Quick Answer
CERT-In requires reportable cyber incidents to be notified within six hours of detection. For most Indian enterprises this is a demanding timeline that requires continuous monitoring, defined runbooks and a named incident commander. A managed service provider with CERT-In aligned processes can take responsibility for detection, evidence assembly, report drafting and submission, leaving the customer to handle business communication and regulatory follow up.
What CERT-In requires
The Indian Computer Emergency Response Team issued directions in April 2022 requiring service providers, intermediaries, data centres, body corporates and government organisations to report specified cyber incidents within six hours of noticing them. Reportable incidents include data breaches, ransomware, attacks on critical infrastructure, identity theft and unauthorised access. The report must be submitted in a prescribed format with technical detail. For broader background on managed services, see "What do MSPs do".
The six hour clock in practice
| Phase | Indicative time | Activity |
|---|---|---|
| Detection | T plus 0 | Alert from SIEM, GuardDuty, Defender or similar |
| Triage | T plus 15 minutes | SOC analyst classifies severity and initial scope |
| Containment | T plus 60 minutes | Affected systems isolated, IAM credentials rotated |
| Evidence assembly | T plus 2 hours | Logs preserved, timeline reconstructed, impact estimated |
| Draft report | T plus 4 hours | CERT-In format completed, reviewed by incident commander |
| Submission | T plus 5 hours | Filed via the CERT-In portal, customer informed |
How an MSP supports each phase
- Detection: continuous SIEM and EDR monitoring across cloud and on premises estates.
- Triage: trained SOC analysts who follow tested classification runbooks aligned to CERT-In categories.
- Containment: automated playbooks for credential rotation, network isolation and snapshot preservation.
- Evidence assembly: centralised logging with chain of custody, preserved snapshots and structured impact assessment templates.
- Draft report: pre-built CERT-In format templates that pull data from the SIEM and ITSM systems.
- Submission: coordinated handoff to the customer's authorised reporter or direct submission under delegated authority.
Practical guidance for Indian buyers
- Decide who the authorised CERT-In reporter is inside your organisation. The MSP can prepare the report, but a customer-authorised person must usually submit it.
- Run quarterly tabletop exercises against the six hour clock to validate the runbook.
- Pre-register on the CERT-In portal so submissions can be filed without administrative delay during a real incident.
- Document escalation paths for board notification, customer communication and law enforcement engagement.
- Integrate the MSP's SIEM with your ITSM platform so incident tickets and CERT-In submissions stay synchronised.
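One way to score a tabletop exercise against the six hour clock table above, as an added example that is not Opsio's or CERT-In's tooling. The phase keys, the `score_exercise` function and the sample timings are assumptions constructed for illustration; the offsets are the indicative times from the table.

```python
from datetime import datetime, timedelta, timezone

# Indicative targets from the "six hour clock" table, as offsets from detection (T plus 0).
PHASE_TARGETS = {
    "triage": timedelta(minutes=15),
    "containment": timedelta(minutes=60),
    "evidence_assembly": timedelta(hours=2),
    "draft_report": timedelta(hours=4),
    "submission": timedelta(hours=5),
}
REPORTING_DEADLINE = timedelta(hours=6)  # reporting window stated on the page


def score_exercise(detected_at, completed, now=None):
    """Score phase completion times against the indicative targets.

    Phases missing from `completed` are open and measured against `now`.
    """
    now = now or datetime.now(detected_at.tzinfo)
    rows = []
    for phase, target in PHASE_TARGETS.items():
        done = completed.get(phase)
        if done is not None and done < detected_at:
            raise ValueError(f"{phase} recorded before detection")
        elapsed = (done or now) - detected_at
        within = elapsed <= target
        status = ("on_time" if within else "late") if done else ("open" if within else "overdue")
        rows.append({"phase": phase, "status": status,
                     "slip": max(elapsed - target, timedelta(0))})
    submitted = completed.get("submission")
    if submitted is not None:
        deadline_met = submitted - detected_at <= REPORTING_DEADLINE
    else:
        # None means submission is still open and the six hours have not yet elapsed.
        deadline_met = None if now - detected_at <= REPORTING_DEADLINE else False
    return rows, deadline_met


# Constructed tabletop timings (not from a real incident), in IST.
IST = timezone(timedelta(hours=5, minutes=30))
T0 = datetime(2024, 1, 10, 2, 0, tzinfo=IST)
SAMPLE = {phase: T0 + timedelta(minutes=m) for phase, m in
          {"triage": 12, "containment": 95, "evidence_assembly": 130,
           "draft_report": 230, "submission": 340}.items()}

if __name__ == "__main__":
    rows, met = score_exercise(T0, SAMPLE)
    print([(r["phase"], r["status"]) for r in rows], "deadline met:", met)
```

In the constructed run, containment slips 35 minutes and submission lands at T plus 5 hours 40 minutes: late against the indicative target but still inside the six hour window, which is the buffer the T plus 5 hours target is there to provide.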
How Opsio helps
Opsio runs a 24x7 SOC and NOC from Bangalore and Stockholm and supports Indian customers with CERT-In aligned incident response runbooks. For broader context see our 24x7 NOC and incident response India pillar and our managed 24/7 troubleshooting service, or contact us via the India contact page.
Frequently asked questions
Which incidents are reportable under CERT-In directions?
The CERT-In directions list around twenty categories including targeted scanning, compromise of critical systems, unauthorised access, ransomware attacks, attacks on identity systems, data breaches and attacks on critical sectors. Confirm the current list on the official CERT-In portal.
Can the MSP submit the report on our behalf?
Often yes, if you delegate authority in writing. Many Indian enterprises prefer that the MSP prepares the report and a named internal officer submits it. Either pattern works as long as the six hour deadline is met.
What happens if we miss the six hour deadline?
CERT-In can impose enforcement action under the IT Act provisions that underpin the directions. Beyond legal exposure, missing the deadline signals poor security maturity to regulators, customers and the board.
How does CERT-In reporting interact with RBI breach reporting?
For banks, RBI has its own incident reporting expectations that may run in parallel with CERT-In. Build runbooks that satisfy both. The same evidence usually feeds both reports with different framing.
How often should we test the runbook?
Quarterly at minimum, with at least one full simulation per year that involves the board-level communication path as well as the technical response. Treat it like a fire drill.
Written By

Country Manager, Sweden at Opsio
Johan leads Opsio's Sweden operations, driving AI adoption, DevOps transformation, security strategy, and cloud solutioning for Nordic enterprises. With 12+ years in enterprise cloud infrastructure, he has delivered 200+ projects across AWS, Azure, and GCP — specialising in Well-Architected reviews, landing zone design, and multi-cloud strategy.
Editorial standards: This article was written by cloud practitioners and peer-reviewed by our engineering team. Content is reviewed quarterly for technical accuracy and relevance to Indian compliance requirements including DPDPA, CERT-In directives, and RBI guidelines. Opsio maintains editorial independence.