI CSCRF mandates a set of specific technical controls. The exact set of mandatory controls depends on the entity's category, but the following controls are broadly applicable across Categories 1 through 3.

  • Multi-Factor Authentication (MFA) for all privileged and remote access
  • Network segmentation separating critical trading systems from corporate networks
  • Encryption of client data at rest and in transit using approved cryptographic standards
  • Patch management with defined SLAs for critical vulnerabilities (typically 15-30 days)
  • Endpoint Detection and Response (EDR) on all endpoints accessing critical systems
  • Data Loss Prevention (DLP) controls for sensitive financial data
  • Privileged Access Management (PAM) for administrator-level accounts
  • Vulnerability Assessment and Penetration Testing (VAPT) by CERT-In empanelled auditors
  • Security Operations Centre (SOC) with defined monitoring coverage
  • Log management and SIEM with minimum 12-month retention for security logs
  • Third-party risk assessment for all critical vendors and cloud service providers
  • Application security controls including secure coding practices and web application firewalls

Category 1 MIIs face additional requirements including real-time threat intelligence integration, red team exercises, supply chain security assessments, and cyber insurance with SEBI-approved coverage levels. These requirements reflect the outsized systemic risk that a compromise of a major exchange or depository would pose to the broader Indian financial market.

RTO and RPO Requirements Under SEBI CSCRF

SEBI CSCRF prescribes specific Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for critical systems. These are not aspirational targets — they are regulatory thresholds that must be demonstrated through periodic DR drills and documented test results.

RTO and RPO for Market Infrastructure Institutions

For Category 1 MIIs — exchanges, depositories, and clearing corporations — SEBI requires extremely aggressive recovery objectives given their systemic importance. Trading systems and core settlement systems must typically achieve RTOs of 2-4 hours and RPOs of 30 minutes or less. Any significant deviation from these targets must be documented, reported to SEBI, and accompanied by a remediation roadmap.

RTO and RPO for Large and Mid-Size Intermediaries

Category 2 and Category 3 entities — including large stock brokers and AMCs — are required to define and test RTOs and RPOs for their critical systems. While the specific thresholds may be less aggressive than MIIs, they must be realistic, based on business impact analysis, and consistently achieved in DR tests. SEBI auditors will examine DR test records as part of CSCRF compliance assessments.

Incident Reporting Requirements and Timelines

One of the areas where non-compliance risk is highest is cyber incident reporting. SEBI CSCRF mandates that regulated entities report cyber incidents to SEBI within defined timeframes. Failure to report, or delayed reporting, can attract significant penalties even if the underlying incident was well-managed.

Reporting to SEBI

SEBI requires initial notification of significant cyber incidents within 6 hours of detection. This is followed by a detailed incident report — covering scope, impact, root cause, and remediation steps — within 24 hours. A final closure report, including lessons learned and preventive measures, must be submitted within a timeframe specified by SEBI, typically within 21 days of incident closure.

Reporting to CERT-In

In parallel with SEBI reporting, regulated entities must also comply with CERT-In's incident reporting mandate under the IT Amendment Act and CERT-In Directions 2022. CERT-In requires reporting of specific types of cyber incidents within 6 hours of detection. Since SEBI-regulated entities are typically large organisations processing sensitive financial data, most significant incidents will trigger CERT-In reporting obligations as well. Entities must maintain clear internal protocols to ensure dual reporting to both SEBI and CERT-In without duplication or inconsistency.

Escalation Within the Organisation

The CISCF requires that incident escalation paths be clearly defined and tested. The CISO must be notified of significant incidents immediately, and the Board or relevant Board committee must be briefed within a defined period. For publicly listed entities, there may also be disclosure obligations under SEBI's listing regulations if the incident has material impact on operations or client data.

Audit and Compliance Reporting Requirements

SEBI CSCRF mandates periodic audits by qualified, CERT-In empanelled cybersecurity auditors. The frequency and scope of audits depend on the entity's category. Understanding these requirements in advance allows organisations to plan audit cycles, budget appropriately, and avoid last-minute scrambles.

  • Category 1 (MIIs): Bi-annual VAPT, annual comprehensive CSCRF audit, quarterly internal reviews
  • Category 2 (Large Intermediaries): Bi-annual VAPT, annual CSCRF compliance audit
  • Category 3 (Mid-Size Intermediaries): Annual VAPT, annual compliance self-assessment reviewed by auditor
  • Category 4 (Small Intermediaries): Annual self-assessment with documentation submitted to SEBI

Audit reports must be submitted to SEBI through the designated portal within specified timelines after the audit is completed. SEBI reviews these reports and may call for additional information, re-audits, or corrective action plans based on the findings. CISOs should treat audit preparation as a continuous process rather than a periodic fire drill.

Third-Party and Cloud Risk Management

Modern capital markets operations are heavily dependent on third-party service providers — cloud platforms like AWS, Azure, and GCP; trading platform vendors; data analytics providers; and outsourced operations teams. SEBI CSCRF requires regulated entities to extend their cybersecurity due diligence to these third parties.

Entities must maintain a register of all critical third-party service providers and conduct periodic security assessments. Vendor contracts must include security clauses covering data protection, incident notification, and the right to audit. Where third parties have access to critical systems or sensitive client data, enhanced controls such as privileged access management and activity monitoring must be applied.

For cloud deployments, SEBI expects regulated entities to conduct cloud security assessments covering shared responsibility models, data residency requirements, and exit strategy planning. Data localisation requirements for sensitive financial data must be adhered to, with client data stored on servers within India unless SEBI has granted specific exemptions.

Data Protection and Privacy Obligations

SEBI CSCRF's data protection requirements must be read in conjunction with the Digital Personal Data Protection Act, 2023 (DPDPA), which applies to all organisations processing personal data of Indian citizens. For stock brokers and AMCs handling millions of investor records, the intersection of SEBI CSCRF and DPDPA creates a comprehensive data governance obligation.

Regulated entities must classify their data assets, implement data minimisation principles, maintain records of processing activities, and implement appropriate technical and organisational measures to protect personal financial data. Breach notification requirements under both SEBI CSCRF and the DPDPA must be harmonised in the entity's incident response procedures to avoid conflicting or delayed notifications.

SEBI CSCRF Compliance Timeline and Key Milestones

SEBI has issued phased implementation timelines for CSCRF compliance, with different deadlines for different categories of entities and different control categories. CISOs should map these timelines against their current maturity gaps to develop a realistic remediation roadmap.

Immediate Priorities (Baseline Controls)

The baseline controls — including governance policy adoption, CISO appointment, asset inventory creation, and incident response plan documentation — were expected to be in place for most entities by 2024. If your organisation has not completed these foundational steps, they should be treated as the highest-priority items regardless of other compliance activities.

2025-2026 Focus Areas

Advanced controls including SOC establishment or engagement, full VAPT cycles, third-party risk programmes, and DR testing must be operationalised and evidenced through documentation. Entities must be ready to demonstrate these capabilities to SEBI auditors. The Cyber Capability Index assessments being conducted in 2025-2026 are being used to baseline the industry and identify entities requiring enhanced supervisory attention.

Ongoing Compliance Obligations

Compliance with SEBI CSCRF is not a one-time project — it is a continuous programme. Annual audits, periodic reporting, quarterly reviews for Category 1 entities, and ongoing monitoring create a permanent compliance cadence. Organisations that treat CSCRF as a project with a finish line, rather than an operational programme, consistently struggle with audit findings and regulatory queries.

Penalties for Non-Compliance with SEBI CSCRF

SEBI has wide powers to take enforcement action against regulated entities that fail to comply with CSCRF requirements. These powers include monetary penalties, operational restrictions, suspension of registration, and public censure. Understanding the consequences of non-compliance is essential context for CISOs making the case for cybersecurity investment to their boards.

Under the SEBI Act 1992 and related regulations, SEBI can impose monetary penalties of up to Rs 25 crore or three times the profit made from the violation, whichever is higher. For systemic failures — such as a regulated entity's negligence contributing to a major market disruption — penalties can be compounded by operational restrictions including suspension of trading rights or client onboarding.

Beyond formal penalties, SEBI regularly issues advisory letters and calls entities for informal guidance meetings following audit findings. Entities that receive multiple advisories without demonstrating remediation progress are at elevated risk of formal enforcement action. Public disclosures of enforcement actions also pose significant reputational risk — particularly for entities listed on Indian stock exchanges.

Building a SEBI CSCRF Compliance Programme: Practical Roadmap

For organisations beginning or strengthening their SEBI CSCRF compliance journey, a structured approach reduces both the time to compliance and the risk of gaps. The following roadmap provides a practical starting point for CISOs at stock brokers, AMCs, and other regulated entities.

Step 1: Gap Assessment Against CSCRF Requirements

Begin with a comprehensive gap assessment mapping your current controls against all applicable CSCRF requirements for your entity's category. This assessment should be conducted by a qualified cybersecurity firm — ideally one that is CERT-In empanelled and has direct experience with SEBI-regulated entities. The output is a prioritised list of gaps ranked by regulatory risk and remediation complexity.

Step 2: Governance and Policy Framework

Establish or update your cybersecurity governance structure. Ensure the CISO has appropriate authority, board-level visibility, and adequate resources. Draft or revise your Information Security Policy, Acceptable Use Policy, Incident Response Plan, and Business Continuity Plan to align with CSCRF requirements. These documents should not be generic templates — they should reflect your organisation's specific systems, risks, and operational context.

Step 3: Technical Control Implementation

Address technical control gaps in a risk-prioritised order. MFA for privileged access, network segmentation, and endpoint security typically offer the highest risk reduction per unit of effort and should be implemented early. More complex controls such as PAM platforms and SIEM tuning require longer implementation timelines and should be planned accordingly.

Step 4: SOC Establishment or Engagement

For Category 1 and Category 2 entities, establishing effective SOC coverage is a critical compliance requirement. Organisations that cannot build an in-house SOC should engage a CERT-In empanelled managed SOC provider. The SOC engagement must be structured with clear SLAs covering detection time, alert handling, escalation procedures, and reporting to the CISO.

Step 5: VAPT and Audit Readiness

Engage a CERT-In empanelled firm to conduct your VAPT and, subsequently, your CSCRF compliance audit. Prepare your evidence documentation in advance — audit trails, policy documents, training records, VAPT reports, DR test results, and incident logs. Auditors will request specific evidence for each control domain, and having this organised in advance significantly reduces audit duration and stress.

Common Gaps Found in SEBI CSCRF Audits

Based on industry experience and SEBI's own observations, certain gaps appear consistently in CSCRF audits across Indian market intermediaries. Being aware of these common findings allows CISOs to proactively address them before the auditor arrives.

  • Incomplete or outdated asset inventories — especially for cloud-hosted and shadow IT assets
  • MFA not implemented for all privileged accounts and remote access channels
  • Patch management processes not meeting SEBI's defined remediation SLAs
  • Incident response plans that have never been tested through drills or tabletop exercises
  • Third-party vendor assessments not conducted or not documented adequately
  • DR test results showing RTOs that do not meet SEBI's prescribed thresholds
  • Log retention periods shorter than SEBI's minimum 12-month requirement
  • Board-level cybersecurity governance not formalised or documented
  • VAPT conducted by non-CERT-In empanelled vendors — results not accepted by SEBI auditors
  • Incident reporting procedures not aligned with SEBI's 6-hour notification requirement

Why Choose CyberSigma for SEBI CSCRF Compliance?

CyberSigma is a CERT-In empanelled cybersecurity firm with deep experience serving India's regulated financial sector. We have supported stock brokers, AMCs, depository participants, and RTAs across Mumbai, Delhi, Bengaluru, and Hyderabad in achieving and maintaining SEBI CSCRF compliance. Our team includes former SEBI technology specialists, certified ethical hackers, and compliance professionals who understand both the regulatory intent and the operational reality of Indian capital markets.

Our SEBI CSCRF services are end-to-end: we begin with a structured gap assessment, support policy and governance framework development, implement technical controls, conduct CERT-In empanelled VAPT and security audits, help establish or augment SOC capabilities, and provide ongoing compliance programme management. We do not drop a report and walk away — we stay engaged through your audit cycle and help you respond to SEBI queries if they arise.

  • CERT-In empanelled for VAPT, IS audits, and incident response
  • Dedicated practice for SEBI, RBI, and IRDAI regulated entities
  • Track record across brokers, AMCs, DPs, and RTAs
  • Audit-ready documentation support — policies, evidence packs, and audit trails
  • Managed SOC services aligned with SEBI's detection and reporting requirements
  • Ongoing compliance retainer — monthly reporting, advisory, and rapid incident support
  • India-based team with offices in Mumbai and Bengaluru

Whether you are approaching your first SEBI CSCRF audit, remediating findings from a previous cycle, or building a long-term cybersecurity programme that keeps pace with SEBI's evolving requirements, CyberSigma is equipped to be your compliance partner. Contact our team at tech@cybersigmacs.com to schedule a no-obligation CSCRF readiness discussion.

Frequently Asked Questions

What is the difference between SEBI CSCRF and CERT-In guidelines?

SEBI CSCRF is a sector-specific regulatory framework issued by SEBI and applicable only to entities regulated by SEBI in the Indian securities market. CERT-In guidelines — including the CERT-In Directions 2022 on incident reporting — apply broadly to all organisations in India that operate IT infrastructure. SEBI-regulated entities must comply with both: SEBI CSCRF for their sector-specific cybersecurity posture, and CERT-In directions for general cybersecurity incident reporting obligations. The two frameworks are complementary, not alternative.

Can a non-CERT-In empanelled vendor conduct our SEBI CSCRF audit?

No. SEBI mandates that VAPT and formal CSCRF compliance audits be conducted by CERT-In empanelled information security auditing organisations. Audit reports from non-empanelled vendors are not accepted by SEBI. Before engaging an auditor, always verify their current empanelment status on the CERT-In website, as empanelment is time-limited and must be renewed periodically.

What are the incident reporting timelines under SEBI CSCRF?

SEBI CSCRF requires initial notification of significant cyber incidents within 6 hours of detection. A detailed incident report must follow within 24 hours, and a final closure report is due within the timeline specified by SEBI after the incident is resolved — typically 21 days. In parallel, entities must meet CERT-In's 6-hour reporting requirement for applicable incident categories. Internal escalation to the CISO and Board must also follow defined timelines documented in the entity's incident response plan.

How often must SEBI-regulated entities conduct VAPT?

The VAPT frequency depends on the entity's CSCRF category. Category 1 MIIs must conduct bi-annual VAPT — that is, twice per year. Category 2 large intermediaries must also conduct bi-annual VAPT. Category 3 mid-size intermediaries are required to conduct VAPT at least annually. Category 4 small entities may meet their requirements through annual self-assessments. Additionally, VAPT should be triggered after significant changes to IT systems, regardless of the scheduled cycle.

What happens if our organisation misses a SEBI CSCRF audit deadline?

Missing a SEBI CSCRF audit submission deadline is a compliance violation that can attract formal enforcement action. SEBI may issue a show-cause notice, impose monetary penalties under the SEBI Act, or require the entity to submit an enhanced remediation plan. Repeat violations or patterns of non-compliance significantly increase the risk of more severe enforcement action, including suspension of registration. If your organisation anticipates a delay, it is advisable to proactively communicate with SEBI and submit a timeline for compliance.

Is cyber insurance mandatory under SEBI CSCRF?

SEBI CSCRF recommends that regulated entities, particularly Category 1 MIIs, maintain cyber insurance as part of their overall cyber risk management programme. While the framework does not impose a blanket mandatory insurance requirement for all categories, SEBI has issued guidance indicating that MIIs should have cyber insurance commensurate with their risk exposure. For other categories, cyber insurance is a strongly recommended best practice that also demonstrates risk governance maturity to auditors and regulators.

Does SEBI CSCRF apply to cloud-hosted systems?

Yes. SEBI CSCRF explicitly extends to cloud-hosted systems used by regulated entities. Entities must conduct cloud security assessments, ensure data residency requirements are met with financial data stored within India (unless exempted), apply appropriate security controls in line with the shared responsibility model, and include cloud providers in their third-party risk management programme. Cloud adoption does not reduce your compliance obligations — it changes how those obligations are implemented and evidenced.

Naveen Kumar

Naveen Kumar

CyberSigma is a CERT-In empanelled cybersecurity firm helping Indian businesses with VAPT, ISO 27001, PCI DSS, SOC 2 and DPDP compliance — delivered by senior auditors, not juniors.

Free 1-minute check
Free Security Assessment
Get a complimentary, no-obligation assessment from CERT-In empanelled senior auditors.
Try it free →

Leave A Comment

CyberSigma office locations across India, UAE, Egypt and Australia

Our Office

Locations we operate from

HQ, Noida, India

405, 4th Floor, Majestic Signia, Sector 62, Noida, Uttar Pradesh 201309

Pune, India

InCube Centre, Tejaswini Society, Lane 2, Aundh, PUNE, India, 411007

Mumbai, India

A802, Crescenzo, C /38-39, G-Block, Bandra Kurla Complex, Mumbai-400051, Maharashtra, India

Bengaluru, India

Maharaj, 152/4, 8th Cross, Chamrajpet, Bengaluru, Karnataka, India, 560018

UAE

Business Point Building - Office No. 702 - Dubai - United Arab Emirates

UAE

L.L.C Muna AlJaziri Building, Office No 303 Al Mararr Dubai, UAE

Egypt

19 Dr. Omar Dessouky Street, Cairo- Egypt 4271020

Australia

Level 4, 80 Market Street, South Melbourne 3205