The headline is well-known. CERT-In’s April 2022 directions require reporting of a specific class of cyber incidents to CERT-In within six hours of noticing such incidents or being brought to notice about such incidents. The detail is where most runbooks fall over.
What the clock measures
The six-hour window starts at notification, not at compromise. That distinction matters: an EDR alert that an analyst dismisses at 09:14 and re-opens at 14:20 starts the clock at 14:20. “Brought to notice” is the legal phrase; the SOC log is the evidence.
This is good news and bad news. Good — the clock is fair. Bad — the clock is unforgiving once it starts. A runbook that takes two hours to convene the right people has spent a third of its allowance before anyone has done any actual response work.
What needs to be in the report
CERT-In specifies fields that need to be in the report. Most are straightforward: incident type, severity, affected systems, timeline, IOCs. The fields that catch organisations out are:
- Affected critical-information-infrastructure assets. This requires you to know which of your assets fall under the NCIIPC CII scope. The asset inventory must already exist, classified.
- Cross-border data movement context. If exfiltration is suspected, what jurisdictions did the data touch? This is a question the runbook must be ready to answer at hour five.
- Mitigation and containment actions taken to date. Past tense. CERT-In wants evidence you weren’t waiting for them to tell you to act.
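The two points above, the clock starting at the notice event rather than the compromise and the report needing a known set of fields, are the kind of thing a runbook can compute rather than argue about at hour five. The following is an added example, not code from this post or from Cyberange: it reads a constructed SOC log, takes the first event that counts as being brought to notice (a dismissed alert does not qualify, a re-opened one does), derives the six-hour deadline, and checks a draft report for the fields listed above. The event names, the timestamps, the field keys and the draft contents are this example's own assumptions, not an official CERT-In form.

```python
"""Added example: six-hour clock and draft-report check for a CERT-In runbook.

Assumptions (this example's own, not an official form or log schema):
- SOC events are (ISO-8601 timestamp, event type, reference) tuples in one
  time zone, so naive datetimes are fine here.
- The field keys in REQUIRED_FIELDS are illustrative names for the fields
  the post lists; map them to the real form in your own template.
"""
from datetime import datetime, timedelta

SIX_HOURS = timedelta(hours=6)

# Event types that count as the organisation being "brought to notice".
# An alert that was triggered and dismissed does not start the clock;
# re-opening or escalating it does, as does declaring an incident.
NOTICE_EVENTS = {"alert_reopened", "alert_escalated", "incident_declared"}

# Fields the post names as required, using illustrative key names.
REQUIRED_FIELDS = [
    "incident_type",
    "severity",
    "affected_systems",
    "timeline",
    "iocs",
    "cii_assets_affected",          # NCIIPC CII scope, from the asset inventory
    "cross_border_data_context",    # jurisdictions touched if exfil suspected
    "mitigation_actions_taken",     # past tense: actions already completed
]

# Constructed SOC log: the alert dismissed at 09:14 and re-opened at 14:20.
SAMPLE_SOC_LOG = [
    ("2024-05-02T09:14:00", "alert_triggered", "EDR-4471"),
    ("2024-05-02T09:14:30", "alert_dismissed", "EDR-4471"),
    ("2024-05-02T14:20:00", "alert_reopened", "EDR-4471"),
    ("2024-05-02T15:05:00", "incident_declared", "INC-0192"),
]

# Constructed draft report with two gaps a reviewer should catch.
SAMPLE_DRAFT = {
    "incident_type": "malware with suspected exfiltration",
    "severity": "high",
    "affected_systems": ["fs-01", "vpn-gw-02"],
    "timeline": "09:14 alert; 14:20 alert re-opened; 15:05 incident declared",
    "iocs": ["<placeholder-ioc>"],
    "cii_assets_affected": ["fs-01"],
    # "cross_border_data_context" deliberately absent
    "mitigation_actions_taken": [],   # nothing done yet: also a gap
}


def parse(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp from the constructed log format."""
    return datetime.fromisoformat(ts)


def notice_time(log):
    """Timestamp of the first event that starts the clock, or None."""
    for ts, event, _ref in sorted(log):
        if event in NOTICE_EVENTS:
            return parse(ts)
    return None


def reporting_deadline(notice: datetime) -> datetime:
    """Six hours from the moment the organisation was brought to notice."""
    return notice + SIX_HOURS


def hours_remaining(now: datetime, deadline: datetime) -> float:
    return (deadline - now).total_seconds() / 3600


def fraction_consumed(notice: datetime, now: datetime) -> float:
    """Share of the six-hour allowance already spent (e.g. on convening)."""
    return (now - notice) / SIX_HOURS


def missing_fields(report: dict) -> list:
    """Required fields that are absent or empty in the draft, in form order."""
    return [f for f in REQUIRED_FIELDS if not report.get(f)]


def runbook_status(log, report, now: datetime) -> dict:
    """One-call view for the incident lead: clock, deadline, and report gaps."""
    notice = notice_time(log)
    if notice is None:
        return {"clock_running": False, "missing_fields": missing_fields(report)}
    deadline = reporting_deadline(notice)
    gaps = missing_fields(report)
    return {
        "clock_running": True,
        "notice": notice,
        "deadline": deadline,
        "hours_remaining": hours_remaining(now, deadline),
        "fraction_consumed": fraction_consumed(notice, now),
        "missing_fields": gaps,
        "ready_to_file": not gaps,
    }


if __name__ == "__main__":
    # Two hours after notice: a third of the allowance gone, two fields still empty.
    status = runbook_status(SAMPLE_SOC_LOG, SAMPLE_DRAFT, parse("2024-05-02T16:20:00"))
    for key, value in status.items():
        print(f"{key}: {value}")
```

The check treats an empty list as missing on purpose: "mitigation and containment actions taken to date" with nothing in it is exactly the gap the post describes, so the draft is not marked ready to file until at least one completed action is recorded.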
Where runbooks usually fail
In our DFIR engagements, three patterns recur:
- No designated CERT-In point of contact. The runbook says “legal files the report”; the legal team has never filed one; the legal team is in another time zone at 02:00 local.
- No pre-cleared report template. Hour six is not the time to work out what fields the directions require. The template should be in the runbook, pre-filled with the generic fields, ready to take incident-specific content.
- No CERT-In communications cadence after hour six. The first report is not the last report. The runbook needs to say who sends updates, how often, and what closes the loop with CERT-In after eradication.
Worth a tabletop
If your organisation has CII assets and has never tabletop-tested the six-hour clock end-to-end, run one. The first time we ran the drill with a recent customer, the legal team needed seventeen minutes just to find the CERT-In notification email address. That’s seventeen minutes of an allowance that, on a real incident, would have been spent on actual response.
If you’d like Cyberange to run that tabletop, we have a retainer that includes them quarterly.