CERT-In's directions require reportable incidents to be notified within 6 hours of discovery. This single-page checklist gives IR commanders a clear path through that window — what counts as reportable, what to gather, and the format CERT-In expects.

1. Is it reportable?

Targeted scanning / probing of critical networks or systems
Compromise of critical systems / information
Unauthorised access to IT systems / data
Defacement of website / intrusion into a website + suspicious or hidden inserts
Malicious code attacks (virus, worm, trojan, bots, spyware, ransomware, cryptominers)
Attack on servers (database, mail, DNS) and network devices (routers)
Identity theft, spoofing and phishing attacks
DoS and DDoS attacks
Attacks on critical infrastructure, SCADA, industrial control systems
Data breach + data leak
Attacks on IoT devices and associated systems / networks / software / servers
Attacks impacting digital payment systems
Attacks via malicious mobile apps
Fake mobile apps
Unauthorised access to social media accounts
Attacks / suspicious activities affecting cloud computing systems / servers / software / applications
Attacks / breach / suspicious activity related to BGP, DNS protocols
Attacks and incidents impacting cyber-physical / robotics / drones systems
Attacks on systems / networks of identified critical sectors (BFSI, telecom, transport, power, healthcare, etc.)
Data breach involving personal / sensitive personal information

2. The 6-hour window — what to gather

Time + date of detection · with timezone
Time + date of suspected first compromise · with timezone
Description of incident (1-paragraph factual)
Affected systems / networks / data (categories, no customer-PII)
Source of attack (IP, indicators) — only if known
Suspected method / vector
Indicators of Compromise (IOCs) collected so far
Containment actions already taken
Reporter name + designation + organisation + 24×7 contact

3. How to file

Email: incident@cert-in.org.in
Phone (24×7): +91 1800-11-4949
Online: cert-in.org.in (incident report form)
Fax: +91 1800-11-6969 (yes, still listed)
Subject line format: '[Org Name] [Incident Type] · [Detection Time IST]'

Pre-fill the report skeleton today.

Every line above except 'time of detection' can be pre-filled and reviewed by Legal in calm circumstances. Doing this now turns a chaotic 6-hour window into a 30-minute editing exercise during a real incident.

4. Common pitfalls

Including customer PII in the initial report — CERT-In does not need it; provide via secure channel if requested.
Marking 'detection time' as the time IT was paged — use the time the first signal landed in any monitoring system.
Filing late and trying to backdate — CERT-In's portal timestamps automatically; document the delay openly.
Forgetting to update — file an updated report when material new facts emerge (scope, IOCs, attribution).

Engage Macksofy

Need this in production, not on paper?

Macksofy offers full-service engagements that map directly to this resource. Common starting points:

Digital Forensics & Incident Response (DFIR) →

Or talk to a senior consultant — fixed-price proposal in 48 hours.