Latest Writing

The Digital Personal Data Protection (DPDP) Act 2023 is now in effect, and Indian startups — especially in fintech, edtech, and healthtech — need to understand what compliance actually looks like.

1. Audit Your Data Flows
Map what personal data you collect, where it's stored, who has access, and why you need it. Most startups fail here because they've never documented their data lifecycle.

2. Implement Consent Mechanisms
Users must give explicit, informed consent before you collect their data. Pre-ticked boxes don't count. Your consent flow must be clear, specific, and revocable.

3. Appoint a Data Protection Officer (if required)
If you process significant volumes of data, you'll need a designated DPO. Even if not mandated, having someone accountable is good practice.

4. Update Your Privacy Policy
Must explain what you collect and why, retention periods, user rights (access, correction, deletion), and your breach notification process.

5. Build a Breach Response Plan
DPDP requires breach notification to the Data Protection Board and affected users. You need a documented IR process — now, not when a breach happens.

6. Review Third-Party Vendors
Every SaaS tool, payment gateway, and analytics platform is a data processor. Ensure they're DPDP-compliant or you're liable for their violations.

Penalties? Up to ₹250 crore for violations. Timeline? Rules are still being drafted, but don't wait. Start with data mapping, consent flows, and breach response. These take months to implement properly.

After building detection rules for SOC environments, these 5 Splunk queries are non-negotiable. They catch the most common attack patterns seen in real incidents.

1. Brute Force Detection (RDP + SSH)

index=main sourcetype=WinEventLog:Security EventCode=4625
| stats count by src_ip, user, host
| where count > 10
| eval severity="HIGH"

2. After-Hours Admin Login

index=main sourcetype=WinEventLog:Security EventCode=4624
| eval hour=strftime(_time, "%H")
| where (hour < 8 OR hour > 20) AND match(user, "(?i)admin")
| table _time, user, src_ip, host

3. PowerShell Download Cradle

index=main sourcetype=WinEventLog:Security EventCode=4688
  New_Process_Name="*powershell*"
| where match(Process_Command_Line,
    "(?i)invoke-webrequest|iwr|downloadstring")
| table _time, user, Process_Command_Line, host

4. Large Data Exfiltration

index=network sourcetype=firewall_logs
| stats sum(bytes_out) as total_bytes by src_ip, dest_ip
| where total_bytes > 104857600
| eval total_mb=round(total_bytes/1024/1024, 2)

5. New Local Admin Account Created

index=main sourcetype=WinEventLog:Security EventCode=4720
| table _time, user, TargetUserName, host
| eval severity="CRITICAL"

These 5 rules cover MITRE ATT&CK techniques T1110 (Brute Force), T1059 (Execution), T1136 (Persistence), and T1041 (Exfiltration) — 80% of real-world incidents.
Pro tip: Map all rules to ATT&CK and test with Atomic Red Team before deploying to production.

You don't need expensive licenses to build a real SOC lab. Here's how I built mine using 100% free tools.

Stack: Wazuh (SIEM + HIDS) · Suricata (Network IDS) · VirtualBox · Kali Linux (attacker) · Windows 11 + Ubuntu 22.04 (victims)

Architecture — Host-Only Network 192.168.56.0/24:
• .10 — Wazuh Manager (Ubuntu)
• .20 — Windows 11 with Wazuh agent
• .30 — Ubuntu web server with agent
• .40 — Kali attacker

What you can practice:
✅ Brute force simulation (Hydra → Wazuh alert)
✅ Malware testing in isolated VM
✅ Incident response with real playbooks
✅ Custom MITRE ATT&CK mapped detection rules
✅ File integrity monitoring, process creation, network traffic analysis

Total cost: ₹0. Setup time: one weekend. Wazuh install takes 20 minutes, agents 5 minutes each.

Saying "I built a Wazuh SIEM that detected lateral movement using FIM alerts" in an interview beats "I know SIEM theory" every time. Build it. Document it. Put it on GitHub.

The Indian BFSI sector saw a 43% increase in cyber incidents in 2025. Here's what's actively targeting banks, fintechs, and insurance companies right now.

SideCopy (Pakistan-linked APT)
Target: Indian banks + government · TTPs: Spear phishing → malicious LNK files → RAT deployment · MITRE: T1566.001, T1204.002

Lazarus Group (North Korea)
Target: Banks (SWIFT fraud), cryptocurrency exchanges · TTPs: Supply chain, watering hole, social engineering · MITRE: T1195, T1078

Local Cybercrime Groups
Target: UPI users, retail banking customers · TTPs: Vishing, SIM swap, fake banking apps, QR code fraud

Top Attack Vectors 2026:
• Phishing — 44% of BFSI-targeted attacks
• Ransomware — LockBit 3.0, BlackCat, Cl0p active
• API attacks — BOLA/IDOR, OTP brute force, JWT manipulation (tripled since 2024)

Recommended actions: DMARC enforcement · MFA on all privileged accounts · BFSI-specific SIEM detection rules · DPDP Act gap assessment · Join BFSI-ISAC for threat intel sharing.

Full threat report with IOCs on my GitHub: bfsi-threat-intelligence

Most "SOC roadmaps" are written by people who've never worked in a SOC. Here's what actually works in India's job market.

Reality check: Entry-level pays ₹3.5–6 LPA. You'll start as L1. 80% is following playbooks, not hacking. Night shifts are common in year 1–2.

Phase 1 — Foundations (3 months): TCP/IP, DNS, HTTP/S · Windows + Linux basics · Reading logs (Event Logs, Syslog) · MITRE ATT&CK framework
Resource: Professor Messer's Security+ on YouTube (free)

Phase 2 — Core Skills (3–4 months): CompTIA Security+ · One SIEM (Splunk free trial or Wazuh) · Build a home lab · Write 5–10 ATT&CK-mapped detection rules · Document everything on GitHub

Phase 3 — Practice (2–3 months): TryHackMe SOC Level 1 · LetsDefend real scenarios · CyberDefenders blue team CTFs · Practice writing incident reports

Phase 4 — Apply: MSSPs (TCS, Accenture, IBM X-Force) · Banks (HDFC, ICICI, SBI internal SOCs) · Product companies (Zscaler, Palo Alto, Crowdstrike India)

Resume tip:
❌ "Knowledge of SIEM tools"
✅ "Built Wazuh SIEM with 15 custom detection rules covering MITRE T1110, T1566, T1059"

Timeline: 8–12 months from zero to first SOC role if consistent. Questions? DM me — I was exactly where you are 3 years ago.

131 new CVEs are disclosed every day in 2026. The median time to exploit is now under 5 days. 32.1% of vulnerabilities are weaponized on or before CVE disclosure day. Here are the ones actively being exploited that every SOC team must know.

CVE-2026-33017Langflow RCE — CVSS: Critical
Unauthenticated remote code execution in the open-source AI platform Langflow via the /api/v1/build_public_tmp/ endpoint. Attackers exploited this within 20 hours of disclosure — before any public PoC existed. They built working exploits directly from the advisory.
MITRE: T1190 · Action: Upgrade to Langflow 1.9.0+. Restrict public endpoint access immediately.

CVE-2026-21858n8n Authentication Bypass — CVSS: 10.0
Unauthenticated attackers can read arbitrary local files, forge admin sessions, and execute commands on n8n servers via a Content-Type confusion flaw. Affects all versions before 1.65.0. Nicknamed "Ni8mare."
MITRE: T1078, T1083 · Action: Update to v1.121.0+. Audit all exposed n8n instances.

CVE-2026-20122 / 20128 / 20133Cisco Catalyst SD-WAN Manager
Three actively exploited flaws added to CISA KEV April 2026 — incorrect privileged API use, passwords in recoverable format, and sensitive info exposure to unauthenticated actors. Federal remediation deadline: April 23, 2026.
MITRE: T1552, T1078 · Action: Apply Cisco patches. Rotate all SD-WAN credentials.

CVE-2025-36918Windows MSHTML RCE
Use-After-Free in the Windows MSHTML engine. Weaponized in spear-phishing against government and financial institutions — opening a document becomes a system-level breach. Microsoft issued emergency patch December 2025.
MITRE: T1566.001, T1203 · Action: Apply Microsoft emergency patch. Disable MSHTML legacy rendering.

CVE-2025-48700Zimbra ZCS XSS — Added CISA KEV Apr 2026
Cross-site scripting in Synacor Zimbra. Attackers execute arbitrary JavaScript in authenticated sessions — stealing session tokens and accessing mailbox contents.
MITRE: T1185 · Action: Patch Zimbra. Review mail server logs for abnormal session activity.

Key takeaway for 2026: CVSS scores alone are not enough. Prioritize by exploitability and real-world active exploitation status — not just severity. Subscribe to CISA KEV catalog alerts and act within 24 hours on critical additions.

Ransomware is no longer just encryption. In 2026, it is an autonomous, AI-driven operation that handles reconnaissance, exploitation, lateral movement, and ransom negotiation — with minimal human involvement.

1. Agentic AI in the attack chain
Ransomware groups now deploy AI agents to autonomously scan for targets, prioritize high-value victims, and trigger exploitation. IBM X-Force 2026 Threat Index reported a 44% increase in attacks starting with exploitation of public-facing applications — accelerated by AI-enabled vulnerability discovery. Active ransomware groups surged 49% year-over-year.

2. Triple extortion is standard
Modern ransomware encrypts, steals data, and threatens regulatory violations (GDPR, DPDP Act). Average recovery cost 2026: $2.73 million. Healthcare average: $7.42 million.

3. Supply chain as primary vector
Supply chain compromises have nearly quadrupled since 2020. Lotus Blossom (China-linked APT) hijacked the Notepad++ update channel via CVE-2025-15556, delivering Cobalt Strike Beacon and Chrysalis backdoor to thousands of endpoints — undetected for 6+ months.

4. RaaS ecosystem is fragmenting
Smaller transient operators replaced large groups like LockBit. Harder to attribute, reuse leaked tooling, and use AI to automate what teams once did manually. Barriers to entry have collapsed.

5. AI infrastructure itself is a target
CVE-2026-33017 (Langflow) and CVE-2026-21858 (n8n) show AI automation platforms are being weaponized within hours of vulnerability disclosure — a new and growing attack surface.

What defenders should do:
✅ Immutable, air-gapped backups — ransomware targets backup systems first
✅ EDR with behavioral detection, not signature-only AV
✅ Patch public-facing apps within 24 hours of critical CVE disclosure
✅ Network segmentation — assume breach, limit lateral movement
✅ Audit AI tool inventory — Langflow, n8n, and similar need hardening
✅ Monitor supply chain — every vendor is an attack surface

87% of security leaders identify AI-related vulnerabilities as the fastest-growing cyber risk in 2026 — World Economic Forum Global Cybersecurity Outlook 2026.

Supply chain attacks have nearly quadrupled since 2020. Nation-state actors are no longer just attacking your network — they're attacking the software, vendors, and tools you trust.

CVE-2025-15556Lotus Blossom (China-linked) — Notepad++ Supply Chain
Hijacked Notepad++'s update channel June–December 2025. Victims received Cobalt Strike Beacon and the "Chrysalis" backdoor instead of a legitimate update. Added to CISA KEV February 2026. Operated undetected for 6+ months.
MITRE: T1195.002 — Compromise Software Supply Chain, T1072 — Software Deployment Tools

CVE-2026-21513APT28 / Fancy Bear (Russia) — Windows MSHTML
Russian state-sponsored group leveraged an MSHTML flaw via malicious Windows Shortcut (.lnk) files for multi-stage payload delivery. Targeting government and defence organizations. Recorded Future Risk Score: 99 (Very Critical).
MITRE: T1566.002, T1547

SideCopy (Pakistan-linked) — Active Q1–Q2 2026
Ongoing spear phishing campaigns targeting Indian banking and government employees. LNK files → RAT deployment → persistent access. Particularly active against BFSI sector employees in India.
MITRE: T1566.001, T1204.002, T1055

Why supply chain attacks are so dangerous:
• Abuse trusted channels — software updates, vendor integrations, open-source packages
• Detection is harder — legitimate tools carry malicious payloads, bypass most AV
• Blast radius is massive — one compromised vendor reaches thousands of customers
• Dwell time is high — Lotus Blossom operated undetected for 6+ months

PwC Annual Threat Dynamics 2026 notes that motivations are blurring — ransomware groups trade stolen data, state actors use criminal tools, and North Korea-linked groups are industrializing fraudulent employment and crypto theft at scale. India's BFSI and government sectors remain priority targets.

What to do:
✅ Implement SBOM — know every software dependency
✅ Verify software update signatures before deployment
✅ Monitor third-party vendor access with PAM tools
✅ Deploy threat intel feeds covering APT IoCs (MISP, OTX AlienVault)
✅ Hunt for Cobalt Strike Beacon C2 traffic in network logs
✅ Block .lnk execution from untrusted sources via GPO

If you're in India's BFSI or government sector — assume you are a target. Build defences around that assumption.

The SOC as we know it was designed for a human-speed threat landscape. Analysts triage alerts, escalate incidents, and correlate logs — on a timeline measured in minutes and hours. In 2026, AI has collapsed that window to seconds. The traditional SOC model is breaking under the pressure.

What's changed:

1. Attackers now move at machine speed
Palo Alto Networks Unit 42's Global Incident Response Report 2026 found that the fastest data exfiltration cases in 2025 occurred four times quicker than the prior year. AI is compressing the entire attack lifecycle — from initial access to data theft — into a window that human analysts cannot match manually. Attackers begin scanning for new CVEs within 15 minutes of disclosure.

2. Alert volume has exploded
131 new CVEs are disclosed every day , each generating detection rule updates, threat intel feeds, and alert noise. SOC analysts are drowning. Organizations with critical staffing shortages face $1.76 million higher average breach costs than adequately staffed peers — and there are 4.8 million unfilled cybersecurity positions globally in 2026.

3. AI agents are creating new blind spots
As enterprises adopt agentic AI tools, those agents make API calls, access credentials, and trigger workflows autonomously. Traditional SOC monitoring is built around human user behaviour — it cannot distinguish a legitimate AI agent from a compromised one. 51% of developers cite unauthorized API calls from AI agents as their top security concern.

4. Attackers use AI to bypass detection
AI-generated phishing lures now mimic writing styles with high precision. Polymorphic malware rewrites its own signature after each execution. Deepfake voices bypass voice-authenticated systems. The signature-based detection that anchored SOC workflows for a decade is increasingly ineffective.

What modern SOC teams must do:
✅ Shift from reactive alert triage to proactive threat hunting — assume breach
✅ Automate Tier 1 response: log correlation, IOC enrichment, ticket creation
✅ Implement behavioural detection (UEBA) alongside signature rules
✅ Deploy SOAR platforms to reduce analyst fatigue and response latency
✅ Build detection rules for AI agent activity — monitor service accounts, API keys, machine identities
✅ Shorten Mean Time to Detect (MTTD) and Mean Time to Contain (MTTC) as primary KPIs
✅ Subscribe to CISA KEV alerts — act within 24 hours on critical additions

The uncomfortable truth: A SOC that still relies on manual alert triage in 2026 is already behind. The goal is not to hire faster analysts — it is to automate the baseline so analysts focus on decisions machines cannot make.

The perimeter is dead. Attackers no longer break in — they log in. PwC's Annual Threat Dynamics 2026 report frames the current threat landscape as fundamentally identity-driven: adversaries abuse credentials, session tokens, and federated access rather than exploiting network vulnerabilities. Identity is the new battleground.

The numbers tell the story:
Identity weaknesses factored into nearly 90% of Unit 42's incident response investigations in 2026. IBM X-Force found that abuse of valid user identities was the preferred entry point in 30% of tracked cases. Verizon reported that 88% of web application breaches involved stolen credentials. Breaches involving stolen or compromised credentials take the longest to identify — an average of 243 days.

Top identity attack vectors in 2026:

1. AI-generated deepfake voices
Attackers clone voices to bypass bank call centre authentication and voice-based MFA. Financial services are the primary target — AI-generated deepfakes and phishing lures are growing more sophisticated month by month.

2. MFA fatigue attacks
Spamming users with push notification requests until they approve out of frustration. Still devastatingly effective in 2026 because many organizations haven't moved to phishing-resistant MFA. SMS OTP remains widely deployed despite being trivially bypassable via SIM swap.

3. Agentic AI identity abuse
AI agents operate inside enterprise systems using real credentials and session tokens. Cybercriminals are now targeting autonomous AI agents, exploiting agent-to-agent communication to commit attacks by compromising machine identities. Traditional IAM was designed for human users — it cannot yet adequately govern AI agents.

4. Session token theft
Rather than stealing passwords, attackers steal post-authentication session tokens — bypassing MFA entirely. Infostealer malware (Redline, Lumma) harvests browser cookies and tokens at scale.

5. Over-privileged accounts & standing access
Over 90% of breaches were enabled by preventable exposure gaps rather than advanced tradecraft. Most organizations still grant excessive standing privileges. One compromised identity with over-provisioned access = full environment compromise.

What to do right now:
✅ Move to phishing-resistant MFA — FIDO2/passkeys, not SMS OTP
✅ Implement Zero Standing Privileges — Just-in-Time (JIT) elevation only
✅ Shorten token lifetimes — short-lived credentials reduce blast radius
✅ Enforce Conditional Access policies evaluating risk, location, device health continuously
✅ Rotate service accounts and API keys every 90 days — machine identities are frequently overlooked
✅ Enable PIM (Privileged Identity Management) in Azure AD for admin role activation
✅ Run quarterly access reviews — remove stale accounts and over-provisioned roles

The IAM market will reach $24.1 billion in 2026 — because organizations are finally understanding that identity is not an IT problem. It is the security problem.

APIs are the nervous system of modern software. They power mobile apps, fintech platforms, UPI integrations, and now agentic AI workflows. They are also the fastest-growing attack surface in 2026. API attack traffic has grown by approximately 681% in recent years. API-related incidents affected 84% of security professionals in the past 12 months.

Why APIs are so vulnerable:
The average enterprise manages over 900 active APIs in 2026. Most were never security tested. Shadow APIs — undocumented endpoints that teams forget exist — are everywhere. And with AI agents now making autonomous API calls, the attack surface is expanding faster than any security team can manually track.

OWASP API Top 10 — The Ones Getting Exploited Right Now:

API1 — Broken Object Level Authorization (BOLA/IDOR)
Still #1 in 2026. Attacker changes an object ID in a request URL and accesses another user's data. Hard for automated scanners to detect because it's a logic flaw, not a syntax error. A BOLA-style flaw at a major US fintech in 2024 exposed millions of customer transaction records.
Fix: Validate object ownership server-side on every request. Use UUIDs not sequential IDs.

API2 — Broken Authentication
Weak token validation, missing expiry, insecure OAuth flows. Credential stuffing accounts for over 30% of API attacks — attackers automate login attempts using leaked credential databases.
Fix: Short-lived tokens, rate limiting, anomaly detection on auth endpoints.

API5 — Broken Function Level Authorization (BFLA)
Regular users accessing admin endpoints by changing the HTTP method or endpoint path. Attackers exploit predictable API route structures.
Fix: Enforce method-level permissions via JWT claims. Centralized authorization policy.

API8 — Security Misconfiguration
Debug endpoints left on in production, permissive CORS, unnecessary HTTP verbs enabled, stack traces in error messages. Agentic attackers thrive on forgotten APIs — deprecated endpoints, shadow APIs, and test environments often lack modern controls.
Fix: Continuous configuration drift detection. Aggressive decommissioning of unused endpoints.

The AI agent problem:
Agentic workflows change how API failures are exploited — what once required manual probing can now be discovered, chained, and replayed automatically. AI-driven scanners identify misconfigurations within minutes of deployment. Only 15% of organizations feel highly confident in handling AI-driven API threats.

For Indian BFSI specifically:
Fintech startups report API vulnerabilities as a factor in nearly 50% of security incidents. UPI, open banking APIs, and payment gateways are high-value targets. BOLA, rate-limit bypass for OTP brute force, and JWT manipulation are the top three attack patterns.

Action plan:
✅ Build a complete API inventory — including shadow and deprecated endpoints
✅ Test every API against OWASP API Top 10 before production deployment
✅ Implement runtime API monitoring — not just static testing
✅ Enforce rate limiting on all authentication and OTP endpoints
✅ Use Burp Suite or OWASP ZAP for manual API security testing
✅ Monitor for abnormal API call volumes — early indicator of automated attack

The patch window is no longer measured in weeks. In 2026, the median time from CVE disclosure to active exploitation is under 5 days. For high-profile vulnerabilities, it's hours. CVE-2026-33017 (Langflow RCE) was exploited within 20 hours of disclosure — with no public PoC available. Attackers built working exploits directly from the advisory text.

The current reality:
28.3% of exploited vulnerabilities are weaponized within 24 hours of disclosure. 32.1% are abused on or before the CVE disclosure date — effectively zero-days. Attackers begin scanning within 15 minutes of a CVE going public. The traditional "patch on Tuesday, test on Wednesday, deploy by Friday" cycle is dangerously obsolete.

Why most organizations are failing at patch response:
• Relying on CVSS scores alone — a CVSS 7.0 that's actively exploited is more dangerous than a CVSS 9.5 with no public exploit
• No real-time asset inventory — teams don't know which systems are affected
• Lengthy change management processes designed for stability, not speed
• No integration between threat intel feeds and vulnerability scanners
• Testing cycles that assume weeks of lead time

How to build a rapid patch response process:

Step 1 — Subscribe to real-time threat intel
CISA KEV catalog (free, authoritative) · NVD RSS feed · Vendor security advisories · Twitter/X accounts of key security researchers · TheHackerNews for weaponization alerts

Step 2 — Maintain a live asset inventory
You cannot patch what you don't know exists. Every asset — endpoint, server, cloud instance, container, API — must be in a continuously updated inventory. Shadow IT is your biggest vulnerability gap.

Step 3 — Risk-based prioritization, not CVSS-only
Ask three questions for every CVE:
• Is it actively exploited? (Check CISA KEV)
• Is the affected software internet-facing in our environment?
• Is there a public PoC or working exploit?
If yes to any two: treat as P0, patch within 24 hours.

Step 4 — Emergency patch lanes
Create a separate, fast-track change process for P0 vulnerabilities that bypasses standard 2-week change windows. Define criteria in advance so there's no debate when a critical CVE drops at 2 AM.

Step 5 — Virtual patching for what you can't immediately patch
WAF rules, network-level blocks, and firewall ACLs can mitigate exploitation while the full patch is tested and deployed. Particularly important for legacy systems that can't be updated quickly.

Step 6 — Post-patch verification
Run a vulnerability scan after patching. Confirm the CVE is actually remediated. Log it with timestamp — this matters for compliance and incident response if exploitation is later discovered.

The organizations that contained CVE-2026-33017 quickly had continuous scanning, virtual patching, and a real-time KEV subscription already in place. Build the process before the next 20-hour exploit window opens.

Every Indian SMB needs a SIEM in 2026. The DPDP Act requires breach detection and notification. Regulators expect logging. Clients in BFSI and healthcare demand it. But "get a SIEM" immediately runs into one question: Splunk or Wazuh? Here's an honest, practical comparison.

Cost — the biggest differentiator
Wazuh: Completely free and open-source. No licensing cost. Runs on your own infrastructure. The only cost is the server (a ₹5,000/month cloud VM handles most SMB deployments).
Splunk: Enterprise licensing starts at ~$150/GB/day indexed data. For a 50-endpoint organization generating 5GB/day, that's $750/day — ₹22,000+ daily. Splunk Cloud is slightly more accessible but still expensive for SMBs. There is a free tier capped at 500MB/day — useful only for labs.

Capabilities comparison:

Log collection & ingestion
Wazuh: Agent-based collection from Windows, Linux, macOS, cloud. Syslog, AWS CloudTrail, Office 365 support. Solid for standard environments.
Splunk: Universal forwarder supports virtually any log source. Thousands of pre-built integrations via Splunkbase. Wins on breadth and flexibility.

Detection rules
Wazuh: 3,000+ built-in rules, fully customizable in XML. MITRE ATT&CK mapping built in. Writing custom rules is straightforward once you learn the syntax.
Splunk: SPL (Search Processing Language) is powerful but has a steeper learning curve. Enterprise Security app adds correlation rules, risk-based alerting, and MITRE dashboards — but costs extra.

Threat intelligence integration
Wazuh: Native integration with VirusTotal, MISP. CDB lists for IOC matching. Good enough for SMBs.
Splunk: SIEM + SOAR combination with Splunk SOAR (formerly Phantom) is industry-leading for large SOC environments. Overkill for SMBs.

HIDS / FIM (Host Intrusion Detection)
Wazuh: Excellent. Built-in File Integrity Monitoring, rootkit detection, active response. This is where Wazuh genuinely outperforms many paid tools.
Splunk: Requires additional agents and integrations for endpoint-level detection.

Ease of use & dashboards
Wazuh: Web UI has improved significantly. Pre-built dashboards for compliance (PCI DSS, HIPAA, GDPR). Good for most use cases.
Splunk: Industry-leading dashboards and visualizations. Search interface is more powerful and flexible for advanced analysts.

My recommendation for Indian SMBs:
Start with Wazuh. It covers 90% of what an SMB needs for DPDP Act compliance, threat detection, and incident response — at zero licensing cost. Build your detection engineering skills on Wazuh first.

Move to Splunk (or consider Microsoft Sentinel) only when: you have 500+ endpoints, a dedicated SOC team, budget for licensing, and complex data sources that Wazuh struggles with.

The worst outcome is buying Splunk Enterprise, spending months on deployment, and having no one skilled enough to write detection rules. A well-tuned Wazuh with 50 custom rules beats an unused Splunk instance every time.

For job seekers: Learn both. Wazuh for your home lab (it's free). Splunk for your resume (Splunk offers free training and a free 60-day cloud trial). Employers want to see both on your CV.

Indian banks and fintechs are deploying ML models to detect fraud at scale. Transaction anomaly detection, UPI fraud scoring, credit risk models — AI is now embedded in the core of BFSI security infrastructure. What most institutions haven't accounted for is that these models themselves are attackable. This is the domain of adversarial machine learning — and it's no longer theoretical.

What is an adversarial ML attack?
An adversarial attack manipulates input data in ways that are imperceptible to humans but cause an ML model to make incorrect predictions. In the BFSI context: a fraudulent transaction is crafted to look legitimate to the fraud detection model, while being clearly fraudulent in intent. The model says "safe" — the attack succeeds.

The two main attack types relevant to BFSI:

1. FGSM — Fast Gradient Sign Method
A white-box attack that uses the model's gradient information to craft minimal perturbations that flip the model's prediction. In a fraud detection context, an attacker who understands the model architecture can craft transaction features that score as legitimate. FGSM is computationally cheap and fast — a real-time attack is feasible.

2. PGD — Projected Gradient Descent
A stronger, iterative variant of FGSM. Generates more robust adversarial examples by repeatedly applying gradient steps within a constrained perturbation budget. PGD attacks are harder to defend against with standard adversarial training.

Why BFSI is particularly vulnerable:
• Fraud detection models are trained on historical transaction data — attackers study breach datasets and public fraud datasets to reverse-engineer model behaviour
• UPI and open banking APIs expose real-time scoring endpoints — an adversary can probe the model with crafted requests to learn its decision boundary
• Model updates are infrequent — a successful adversarial pattern can be exploited repeatedly before retraining
• Explainability is limited — institutions often can't distinguish an adversarial sample from a genuine edge case

Real-world implications:
• Fraudulent UPI transfers crafted to bypass velocity checks
• Synthetic identity fraud with transaction histories designed to look legitimate to credit models
• Account takeover attempts that mimic normal user behaviour patterns to evade anomaly detection

Defences that work:
✅ Adversarial training — include adversarial examples in training data. The single most effective defence, though imperfect against unseen attack types
✅ Input validation & feature monitoring — flag statistical anomalies in input features before they reach the model
✅ Ensemble models — adversarial examples crafted against one model often don't transfer cleanly to others
✅ Model versioning & monitoring — track prediction confidence distributions over time. A sudden shift can indicate adversarial probing
✅ Rate limiting on scoring APIs — limit how frequently an entity can query the fraud scoring endpoint
✅ Human-in-the-loop for edge cases — low-confidence model predictions should trigger manual review, not automatic approval

The bigger picture:
As Indian BFSI institutions accelerate AI adoption under RBI's regulatory framework, adversarial robustness needs to be part of every model's security requirements — not an afterthought. A fraud detection model that hasn't been tested against adversarial inputs is not a security control. It's a liability.

This research area formed the core of my MTech thesis at University of Hyderabad in collaboration with IDRBT (RBI's Institute for Development and Research in Banking Technology). Happy to discuss further with BFSI security teams.