Annual India Edition 2026

The 2026 Threat-Intel Calendar — India edition.

A month-by-month read of the regulatory beats, adversary cadence, and seasonal patterns Indian defenders should plan against in 2026 — across nine critical sectors. Not a prediction of when specific incidents will land. A planning artefact, corrected monthly as the year unfolds.

Published

February 2026

Updated

29 May 2026

Next revision

30 June 2026

Sectors

9 covered

Jump to current month How we built this

How this calendar works

It is a planning framework, not a forecast. Five inputs are knowable a year out.

01 · Deterministic

Regulatory beats

CERT-In, SEBI, RBI, IRDAI, MeitY, DoT and CEA publish their dates. We surface them; we do not invent them.

02 · Statistical

Seasonal patterns

Festive UPI fraud, ITR-refund phishing, exam-result lures, IPL scams — multi-year curves, anchored to RBI and CERT-In data.

03 · Reactive

Adversary cadence

APT36, SideCopy, TAG-38 / RedEcho, Lazarus, MuddyWater. Operational tempo from Mandiant, Talos, Recorded Future, ESET, Seqrite.

04 · Cyclical

Vendor patch cadence

Patch Tuesday, Oracle's quarterly CPU, Cisco semi-annual, and the monthly Siemens and Schneider ProductCERT drops. The vendor calendar is public — plan to it.

05 · Corrected

Monthly revisions

Every month, we mark what landed against what was forecast, and reissue the calendar with corrections. No prophecy required.

Year at a glance

Regulation

Event

Patch Tuesday

Seasonal window

Today (auto-updates on each visit)

Filter:

Jump: JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC

01 / 12 · January

01 / 12

January

Past

Fixed beats

13 Jan Patch Microsoft Patch Tuesday
26 Jan Event Republic Day — hacktivist surge window [source]
28 Jan Event Budget Session Phase 1 opens [source]

The month at a glance

Republic Day is the centre of gravity this month.

Hacktivist DDoS, defacement and exfil campaigns concentrate around 26 January.
NIC issued a 7 January 2026 advisory.

The pattern has held three consecutive years per CloudSEK.
[source]
Pre-position for the bigger I-Day window in August.

Use January to lock down public surfaces and verify NCIIPC protected-system inventories.

By sector — what to drill

BFSI

Capital-markets DDoS posture review ahead of Budget Day (1 Feb). Finalise CSCRF FY 25-26 audit scoping; the master circular requires annual VAPT and SOC-monitoring sign-off.

Drill Tabletop: simulated DDoS on retail-banking and trading portals during Budget Day. Validate failover and customer-comms playbook.
[source]
Power

SLDC perimeter hardening. CEA Cyber Security Regulations 2025 expected to be notified later in 2026 — start gap-analysis against the draft published 6 Oct 2025.

Drill Pre-Republic-Day perimeter audit of all NCIIPC-notified Protected Systems; ensure CSIRT-Power reporting flows are tested.
[source]
O&G Baseline

CERT-In incident-reporting workflow tested at each operating site; NCIIPC liaison maintained.
Water Baseline

Internet-exposed-surface scan monthly; OT segmentation review quarterly.
Telecom

DoT Telecom Cyber Security Amendment Rules 2025 fully in force; non-telco "Telecommunication Identifier User Entity" (TIUE) onboarding into the Mobile Number Validation Platform continues.

Drill TIUE-class platforms: verify number-based identifier flows are MNV-compliant; document evidence of IMEI verification on refurbished-handset channels.
[source]
GovTech

Highest hacktivist-correlation month. State CEO portals, central service domains and IndiaStack-adjacent platforms are the lead targets.

Drill WAF rule-pack refresh for R-Day; pre-rendered static failovers for high-traffic .gov.in properties.
Healthcare Baseline

Hospital BCM/DR drills quarterly; pharma listed-entity disclosure readiness verified.
Manufacturing

Year-opening ransomware risk continues — Polycab (Mar 2024) and Tata Technologies (Feb 2025) are the recent comparables.

Drill OT/IT segmentation review at one plant; verify air-gap or DMZ between historian and corporate.
Transport Baseline

Passenger PII surface map; supply-chain (SITA-style) dependencies catalogued.

02 / 12

February

Past

Fixed beats

1 Feb Event Union Budget 2026-27 presented [source]
10 Feb Patch Microsoft Patch Tuesday
10 / 20 Feb Regulation MeitY IT Rules Amendment 2026 notified / effective — synthetic-media labelling, 3-hour content-takedown window [source]
23-26 Feb Event S4x26 (ICS / OT disclosures, Miami) [source]
25 Feb - 4 Mar Event Nullcon Goa 2026 [source]

The month at a glance

Content-takedown window collapses from 36 hours to three.

MeitY IT Rules Amendment effective 20 Feb. Synthetic-media labelling becomes mandatory.
[source]
S4x26 sets the OT-disclosure cycle for the year.

Pharma, auto, and defence-electronics OEMs should track Dragos and Claroty briefs from Miami.
APT36 / SideCopy surge with kinetic events, not anniversaries.

CTI data supports reactivity, not date-fixed clustering. Pre-stage forensic retainers.
[source]

By sector — what to drill

BFSI

Budget-day capital-markets surface monitoring (prudential — widely cited, not regulator-evidenced). Plan ratio of fraud-helpdesk capacity to IPL/festive call volumes that arrive March onward.

Drill Budget-day TTX: NSE/BSE volumetric anomaly + brokerage portal DDoS playbook.
Power Baseline

NCIIPC Protected-System audit cadence; CSIRT-Power channel testing; CEA 2021 Guidelines compliance.
O&G

PNGRB has no notified standalone cyber regulation; obligations flow through CERT-In + NCIIPC. Use Q1 to confirm Protected-System designations for refineries and pipelines.

Drill Document NCIIPC reporting workflow at one refinery and one pipeline operations centre.
Water Baseline

Internet-exposed-surface scan monthly; OT segmentation review quarterly.
Telecom

Significant social media intermediaries and OTT/digital-news publishers now operate under a 3-hour takedown clock for lawful orders, 2 hours for specified complaints. Synthetic-Generated-Information labelling is mandatory.

Drill Stand up an SLA-tracked takedown-request console; tag all SGI ingress endpoints; rehearse a 3-hour content escalation with legal.
[source]
GovTech

Reactive APT window. APT36 / Transparent Tribe operationally couples to India-Pakistan kinetic events within days, per Seqrite. No fixed-date spike — the trigger is the event, not the calendar.

Drill Pre-stage forensics retainer; rehearse spear-phish triage on Pahalgam-style decoys.
[source]
Healthcare Baseline

Hospital BCM/DR drills quarterly; pharma listed-entity disclosure readiness verified.
Manufacturing

New ICS tradecraft surfaces at S4x26 — pharma, auto and defence-electronics OEMs should track Dragos and Claroty disclosures from the conference for proofs-of-concept.

Drill Map any S4-disclosed PLC/HMI advisories against your asset inventory within two weeks.
Transport Baseline

Passenger PII surface map; supply-chain (SITA-style) dependencies catalogued.

03 / 12

March

Past

Fixed beats

9 Mar - 2 Apr Event Budget Session Phase 2
10 Mar Patch Microsoft Patch Tuesday
13 Mar Regulation TRAI draft TCCCPR 3rd Amendment opens — mandatory AI/ML UCC detection [source]
15 Mar Event ECI announces state election schedule (TN, Kerala, WB, Assam, Puducherry) [source]
23-26 Mar Event RSA Conference 2026 (San Francisco) [source]

The month at a glance

ECI’s 15 March schedule announcement opens a six-week disinformation window.

Cyfirma and SOCRadar tracked the deepfake + DDoS pattern through LSE 2024.
[source]
IPL drags 600+ fake-ticketing and 400+ streaming-scam domains.

Customer-care call surge for BFSI starts now; phishing-IOC feed needs a top-up.
[source]
FY-end ransomware tail historically hits manufacturing and pharma.

Polycab India (Mar 2024) is the in-sector reference. Verify offline backups now.

By sector — what to drill

BFSI

IPL fraud cluster opens — fake ticketing, streaming, fantasy-sports phishing. Customer-care call surge starts.

Drill Stand up an IPL-themed phishing-IOC feed; brief contact-centre on common lures.
[source]
Power Baseline

NCIIPC Protected-System audit cadence; CSIRT-Power channel testing; CEA 2021 Guidelines compliance.
O&G Baseline

CERT-In incident-reporting workflow tested at each operating site; NCIIPC liaison maintained.
Water Baseline

Internet-exposed-surface scan monthly; OT segmentation review quarterly.
Telecom

TCCCPR-3 consultation opens — AI/ML-based UCC detection, inter-operator intelligence sharing, ₹50L/LSA/month financial-disincentive cap.

Drill Draft TCCCPR-3 compliance plan; map A2P/P2P traffic-declaration architecture.
GovTech

Election-cycle disinformation window opens. Deepfake-audio against political figures historically peaks in the 4–6 week run-up to polling.

Drill Stand up a deepfake-detection panel covering CM-level political figures in poll-bound states; share artefacts with ECI.
[source]
Healthcare

Sun Pharma (Mar 2023) and Granules India (May–Jun 2023) are recent listed-entity comparables. Pre-summer ransomware risk elevated in pharma.

Drill Air-gap restoration drill on one ERP/MES system; document RTO/RPO.
Manufacturing

FY-end ransomware tail. Listed Indian manufacturers have disclosed multiple incidents in March across 2023–2025.

Drill Verify offline backups for two production-critical systems; tabletop with finance on year-end disclosure obligations.
Transport Baseline

Passenger PII surface map; supply-chain (SITA-style) dependencies catalogued.

04 / 12

April

Past

Fixed beats

1 Apr Regulation RBI: medium non-bank PSOs full compliance with Cyber Resilience & Digital Payment Security Master Direction [source]
6 Apr Regulation IRDAI Information & Cyber Security Guidelines 2026 issued [source]
9 / 23 / 29 Apr Event State assembly polls — Assam, Kerala, Pondy (9); TN (23); WB (23 + 29) [source]
14 Apr Patch Microsoft Patch Tuesday

The month at a glance

Three regulatory dates land inside the same month.

1 Apr RBI medium-PSO compliance, 6 Apr IRDAI 2026 Guidelines, FY 26-27 audit cycle opens.
State polls on 9, 23 and 29 April.

State CEO portals, ECI-vendor systems and disinformation amplification all peak.
[source]
Insurers begin a 90-day clock on the first Annexure III audit.

Scoping and auditor procurement cannot wait — the meter starts at FY-end.

By sector — what to drill

BFSI

Critical: 1 April compliance for medium non-bank PSOs. Card networks, payment aggregators, PPI issuers, white-label ATM operators, TReDS, BBPOUs and cross-border money-transfer entities must demonstrate compliance.

Drill Compliance attestation package delivered to RBI DPSS; gap-list of any control still pending with remediation dates.
Power Baseline

NCIIPC Protected-System audit cadence; CSIRT-Power channel testing; CEA 2021 Guidelines compliance.
O&G Baseline

CERT-In incident-reporting workflow tested at each operating site; NCIIPC liaison maintained.
Water Baseline

Internet-exposed-surface scan monthly; OT segmentation review quarterly.
Telecom

SMS-template approval load peaks for political parties; UCC volume from spoofed sender-IDs surges. TCCCPR-3 consultation continues.

Drill Audit DLT registrations for poll-bound state party headers; check sender-ID misuse log.
GovTech

Poll-day infrastructure stress on three dates (9, 23, 29 Apr). State CEO portals, ECI-adjacent vendor systems and disinformation-amplification monitoring all peak.

Drill Pre-position ECI liaison; 24×7 SOC presence on poll days; rehearse takedown of impersonation domains.
[source]
Healthcare

IRDAI 2026 Guidelines effective from FY 2026-27 (issued 6 Apr) — first Annexure III audit report due within 90 days of FY-end. CBSE result-lure phishing window opens mid-month.

Drill Insurers: scope first Annexure III audit. Health-network CISOs: pre-position CBSE-result phishing detections.
Manufacturing

FY-end book-closing window — Tata Technologies-style ransomware tail (Feb–Apr 2025 comparable).

Drill Final FY-25-26 backup-restoration sign-off; verify cyber-insurance renewal documentation.
Transport Baseline

Passenger PII surface map; supply-chain (SITA-style) dependencies catalogued.

05 / 12

May

Current

Fixed beats

4 May Event State election counting & results
12 May Patch Microsoft Patch Tuesday
Mid-May Window IPL playoffs and finale
May Window CBSE / state-board results window [source]

The month at a glance

A 1–2 week post-counting hacktivist window opens 4 May.

Both winning and losing political ecosystems generate traffic. WAF posture stays elevated through 18 May.
CBSE results + IPL finals collide late month.

Fake-DigiLocker and fake-ticketing clusters peak concurrently for two weeks.
[source]
MeitY has named impersonation domains explicitly in past years.

Use that precedent to push for fast take-down channels with registrars.

By sector — what to drill

BFSI

IPL finale draws the year's largest concurrent payments-fraud peak — fantasy-sports KYC scams, fake-merchandise phishing, betting-tip schemes.

Drill Customer-comms blitz before finals weekend; tighten velocity rules on small-value first-time UPI transactions.
Power Baseline

NCIIPC Protected-System audit cadence; CSIRT-Power channel testing; CEA 2021 Guidelines compliance.
O&G Baseline

CERT-In incident-reporting workflow tested at each operating site; NCIIPC liaison maintained.
Water Baseline

Internet-exposed-surface scan monthly; OT segmentation review quarterly.
Telecom

Sender-ID misuse around result-day SMS traffic; volumetric anomalies on transactional templates.

Drill Sender-ID anomaly detection across CBSE-themed template approvals.
GovTech

Post-counting DDoS on state CEO portals continues for 1–2 weeks. ECI grievance redressal sees impersonation phishing.

Drill Maintain heightened WAF posture through 18 May; brief comms team on impersonation domains.
Healthcare

CBSE/CISCE result phishing peaks — fake-DigiLocker domains, Aadhaar-OTP harvesting via "result-checker" APKs.

Drill Publicly amplify official-channel-only messaging via your education and parent-engagement comms.
Manufacturing Baseline

OT/IT segmentation; vendor-RMM tool inventory; ransomware-recovery drill quarterly.
Transport Baseline

Passenger PII surface map; supply-chain (SITA-style) dependencies catalogued.

06 / 12

June

Upcoming

Fixed beats

9 Jun Patch Microsoft Patch Tuesday
15 Jun Window Galwan anniversary — reactive APT window [source]
June Window ITR filing season opens; pre-monsoon power-load peak

The month at a glance

Pre-monsoon load stresses the grid; reactive APT window.

TAG-38 / RedEcho intrusions historically concentrate on SLDCs in this window.
[source]
ITR filing opens; the phishing wave is 4–6 weeks away.

Pre-position fraud-helpdesk capacity and customer-comms playbooks now.
A regulatorily quieter month — use it to drill.

Restoration, OT-IT segmentation, and offline-backup verification while load is low.

By sector — what to drill

BFSI

IT-refund phishing campaigns surface; brokerages and banks brace customer-communications.

Drill Customer-bulletin on official-domain (incometax.gov.in) only; brief contact-centre on common refund lures.
[source]
Power

China-aligned reactive APT cadence around Galwan-anniversary window has been documented across multiple years; treat as elevated probability, not certainty.

Drill SLDC / RLDC perimeter audit; verify CSIRT-Power reporting flows; review NCIIPC Protected-System inventory.
O&G

Cyclone-season pre-positioning; offshore platforms exposed to combined cyber + physical risk.

Drill Verify out-of-band comms with at least one offshore facility; test SCADA failover.
Water

Monsoon-onset operational stress on SCADA-heavy water utilities. Bangalore Water (Oct 2024) and Delhi Jal Board (2024-25) are recent points of reference.

Drill Verify offline storage of OT configurations; rehearse manual operations for one pumping station.
Telecom Baseline

DoT Cyber Security Rules 2024 + 2025 Amendment compliance; MNV Platform feed validation.
GovTech Baseline

NIC advisory channel monitored; CERT-In Empanelled Auditor cycle on track.
Healthcare Baseline

Hospital BCM/DR drills quarterly; pharma listed-entity disclosure readiness verified.
Manufacturing

MuddyWater (Iranian) pharma-targeting baseline historically active here — though India-specific signal is from a single ESET window (Oct 2023 – Apr 2024).

Drill RMM-tool inventory audit (Atera, ScreenConnect, SimpleHelp) — flag any non-sanctioned remote-access software.
Transport Baseline

Passenger PII surface map; supply-chain (SITA-style) dependencies catalogued.

07 / 12

July

Upcoming

Fixed beats

14 Jul Patch Microsoft Patch Tuesday
Jul-Sep Window IT-Department refund phishing peak [source]
26 Jul Window Kargil Vijay Diwas (reactive window if tension)
Late Jul Event Monsoon Session likely begins (dates TBA)

The month at a glance

IT-refund phishing is the dominant fraud class for 60 days.

CERT-In Advisory 2025-IT-06 documents the pattern; use the official-domain-only customer line.
[source]
Income Tax Department published a 7 August 2025 advisory.

Replicate the advisory verbatim in customer comms; brief contact-centre on refund-amount lures.
Kargil Vijay Diwas — reactive APT window if tension is high.

Vendor data supports India-Pakistan reactivity, not fixed-date clustering. Stay alert, not date-driven.

By sector — what to drill

BFSI

IT-refund phishing is the highest-volume consumer-fraud class for the next 60 days. Bank fraud-helpdesks staff up.

Drill Run a customer-awareness campaign on the spoofed `incometaxindiafilling.gov.in` pattern; brief contact-centre on refund-amount common lures.
Power Baseline

NCIIPC Protected-System audit cadence; CSIRT-Power channel testing; CEA 2021 Guidelines compliance.
O&G

Refinery turn-around season — change-windows are when ICS exposure is highest. Oil India ransomware (Apr 2022) is the in-sector comparable.

Drill Approve OT change-management exception process; verify no third-party VPN access stays open post-turnaround.
Water Baseline

Internet-exposed-surface scan monthly; OT segmentation review quarterly.
Telecom Baseline

DoT Cyber Security Rules 2024 + 2025 Amendment compliance; MNV Platform feed validation.
GovTech

Kargil-window reactive APT activity possible if India-Pakistan tension is elevated. APT36 lure-volume baseline historically rises in border-anniversary months.

Drill Pre-rehearse spear-phish triage on defence-themed decoys; refresh staff awareness on PPAM/Crimson-RAT-style lures.
Healthcare

AIIMS Delhi (Nov 2022) sits in living memory — hospitals should keep restoration drills current.

Drill Tabletop: ransomware on the hospital information system; manual-fallback procedures for OPD/IPD validated.
Manufacturing Baseline

OT/IT segmentation; vendor-RMM tool inventory; ransomware-recovery drill quarterly.
Transport Baseline

Passenger PII surface map; supply-chain (SITA-style) dependencies catalogued.

08 / 12

August

Upcoming

Fixed beats

1-6 Aug Event Black Hat USA 2026 (Mandalay Bay) [source]
6-9 Aug Event DEF CON 34 (Las Vegas) [source]
11 Aug Patch Microsoft Patch Tuesday
13-17 Aug Window Independence Day hacktivist surge — strongest evidenced seasonal pattern [source]

The month at a glance

Independence Day is the year’s strongest evidenced seasonal spike.

Cyble logged 4,000+ incidents in the August 2025 window — 404 defacements, 656 DDoS, 1,114 leak claims.
[source]
Black Hat + DEF CON drop new tradecraft 1–9 August.

Subscribe team to Dragos / Claroty briefs; commit to a 2-week SLA on triaging disclosed advisories.
Q4 weaponisation planning starts now.

Canonical 4–12 week lag from Vegas disclosure to mass exploitation in the wild.

By sector — what to drill

BFSI

I-Day weekend DDoS / leak-claim surge — even unverified claims drive customer panic and inbound contact-centre load.

Drill Volumetric DDoS exercise on retail-banking surface; comms-team script for "alleged leak" claims with no corroborating evidence.
Power Baseline

NCIIPC Protected-System audit cadence; CSIRT-Power channel testing; CEA 2021 Guidelines compliance.
O&G

Same OT-disclosure exposure as manufacturing. Refinery and pipeline ICS proofs-of-concept routinely surface at DEF CON.

Drill Asset-inventory cross-reference with Aug-disclosed CVEs by 1 September.
Water Baseline

Internet-exposed-surface scan monthly; OT segmentation review quarterly.
Telecom

Carrier-grade DDoS volumetric peaks. TIUE-class platforms (Zomato, Paytm, etc.) inherit telecom-style abuse load on top of platform-level pressure.

Drill Scrubbing-centre capacity verified; TIUE-class platforms: customer-comms script tested.
GovTech

Highest-load hacktivist month. State, education and BFSI surfaces dominated the 2025 target list. Pro-Palestine, pro-Pakistan and religious-ideology groups historically coordinate within the I-Day window.

Drill 24×7 SOC presence 13–17 Aug; rehearsed defacement-recovery; pre-staged static failovers for content-driven .gov.in domains.
Healthcare

Education + healthcare were 32.5% / unspecified-but-high share of 2024 hacktivist targets per CloudSEK.

Drill Hospital-network defacement TTX; pre-validated content recovery in <2 hours.
Manufacturing

New ICS tradecraft from Black Hat / DEF CON lands. Dragos, Claroty, Team82 typically publish synthesis briefs first week of September.

Drill Subscribe team to S4 / Dragos / Claroty mailing lists; commit to a 2-week SLA on triaging Aug-disclosed PLC/HMI advisories.
Transport Baseline

Passenger PII surface map; supply-chain (SITA-style) dependencies catalogued.

09 / 12

September

Upcoming

Fixed beats

8 Sep Patch Microsoft Patch Tuesday
12-13 Sep Event BRICS Summit New Delhi (India hosting) [source]
Sep-Oct Window Big Billion Days / Great Indian Festival prep window

The month at a glance

India hosts BRICS in New Delhi on 12–13 September.

Host-nation infrastructure, transport, hotels and MEA vendors draw elevated APT + hacktivist attention.
[source]
The festive cycle opens late September.

Cloned-storefront waves and fake-merchant QR codes ramp into October.
Amazon India ran “Scam-Free September” with I4C in 2025.

The brand-impersonation pattern they targeted recurs annually. Coordinate take-downs early.

By sector — what to drill

BFSI

Late-Sep festive cluster opens — cloned-storefront waves, fake-merchant QR codes, "delivery delayed" SMS phishing.

Drill Update fraud-rule velocity thresholds; refresh customer-bulletin templates for festive lures.
Power Baseline

NCIIPC Protected-System audit cadence; CSIRT-Power channel testing; CEA 2021 Guidelines compliance.
O&G Baseline

CERT-In incident-reporting workflow tested at each operating site; NCIIPC liaison maintained.
Water Baseline

Internet-exposed-surface scan monthly; OT segmentation review quarterly.
Telecom

SMS-template approval volume rises; A2P traffic from e-commerce merchants peaks; UCC complaints spike.

Drill Pre-stage extra DLT review headcount; tighten anomalous-template detection.
GovTech

BRICS-window heightened APT attention. MEA-adjacent platforms, summit-management vendors, accreditation portals are primary targets.

Drill Locked-down access lists on summit-related staging environments; out-of-band channels with MEA SOC.
Healthcare Baseline

Hospital BCM/DR drills quarterly; pharma listed-entity disclosure readiness verified.
Manufacturing

September is when Aug-disclosed ICS tradecraft begins to be observed in the wild. Dragos / Claroty year-in-review preparation.

Drill Catalogue all Aug-disclosed PLC/HMI advisories you have not yet acted on.
Transport

Delegation-window operational-security spillover — airline ticketing, hotel booking, ride-hailing platforms see impersonation phishing.

Drill Brief customer-care on impersonation lures; rehearse account-takeover detection on premium-tier accounts.

10 / 12

October

Upcoming

Fixed beats

13 Oct Patch Microsoft Patch Tuesday
Mid-Oct Window Big Billion Days + Great Indian Festival peak (Sep-Oct) [source]
Late Oct Window Dussehra; payment-fraud uptick begins

The month at a glance

Q4 mass-exploitation of August-disclosed tradecraft arrives.

Patch or mitigate any Black Hat 2026 / DEF CON 34 CVE still open in your environment.
CERT-In has named Amazon / Flipkart-mimicking domains.

The 2023 festive advisory pattern recurs every year. Pre-position registrar take-down channels.
Digital-payment fraud is 56.5% of all reported banking fraud.

RBI FY-25 aggregate: 13,516 cases, ₹520Cr. The festive window is the peak contributor.
[source]

By sector — what to drill

BFSI

Peak festive phishing and fake-deal traffic. UPI fraud risk rises into Diwali. RBI does not publish monthly Diwali-specific data — treat as elevated probability, not a regulator-confirmed spike.

Drill Festive-window fraud-rule pack; brief contact-centre on QR-swap and "payment-failed re-initiate" lures.
Power Baseline

NCIIPC Protected-System audit cadence; CSIRT-Power channel testing; CEA 2021 Guidelines compliance.
O&G Baseline

CERT-In incident-reporting workflow tested at each operating site; NCIIPC liaison maintained.
Water

Post-monsoon SCADA review window. Bangalore Water (Oct 2024) is the in-sector benchmark — exposed .env files remain a common root-cause.

Drill Surface scan: any internet-exposed .env, .git, /admin paths on utility portals.
Telecom

SMS-fraud volume highest of the year. TIUE-class e-commerce platforms inherit phone-number abuse load.

Drill Verify A2P traffic-declaration completeness; escalate template-misuse cases to TRAI per draft TCCCPR-3 cadence.
GovTech Baseline

NIC advisory channel monitored; CERT-In Empanelled Auditor cycle on track.
Healthcare Baseline

Hospital BCM/DR drills quarterly; pharma listed-entity disclosure readiness verified.
Manufacturing

Q4 weaponisation of Aug-disclosed ICS tradecraft begins. Dragos 2026 OT advisory typically lands here.

Drill Patch / mitigate any Black Hat 2026 / DEF CON 34-disclosed CVEs still open in your environment.
Transport

E-commerce parcel-tracking phishing peaks. Logistics carriers (Blue Dart, Delhivery, India Post) see brand-impersonation lures.

Drill Coordinate take-downs with logistics partners; publish official-domain whitelist for customer comms.

11 / 12

November

Upcoming

Fixed beats

10 Nov Patch Microsoft Patch Tuesday
Nov Window Diwali / Dhanteras (date varies — UPI fraud peak window)
14 Nov Regulation DPDP Phase 2 — Consent Manager registration framework operationalises [source]

The month at a glance

DPDP Phase 2 operationalises 14 November.

Consent Manager registration framework goes live; substantive Data Fiduciary obligations phase in.
[source]
Full DPDP enforcement is targeted for 14 May 2027.

An 18-month implementation runway opens from this milestone. Plan SDF designation now.
Diwali / Dhanteras brings the year’s peak UPI-fraud window.

CISO + DPO load coincides. Staff and rota plans matter here more than usual.

By sector — what to drill

BFSI

Diwali / Dhanteras peak — combined with DPDP Phase 2 makes this the busiest CISO and DPO month of the year. UPI-fraud aggregate volume highest.

Drill Publish first DPDP-aligned consent notice; CRO + DPO joint review of breach-reporting workflow.
Power Baseline

NCIIPC Protected-System audit cadence; CSIRT-Power channel testing; CEA 2021 Guidelines compliance.
O&G Baseline

CERT-In incident-reporting workflow tested at each operating site; NCIIPC liaison maintained.
Water Baseline

Internet-exposed-surface scan monthly; OT segmentation review quarterly.
Telecom

TIUE-class platforms inherit DPDP Data Fiduciary obligations alongside DoT identifier rules.

Drill Cross-walk DoT TIUE compliance with DPDP Data Fiduciary obligations; one unified record of processing.
GovTech

State e-governance and IndiaStack-adjacent platforms must align consent UX with the 14 Nov framework.

Drill Map every PII collection point against DPDP's notice-and-consent rules; flag those still under IT Act §43A patterns.
Healthcare

Health data is sensitive personal data under DPDP; Consent Manager touchpoints across CoWIN-style platforms, hospital portals, lab results, insurance-claim flows.

Drill Inventory Data Fiduciary touchpoints; identify Consent Manager onboarding candidates.
Manufacturing Baseline

OT/IT segmentation; vendor-RMM tool inventory; ransomware-recovery drill quarterly.
Transport

Logistics + ride-hail platforms process consent-heavy PII; TIUE + DPDP combined load.

Drill Stand up combined DoT + DPDP compliance owner; reconcile data-retention schedules.

12 / 12

December

Upcoming

Fixed beats

8 Dec Patch Microsoft Patch Tuesday
14-15 Dec Event G20 Miami Summit (India participating)
Late Nov - Dec Event Winter Session of Parliament (dates TBA)
Dec Window Year-end financial cycles; year-end ransomware tail

The month at a glance

Year-end fraud window — KYC-expiry SMS lures and “tax-saving” scams.

80C and ELSS deadline week drives the salaried-professional target list.
FY 26-27 H1 disclosure window for listed entities.

Verify CSCRF / ITGRCA / IRDAI audit-cycle completion before year-end.
Plan the 2027 calendar from December’s RBI Financial Stability Report.

The annual aggregates land in May 2027; FSR gives the leading indicator now.

By sector — what to drill

BFSI

Year-end KYC-expiry SMS lures peak. "Tax-saving" scams target salaried professionals (ELSS / 80C deadline-driven).

Drill Customer-bulletin on KYC official-channels-only; pre-position fraud rules for 80C deadline week.
Power

Peak winter-load season — northern grid stress; combined operational + cyber risk monitoring.

Drill Joint operations + SOC drill on simulated CSIRT-Power escalation.
O&G Baseline

CERT-In incident-reporting workflow tested at each operating site; NCIIPC liaison maintained.
Water Baseline

Internet-exposed-surface scan monthly; OT segmentation review quarterly.
Telecom Baseline

DoT Cyber Security Rules 2024 + 2025 Amendment compliance; MNV Platform feed validation.
GovTech

Winter Session of Parliament — pre-session and budget-discussion media attention; protest-window hacktivism.

Drill Maintain heightened-monitoring posture through Parliament session dates; coordinate with sector CERT.
Healthcare

Pharma audit-cycle wrap; Sun Pharma (Mar 2023) and Granules India (May–Jun 2023) remain the listed-entity playbook references.

Drill Verify FY 26-27 H1 audit completion; document any open ransomware-related insurance claims.
Manufacturing

Year-end ransomware tail — Hunters International on Tata Technologies (Feb 2025) and LockBit comparables continue to shape playbook.

Drill FY-26-27 H1 audit attestations; tabletop year-end book-closing ransomware scenario.
Transport Baseline

Passenger PII surface map; supply-chain (SITA-style) dependencies catalogued.

Caveats & sources

Read these before you act on the calendar.

Editorial constraints

Not a forecast. Specific incidents on specific dates are not predictable. The calendar surfaces elevated-probability windows from deterministic, statistical and reactive inputs.
Anniversary correlation is reactive. CTI vendor data supports India-Pakistan and India-China APT reactivity to events, not fixed-date anniversary spikes.
Denied breaches are flagged as such. CoWIN (Jun 2023), ICMR (Oct 2023) and Airtel (Jul 2024) were officially denied; we cite the claim window, not the scope.
Water and Transport are under-disclosed. Indian utilities and transport operators rarely publish incident detail. Absence of data is not absence of risk.
Budget-day and salary-day patterns are behavioural hypotheses, widely cited in vendor research but not isolated in RBI or CERT-In time-series data.

Primary sources

CERT-In Directions and Technical Guidelines — cert-in.org.in
SEBI CSCRF circulars — sebi.gov.in/legal/circulars
RBI Master Directions — rbi.org.in
IRDAI Cyber Security Guidelines — irdai.gov.in
MeitY DPDP Rules & IT Rules — meity.gov.in
NCIIPC — nciipc.gov.in
CEA Cyber Security in Power Sector — cea.nic.in
DoT Telecom Cyber Security Rules — dot.gov.in
ECI — eci.gov.in
Seqrite / Mandiant / Recorded Future / ESET / CloudSEK / Cyble for CTI cadence (cited inline)

Spotted an error?

Help us keep the calendar honest.

This is a living document. If a date is wrong, a regulator published late, a source URL has rotted, or we missed an event you tracked — drop us a note. Include the month, what we got wrong, and the primary source we should be citing instead.

Suggest a correction

Translate the calendar into drills your team can run.

The Phygital Range runs the scenarios highlighted in each month. Pick a sector — power, water, oil & gas, manufacturing — and book a tabletop or live-fire drill aligned to the month’s threat surface.

Book a walkthrough See the Phygital Range