Cybersecurity Risk Assessment & Enterprise Security

A cybersecurity risk assessment is a structured evaluation of your attack surface, existing controls, and exposure across infrastructure, identity, cloud, vendors, and compliance. ITMTB delivers a prioritized risk register with severity-ranked findings, business impact per finding, a remediation roadmap with named owners, and a board-ready executive summary — typically within 2–4 weeks.

The Digital Personal Data Protection Act 2023 requires entities processing personal data to implement: a consent management system recording granular, purpose-specific consent from data principals; a data principal rights workflow to respond to access, correction, erasure, and grievance requests within prescribed timelines; breach notification capability — identifying breaches and notifying the Data Protection Board and affected data principals; and technical and organisational measures proportionate to the data volume and sensitivity being processed. For most enterprises, DPDP compliance requires changes to your data collection pipelines, CRM or customer database, and incident response procedures. We scope these changes during the discovery sprint and implement them in a defined, auditable sequence.

CERT-In's April 2022 directive requires Indian entities to report cybersecurity incidents within 6 hours of detecting them. 'Detection' begins when your monitoring systems generate the first alert — not when your security team confirms the breach. To comply, you need: a SIEM or monitoring system that generates a timestamped alert when a qualifying incident is detected; a defined escalation path so the alert reaches someone with authority to file the CERT-In report within the 6-hour window; a pre-prepared report template; and clarity on what counts as a qualifying incident under the directive (data breaches, unauthorised access, malware, DDoS, attacks on critical infrastructure). We implement the monitoring, process, and documentation required to meet the 6-hour requirement — and to demonstrate compliance if audited.

RBI and SEBI have distinct but overlapping cybersecurity requirements for organisations in their regulatory perimeter. RBI's IT Framework for NBFCs and Payment System Operators mandates a board-approved IT and cybersecurity policy, defined incident response and recovery timelines, IS Audit by a qualified firm, and specific controls for internet banking and payment systems. SEBI's cybersecurity circular for market intermediaries requires an annual comprehensive cyber audit, specific network architecture controls, and defined RTO/RPO for critical systems. We scope the exact applicable controls for your entity type during the discovery sprint, implement them in a defined sequence, and produce the audit-ready documentation you need to demonstrate compliance to your regulator.

Traditional software has deterministic inputs and outputs — you can test every code path. AI agents have non-deterministic behaviour: the same input can produce different outputs, and adversarial inputs (prompt injection attacks) can redirect agent behaviour in ways that don't trigger conventional anomaly detection. Specific risks in production AI agents include: prompt injection — malicious content in agent inputs redirects the agent to take unintended actions; excessive tool access — an agent with overly broad permissions can be manipulated into exfiltrating data or executing unauthorised actions; model poisoning — if the agent's knowledge base or fine-tuning data is compromised, its responses are systematically biased. We address each of these by reviewing tool permission scopes, implementing output validation schemas, isolating agent execution environments, and building human-in-the-loop checkpoints for high-stakes decisions.

Pricing follows the engagement model. Discovery sprints are fixed-price for a fixed timebox. Build engagements are scoped after discovery — fixed-scope, time-and-materials, or outcome-linked. Managed services are billed monthly with defined SLAs. Total cost depends on scope, integration complexity, QA depth, and post-launch support — we publish a transparent breakdown for buyers evaluating their options.

Every engagement starts with a fixed-scope, fixed-price discovery sprint — typically 2 weeks. You leave with a written roadmap, risk register, cost estimate, and timeline before committing to a build. We then offer four engagement models: fixed-scope builds, time-and-materials, outcome-linked retainers, and managed services post-launch. If discovery doesn't justify proceeding, you can stop there — no obligation.