SEBI's Cyber Security and Cyber Resilience Framework (CSCRF, issued August 2024) consolidated and replaced the earlier separate cyber-security circulars for brokers, MIIs and other regulated entities. It sets a VAPT cadence and scope per regulated-entity class; what follows is the operational summary.
The five regulated-entity classes under CSCRF
- Market Infrastructure Institutions (MIIs) — stock exchanges, clearing corporations, depositories.
- Qualified Regulated Entities (QREs) — large brokers, asset management companies (AMCs), KYC registration agencies (KRAs) and registrar and transfer agents (RTAs) above defined thresholds.
- Mid-sized REs — brokers and AMCs above the basic threshold but below the QRE threshold.
- Small-sized REs — smaller brokers, depository participants and investment advisers above the entry threshold.
- Self-certifying REs — the sub-broker / authorised-person tier, which attests to compliance itself.
Each class carries a different VAPT cadence and a different scope. The framework also maps its controls to established standards, including ISO 27001, the NIST Cybersecurity Framework and the CIS Controls.
VAPT cadence by class
| Class | External web/app VAPT | Internal network VAPT | Configuration audit |
|---|---|---|---|
| MII | Half-yearly | Half-yearly | Quarterly |
| QRE | Annual + on change | Annual | Half-yearly |
| Mid RE | Annual | Annual | Annual |
| Small RE | Annual | Annual (managed-service acceptable) | Annual |
| Self-certifying | Annual via CERT-In-empanelled vendor | — | — |
Mandatory scope items
- Customer-facing trading platforms (web + mobile).
- Back-office systems handling client funds and securities.
- APIs to the exchange and clearing corporation.
- Wallet / fund-transfer integrations.
- Customer KYC and onboarding portals.
- Vendor-managed cloud assets — explicitly in scope even when operated by a third party; outsourcing does not transfer the RE's testing obligation.
Vendor requirements
SEBI requires the VAPT vendor to be CERT-In empanelled and to provide an explicit declaration of independence. The framework also specifies methodology: manual testing is required, and a scanner-only report does not satisfy the annual VAPT requirement.
Reporting and submission
VAPT reports must be presented to the Standing Committee on Cyber Security and submitted to SEBI through its compliance portal at the prescribed cadence. Critical findings carry explicit closure timelines: typically 30 days for MIIs and QREs, and 45 days for mid-sized REs.
Most Indian brokers we work with under CSCRF run a single combined VAPT engagement covering the trading-platform web front end, mobile apps, exchange and clearing APIs, and back-office systems, with two engineer pairs testing in parallel, and then split the deliverable into the separate artifacts SEBI expects. This is cheaper and faster than four separate engagements.
For the RBI equivalent, see VAPT for RBI-regulated entities.
Need a VAPT engagement scoped against this?
Tell us the asset and the compliance overlay. We will come back with a scope, timeline, and fixed-fee quote within 24 hours. Engagements start at USD 500. Free retest included.
Book a 20-minute call →

BERRY9 IT SERVICES — VAPT Practice
Hyderabad-based ISO 27001 + 9001 certified offensive-security team. Since 2015 we have run 500+ engagements for 100+ clients across pharma, BFSI, healthcare, VFX, and enterprise SaaS. Every engagement includes a free retest.