DFIR Services in Mumbai · BFSI Incident Response

When a Mumbai bank or NBFC is breached, the clock that matters is regulatory, not just operational. CERT-In Direction 20(3)/2022 expects a cybersecurity incident reported within six hours of awareness, and RBI supervision expects evidence that you contained, investigated and learned. Macksofy's DFIR practice runs that response from our BKC office — a forensic and incident-response bench that has handled ransomware, payment fraud and account-takeover incidents for RBI- and SEBI-regulated firms, on retainer and on emergency call-out.

The first six hours decide the engagement. Our triage protocol runs in parallel, not in sequence: a responder scopes blast radius and preserves volatile evidence while a second drafts the CERT-In notification and a third opens the containment plan with your SOC. We move to forensically-sound acquisition immediately — memory, disk and cloud-snapshot images with hashes and chain-of-custody — because in a BFSI incident the same artifacts that drive your investigation will be examined by an RBI inspector, a forensic auditor, and potentially a court. Containment is calibrated to keep money-movement systems safe without destroying the evidence that explains how the attacker got in.

Mumbai BFSI incidents cluster into a few patterns, and we scope to them. Ransomware and pre-ransomware intrusions (the human-operated kind that dwell for weeks via valid accounts and living-off-the-land tooling) demand AD-forest forensics — Kerberoasting and ADCS-abuse traces, golden/silver-ticket detection, lateral-movement timelines. Payment and SWIFT-adjacent fraud demands transaction-flow forensics tied to the reconciliation layer. Account-takeover and insider cases demand identity, session and access-log reconstruction. Each gets a documented timeline, a root-cause narrative, and an indicator set the SOC can hunt against across the rest of the estate.

The output is built for the people who will read it under pressure. The technical report carries the timeline, the forensic findings with evidence references, the malware and TTP analysis mapped to MITRE ATT&CK, and the root cause. The regulator-facing pack carries the CERT-In six-hour notification record and follow-up, the RBI-facing incident note in the language the CSITE Cell expects, and — where personal data is implicated — the DPDP breach-notification trail to the Data Protection Board and affected principals. The board pack carries the one-page narrative, the financial and reputational exposure, and the remediation commitments the audit committee will track.

Eradication and recovery are part of the engagement, not a hand-off. We verify the attacker is fully evicted before you rebuild — no half-cleaned forest, no surviving backdoor or rogue trust — and we pair recovery with hardening so the same path can't be re-walked: identity tightening, ADCS template fixes, segmentation, and detection-engineering so the indicators from this incident become permanent SOC coverage. For retainer clients we run a post-incident tabletop and feed the lessons into your IR playbook.

Retainer is the right posture for Mumbai BFSI, and we structure it that way. A Macksofy IR retainer guarantees response SLAs, pre-agreed RoE and legal/forensic readiness, named responders who already know your environment, and — critically — a banked block of hours that converts an emergency procurement scramble into a phone call. Onsite response is same-day across BKC, Lower Parel and the wider MMR, with remote forensic acquisition starting within the hour while a responder travels. We are CERT-In empanelled, so the same firm that responds can stand behind the incident in your supervisory follow-up.