Continuous Vulnerability Assessment Under SEBI’s CSCRF: “Continuous” Explained


For years, “vulnerability assessment” in India’s securities market meant scheduling a penetration test once or twice a year, filing the report, and moving on. That cadence made sense in a world where threats moved at human speed, but that world is long gone.

SEBI’s May 2026 cybersecurity advisory, triggered by the emergence of AI-driven vulnerability detection tools capable of scanning entire application stacks in minutes, doesn’t just add a new item to the compliance checklist. It fundamentally changes the tempo of what security is expected to look like. The word “continuous” appears deliberately, and it deserves to be taken seriously. This post breaks down what that word demands of your security team operationally, not just on paper.

The Shift from Periodic to Continuous 

Under SEBI’s Cyber Security and Cyber Resilience Framework (CSCRF), regulated entities have long been required to conduct vulnerability assessments and security audits on a regular basis. The May 2026 advisory intensifies that obligation in two specific ways. 

First, “regular” is now being read as “continuous.” A quarterly audit that clears you in January tells you nothing about a vulnerability introduced in February. Second, AI-based VA tools are now explicitly endorsed as part of the defender’s toolkit. The advisory states that assessments should be conducted “using conventional and suitable AI-based Vulnerability Assessment Tools where possible”, a direct regulatory signal that if attackers are using AI to find weaknesses at speed and scale, defenders must do the same. 

This is the asymmetry that SEBI is trying to close. A regulated entity running annual VAPT against an adversary running continuous AI-powered scanning is not running a security program; it is running a disclosure program.

What the Threat Actually Looks Like: Real Breach Patterns 

SEBI’s advisory is not written in a vacuum. The threats it describes have a documented track record in India’s financial sector. 

Unmonitored API endpoints. In 2024, attackers targeted a vulnerability in a mobile lending application’s API, exposing customers’ loan details and PAN card information through unprotected endpoints that simply lacked access controls. This pattern is reproducible and scalable; an AI-driven scanning tool can enumerate thousands of API endpoints and test each one for broken access controls in the time it takes a human analyst to read a single VAPT report. In a market infrastructure context, an exposed API between a broker and an exchange carries significantly higher systemic risk than a consumer app. 

Cloud misconfigurations. Angel One, one of India’s largest broking firms, suffered a breach in which attackers accessed an unsecured AWS storage bucket, exposing the sensitive data of approximately 7.9 million users: trading details, email addresses, and customer IDs. The vulnerability required no sophisticated exploit: the storage bucket was simply publicly accessible. Critically, the breach was discovered not by the firm’s own monitoring, but through external intelligence when the data surfaced on dark web marketplaces. Internal detection was absent.

Vendor supply chain pivots. In 2025, a malware incident targeting a third-party vendor portal associated with a major Indian private sector bank allowed the Bashe ransomware group to harvest credentials through the compromised vendor access point, without ever breaching the bank directly. The Signzy breach followed the same pattern: a single vendor compromise created downstream exposure across 600 financial institutions globally. Self-attestation from vendors is not evidence of security posture. These incidents demonstrate that vendors with long-standing trusted relationships can be compromised without the regulated entity’s knowledge. 

The scale of the problem. From January to June 2025, India’s BFSI sector faced an average of 4.1 million attacks monthly, a 15% year-on-year increase. Indian organizations encountered nearly 1.2 billion attacks in Q3 2024 alone, up 92% from the same quarter the previous year. Cyber fraud losses in the first nine months of 2024 totalled ₹11,333 crore. This is the environment in which SEBI is asking regulated entities to move from periodic to continuous VAPT. 

What Continuous VAPT Actually Requires 

For a CISO or IT security head at a broker, AMC, depository, or exchange, “continuous vulnerability assessment” translates into four concrete operational demands. 

Always-on scanning. Continuous VAPT produces a live view, not a point-in-time report. Your attack surface changes every time a developer pushes code, a vendor updates a library, or a new API endpoint goes live. Continuous scanning catches these changes in near-real time rather than waiting for the next scheduled engagement.

Full-stack coverage. Continuous VA must cover web and mobile applications, internal and external APIs with regularly updated inventories, network infrastructure and cloud environments, third-party integrations, and open-source components tracked through a Software Bill of Materials. 

SOC integration. A vulnerability finding that sits in a report is inert. Findings must be fed directly into your Security Operations Centre and into the Market SOC (M-SOC) run jointly by NSE and BSE. SEBI’s advisory is explicit that all SOC alerts, including low-priority ones, must be properly investigated, not suppressed.

Vendor assurance. Your continuous VA program is only as strong as its weakest integration. A broker may have excellent internal security posture and still be exposed through a KYC vendor or a trading platform provider that hasn’t been assessed in eighteen months. Under the advisory, third-party VAPT assurance is a direct compliance obligation, not optional due diligence. 


Periodic vs. Continuous VAPT: Key Differences 

| Dimension | Periodic VAPT | Continuous VAPT |
| --- | --- | --- |
| Frequency | Quarterly or annual | Always-on, real-time |
| Trigger | Calendar schedule | Every environment change |
| Coverage | Point-in-time snapshot | Live attack surface view |
| API inventory | Static, defined scope | Dynamic, including shadow APIs |
| Vendor assurance | Self-attestation | Evidence-based testing |
| SOC integration | Report delivered separately | Findings feed directly into SOC |
| Cloud posture | Assessed at engagement | Assessed at every config change |
| Remediation tracking | Next engagement confirms | Verified within same cycle |
| CSCRF posture | Satisfies minimum threshold | Satisfies intent and letter |

What Is Mirror, and How Does It Fulfil the Requirement for Continuous VAPT Operationally?

This is exactly the problem Ampcus Cyber’s Mirror platform is built to address. Mirror is a VAPT platform designed for the operational reality of continuous security testing, not the compliance theatre of annual assessments. Its capabilities map directly to the breach patterns and advisory obligations described above.

  • Continuous penetration testing: Mirror runs ongoing VAPT across web applications, APIs, and network infrastructure as a persistent function, not a scheduled engagement. Every environment change is evaluated against your overall security posture. Findings surface in real time, not in a quarterly PDF describing a system that no longer exists in its assessed form. 
  • API discovery and security testing: Given that unmonitored API endpoints are among the most common breach vectors in India’s financial sector, Mirror treats API security as a first-class capability. Mirror continuously maps your API inventory, including shadow APIs created outside formal governance and legacy endpoints left running after migrations, and tests each one against the OWASP API Security Top 10: broken object-level authorization, broken authentication, excessive data exposure, lack of rate limiting, and more. You cannot secure APIs you don’t know exist. 
  • Cloud configuration assessment: The Angel One breach was a misconfiguration, not a sophisticated exploit. Mirror’s continuous cloud posture assessment evaluates AWS, Azure, and GCP environments against security benchmarks, flagging publicly exposed storage, excessive IAM permissions, and unencrypted data at rest. New misconfigurations introduced during routine infrastructure changes are caught within the same cycle, not at the next scheduled assessment. 
  • Vendor and third-party VAPT: Rather than relying on vendor self-attestation, Mirror extends penetration testing to vendor-facing environments, testing API connections, access points, and integration layers for authentication weaknesses, data exposure, and privilege escalation paths. This produces evidence-based assurance that satisfies CSCRF documentation requirements.
  • SOC-integrated findings: Mirror findings feed directly into SOC workflows with exploitability context, business impact mapping, and specific remediation guidance, not generic CVE descriptions. Each finding is tracked through remediation verification. Mirror doesn’t just identify vulnerabilities; it confirms that fixes are effective. 
  • Audit-ready CSCRF reporting: Every Mirror cycle produces structured output mapped to CSCRF control requirements, formatted for IT committee presentation, regulatory documentation, and audit response. The compliance question and the security question get answered together, in the same artefact. 
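The cloud configuration point above (publicly exposed storage, excessive IAM permissions, unencrypted data at rest) is the kind of check a continuous posture assessment runs on every config change. The block below is an added example, not Mirror’s code: `assess_bucket` is a hypothetical function, and the two snapshots are constructed to mimic the shape of an S3 bucket policy and an IAM policy document without calling the AWS API.

```python
"""Posture check for the exposed-storage pattern discussed above (added example,
not Mirror's code). Snapshots are constructed: they mimic the shape of an S3
bucket policy and an IAM policy document, but nothing here calls the AWS API."""
import json

def _is_public(principal):
    """True when Principal is '*' or {'AWS': '*'}, i.e. anyone, authenticated or not."""
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return "*" in (aws if isinstance(aws, list) else [aws])

def assess_bucket(bucket):
    """Return [(severity, issue), ...] for one bucket configuration snapshot."""
    findings = []
    for stmt in json.loads(bucket["policy_json"]).get("Statement", []):
        # Unconditional Allow to a public principal is the open-bucket case.
        if stmt.get("Effect") == "Allow" and _is_public(stmt.get("Principal")) \
                and not stmt.get("Condition"):
            findings.append(("critical", f"statement {stmt.get('Sid', '?')} grants public access"))
    if not bucket.get("block_public_access"):
        findings.append(("high", "public access block is disabled"))
    if not bucket.get("sse_enabled"):
        findings.append(("medium", "no default encryption at rest"))
    for role, doc in bucket.get("iam_policies", {}).items():
        for stmt in doc.get("Statement", []):
            acts = stmt.get("Action", [])
            acts = acts if isinstance(acts, list) else [acts]
            # Excessive IAM: wildcard S3 actions on every resource.
            if stmt.get("Effect") == "Allow" and stmt.get("Resource") == "*" \
                    and any(a in ("*", "s3:*") for a in acts):
                findings.append(("high", f"role {role} has wildcard S3 rights on all resources"))
    return findings

# Constructed snapshots: one resembling the exposed-bucket pattern, one hardened.
EXPOSED_BUCKET = {
    "block_public_access": False, "sse_enabled": False,
    "policy_json": json.dumps({"Statement": [{"Sid": "PublicRead", "Effect": "Allow",
        "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::kyc-exports/*"}]}),
    "iam_policies": {"etl-role": {"Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}},
}
HARDENED_BUCKET = {
    "block_public_access": True, "sse_enabled": True,
    "policy_json": json.dumps({"Statement": [{"Sid": "EtlRead", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::000000000000:role/etl-role"},  # placeholder account
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::kyc-exports/*"}]}),
    "iam_policies": {"etl-role": {"Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::kyc-exports/*"}]}},
}
```

Run on the exposed snapshot it returns one critical and three further findings; on the hardened one it returns none, which is the signal a SOC pipeline would consume per change rather than per engagement.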

The Compliance Posture Is Now the Security Posture 

SEBI has, in effect, collapsed the distinction between compliance and security. Meeting the CSCRF used to mean demonstrating that you ran an assessment. Meeting it now means demonstrating that your defences are active, continuous, and capable of keeping pace with the threat. 

The breach patterns above (unmonitored APIs, cloud misconfigurations, vendor supply chain pivots) were not prevented by the regulated entities’ existing security programs. In most cases, they weren’t even detected internally. The Angel One breach surfaced on dark web marketplaces before it surfaced in the firm’s own SOC. The ICICI vendor portal incident was flagged by an external threat intelligence group, not the bank’s internal monitoring. Continuous VAPT is the mechanism SEBI is prescribing to close that detection and prevention gap.

There is also a practical risk management argument beyond compliance. India’s capital markets processed over ₹330 lakh crore in equity turnover in FY2024-25. The interconnected infrastructure supporting that volume, investor data, fund assets, and settlement obligations, is a high-value, high-consequence target. The cost of a major breach is not just a regulatory penalty. It is operational disruption, reputational damage, investor harm, and potential systemic market risk. Continuous VAPT is not an expense to be minimized; it is risk management at the scale the market now demands. 

The entities that respond to this advisory by upgrading their security cadence, not just checking a box, will be better positioned against the next threat, not just the current one. 

Next Step: Know Where You Stand 

If you are a CISO, IT head, or compliance officer at a SEBI-regulated entity, the first step is an honest gap assessment, not against what you have in policy documentation, but against what your security program actually does, at what cadence, and with what coverage. 

Ampcus Cyber offers a complimentary SEBI Advisory Compliance Readiness Assessment through Mirror. We will map your current VAPT program against the eight Annexure-A obligations, identify specific coverage gaps in application, API, and vendor security testing, and provide a prioritized remediation roadmap.

This is a working session, not a sales call. You will leave with a clear picture of what continuous looks like for your specific environment.

Book your free Mirror readiness assessment 
