July
This month- 14 Jul Patch Microsoft Patch Tuesday
- Jul-Sep Window IT-Department refund phishing peak [source]
- 26 Jul Window Kargil Vijay Diwas (reactive window if tension)
- Late Jul Event Monsoon Session likely begins (dates TBA)
Enterprise platforms
Learning environments
Talk to sales
For enterprise
Explore Consulting
Engage with us
More from Consulting
Explore Tracks
More from Training
Featured insights
Read by topic
More from Insights
About Cyberange
Get involved
A month-by-month read of the regulatory beats, adversary cadence, and seasonal patterns Indian defenders should plan against in 2026 — across nine critical sectors. Not a prediction of when specific incidents will land. A planning artefact, corrected monthly as the year unfolds.
Published
February 2026
Updated
29 June 2026
Next revision
31 July 2026
Sectors
9 covered
What's queued · next 30 days
Pulled from July and August. This section always shows the current month and the next, and updates automatically each month — so what's on this page today is your team's planning horizon for the next 30 days. Leave us a feedback on linkedin if this works for you.
July
This monthAugust
Up nextHow this calendar works
01 · Deterministic
CERT-In, SEBI, RBI, IRDAI, MeitY, DoT and CEA publish their dates. We surface them; we do not invent them.
02 · Statistical
Festive UPI fraud, ITR-refund phishing, exam-result lures, IPL scams — multi-year curves, anchored to RBI and CERT-In data.
03 · Reactive
APT36, SideCopy, TAG-38 / RedEcho, Lazarus, MuddyWater. Operational tempo from Mandiant, Talos, Recorded Future, ESET, Seqrite.
04 · Cyclical
Patch Tuesday, Oracle's quarterly CPU, Cisco semi-annual, and the monthly Siemens and Schneider ProductCERT drops. The vendor calendar is public — plan to it.
05 · Corrected
Every month, we mark what landed against what was forecast, and reissue the calendar with corrections. No prophecy required.
Year at a glance
01 / 12 · January
Fixed beats
The month at a glance
Republic Day is the centre of gravity this month.
Hacktivist DDoS, defacement and exfil campaigns concentrate around 26 January.
NIC issued a 7 January 2026 advisory.
The pattern has held three consecutive years per CloudSEK.
[source]Pre-position for the bigger I-Day window in August.
Use January to lock down public surfaces and verify NCIIPC protected-system inventories.
By sector — what to drill
Capital-markets DDoS posture review ahead of Budget Day (1 Feb). Finalise CSCRF FY 25-26 audit scoping; the master circular requires annual VAPT and SOC-monitoring sign-off.
Drill Tabletop: simulated DDoS on retail-banking and trading portals during Budget Day. Validate failover and customer-comms playbook.
[source]SLDC perimeter hardening. CEA Cyber Security Regulations 2025 expected to be notified later in 2026 — start gap-analysis against the draft published 6 Oct 2025.
Drill Pre-Republic-Day perimeter audit of all NCIIPC-notified Protected Systems; ensure CSIRT-Power reporting flows are tested.
[source]CERT-In incident-reporting workflow tested at each operating site; NCIIPC liaison maintained.
Internet-exposed-surface scan monthly; OT segmentation review quarterly.
DoT Telecom Cyber Security Amendment Rules 2025 fully in force; non-telco "Telecommunication Identifier User Entity" (TIUE) onboarding into the Mobile Number Validation Platform continues.
Drill TIUE-class platforms: verify number-based identifier flows are MNV-compliant; document evidence of IMEI verification on refurbished-handset channels.
[source]Highest hacktivist-correlation month. State CEO portals, central service domains and IndiaStack-adjacent platforms are the lead targets.
Drill WAF rule-pack refresh for R-Day; pre-rendered static failovers for high-traffic .gov.in properties.
Hospital BCM/DR drills quarterly; pharma listed-entity disclosure readiness verified.
Year-opening ransomware risk continues — Polycab (Mar 2024) and Tata Technologies (Feb 2025) are the recent comparables.
Drill OT/IT segmentation review at one plant; verify air-gap or DMZ between historian and corporate.
Passenger PII surface map; supply-chain (SITA-style) dependencies catalogued.
Fixed beats
The month at a glance
Content-takedown window collapses from 36 hours to three.
MeitY IT Rules Amendment effective 20 Feb. Synthetic-media labelling becomes mandatory.
[source]S4x26 sets the OT-disclosure cycle for the year.
Pharma, auto, and defence-electronics OEMs should track Dragos and Claroty briefs from Miami.
APT36 / SideCopy surge with kinetic events, not anniversaries.
CTI data supports reactivity, not date-fixed clustering. Pre-stage forensic retainers.
[source]By sector — what to drill
Budget-day capital-markets surface monitoring (prudential — widely cited, not regulator-evidenced). Plan ratio of fraud-helpdesk capacity to IPL/festive call volumes that arrive March onward.
Drill Budget-day TTX: NSE/BSE volumetric anomaly + brokerage portal DDoS playbook.
NCIIPC Protected-System audit cadence; CSIRT-Power channel testing; CEA 2021 Guidelines compliance.
PNGRB has no notified standalone cyber regulation; obligations flow through CERT-In + NCIIPC. Use Q1 to confirm Protected-System designations for refineries and pipelines.
Drill Document NCIIPC reporting workflow at one refinery and one pipeline operations centre.
Internet-exposed-surface scan monthly; OT segmentation review quarterly.
Significant social media intermediaries and OTT/digital-news publishers now operate under a 3-hour takedown clock for lawful orders, 2 hours for specified complaints. Synthetic-Generated-Information labelling is mandatory.
Drill Stand up an SLA-tracked takedown-request console; tag all SGI ingress endpoints; rehearse a 3-hour content escalation with legal.
[source]Reactive APT window. APT36 / Transparent Tribe operationally couples to India-Pakistan kinetic events within days, per Seqrite. No fixed-date spike — the trigger is the event, not the calendar.
Drill Pre-stage forensics retainer; rehearse spear-phish triage on Pahalgam-style decoys.
[source]Hospital BCM/DR drills quarterly; pharma listed-entity disclosure readiness verified.
New ICS tradecraft surfaces at S4x26 — pharma, auto and defence-electronics OEMs should track Dragos and Claroty disclosures from the conference for proofs-of-concept.
Drill Map any S4-disclosed PLC/HMI advisories against your asset inventory within two weeks.
Passenger PII surface map; supply-chain (SITA-style) dependencies catalogued.
Fixed beats
The month at a glance
ECI’s 15 March schedule announcement opens a six-week disinformation window.
Cyfirma and SOCRadar tracked the deepfake + DDoS pattern through LSE 2024.
[source]IPL drags 600+ fake-ticketing and 400+ streaming-scam domains.
Customer-care call surge for BFSI starts now; phishing-IOC feed needs a top-up.
[source]FY-end ransomware tail historically hits manufacturing and pharma.
Polycab India (Mar 2024) is the in-sector reference. Verify offline backups now.
By sector — what to drill
IPL fraud cluster opens — fake ticketing, streaming, fantasy-sports phishing. Customer-care call surge starts.
Drill Stand up an IPL-themed phishing-IOC feed; brief contact-centre on common lures.
[source]NCIIPC Protected-System audit cadence; CSIRT-Power channel testing; CEA 2021 Guidelines compliance.
CERT-In incident-reporting workflow tested at each operating site; NCIIPC liaison maintained.
Internet-exposed-surface scan monthly; OT segmentation review quarterly.
TCCCPR-3 consultation opens — AI/ML-based UCC detection, inter-operator intelligence sharing, ₹50L/LSA/month financial-disincentive cap.
Drill Draft TCCCPR-3 compliance plan; map A2P/P2P traffic-declaration architecture.
Election-cycle disinformation window opens. Deepfake-audio against political figures historically peaks in the 4–6 week run-up to polling.
Drill Stand up a deepfake-detection panel covering CM-level political figures in poll-bound states; share artefacts with ECI.
[source]Sun Pharma (Mar 2023) and Granules India (May–Jun 2023) are recent listed-entity comparables. Pre-summer ransomware risk elevated in pharma.
Drill Air-gap restoration drill on one ERP/MES system; document RTO/RPO.
FY-end ransomware tail. Listed Indian manufacturers have disclosed multiple incidents in March across 2023–2025.
Drill Verify offline backups for two production-critical systems; tabletop with finance on year-end disclosure obligations.
Passenger PII surface map; supply-chain (SITA-style) dependencies catalogued.
Fixed beats
The month at a glance
Three regulatory dates land inside the same month.
1 Apr RBI medium-PSO compliance, 6 Apr IRDAI 2026 Guidelines, FY 26-27 audit cycle opens.
State polls on 9, 23 and 29 April.
State CEO portals, ECI-vendor systems and disinformation amplification all peak.
[source]Insurers begin a 90-day clock on the first Annexure III audit.
Scoping and auditor procurement cannot wait — the meter starts at FY-end.
By sector — what to drill
Critical: 1 April compliance for medium non-bank PSOs. Card networks, payment aggregators, PPI issuers, white-label ATM operators, TReDS, BBPOUs and cross-border money-transfer entities must demonstrate compliance.
Drill Compliance attestation package delivered to RBI DPSS; gap-list of any control still pending with remediation dates.
NCIIPC Protected-System audit cadence; CSIRT-Power channel testing; CEA 2021 Guidelines compliance.
CERT-In incident-reporting workflow tested at each operating site; NCIIPC liaison maintained.
Internet-exposed-surface scan monthly; OT segmentation review quarterly.
SMS-template approval load peaks for political parties; UCC volume from spoofed sender-IDs surges. TCCCPR-3 consultation continues.
Drill Audit DLT registrations for poll-bound state party headers; check sender-ID misuse log.
Poll-day infrastructure stress on three dates (9, 23, 29 Apr). State CEO portals, ECI-adjacent vendor systems and disinformation-amplification monitoring all peak.
Drill Pre-position ECI liaison; 24×7 SOC presence on poll days; rehearse takedown of impersonation domains.
[source]IRDAI 2026 Guidelines effective from FY 2026-27 (issued 6 Apr) — first Annexure III audit report due within 90 days of FY-end. CBSE result-lure phishing window opens mid-month.
Drill Insurers: scope first Annexure III audit. Health-network CISOs: pre-position CBSE-result phishing detections.
FY-end book-closing window — Tata Technologies-style ransomware tail (Feb–Apr 2025 comparable).
Drill Final FY-25-26 backup-restoration sign-off; verify cyber-insurance renewal documentation.
Passenger PII surface map; supply-chain (SITA-style) dependencies catalogued.
Fixed beats
The month at a glance
A 1–2 week post-counting hacktivist window opens 4 May.
Both winning and losing political ecosystems generate traffic. WAF posture stays elevated through 18 May.
CBSE results + IPL finals collide late month.
Fake-DigiLocker and fake-ticketing clusters peak concurrently for two weeks.
[source]MeitY has named impersonation domains explicitly in past years.
Use that precedent to push for fast take-down channels with registrars.
Supply-chain compromise is now an India-relevant operational risk, not a US-only story.
CERT-In issued a Critical advisory on Mini Shai-Hulud (CIAD-2026-0026) within 48 hours of the 19 May burst. Build-pipeline credential audits + npm/PyPI lockfile reviews belong in the operating cadence; this won't be the last wave.
[source]By sector — what to drill
IPL finale draws the year's largest concurrent payments-fraud peak — fantasy-sports KYC scams, fake-merchandise phishing, betting-tip schemes.
Drill Customer-comms blitz before finals weekend; tighten velocity rules on small-value first-time UPI transactions.
NCIIPC Protected-System audit cadence; CSIRT-Power channel testing; CEA 2021 Guidelines compliance.
CERT-In incident-reporting workflow tested at each operating site; NCIIPC liaison maintained.
Internet-exposed-surface scan monthly; OT segmentation review quarterly.
Sender-ID misuse around result-day SMS traffic; volumetric anomalies on transactional templates.
Drill Sender-ID anomaly detection across CBSE-themed template approvals.
Post-counting DDoS on state CEO portals continues for 1–2 weeks. ECI grievance redressal sees impersonation phishing.
Drill Maintain heightened WAF posture through 18 May; brief comms team on impersonation domains.
CBSE/CISCE result phishing peaks — fake-DigiLocker domains, Aadhaar-OTP harvesting via "result-checker" APKs.
Drill Publicly amplify official-channel-only messaging via your education and parent-engagement comms.
OT/IT segmentation; vendor-RMM tool inventory; ransomware-recovery drill quarterly.
Passenger PII surface map; supply-chain (SITA-style) dependencies catalogued.
Fixed beats
The month at a glance
Pre-monsoon load stresses the grid; reactive APT window.
TAG-38 / RedEcho intrusions historically concentrate on SLDCs in this window.
[source]Take June Patch Tuesday seriously — CERT-In rates it Critical, and 1 of 6 zero-days is being actively exploited.
198 CVEs, 32 critical incl. CVE-2026-42985 (RDP RCE) and CVE-2026-47291 (HTTP.sys unauth RCE). Prioritise internet-facing assets and RDP infrastructure. Oracle CPU lands the same week (CIAD-2026-0032).
[source]ITR filing opens; the phishing wave is 4–6 weeks away.
Pre-position fraud-helpdesk capacity and customer-comms playbooks now.
A regulatorily quieter month — use it to drill.
Restoration, OT-IT segmentation, and offline-backup verification while load is low.
By sector — what to drill
IT-refund phishing campaigns surface; brokerages and banks brace customer-communications. Separately, 2026 has seen a sharp rise in deepfake BEC impersonating Indian CEOs/CFOs via AI-generated voice + video — 76% of Indian CISOs rank AI-enabled attacks as a top priority (BCG/DSCI 2026).
Drill Customer-bulletin on official-domain (incometax.gov.in) only; brief contact-centre on common refund lures. Out-of-band verification protocol for any payment instruction received via voice/video — never authorise from a single channel.
[source]China-aligned reactive APT cadence around Galwan-anniversary window has been documented across multiple years; treat as elevated probability, not certainty.
Drill SLDC / RLDC perimeter audit; verify CSIRT-Power reporting flows; review NCIIPC Protected-System inventory.
Cyclone-season pre-positioning; offshore platforms exposed to combined cyber + physical risk.
Drill Verify out-of-band comms with at least one offshore facility; test SCADA failover.
Monsoon-onset operational stress on SCADA-heavy water utilities. Bangalore Water (Oct 2024) and Delhi Jal Board (2024-25) are recent points of reference.
Drill Verify offline storage of OT configurations; rehearse manual operations for one pumping station.
DoT Cyber Security Rules 2024 + 2025 Amendment compliance; MNV Platform feed validation.
APT36 has expanded tradecraft to Linux — BOSS Linux specifically (widely deployed across Indian government). SideCopy actively running cross-platform RAT campaigns. Treat as elevated probability through the Galwan-window (10–20 Jun) and the broader Independence-Day run-up.
Drill Verify BOSS Linux endpoint coverage; refresh APT36 / SideCopy YARA + sigma rules on email + endpoint; brief defence-liaison teams on Xeno RAT and DeskRAT indicators.
[source]Hospital BCM/DR drills quarterly; pharma listed-entity disclosure readiness verified.
MuddyWater (Iranian) pharma-targeting baseline historically active here — though India-specific signal is from a single ESET window (Oct 2023 – Apr 2024).
Drill RMM-tool inventory audit (Atera, ScreenConnect, SimpleHelp) — flag any non-sanctioned remote-access software.
GNSS jamming / GPS spoofing on Indian commercial aviation remains an open threat surface — seven major airports (IGI, Mumbai, Kolkata, Hyderabad, Bengaluru, Amritsar, Chennai) reported interference per the Civil Aviation Minister's Parliament disclosure (Dec 2025). NSA office investigating; airport CISOs + DGCA + BCAS coordinating. Treat as a year-round vigilance posture, not a single-window event.
Drill Confirm runway approach contingency procedures for GNSS-unavailable scenarios; verify CISO escalation chain to BCAS for GNSS-anomaly reports; cross-rehearse with the airline operator on the same field.
[source]Fixed beats
The month at a glance
IT-refund phishing is the dominant fraud class for 60 days.
CERT-In Advisory 2025-IT-06 documents the pattern; use the official-domain-only customer line.
[source]Income Tax Department published a 7 August 2025 advisory.
Replicate the advisory verbatim in customer comms; brief contact-centre on refund-amount lures.
Kargil Vijay Diwas — reactive APT window if tension is high.
Vendor data supports India-Pakistan reactivity, not fixed-date clustering. Stay alert, not date-driven.
By sector — what to drill
IT-refund phishing is the highest-volume consumer-fraud class for the next 60 days. Bank fraud-helpdesks staff up.
Drill Run a customer-awareness campaign on the spoofed `incometaxindiafilling.gov.in` pattern; brief contact-centre on refund-amount common lures.
NCIIPC Protected-System audit cadence; CSIRT-Power channel testing; CEA 2021 Guidelines compliance.
Refinery turn-around season — change-windows are when ICS exposure is highest. Oil India ransomware (Apr 2022) is the in-sector comparable.
Drill Approve OT change-management exception process; verify no third-party VPN access stays open post-turnaround.
Internet-exposed-surface scan monthly; OT segmentation review quarterly.
DoT Cyber Security Rules 2024 + 2025 Amendment compliance; MNV Platform feed validation.
Kargil-window reactive APT activity possible if India-Pakistan tension is elevated. APT36 lure-volume baseline historically rises in border-anniversary months.
Drill Pre-rehearse spear-phish triage on defence-themed decoys; refresh staff awareness on PPAM/Crimson-RAT-style lures.
AIIMS Delhi (Nov 2022) sits in living memory — hospitals should keep restoration drills current.
Drill Tabletop: ransomware on the hospital information system; manual-fallback procedures for OPD/IPD validated.
OT/IT segmentation; vendor-RMM tool inventory; ransomware-recovery drill quarterly.
Passenger PII surface map; supply-chain (SITA-style) dependencies catalogued.
Fixed beats
The month at a glance
Independence Day is the year’s strongest evidenced seasonal spike.
Cyble logged 4,000+ incidents in the August 2025 window — 404 defacements, 656 DDoS, 1,114 leak claims.
[source]Black Hat + DEF CON drop new tradecraft 1–9 August.
Subscribe team to Dragos / Claroty briefs; commit to a 2-week SLA on triaging disclosed advisories.
Q4 weaponisation planning starts now.
Canonical 4–12 week lag from Vegas disclosure to mass exploitation in the wild.
By sector — what to drill
I-Day weekend DDoS / leak-claim surge — even unverified claims drive customer panic and inbound contact-centre load.
Drill Volumetric DDoS exercise on retail-banking surface; comms-team script for "alleged leak" claims with no corroborating evidence.
NCIIPC Protected-System audit cadence; CSIRT-Power channel testing; CEA 2021 Guidelines compliance.
Same OT-disclosure exposure as manufacturing. Refinery and pipeline ICS proofs-of-concept routinely surface at DEF CON.
Drill Asset-inventory cross-reference with Aug-disclosed CVEs by 1 September.
Internet-exposed-surface scan monthly; OT segmentation review quarterly.
Carrier-grade DDoS volumetric peaks. TIUE-class platforms (Zomato, Paytm, etc.) inherit telecom-style abuse load on top of platform-level pressure.
Drill Scrubbing-centre capacity verified; TIUE-class platforms: customer-comms script tested.
Highest-load hacktivist month. State, education and BFSI surfaces dominated the 2025 target list. Pro-Palestine, pro-Pakistan and religious-ideology groups historically coordinate within the I-Day window.
Drill 24×7 SOC presence 13–17 Aug; rehearsed defacement-recovery; pre-staged static failovers for content-driven .gov.in domains.
Education + healthcare were 32.5% / unspecified-but-high share of 2024 hacktivist targets per CloudSEK.
Drill Hospital-network defacement TTX; pre-validated content recovery in <2 hours.
New ICS tradecraft from Black Hat / DEF CON lands. Dragos, Claroty, Team82 typically publish synthesis briefs first week of September.
Drill Subscribe team to S4 / Dragos / Claroty mailing lists; commit to a 2-week SLA on triaging Aug-disclosed PLC/HMI advisories.
Passenger PII surface map; supply-chain (SITA-style) dependencies catalogued.
Fixed beats
The month at a glance
India hosts BRICS in New Delhi on 12–13 September.
Host-nation infrastructure, transport, hotels and MEA vendors draw elevated APT + hacktivist attention.
[source]The festive cycle opens late September.
Cloned-storefront waves and fake-merchant QR codes ramp into October.
Amazon India ran “Scam-Free September” with I4C in 2025.
The brand-impersonation pattern they targeted recurs annually. Coordinate take-downs early.
By sector — what to drill
Late-Sep festive cluster opens — cloned-storefront waves, fake-merchant QR codes, "delivery delayed" SMS phishing.
Drill Update fraud-rule velocity thresholds; refresh customer-bulletin templates for festive lures.
NCIIPC Protected-System audit cadence; CSIRT-Power channel testing; CEA 2021 Guidelines compliance.
CERT-In incident-reporting workflow tested at each operating site; NCIIPC liaison maintained.
Internet-exposed-surface scan monthly; OT segmentation review quarterly.
SMS-template approval volume rises; A2P traffic from e-commerce merchants peaks; UCC complaints spike.
Drill Pre-stage extra DLT review headcount; tighten anomalous-template detection.
BRICS-window heightened APT attention. MEA-adjacent platforms, summit-management vendors, accreditation portals are primary targets.
Drill Locked-down access lists on summit-related staging environments; out-of-band channels with MEA SOC.
Hospital BCM/DR drills quarterly; pharma listed-entity disclosure readiness verified.
September is when Aug-disclosed ICS tradecraft begins to be observed in the wild. Dragos / Claroty year-in-review preparation.
Drill Catalogue all Aug-disclosed PLC/HMI advisories you have not yet acted on.
Delegation-window operational-security spillover — airline ticketing, hotel booking, ride-hailing platforms see impersonation phishing.
Drill Brief customer-care on impersonation lures; rehearse account-takeover detection on premium-tier accounts.
Fixed beats
The month at a glance
Q4 mass-exploitation of August-disclosed tradecraft arrives.
Patch or mitigate any Black Hat 2026 / DEF CON 34 CVE still open in your environment.
CERT-In has named Amazon / Flipkart-mimicking domains.
The 2023 festive advisory pattern recurs every year. Pre-position registrar take-down channels.
Digital-payment fraud is 56.5% of all reported banking fraud.
RBI FY-25 aggregate: 13,516 cases, ₹520Cr. The festive window is the peak contributor.
[source]By sector — what to drill
Peak festive phishing and fake-deal traffic. UPI fraud risk rises into Diwali. RBI does not publish monthly Diwali-specific data — treat as elevated probability, not a regulator-confirmed spike.
Drill Festive-window fraud-rule pack; brief contact-centre on QR-swap and "payment-failed re-initiate" lures.
NCIIPC Protected-System audit cadence; CSIRT-Power channel testing; CEA 2021 Guidelines compliance.
CERT-In incident-reporting workflow tested at each operating site; NCIIPC liaison maintained.
Post-monsoon SCADA review window. Bangalore Water (Oct 2024) is the in-sector benchmark — exposed .env files remain a common root-cause.
Drill Surface scan: any internet-exposed .env, .git, /admin paths on utility portals.
SMS-fraud volume highest of the year. TIUE-class e-commerce platforms inherit phone-number abuse load.
Drill Verify A2P traffic-declaration completeness; escalate template-misuse cases to TRAI per draft TCCCPR-3 cadence.
NIC advisory channel monitored; CERT-In Empanelled Auditor cycle on track.
Hospital BCM/DR drills quarterly; pharma listed-entity disclosure readiness verified.
Q4 weaponisation of Aug-disclosed ICS tradecraft begins. Dragos 2026 OT advisory typically lands here.
Drill Patch / mitigate any Black Hat 2026 / DEF CON 34-disclosed CVEs still open in your environment.
E-commerce parcel-tracking phishing peaks. Logistics carriers (Blue Dart, Delhivery, India Post) see brand-impersonation lures.
Drill Coordinate take-downs with logistics partners; publish official-domain whitelist for customer comms.
Fixed beats
The month at a glance
DPDP Phase 2 operationalises 14 November.
Consent Manager registration framework goes live; substantive Data Fiduciary obligations phase in.
[source]Full DPDP enforcement is targeted for 14 May 2027.
An 18-month implementation runway opens from this milestone. Plan SDF designation now.
Diwali / Dhanteras brings the year’s peak UPI-fraud window.
CISO + DPO load coincides. Staff and rota plans matter here more than usual.
By sector — what to drill
Diwali / Dhanteras peak — combined with DPDP Phase 2 makes this the busiest CISO and DPO month of the year. UPI-fraud aggregate volume highest.
Drill Publish first DPDP-aligned consent notice; CRO + DPO joint review of breach-reporting workflow.
NCIIPC Protected-System audit cadence; CSIRT-Power channel testing; CEA 2021 Guidelines compliance.
CERT-In incident-reporting workflow tested at each operating site; NCIIPC liaison maintained.
Internet-exposed-surface scan monthly; OT segmentation review quarterly.
TIUE-class platforms inherit DPDP Data Fiduciary obligations alongside DoT identifier rules.
Drill Cross-walk DoT TIUE compliance with DPDP Data Fiduciary obligations; one unified record of processing.
State e-governance and IndiaStack-adjacent platforms must align consent UX with the 14 Nov framework.
Drill Map every PII collection point against DPDP's notice-and-consent rules; flag those still under IT Act §43A patterns.
Health data is sensitive personal data under DPDP; Consent Manager touchpoints across CoWIN-style platforms, hospital portals, lab results, insurance-claim flows.
Drill Inventory Data Fiduciary touchpoints; identify Consent Manager onboarding candidates.
OT/IT segmentation; vendor-RMM tool inventory; ransomware-recovery drill quarterly.
Logistics + ride-hail platforms process consent-heavy PII; TIUE + DPDP combined load.
Drill Stand up combined DoT + DPDP compliance owner; reconcile data-retention schedules.
Fixed beats
The month at a glance
Year-end fraud window — KYC-expiry SMS lures and “tax-saving” scams.
80C and ELSS deadline week drives the salaried-professional target list.
FY 26-27 H1 disclosure window for listed entities.
Verify CSCRF / ITGRCA / IRDAI audit-cycle completion before year-end.
Plan the 2027 calendar from December’s RBI Financial Stability Report.
The annual aggregates land in May 2027; FSR gives the leading indicator now.
By sector — what to drill
Year-end KYC-expiry SMS lures peak. "Tax-saving" scams target salaried professionals (ELSS / 80C deadline-driven).
Drill Customer-bulletin on KYC official-channels-only; pre-position fraud rules for 80C deadline week.
Peak winter-load season — northern grid stress; combined operational + cyber risk monitoring.
Drill Joint operations + SOC drill on simulated CSIRT-Power escalation.
CERT-In incident-reporting workflow tested at each operating site; NCIIPC liaison maintained.
Internet-exposed-surface scan monthly; OT segmentation review quarterly.
DoT Cyber Security Rules 2024 + 2025 Amendment compliance; MNV Platform feed validation.
Winter Session of Parliament — pre-session and budget-discussion media attention; protest-window hacktivism.
Drill Maintain heightened-monitoring posture through Parliament session dates; coordinate with sector CERT.
Pharma audit-cycle wrap; Sun Pharma (Mar 2023) and Granules India (May–Jun 2023) remain the listed-entity playbook references.
Drill Verify FY 26-27 H1 audit completion; document any open ransomware-related insurance claims.
Year-end ransomware tail — Hunters International on Tata Technologies (Feb 2025) and LockBit comparables continue to shape playbook.
Drill FY-26-27 H1 audit attestations; tabletop year-end book-closing ransomware scenario.
Passenger PII surface map; supply-chain (SITA-style) dependencies catalogued.
Caveats & sources
Spotted an error?
This is a living document. If a date is wrong, a regulator published late, a source URL has rotted, or we missed an event you tracked — drop us a note. Include the month, what we got wrong, and the primary source we should be citing instead.
The Phygital Range runs the scenarios highlighted in each month. Pick a sector — power, water, oil & gas, manufacturing — and book a tabletop or live-fire drill aligned to the month’s threat surface.