The Securities and Exchange Board of India (SEBI) has formulated the Cybersecurity and Cyber Resilience Framework (CSCRF) to strengthen the cybersecurity posture of Regulated Entities (REs) in the Indian securities market.
A key component of this framework is Threat Hunting under SEBI CSCRF, which mandates proactive threat detection to strengthen security postures and defend against sophisticated cyber threats.
What is Threat Hunting and Why is it Crucial under SEBI CSCRF?
Threat hunting is a proactive cybersecurity measure that goes beyond traditional security monitoring and incident response. It involves actively searching for and identifying potential threats that may have already bypassed existing security controls. Unlike incident response, which reacts to known alerts or incidents, threat hunting starts with a hypothesis or an indication of compromise and involves searching for evidence of malicious activity that may not have triggered any alarms.
Want to know more about Threat Hunting? Read our detailed blog: 2025 Threat Hunting Guide – Stay Ahead of Threats
As per the framework, Market Infrastructure Institutions (MIIs) and Qualified REs are mandated to conduct threat hunting and compromise assessment regularly.
Threat Hunting Requirements under SEBI CSCRF
Under the CSCRF, SEBI mandates that Market Infrastructure Institutions (MIIs) and Qualified REs must:
- Conduct periodic threat hunting and compromise assessments
- Maintain a Security Operations Centre (SOC) for continuous monitoring
- Leverage threat intelligence to guide hunting activities
- Document and report findings as part of compliance
This ensures that REs stay ahead of evolving threats and demonstrate cybersecurity maturity.
How to Achieve Compliance with Threat Hunting under SEBI CSCRF?
The CSCRF recommends that REs establish and maintain appropriate security mechanisms, such as a Security Operations Centre (SOC), to facilitate continuous monitoring of security events and timely detection of anomalous activities. It also recommends using various threat intelligence sources to guide threat hunting efforts. These intelligence sources can provide insights into the latest attack techniques, adversary tactics, and indicators of compromise (IOCs), which can be used to develop hypotheses and guide the search for potential threats.
How CyberNX Supports Threat Hunting under SEBI CSCRF
CyberNX can help REs meet their threat hunting requirements and achieve overall CSCRF compliance:
- Threat Hunting Expertise: CyberNX can conduct periodic threat hunting activities through its experienced threat hunters with deep knowledge of adversary TTPs and advanced threat hunting techniques. These experts can help REs establish a threat hunting program tailored to their specific environment and risk profile.
- Use of Existing Tools: CyberNX can leverage existing tools such as SIEM, EDR, or log sources to build a threat hunting framework, provide insights into emerging threats, and enable proactive threat detection and response.
- Develop a Threat Hunting Program: To comply with SEBI CSCRF’s periodic threat hunting requirements, CyberNX can design and implement a tailored threat hunting program on a monthly, quarterly, or semi-annual basis. This program will focus on the latest attack vectors and indicators of compromise (IOCs) while formulating relevant hypotheses to guide threat-hunting activities according to the specified frequency.
Pre-Requisites for Effective Threat Hunting
To execute a successful threat hunting program, organizations must provide access to:
- SIEM Infrastructure: To analyze ingested logs, apply threat-hunting use cases, and develop relevant hypotheses for identifying potential threats.
- EDR/XDR Infrastructure: To process logs and execute targeted threat-hunting use cases.
- Access to Critical Logs: From firewalls, endpoints, servers, and network devices.
- Custom Tool Support: To enhance hypothesis development and hunting accuracy.
Threat Hunting Use Cases for Financial Institutions
- Credential Dump Monitoring: Proactively hunt for leaked employee or customer credentials on the dark web.
- Anomalous Trading Activity: Investigate unusual API or user behavior in trading platforms.
- Targeted Malware Campaigns: Detect advanced persistent threats (APTs) targeting financial data repositories.
- Supply Chain Risk: Hunt for indicators of compromise stemming from third-party fintech or broker-dealer integrations.
- Lateral Movement Detection: Use behavioral analytics to find stealthy lateral movements within critical systems like SWIFT or core banking.
Threat Hunting Integration Checklist:
- Have dedicated resources with threat intel and incident response training
- Set hunting hypotheses based on your environment’s unique risk profile
- Use MITRE ATT&CK framework to map detection coverage
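The following is an added illustration of the "Lateral Movement Detection" use case above and of the checklist item on mapping hunts to MITRE ATT&CK; it is example code written for this page, not CyberNX's tooling. It runs a single hunting hypothesis over a constructed authentication log (the CSV layout, host names, user names, the 10-minute window and the 3-host threshold are all assumptions for the example; in practice the threshold comes from a per-environment baseline) and reports which ATT&CK technique IDs the hypothesis set covers.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hunting hypothesis tagged with MITRE ATT&CK technique IDs (T1021 Remote Services,
# T1078 Valid Accounts). The hypothesis ID and the mapping are this example's own.
HYPOTHESES = [
    {
        "id": "H-LM-01",
        "statement": "An account authenticating to an unusual number of distinct "
                     "hosts within a short window may indicate lateral movement",
        "attack_techniques": ["T1021", "T1078"],
    },
]

# Constructed sample authentication log (CSV): timestamp,user,src_host,dst_host,result
SAMPLE_LOGS = """\
2025-03-10T09:00:12Z,alice,WS-101,FILE-01,success
2025-03-10T09:05:40Z,alice,WS-101,MAIL-01,success
2025-03-10T09:30:02Z,bob,WS-212,FILE-01,success
2025-03-10T22:01:05Z,svc-backup,WS-105,APP-01,success
2025-03-10T22:01:19Z,svc-backup,WS-105,APP-02,success
2025-03-10T22:01:33Z,svc-backup,WS-105,DB-01,success
2025-03-10T22:01:48Z,svc-backup,WS-105,DB-02,success
2025-03-10T22:02:01Z,svc-backup,WS-105,TRADE-GW,success
2025-03-10T22:02:15Z,svc-backup,WS-105,SWIFT-01,failure
2025-03-11T09:10:00Z,alice,WS-101,FILE-01,success
"""


def parse_logs(text):
    """Parse the CSV auth records into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, src, dst, result = line.strip().split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "src": src, "dst": dst, "result": result,
        })
    return events


def hunt_host_fan_out(events, window=timedelta(minutes=10), max_hosts=3):
    """Test hypothesis H-LM-01: for each user, find the largest set of distinct
    destination hosts reached inside any sliding time window and flag users whose
    peak exceeds max_hosts. Failed logons count too: a burst of failures across
    many hosts is part of the same behaviour as the successes."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        peak_hosts, peak_span = set(), None
        start = 0
        for end, last in enumerate(evs):
            # Slide the window start forward until it fits within `window`.
            while last["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["dst"] for e in evs[start:end + 1]}
            if len(hosts) > len(peak_hosts):
                peak_hosts, peak_span = hosts, (evs[start]["ts"], last["ts"])
        if len(peak_hosts) > max_hosts:
            findings.append({
                "hypothesis": "H-LM-01",
                "user": user,
                "distinct_hosts": sorted(peak_hosts),
                "window_start": peak_span[0].isoformat(),
                "window_end": peak_span[1].isoformat(),
            })
    return findings


def attack_coverage(hypotheses):
    """Map each ATT&CK technique ID to the hypotheses that exercise it, which is
    the detection-coverage view the checklist asks for."""
    coverage = defaultdict(list)
    for h in hypotheses:
        for tid in h["attack_techniques"]:
            coverage[tid].append(h["id"])
    return dict(coverage)


if __name__ == "__main__":
    for f in hunt_host_fan_out(parse_logs(SAMPLE_LOGS)):
        print(f"[{f['hypothesis']}] {f['user']} reached {len(f['distinct_hosts'])} hosts "
              f"between {f['window_start']} and {f['window_end']}: {f['distinct_hosts']}")
    print("ATT&CK coverage:", attack_coverage(HYPOTHESES))
```

On the constructed log the hunt flags only `svc-backup`, which reaches six distinct hosts (including the SWIFT gateway) in about seventy seconds, while the two interactive users stay under the threshold. A finding from a hunt like this is a lead for the SOC to investigate, not a verdict; the ATT&CK coverage map is what goes into the periodic report to show which techniques the hunting program exercises.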
Bonus: Schedule periodic threat-hunting reports to share with management and demonstrate compliance with SEBI’s “Detection” objectives.
Threat Hunting under SEBI CSCRF isn’t just about ticking a compliance box—it’s about building a proactive defense strategy. With CyberNX as your cybersecurity partner, you gain access to expert-driven, intelligence-led threat hunting tailored to your environment.
Contact us to start your threat hunting journey or learn more about how we help with SEBI CSCRF compliance.
FAQs
What is Threat Hunting under SEBI CSCRF?
It refers to a proactive cybersecurity practice that involves actively searching for and identifying potential threats that may have already bypassed existing security controls, as required by SEBI’s Cybersecurity and Cyber Resilience Framework.
How often should threat hunting be conducted?
As per SEBI CSCRF, MIIs and Qualified REs should conduct threat hunting at least quarterly. However, high-risk entities may consider monthly exercises.
What tools are used in threat hunting?
Key tools include SIEM, EDR/XDR, log aggregators, and threat intelligence platforms. CyberNX integrates these for a seamless hunting experience.
What is the role of threat intelligence in threat hunting?
Threat intelligence plays a crucial role in threat hunting by providing context and insights into the latest attack techniques, adversary tactics, and indicators of compromise (IOCs), which can be used to develop hypotheses and guide the search for potential threats.