
CERT-In incident reporting: the 6-hour rule, explained

The hard part of CERT-In compliance isn’t the report template — it’s the clock. You have six hours from noticing a reportable incident. If your detection and timeline aren’t already in place, six hours is not enough to reconstruct what happened.

What the directions require

CERT-In’s 2022 directions require organisations to report listed cyber incidents within 6 hours of noticing them. The list includes targeted scanning of critical systems, unauthorised access, website defacement, malware and ransomware, data breaches, and attacks on servers and network infrastructure. The directions also set expectations around log retention and synchronised clocks — both of which a SOC handles as a side effect of doing its job.

What makes the deadline survivable

You can’t shrink the six hours, so you front-load the work:

  • Detection already running, so “when did we notice” is a timestamp, not a guess.
  • An incident timeline assembled automatically, so the source IP, affected systems and sequence of events are already joined up.
  • A report in CERT-In’s format, pre-wired, so you’re filling fields rather than designing a document under pressure.
  • Retained logs with synchronised clocks, so the evidence stands up after the fact.

A reportable incident at 2am is only a crisis if you find out at 9am. The whole point of continuous surveillance is to make the six-hour clock start when the event happens, not when someone notices the next morning.
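
A sketch of the front-loading described above, added here as an illustration and not Hello SOC's code or CERT-In's format: it normalises alerts from sources with different UTC offsets, joins them by source IP into a timeline, and derives the reporting deadline. The alert fields, sample values and the choice to treat the earliest alert as the moment of noticing are assumptions.

```python
from datetime import datetime, timedelta, timezone

REPORTING_WINDOW = timedelta(hours=6)  # the 6-hour window, counted from noticing

# Constructed sample alerts (not real data). Sources log with different UTC
# offsets, so sorting the raw strings would put the firewall event first.
SAMPLE_ALERTS = [
    {"ts": "2024-03-10T02:04:11+05:30", "source": "edr", "src_ip": "203.0.113.7", "host": "app-01", "event": "malware detected"},
    {"ts": "2024-03-09T20:33:00+00:00", "source": "firewall", "src_ip": "203.0.113.7", "host": "vpn-gw", "event": "unauthorised access"},
    {"ts": "2024-03-10T02:02:05+05:30", "source": "ids", "src_ip": "203.0.113.7", "host": "app-01", "event": "targeted scan"},
    {"ts": "2024-03-10T01:00:00+05:30", "source": "ids", "src_ip": "198.51.100.9", "host": "web-02", "event": "targeted scan"},
]

def to_utc(ts):
    """Parse an ISO 8601 timestamp and convert it to UTC; reject naive values."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without UTC offset: {ts}")
    return dt.astimezone(timezone.utc)

def build_incident(alerts, src_ip):
    """Join all alerts for one source IP into an ordered timeline with a deadline."""
    events = sorted(
        ({**a, "utc": to_utc(a["ts"])} for a in alerts if a["src_ip"] == src_ip),
        key=lambda e: e["utc"],
    )
    if not events:
        raise LookupError(f"no alerts for {src_ip}")
    noticed_at = events[0]["utc"]  # assumption: first alert = time of noticing
    return {
        "src_ip": src_ip,
        "noticed_at": noticed_at,
        "report_due": noticed_at + REPORTING_WINDOW,
        "affected_hosts": sorted({e["host"] for e in events}),
        "timeline": [(e["utc"].isoformat(), e["source"], e["host"], e["event"]) for e in events],
    }

def time_left(incident, now):
    """Time remaining before the report is due; negative once the window has passed."""
    return incident["report_due"] - now

if __name__ == "__main__":
    inc = build_incident(SAMPLE_ALERTS, "203.0.113.7")
    for row in inc["timeline"]:
        print(*row)
    print("report due:", inc["report_due"].isoformat())
    print("left at 09:00 IST:", time_left(inc, to_utc("2024-03-10T09:00:00+05:30")))
```

With the constructed alerts, someone first opening the incident at 09:00 IST is already past the deadline, which is the 2am/9am case described above.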

Hello SOC wires CERT-In-formatted reporting into the incident module and keeps the threat-intel feed current, so the report is a by-product of detection rather than a scramble. For banks, the same evidence feeds the RBI reporting requirements.

Frequently asked

What is the CERT-In 6-hour reporting rule?
Under CERT-In’s 2022 directions, organisations in India must report certain cyber security incidents to CERT-In within 6 hours of noticing them or being made aware of them. The short window is what makes having detection and an incident timeline ready in advance essential.

What incidents must be reported to CERT-In?
CERT-In’s directions list reportable incident types including targeted scanning of critical systems, unauthorised access, defacement, malware and ransomware, data breaches, and attacks on infrastructure such as servers and network appliances. The full list is in the 2022 directions.
