The Indian Cybersecurity Landscape: Rapid Progress and Increased Vulnerabilities
India is at the forefront of a digital revolution, adapting to new technology and improving government services for its people. From pioneering instant payment systems such as UPI (Unified Payments Interface) ‒ which processes more than 16 billion transactions monthly ‒ to piloting central bank digital currencies, the country has cemented its leadership in digitalising financial ecosystems.
This rapid digitalisation, however, is a double-edged sword. As India accelerates its journey toward becoming a USD1 trillion digital economy by 2030, with digital services projected to contribute 20% of GDP by 2026, its expanding cyber frontier has become a magnet for malicious actors. Today, the nation accounts for 13.7% of global cyber-incidents.
The Indian government’s push to digitalise governance, healthcare, and critical infrastructure has undeniably improved accessibility and efficiency for millions. At the same time, it has also exposed systemic fragilities: a population still adapting to digital literacy, organisations lagging in cyberhygiene, and sectors such as healthcare and finance ‒ lifelines of the digital economy ‒ emerging as prime targets for ransomware and data extortion. Meanwhile, the rise of AI introduces new complexities, from ethically fraught dilemmas to sophisticated malware capable of evading traditional defences.
Against this backdrop, India’s cybersecurity landscape in 2025 is defined by a race between a relentless pace of innovation and an evolving sophistication of threats. While progressive legislation such as the Digital Personal Data Protection Act 2023 (DPDPA) and the updated National Cybersecurity Strategy aim to fortify defences, gaps persist.
Trends in cybersecurity incidents
The cybersecurity environment in India underwent notable changes in 2024, presenting a complex picture of challenges and improvements alike. According to the Data Security Council of India’s Cyber Threat Report 2025 (the “Report”), the country experienced significant malware activity while showing enhanced defensive capabilities. In 2024, India recorded 369.01 million malware detections across 8.44 million endpoints, averaging 702 detections per minute. This represents a reduction from 2023’s figures of 400 million detections across 8.5 million endpoints.
More significantly, the number of actual cybersecurity incidents decreased substantially, from approximately 10,500 in 2023 to 7,770 in 2024. Data suggests strengthened cybersecurity measures, as evidenced by an improved incident-to-detection ratio. In 2024, approximately one security incident occurred per 40,400 malware detections, compared to one per 38,000 detections in 2023.
However, the threat landscape has grown more sophisticated, as demonstrated by an increase in behaviour-based malware detections from 12.5% in 2023 to 14.5% in 2024. This indicates that attackers are increasingly relying on malware that evades traditional signature-based detection by constantly changing its code or hiding inside legitimate processes.
Geographically, the threat landscape expanded beyond traditional tech hubs. While states such as Telangana and Tamil Nadu remained primary targets, there was a marked increase in activity in tier-two cities such as Surat and Ahmedabad.
The healthcare sector emerged as the most targeted industry, accounting for 21.82% of all attacks ‒ up from 15% in 2023. This rise is likely driven by the high value of medical data and the essential nature of healthcare systems, which may prompt organisations to be more inclined to pay ransoms. The hospitality (19.6%) and banking sectors (17.4%) also saw significant targeting, highlighting the focus on industries handling large volumes of personal and financial data.
India saw a rise in cloud-based detections, accounting for 62% of all detections, which reflects the broader digital transformation across Indian businesses. As more organisations move their operations to the cloud, they are creating new opportunities for attackers to exploit misconfigured or inadequately protected cloud resources.
In terms of malware types, Trojans and infectors remained the most prevalent, constituting 43.25% and 34.10% of detections respectively. These types of malware often masquerade as legitimate software, tricking users into executing them and providing attackers with backdoor access to systems.
Ransomware attacks continue to pose one of the most acute cybersecurity threats. While stealing and then encrypting data remains the primary tactic, threat actors are increasingly adopting data extortion, whereby data is stolen but not encrypted. This marks a shift from traditional encryption-based extortion to more sophisticated data theft and extortion methods.
Ransomware also retains its position as one of the most pernicious forms of cybercrime. One ransomware security incident occurs for every 595 ransomware detections, whereas a malware incident in general is considerably less frequent, occurring only once for every 40,400 detections.
The geopolitical landscape continued to influence cybersecurity threats, with hacktivist groups and state-sponsored actors targeting critical infrastructure and public utility services. The ongoing conflicts in the Middle East and other regions, as well as key national events (eg, Independence Day and Republic Day), have led to increased cyber-activity aimed at undermining India’s standing on the global stage.
One of the most revealing insights about India’s cybersecurity preparedness comes from the Cyber Security Maturity Survey (the “Survey”) conducted as part of the Report. The Survey, which involved organisations across India, offers a comprehensive look into critical areas such as cyber-resiliency, preparedness, and priorities. It found that nearly 73% of organisations are unaware whether they have ever been attacked and that 57% lack cyberhygiene practices.
Impact of AI and other emerging technologies
In 2024, AI-driven threats became a significant challenge for Indian organisations owing to their scalability, ability to evade detection, and adaptability against conventional cybersecurity measures. The widespread availability of open-source AI tools and low-cost cloud computing enabled even less-skilled attackers to execute advanced cyber-attacks. Platforms accessible on the dark web simplified the creation of phishing campaigns and business email compromise (BEC) attacks, reducing the technical expertise required for such activities.
By way of example, generative AI has been weaponised to craft hyper-personalised phishing emails by scraping publicly available data from social media and corporate websites. There has been a surge in fraud cases where AI-simulated voices mimicked executives to authorise fraudulent transactions, demonstrating the alarming precision of these tools.
AI-enhanced malware, such as BlackMamba, represents a paradigm shift in cybersecurity threats. Unlike traditional malware, BlackMamba leverages generative AI to dynamically rewrite its code, evading signature-based detection systems. This adaptability allows attacks to persist undetected, which complicates mitigation efforts for organisations.
Similarly, polymorphic ransomware employs reinforcement learning to alter its behaviour in real time, targeting critical sectors such as healthcare and finance with increased efficiency. The healthcare sector, already strained by the high value of its data and its operational criticality, witnessed a rise in automated attacks on exposed internet of things (IoT) devices in 2024.
Emerging technologies such as data-centric ransomware signify a strategic shift in attacker priorities. Instead of encrypting data, adversaries now use AI to identify and exfiltrate high-value information, threatening public disclosure unless ransoms are paid. This approach ‒ observed in the 2024 attack on C-Edge Technologies, which disrupted 300 rural banks ‒ minimises detection risks while maximising extortion leverage. Concurrently, supply chain compromises through third-party AI vendors and open-source libraries have expanded the attack surface, with malicious code injected via compromised updates or dependencies.
Indian government’s efforts
To counter these threats, the Indian government has prioritised regulatory and institutional reforms. The DPDPA mandates stringent safeguards for AI training datasets, requiring explicit consent for data collection and imposing penalties of up to USD30 million. Complementing this, the Indian Computer Emergency Response Team (CERT-In)’s AI Security Advisory recommends measures to mitigate AI-related threats, including educating users, verifying domains, securing data, and preventing misuse.
International collaboration has also been prioritised, with India’s membership in the Global Partnership on AI (GPAI) facilitating cross-border threat intelligence sharing and ethical AI standardisation.
India’s position on the global stage: pivotal role of CERT-In
India has claimed a spot in the Tier-1 category in the latest Global Cybersecurity Index (GCI) 2024, released by the International Telecommunication Union. With a score of 98.49, India is one of 47 countries to be adjudged as a leading nation that has demonstrated commitment to robust cybersecurity practices. Central to this success are the country’s progressive legislative frameworks and the operational efficacy of CERT-In.
Among such frameworks, India’s legal framework for cybersecurity has also evolved significantly and contributed to this success, anchored by the Information Technology Act 2000 (the “IT Act”) and its subsequent amendments. The introduction of the DPDPA further strengthened this framework. By establishing stringent guidelines for data controllers, enforcing organisational and technical safeguards and standards, and imposing penalties for non-compliance, the DPDPA addresses growing concerns around data security in the digitised economy. These legislative measures have been instrumental in aligning India’s cybersecurity governance with global standards, earning high marks in the GCI’s legal pillar.
India’s technical capabilities, particularly through CERT-In, have been pivotal to its Tier-1 status. Established in 2004, CERT-In operates as the national nodal agency for cybersecurity and is tasked with safeguarding India’s digital infrastructure, co-ordinating incident responses, and fostering a secure cyber ecosystem. Its mandate spans threat analysis, vulnerability management, and collaboration with domestic and international stakeholders. CERT-In follows a structured approach to addressing reported incidents, which has significantly enhanced India’s capability to manage cybersecurity challenges, as follows.
Incident reporting
As per the CERT-In Cyber Incident Reporting Guidelines, organisations are legally obligated to report certain types of high-severity cybersecurity incidents within six hours. Upon notification, CERT-In may request access to logs, system records, and other forensic data to assess the breach’s scope and impact. This process enables targeted mitigation strategies while maintaining a collaborative, non-punitive approach. By prioritising risk mitigation over penalties, CERT-In encourages transparency and proactive reporting among entities.
Proactive organisational engagement
Larger organisations with established cybersecurity practices and significant customer bases in India often proactively report incidents to CERT-In. This is driven by the recognition that timely reporting can help mitigate risks and prevent further damage. CERT-In’s responsive and supportive approach encourages organisations to engage with the agency.
Incident management support
CERT-In is known for its proactive and efficient approach to handling reported cybersecurity incidents. Upon receiving a notification, the agency typically acknowledges the incident promptly and provides a detailed response within 24 hours, thereby ensuring timely action. In certain cases, CERT-In officials reach out directly to the reporting entity to gather additional information or offer immediate guidance.
Clearly, the agency’s support is comprehensive and multifaceted, encompassing technical assistance, remedial measures, and follow-up actions. By way of example, CERT-In provides technical expertise to help organisations contain and mitigate the impact of cyber-incidents. This includes identifying vulnerabilities, recommending patches, and guiding recovery efforts to restore normal operations.
Additionally, CERT-In issues specific recommendations to address incidents and prevent their recurrence. This was demonstrated during the 2017 WannaCry ransomware attack, where the agency played a pivotal role in co-ordinating the response and issuing advisories to affected organisations.
Multi-stakeholder co-ordination
To tackle cybercrimes effectively, CERT-In often works closely with law enforcement agencies to investigate incidents and take down malicious phishing websites. Additionally, CERT-In collaborates with sector-specific regulators, particularly in critical infrastructure sectors such as banking, healthcare, and energy.
Beyond national borders, CERT-In actively engages in international co-operation. It has signed memoranda of understanding (MoUs) with agencies in countries such as Singapore, Japan, and the UK.
Conclusion
India’s cybersecurity landscape in 2025 presents a dual narrative of progress and vulnerability. Advancements such as a 26% reduction in cybersecurity incidents and India’s Tier-1 ranking in the GCI highlight strides in policy and technical capabilities. Legislative frameworks and the operational efficiency of CERT-In reflect institutional efforts to align with global standards. These measures have strengthened incident response, particularly in critical sectors such as finance and healthcare, where mandatory reporting protocols have been put in place.
However, emerging threats ‒ particularly AI-driven attacks ‒ continue to challenge this progress. The rise of adaptive malware (eg, BlackMamba), AI-generated phishing campaigns, and data-centric ransomware underscores the ability of adversaries to exploit technological advancements. Sectors such as healthcare (targeted in 21.8% of attacks) with limited cybersecurity infrastructure remain disproportionately vulnerable. Geopolitical tensions and state-sponsored attacks further strain cybersecurity defences, as seen in incidents targeting critical infrastructure during national events.
The path forward hinges on systemic collaboration. While CERT-In’s incident management framework and international partnerships demonstrate proactive governance, gaps persist. Bridging these gaps requires scaling capacity-building initiatives, enforcing regulatory mandates such as the DPDPA, and integrating AI-driven threat detection into national strategies. India’s cybersecurity future will depend on balancing innovation with equitable resilience to ensure that its digital ambitions are not derailed by evolving risks.
18th Floor, SKAV 909, No 9/1, Residency Road, Richmond Circle, Bengaluru 560 025, Karnataka, India
+91 804 350 3600 | +91 804 350 3617 | pro-team@jsalaw.com | www.jsalaw.com