CERT-In Directions · 6-hour incident reporting · Criminal liability under IT Act §70B for non-compliance
SEBI CSCRF · Annual assessment mandatory for all Qualified REs · Continuous compliance from Apr 2025
IRDAI Cybersecurity 2023 · 6-hr incident reporting · Board attestation due within 90 days of FY end
DPDP Act 2023 · May 2027 enforcement · Up to ₹250 Crore per violation · Rules notified Nov 2025
CERT-In Directions · 6-hour incident reporting · Criminal liability under IT Act §70B for non-compliance
SEBI CSCRF · Annual assessment mandatory for all Qualified REs · Continuous compliance from Apr 2025
IRDAI Cybersecurity 2023 · 6-hr incident reporting · Board attestation due within 90 days of FY end
DPDP Act 2023 · May 2027 enforcement · Up to ₹250 Crore per violation · Rules notified Nov 2025
AI-native · India-hosted · Invite-only

Turn risk data into regulator-ready decisions.

RiskSage is CreativeCyber's AI-native Cyber Risk Brain — dynamic dashboards, predictive risk modeling, evidence intelligence, and board/regulator-ready narratives mapped to RBI · SEBI · IRDAI · DPDP · CERT-In.

Submit Enterprise Enquiry → Explore Capabilities

Or reach us directly: info@creativecyber.in  ·  Response within 2 business days

Invite-only onboarding. Enterprise access via structured business engagement. Tenant provisioning by CreativeCyber. User access managed via tenant administrator invitations.
RBI Cyber SEBI CSCRF IRDAI 2023 DPDP Act 2023 CERT-In Directions ISO 27001 NIST CSF 2.0 SOC 2 FAIR v3.0 CRQ India AI Gov (Advisory) RBI Cyber SEBI CSCRF IRDAI 2023 DPDP Act 2023 CERT-In Directions ISO 27001 NIST CSF 2.0 SOC 2 FAIR v3.0 CRQ India AI Gov (Advisory)
Built for
Banks & NBFCs · Insurance & Reinsurance · Stock Brokers & AMCs · FinTechs & Payments · TPAs & Web Aggregators
Request Access →
Platform Overview
From compliance obligation to board-level assurance.
UNIFIED RISK GRAPH
Single risk intelligence layer

Every initiative, system, vendor, control, evidence, finding, and obligation connected in a living graph — changes propagate instantly.

155+ Prisma models · 440+ API endpoints
AI COPILOT
Natural language GRC reasoning

AI generates narratives, classifies initiatives, parses VAPT reports, drafts CERT-In notifications, and surfaces remediation paths.

AI-powered · Confidence-scored
EVIDENCE INTELLIGENCE
Traceability from artifact to obligation

Evidence freshness tracking, control linkage, gap surfacing, and audit-ready export bundles with RSA-SHA256 signatures.

Deterministic signed exports
BOARD & REGULATOR PACKS
Defensible narratives, signed PDFs

Board cyber packs with maturity tier, traffic-light scorecard, top-5 risks in ₹ crore, incident SLA status, and IRDAI attestation evidence.

IRDAI · SEBI quarterly · RBI master directions
Scale & Coverage
Built for India's most regulated industries.
440+
API endpoints, multi-tenant
8
Compliance frameworks seeded
110
CRQ use cases (A–K categories)
45
IRDAI controls across 8 domains
Core Capabilities
Every BFSI cyber obligation. One platform.
🛡️
CERT-In Incident Response
Multi-regulator deadline engine: CERT-In 6hr · RBI 6hr · IRDAI 6hr · SEBI 4hr · DPBI 72hr. AI-drafted initial report in prescribed 9-field format. 30-minute overdue escalation. 180-day log retention tracker across 13 log sources.
CERT-In 2022/2025 RBI IRDAI DPDP
🔍
VAPT Management + AI Parser
Upload any VAPT report — Nessus, Burp Suite, OpenVAS, Qualys. AI extracts every finding, maps CVSS/CVE, sets severity deadlines (CRITICAL: 7 days), links to UCL controls. IRDAI.AUDIT.1 auto-compliant on clean closure.
IRDAI.AUDIT.1 RBI Patch Mgmt SEBI CSCRF
🏛️
IRDAI Regulatory Pack
Complete IRDAI Cybersecurity 2023 framework: 45 controls across 8 domains. Board attestation workflow with IRDAI submission tracking. AI-proposed crosswalks to RBI, ISO 27001, DPDP, SEBI CSCRF.
IRDAI 2023 Mar 2025 Revision 45 Controls
📊
CISO Command Dashboard
NIST CSF 2.0 maturity radar (6 functions, 4 tiers), live incident countdown, VAPT tracker, drift alerts, evidence heatmap, AI daily brief. Role-gated RISK_MANAGER view.
NIST CSF 2.0 SEBI CSCRF RBI
💼
Board Cybersecurity Dashboard
Traffic-light scorecard per framework, top-5 risks in ₹ crore, incident SLA adherence, attestation calendar, signed PDF board pack — IRDAI attestation evidence. EXECUTIVE_VIEWER role.
IRDAI Attestation SEBI Quarterly RBI Board
📐
AI-driven SAR
Upload architecture diagrams (PNG, PDF, SVG). AI extracts components, traces PII data flows, flags RBI/SEBI/IRDAI baseline gaps. SAR findings block initiative gates until resolved.
RBI IT Security IRDAI Data Residency SEBI
📋
Audit Program Management
Full audit lifecycle: plan → execute → document → report. 29 seeded procedures across ITGC, AppSec, SDLC, Vendor templates. State machine: DRAFT → VALIDATED → MANAGEMENT_RESPONSE → REMEDIATION → CLOSED. Board-grade 7-section PDF.
ITGC AppSec SDLC Vendor
CRQ Engine — 4 Models
FAIR v3.0 Monte Carlo, FAIR-MAM (maturity→₹ reduction), NIST 800-30 ALE, Probabilistic VaR (99th pct). 110 seeded use cases across categories A–K. All 6 FAIR loss forms including DPDP ₹250Cr fine ceiling.
FAIR v3.0 SEBI Investment Justification RBI Board
📄
Contract/DPA + SBOM
28-field vendor contract model with DPA tracking and RBI IT outsourcing clauses. CONTRACT_EXPIRY alerts 60 days ahead. SBOM import (CycloneDX/SPDX) with CVE cross-reference and automatic VaptFinding creation on match.
DPDP §8 DPA RBI IT Outsourcing SEBI CSCRF
⚖️
DPDP Gap Assessment
Score-based gap assessment against the Digital Personal Data Protection Act 2023 and Rules 2025. Maps every control gap to the specific DPDP Act section it implicates. Quantifies penalty exposure up to ₹250 crore per violation. Generates a board-ready assurance report with prioritised remediation actions — defensible evidence for the May 2027 compliance deadline.
DPDP Act 2023 DPBI Notification ₹250Cr Ceiling May 2027 Deadline
🤖
India AI Governance Pack
10-control framework aligned to India’s AI Governance Guidelines 2025 (MeitY / IndiaAI Mission). Covers AI risk classification (HIGH / MEDIUM / LOW), bias audit tracking, explainability logging, and AI incident management. Includes the K_AI_GOVERNANCE CRQ category for quantifying AI-specific cyber risk in ₹ crore. Advisory framework — binding AI obligations for BFSI come from your sector regulator (RBI FREE-AI, SEBI, IRDAI).
India AI Gov Guidelines 2025 Advisory RBI FREE-AI K_AI_GOVERNANCE CRQ
🎯
Threat Modelling — STRIDE + PASTA
Integrated STRIDE and PASTA threat modelling connected to the risk graph, SAR findings, VAPT assessments, and UCL controls. Component extraction, PII data flow tracing, stride entry classification, pasta stage analysis, and mitigation mapping — all linked. Initiative gates stay open until threat model findings are resolved.
STRIDE PASTA RBI TRA SEBI CSCRF SDLC IRDAI IS Audit
📡
Regulatory Change Tracking
Daily AI-powered monitoring of RBI, SEBI, IRDAI, DPDP, CERT-In, and MeitY circulars. New updates auto-matched to affected UCL controls. TENANT_ADMIN and POLICY_OWNER notified immediately. One-click incorporate workflow with full audit trail — so your control library stays current with every regulator update.
RBI Circulars SEBI IRDAI DPDP CERT-In MeitY
Framework Coverage
8 compliance frameworks. Native. Not retrofitted.
Framework Regulator Controls AI Mapping Board Pack Posture API Status
RBI Cyber Framework RBI Live
SEBI CSCRF SEBI Live
IRDAI Cybersecurity 2023 IRDAI ✓ 45 controls ✓ 10 crosswalks Live
DPDP Act 2023 MeitY/DPBI Live
ISO 27001 ISO/IEC Live
NIST CSF 2.0 NIST Live
SOC 2 AICPA Live
India AI Governance Guidelines 2025 MeitY / IndiaAI Mission ✓ 10 controls Live · Advisory
CISO Command Dashboard
Maturity, posture, incidents. One view.
risksage.creativecyber.in/dashboard
NIST CSF 2.0 Maturity
GOVERN
Tier 3
IDENTIFY
Tier 3
PROTECT
Tier 2
DETECT
Tier 2
RESPOND
Tier 3
RECOVER
Tier 2
Regulatory Posture
RBI_CYBER
84%
IRDAI_CYBER
61%
SEBI_CSCRF
79%
DPDP
55%
Live Incident Deadlines
INC-2026-041
CERT-In 6hr window
02:14:33
INC-2026-041
IRDAI 6hr window
04:52:17
INC-2026-039
DPBI 72hr (personal data)
61:09:44
// Free risk estimator

Try the FAIR engine — before you commit

Three sliders. Instant Annualised Loss Expectancy in rupees. This is the same FAIR engine that powers RiskSage's full risk quantification module — try it now, no login required.

Live tool — no login required — same FAIR engine as the full platform

RiskSage extends this to Monte Carlo simulation · full portfolio aggregation · SEBI CSCRF CRQ reporting

Who Uses RiskSage
Built for every stakeholder in the governance chain.
For the CISO
Command & Control
  • CERT-In 6hr deadline engine with overdue escalation
  • VAPT AI parser — CVSS, CVE, severity deadlines
  • SAR diagram analysis for every new initiative
  • NIST CSF 2.0 maturity radar with target tiers
  • Evidence heatmap: systems × frameworks freshness
For Compliance & GRC
Posture & Evidence
  • UCL — Unified Control Library with AI crosswalks
  • IRDAI board attestation + submission tracking
  • DPDP Gap Assessment — ₹250Cr penalty exposure mapping
  • Contract/DPA tracker — DPDP §8 compliance
  • Control drift detection — automatic posture degradation alerts
  • Regulatory change feed — daily AI-powered watch
  • Policy lifecycle with evidence-gated exception closure
For the Board
Governance & Assurance
  • Traffic-light scorecard per regulatory framework
  • Top-5 risks in ₹ crore — FAIR v3.0 Monte Carlo
  • CRQ investment ROI: 110 use case library
  • IRDAI/SEBI attestation calendar + signed PDF
  • Audit findings summary + management response SLA
Get Started
Invite-only enterprise access.

How onboarding works

1
Submit a Business Enquiry
Share regulatory focus, organisation type, compliance objectives.
2
CreativeCyber provisions your tenant
Frameworks seeded, RBAC configured, first tenant admin set up.
3
Your Tenant Admin invites users
Role-gated access: RISK_MANAGER, AUDITOR, EXECUTIVE_VIEWER, POLICY_OWNER and more.
Submit Enterprise Enquiry → Tenant Login
Data hosted in India. Invite-only SaaS. No self-serve risk.

Questions before submitting an enquiry?

info@creativecyber.in

Data hosted in India  ·  Invite-only SaaS  ·  Response within 2 business days  ·  No implementation overhead

FAQ
Frequently asked questions.
Do you offer a free trial or beta access?
No. RiskSage is invite-only. Access is provisioned by CreativeCyber based on approved business enquiries. This ensures every tenant is correctly configured for their regulatory context from day one.
Which regulators and frameworks are supported out of the box?
RBI Cyber Framework, SEBI CSCRF, IRDAI Cybersecurity 2023 (March 2025 revision), DPDP Act 2023, ISO 27001, NIST CSF 2.0, SOC 2, and India AI Governance Guidelines 2025 (Advisory) — all seeded natively. Custom framework import with AI-proposed control mappings is available for enterprise needs.
How does the CERT-In 6-hour deadline engine work?
When a cyber incident is logged with a detection timestamp, RiskSage automatically calculates regulatory deadlines for every applicable regulator (CERT-In, RBI, IRDAI, SEBI, DPBI) simultaneously. AI drafts the initial CERT-In report in the prescribed 9-field format. 30-minute escalation alerts fire for overdue notifications.
What types of VAPT reports can be parsed?
Nessus, Burp Suite, OpenVAS, Qualys, and manual penetration test reports uploaded as text. Severity-based deadlines: CRITICAL = 7 days, HIGH = 30 days, MEDIUM = 90 days.
What is the IRDAI board attestation workflow?
RiskSage supports the full IRDAI board attestation lifecycle — compliance posture to board, formal recording, signed PDF generation, and IRDAI submission tracking within the 90-day FY-end / 30-day audit completion deadline.
Is data hosted in India?
Yes. Aligned with RBI data localisation requirements and DPDP cross-border transfer restrictions. AES-256 at rest, TLS 1.3 in transit, multi-tenant row-level isolation, full audit logging.
How long does onboarding take?
Tenant provisioning takes 24–48 hours after a confirmed business enquiry. Frameworks are pre-seeded for your regulatory context — RBI, IRDAI, SEBI CSCRF depending on sector. Your Tenant Admin can invite users immediately after provisioning. Most teams reach their first board report within the first week.
What happens after I submit a business enquiry?
CreativeCyber reviews your enquiry and responds within 2 business days to schedule a short discovery call. We discuss your regulatory focus, organisation type, team structure, and compliance objectives. If RiskSage is the right fit, your tenant is provisioned within 5 business days — frameworks seeded to your regulatory context, RBAC configured, and your first Tenant Admin account set up. There is no lengthy implementation cycle, no consulting dependency, and no professional services cost to get started. Your Tenant Admin then invites the rest of your team with appropriate roles.
How is RiskSage priced?
Pricing is structured around your organisation type and the regulatory scope you need covered — a bank with RBI + DPDP obligations has a different configuration to an insurer with IRDAI + CERT-In focus. Pricing is agreed during the business engagement process and is not published as a self-serve rate card. To start the conversation, submit a business enquiry at creativecyber.in/business-enquiry or email info@creativecyber.in.
Who within our organisation should submit the enquiry?
Typically the CISO, CTO, Head of Compliance, DPO, or whoever owns the regulatory compliance and cyber risk function. RiskSage serves multiple stakeholders — CISO, Compliance, GRC, Risk, Audit, and the Board — so the initial enquiry works best when initiated by someone with a cross-functional view. We are happy to support internal presentations and business case preparation for your leadership or procurement team.