Powered by AI

Turn risk data into regulator-ready decisions.

RiskSage is CreativeCyber's AI-native Cyber Risk Brain — dynamic dashboards, predictive risk modeling, evidence intelligence, and board/regulator-ready narratives mapped to RBI · SEBI · IRDAI · DPDP · CERT-In.

Or reach us directly: info@creativecyber.in  ·  Response within 2 business days

Invite-only onboarding. Enterprise access via structured business engagement. Tenant provisioning by CreativeCyber. User access managed via tenant administrator invitations.
RBI_CYBER · SEBI CSCRF · IRDAI_CYBER_2023 · DPDP Act 2023 · CERT-In Directions · ISO 27001 · NIST CSF 2.0 · SOC 2 · FAIR v3.0 CRQ · MeitY AI Guidelines
Built for
Banks & NBFCs · Insurance & Reinsurance · Stock Brokers & AMCs · FinTechs & Payments · TPAs & Web Aggregators
From compliance obligation to board-level assurance.
UNIFIED RISK GRAPH
Single risk intelligence layer

Every initiative, system, vendor, control, evidence, finding, and obligation connected in a living graph — changes propagate instantly.

150+ Prisma models · 440+ API endpoints
AI COPILOT
Natural language GRC reasoning

AI generates narratives, classifies initiatives, parses VAPT reports, drafts CERT-In notifications, and surfaces remediation paths.

AI-powered · Confidence-scored
EVIDENCE INTELLIGENCE
Traceability from artifact to obligation

Evidence freshness tracking, control linkage, gap surfacing, and audit-ready export bundles with RSA-SHA256 signatures.

Deterministic signed exports
BOARD & REGULATOR PACKS
Defensible narratives, signed PDFs

Board cyber packs with maturity tier, traffic-light scorecard, top-5 risks in ₹ crore, incident SLA status, and IRDAI attestation evidence.

IRDAI · SEBI quarterly · RBI master directions
Built for India's most regulated industries.
380+ API endpoints, multi-tenant
7 regulatory frameworks seeded
100 CRQ use cases (A–J categories)
45 IRDAI controls across 8 domains
Every BFSI cyber obligation. One platform.
🛡️
CERT-In Incident Response
Multi-regulator deadline engine: CERT-In 6hr · RBI 6hr · IRDAI 6hr · SEBI 4hr · DPBI 72hr. AI-drafted initial report in prescribed 9-field format. 30-minute overdue escalation. 180-day log retention tracker across 13 log sources.
CERT-In 2022/2025 RBI IRDAI DPDP
🔍
VAPT Management + AI Parser
Upload any VAPT report — Nessus, Burp Suite, OpenVAS, Qualys. AI extracts every finding, maps CVSS/CVE, sets severity deadlines (CRITICAL: 7 days), links to UCL controls. IRDAI.AUDIT.1 auto-compliant on clean closure.
IRDAI.AUDIT.1 RBI Patch Mgmt SEBI CSCRF
🏛️
IRDAI Regulatory Pack
Complete IRDAI_CYBER_2023 framework: 45 controls across 8 domains. Board attestation workflow with IRDAI submission tracking. AI-proposed crosswalks to RBI, ISO 27001, DPDP, SEBI CSCRF.
IRDAI 2023 Mar 2025 Revision 45 Controls
📊
CISO Command Dashboard
NIST CSF 2.0 maturity radar (6 functions, 4 tiers), live incident countdown, VAPT tracker, drift alerts, evidence heatmap, AI daily brief. Role-gated RISK_MANAGER view.
NIST CSF 2.0 SEBI CSCRF RBI
💼
Board Cybersecurity Dashboard
Traffic-light scorecard per framework, top-5 risks in ₹ crore, incident SLA adherence, attestation calendar, signed PDF board pack — IRDAI attestation evidence. EXECUTIVE_VIEWER role.
IRDAI Attestation SEBI Quarterly RBI Board
📐
AI-driven SAR
Upload architecture diagrams (PNG, PDF, SVG). AI extracts components, traces PII data flows, flags RBI/SEBI/IRDAI baseline gaps. SAR findings block initiative gates until resolved.
RBI IT Security IRDAI Data Residency SEBI
📋
Audit Program Management
Full audit lifecycle: plan → execute → document → report. 29 seeded procedures across ITGC, AppSec, SDLC, Vendor templates. State machine: DRAFT → VALIDATED → MANAGEMENT_RESPONSE → REMEDIATION → CLOSED. Board-grade 7-section PDF.
ITGC AppSec SDLC Vendor
CRQ Engine — 4 Models
FAIR v3.0 Monte Carlo, FAIR-MAM (maturity→₹ reduction), NIST 800-30 ALE, Probabilistic VaR (99th pct). 100 seeded use cases. All 6 FAIR loss forms including DPDP ₹250Cr fine ceiling.
FAIR v3.0 SEBI Investment Justification RBI Board
📄
Contract/DPA + SBOM
28-field vendor contract model with DPA tracking and RBI IT outsourcing clauses. CONTRACT_EXPIRY alerts 60 days ahead. SBOM import (CycloneDX/SPDX) with CVE cross-reference and automatic VaptFinding creation on match.
DPDP §8 DPA RBI IT Outsourcing SEBI CSCRF
🎯
Threat Modelling — STRIDE + PASTA
Integrated STRIDE and PASTA threat modelling connected to the risk graph, SAR findings, VAPT assessments, and UCL controls. Component extraction, PII data flow tracing, STRIDE entry classification, PASTA stage analysis, and mitigation mapping — all linked. Initiative gates stay open until threat model findings are resolved.
STRIDE PASTA RBI TRA SEBI CSCRF SDLC IRDAI IS Audit
📡
Regulatory Change Tracking
Daily AI-powered monitoring of RBI, SEBI, IRDAI, DPDP, CERT-In, and MeitY circulars. New updates auto-matched to affected UCL controls. TENANT_ADMIN and POLICY_OWNER notified immediately. One-click incorporate workflow with full audit trail — so your control library stays current with every regulator update.
RBI Circulars SEBI IRDAI DPDP CERT-In MeitY
7 frameworks. Native. Not retrofitted.
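| Framework | Regulator | Controls | AI Mapping | Board Pack | Posture API | Status |
|---|---|---|---|---|---|---|
| RBI_CYBER | RBI | | | | | Live |
| SEBI CSCRF | SEBI | | | | | Live |
| IRDAI_CYBER_2023 | IRDAI | ✓ 45 controls | ✓ 10 crosswalks | | | Live |
| DPDP Act 2023 | MeitY/DPBI | | | | | Live |
| ISO 27001 | ISO/IEC | | | | | Live |
| NIST CSF 2.0 | NIST | | | | | Live |
| SOC 2 | AICPA | | | | | Live |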
Maturity, posture, incidents. One view.
risksage.creativecyber.in/dashboard
NIST CSF 2.0 Maturity
GOVERN: Tier 3 · IDENTIFY: Tier 3 · PROTECT: Tier 2 · DETECT: Tier 2 · RESPOND: Tier 3 · RECOVER: Tier 2
Regulatory Posture
RBI_CYBER: 84% · IRDAI_CYBER: 61% · SEBI_CSCRF: 79% · DPDP: 55%
Live Incident Deadlines
INC-2026-041 · CERT-In 6hr window · 02:14:33
INC-2026-041 · IRDAI 6hr window · 04:52:17
INC-2026-039 · DPBI 72hr (personal data) · 61:09:44
Built for every stakeholder in the governance chain.
For the CISO
Command & Control
  • CERT-In 6hr deadline engine with overdue escalation
  • VAPT AI parser — CVSS, CVE, severity deadlines
  • SAR diagram analysis for every new initiative
  • NIST CSF 2.0 maturity radar with target tiers
  • Evidence heatmap: systems × frameworks freshness
For Compliance & GRC
Posture & Evidence
  • UCL — Unified Control Library with AI crosswalks
  • IRDAI board attestation + submission tracking
  • Contract/DPA tracker — DPDP §8 compliance
  • Regulatory change feed — daily AI-powered watch
  • Policy lifecycle with evidence-gated exception closure
For the Board
Governance & Assurance
  • Traffic-light scorecard per regulatory framework
  • Top-5 risks in ₹ crore — FAIR v3.0 Monte Carlo
  • CRQ investment ROI: 100 use case library
  • IRDAI/SEBI attestation calendar + signed PDF
  • Audit findings summary + management response SLA
Invite-only enterprise access.

How onboarding works

1. Submit a Business Enquiry
   Share regulatory focus, organisation type, compliance objectives.
2. CreativeCyber provisions your tenant
   Frameworks seeded, RBAC configured, first tenant admin set up.
3. Your Tenant Admin invites users
   Role-gated access: RISK_MANAGER, AUDITOR, EXECUTIVE_VIEWER, POLICY_OWNER and more.
Data hosted in India. Invite-only SaaS. No self-serve risk.

Questions before submitting an enquiry?

info@creativecyber.in

Data hosted in India  ·  Invite-only SaaS  ·  Response within 2 business days  ·  No implementation overhead

Frequently asked questions.
Do you offer a free trial or beta access?
No. RiskSage is invite-only. Access is provisioned by CreativeCyber based on approved business enquiries. This ensures every tenant is correctly configured for their regulatory context from day one.
Which regulators and frameworks are supported out of the box?
RBI_CYBER, SEBI CSCRF, IRDAI_CYBER_2023 (March 2025 revision), DPDP Act 2023, ISO 27001, NIST CSF 2.0, and SOC 2 — all seeded natively. Custom framework import with AI-proposed control mappings is available for enterprise needs.
How does the CERT-In 6-hour deadline engine work?
When a cyber incident is logged with a detection timestamp, RiskSage automatically calculates regulatory deadlines for every applicable regulator (CERT-In, RBI, IRDAI, SEBI, DPBI) simultaneously. AI drafts the initial CERT-In report in the prescribed 9-field format. 30-minute escalation alerts fire for overdue notifications.
What types of VAPT reports can be parsed?
Nessus, Burp Suite, OpenVAS, Qualys, and manual penetration test reports uploaded as text. Severity-based deadlines: CRITICAL = 7 days, HIGH = 30 days, MEDIUM = 90 days.
What is the IRDAI board attestation workflow?
RiskSage supports the full IRDAI board attestation lifecycle — compliance posture to board, formal recording, signed PDF generation, and IRDAI submission tracking within the 90-day FY-end / 30-day audit completion deadline.
Is data hosted in India?
Yes. Aligned with RBI data localisation requirements and DPDP cross-border transfer restrictions. AES-256 at rest, TLS 1.3 in transit, multi-tenant row-level isolation, full audit logging.
What happens after I submit a business enquiry?
CreativeCyber reviews your enquiry and responds within 2 business days to schedule a short discovery call. We discuss your regulatory focus, organisation type, team structure, and compliance objectives. If RiskSage is the right fit, your tenant is provisioned within 5 business days — frameworks seeded to your regulatory context, RBAC configured, and your first Tenant Admin account set up. There is no lengthy implementation cycle, no consulting dependency, and no professional services cost to get started. Your Tenant Admin then invites the rest of your team with appropriate roles.
How is RiskSage priced?
Pricing is structured around your organisation type and the regulatory scope you need covered — a bank with RBI + DPDP obligations has a different configuration to an insurer with IRDAI + CERT-In focus. Pricing is agreed during the business engagement process and is not published as a self-serve rate card. To start the conversation, submit a business enquiry at creativecyber.in/business-enquiry or email info@creativecyber.in.
Who within our organisation should submit the enquiry?
Typically the CISO, CTO, Head of Compliance, DPO, or whoever owns the regulatory compliance and cyber risk function. RiskSage serves multiple stakeholders — CISO, Compliance, GRC, Risk, Audit, and the Board — so the initial enquiry works best when initiated by someone with a cross-functional view. We are happy to support internal presentations and business case preparation for your leadership or procurement team.