I've been in cybersecurity for 18 years. I've seen enterprise security from the inside — the ₹50 lakh annual contracts, the 6-month implementation timelines, the compliance theater. But when I started scanning Indian SMB infrastructure last year, what I found was genuinely shocking.
The numbers:
- 78% of Indian SMB websites have broken or misconfigured SSL
- 91% are missing basic security headers entirely
- 62% run software with known published CVEs
- 37% have admin panels accessible from the public internet
These aren't exotic zero-days. These are configuration basics that take minutes to fix — once you know they exist.
The Real Problem Isn't Awareness
Every founder I talk to knows cybersecurity matters. They've read about the ₹22 crore average breach cost (IBM 2025). They know about the DPDP Act and its ₹250 crore penalty ceiling. The problem isn't awareness — it's access.
Here's what the cybersecurity market looks like for an Indian SMB with ₹5 crore annual revenue:
| Service | Typical Cost | Timeline |
|---|---|---|
| Manual VAPT engagement | ₹40,000 – ₹8,50,000 | 2-4 weeks |
| Enterprise SIEM | ₹15,000 – ₹50,000/month | 3-6 months to implement |
| Compliance consultant (ISO 27001) | ₹5,00,000 – ₹10,00,000 | 6-12 months |
| CISO hire | ₹30,00,000 – ₹60,00,000/year | Good luck finding one |
The rational response? Skip it entirely and hope for the best.
What We're Building
Bachao.AI is an AI-native end-to-end cybersecurity platform built specifically for this gap. Not a single tool — a full platform with 20+ products:
Detection & Testing:
- AI VAPT Scanner (free first scan, ₹4,999 report)
- API Security (REST + GraphQL)
- Mobile App Security (iOS/Android)
- Attack Surface Management
- Secret Scanning
Monitoring & Response:
- Dark Web Monitoring
- MSSP-Lite (SOC-as-a-Service)
- Incident Response
- RASP Protection
Compliance & Governance:
- DPDP Act 2023 Readiness Assessment
- SEBI CSCRF Audit
- Compliance Automation
- Consent Manager SDK
- vCISO AI Copilot
Offensive Security:
- Red Team / Breach & Attack Simulation
- Cyber Forensics
Consumer Protection:
- Deepfake Detection
- UPI QR Scanner
The Technical Architecture
For the engineers here — a few decisions we made early:
Scan isolation: Every scan runs in a Firecracker microVM — the same isolation technology AWS Lambda uses. No scan can affect another customer's environment or our own infrastructure.
Report generation: We use Claude API for contextual vulnerability analysis. Raw scanner output gets transformed into actionable, business-context reports with specific remediation steps — not generic "update your software" advice.
Data security: AES-256 encryption, 90-day default purge cycle. We don't want to be the cybersecurity company that gets breached because we hoarded customer scan data.
The Pricing Bet
Our bet is simple: if you make the entry point free and the paid tier affordable, Indian SMBs will adopt cybersecurity at scale.
- Free scan: Summary report, risk score, top findings. 2-hour delivery.
- ₹4,999: Full vulnerability report with CVSS scoring, OWASP mapping, evidence screenshots
- ₹9,999: Everything above plus remediation — actual fixes, not just recommendations
That's 99% cheaper than the enterprise equivalent. We're not competing with CrowdStrike or Palo Alto. We're competing with "do nothing" — which is what 87% of Indian SMBs currently choose.
DPDP Act — The Clock Is Ticking
The Digital Personal Data Protection Act enforcement begins May 13, 2027. No grace period. Penalties up to ₹250 crore per contravention. And it applies to every business that processes personal data — regardless of size.
Every finding in our reports auto-maps to Schedule I technical safeguards. When the Data Protection Board asks "what reasonable security measures did you have in place?" — our customers have a timestamped, evidence-backed answer.
Where We Are Today
- Bootstrapped, solo founder (me + COO Amit Kumar Poreli)
- DPIIT recognized startup (CIN: U62099WB2025PTC275605)
- 20+ products live on the platform
- Regulatory coverage: RBI IT Framework, DPDP Act 2023, SEBI CSCRF
If you're an Indian startup or SMB that's never run a security scan — try Bachao.AI. The first scan is free and takes 2 hours.
If you're a developer building SaaS products — I'd love to hear what security tooling gaps you face. Drop a comment.
I'm Shouvik Mukherjee, founder of Bachao.AI. Previously Principal Engineer, TEDx speaker. Building from India for Indian businesses.