Question 1

What does the DPDP Act 2023 require my company to implement technically?

Accepted Answer

The Digital Personal Data Protection Act 2023 requires entities processing personal data to implement: a consent management system recording granular, purpose-specific consent from data principals; a data principal rights workflow to respond to access, correction, erasure, and grievance requests within prescribed timelines; breach notification capability — identifying breaches and notifying the Data Protection Board and affected data principals; and technical and organisational measures proportionate to the data volume and sensitivity being processed. For most enterprises, DPDP compliance requires changes to your data collection pipelines, CRM or customer database, and incident response procedures. We scope these changes during the discovery sprint and implement them in a defined, auditable sequence.

Question 2

How are AI agents different from traditional software from a security perspective?

Accepted Answer

Traditional software has deterministic inputs and outputs — you can test every code path. AI agents have non-deterministic behaviour: the same input can produce different outputs, and adversarial inputs (prompt injection attacks) can redirect agent behaviour in ways that don't trigger conventional anomaly detection. Specific risks in production AI agents include: prompt injection — malicious content in agent inputs redirects the agent to take unintended actions; excessive tool access — an agent with overly broad permissions can be manipulated into exfiltrating data or executing unauthorised actions; model poisoning — if the agent's knowledge base or fine-tuning data is compromised, its responses are systematically biased. We address each of these by reviewing tool permission scopes, implementing output validation schemas, isolating agent execution environments, and building human-in-the-loop checkpoints for high-stakes decisions.

Question 3

What is a cyber risk assessment and what does it produce?

Accepted Answer

A cyber risk assessment is a structured evaluation of your attack surface, existing controls, and exposure to the most likely threat vectors for your industry and stack. The output is a risk register: a ranked list of findings with severity classification (critical, high, medium, low), a description of the attack vector and business impact for each, and recommended remediation steps. We also produce an executive summary suitable for your board or audit committee. The assessment covers: external attack surface (exposed services, certificates, DNS), application security (authentication, authorisation, API exposure, injection vectors), cloud configuration (IAM policies, network security groups, logging), and third-party vendor access and API credentials. An ITMTB risk assessment takes 2–4 weeks depending on scope and produces findings you can act on immediately.

Question 4

What does CERT-In's 6-hour breach reporting requirement mean in practice?

Accepted Answer

CERT-In's April 2022 directive requires Indian entities to report cybersecurity incidents within 6 hours of detecting them. 'Detection' begins when your monitoring systems generate the first alert — not when your security team confirms the breach. To comply, you need: a SIEM or monitoring system that generates a timestamped alert when a qualifying incident is detected; a defined escalation path so the alert reaches someone with authority to file the CERT-In report within the 6-hour window; a pre-prepared report template; and clarity on what counts as a qualifying incident under the directive (data breaches, unauthorised access, malware, DDoS, attacks on critical infrastructure). We implement the monitoring, process, and documentation required to meet the 6-hour requirement — and to demonstrate compliance if audited.

Question 5

How do you approach RBI and SEBI cybersecurity compliance for fintech organisations?

Accepted Answer

RBI and SEBI have distinct but overlapping cybersecurity requirements for organisations in their regulatory perimeter. RBI's IT Framework for NBFCs and Payment System Operators mandates a board-approved IT and cybersecurity policy, defined incident response and recovery timelines, IS Audit by a qualified firm, and specific controls for internet banking and payment systems. SEBI's cybersecurity circular for market intermediaries requires an annual comprehensive cyber audit, specific network architecture controls, and defined RTO/RPO for critical systems. We scope the exact applicable controls for your entity type during the discovery sprint, implement them in a defined sequence, and produce the audit-ready documentation you need to demonstrate compliance to your regulator.

Question 6

How does ITMTB price an engagement?

Accepted Answer

Pricing follows the engagement model. Discovery sprints are fixed-price for a fixed timebox. Build engagements are scoped after discovery — fixed-scope, time-and-materials, or outcome-linked. Managed services are billed monthly with defined SLAs. Total cost depends on scope, integration complexity, QA depth, and post-launch support — we publish a transparent breakdown for buyers evaluating their options.

Question 7

What does an engagement with ITMTB look like?

Accepted Answer

Every engagement starts with a fixed-scope, fixed-price discovery sprint — typically 2 weeks. You leave with a written roadmap, risk register, cost estimate, and timeline before committing to a build. We then offer four engagement models: fixed-scope builds, time-and-materials, outcome-linked retainers, and managed services post-launch. If discovery doesn't justify proceeding, you can stop there — no obligation.

Cybersecurity for Enterprise AI Deployments

Assess Your Cybersecurity Readiness

Selected work in cybersecurity

Comprehensive Fintech Audit Unveiled: Mastering Complex Tech Stacks for Strategic Excellence

Digitally Transforming Legacy and Startup Fintechs: A Journey Towards Innovation

Pioneering a New Era in Startup Investing: Streamlining Connections between Entrepreneurs and Investors

Trusted by

How an engagement works

Discovery sprint

Build

Operate

Our Capabilities

AI Agent Security Architecture

DPDP, CERT-In, RBI and SEBI Compliance

Cloud Security and Configuration Hardening

Application Security and Secure Development

Incident Response and Security Monitoring

Our Work

Frequently asked questions

How we work

What custom software costs in India