India's two largest IT companies are doing something unprecedented — quietly, without press conferences or product launches. Infosys and TCS are working with CERT-In (India's Computer Emergency Response Team) to stress-test the country's critical banking and government systems for a new category of threat: AI-driven cyberattacks capable of finding and exploiting vulnerabilities faster than any human hacker.
What "AI Cybersecurity Risk" Actually Means for Indian Banks
CERT-In issued an advisory flagging AI-powered reconnaissance and exploitation as an emerging threat vector. AI systems can now scan code, identify vulnerabilities, generate custom exploits, and probe authentication systems at machine speed — what traditional human hackers required weeks to accomplish can now happen in hours.
Infosys is specifically testing its Finacle banking software — used by over 100 banks globally, including SBI, Bank of Baroda, and numerous cooperative banks. A vulnerability in Finacle discovered by an AI-powered attacker would have systemic consequences across the Indian financial system. TCS is running parallel audits on government and financial systems, including India's passport platform and tax infrastructure. Finance Minister Nirmala Sitharaman has reportedly urged banks to increase IT system vigilance and protect customer data and financial resources against AI-driven risks.
Why This Threat Is Different From Traditional Cyberattacks
Traditional cybersecurity assumes human attackers who operate at human speed. AI-powered attacks break this model entirely. Before AI-assisted hacking tools, a sophisticated attack on a bank's core infrastructure might take weeks — reconnaissance, identifying the attack surface, crafting a custom exploit. With AI tools processing millions of lines of code in hours and generating targeted payloads automatically, that timeline shrinks to hours or days.
According to cybersecurity firm SOCRadar, there are currently over 30,000 compromised Fortinet firewalls globally that expose networks to AI-speed threat actors. India's BFSI sector is explicitly in the crosshairs because it combines high-value targets with legacy infrastructure not designed for AI-speed attacks. CERT-In is specifically stress-testing the Aadhaar database — which holds biometric and personal data for over 1.3 billion Indians — a target of extraordinary value where any breach would be a national security event.
India Is Taking AI Security Seriously at Enterprise Level
This public-private collaboration — Infosys and TCS bringing AI security research alongside CERT-In's enforcement authority — mirrors what the US did post-Colonial Pipeline attack: mandatory security frameworks with real enforcement teeth. India passed its Digital Personal Data Protection Act in 2023, but enforcement mechanisms for AI-specific threats are still being codified. This audit exercise is effectively building the playbook before regulations catch up. As we covered in our analysis of India's cybersecurity regulatory landscape, the window to act before the first major AI-powered breach is still open — barely.
What Indian Businesses Outside Banking Should Do Right Now
Specific actions worth taking immediately: Audit your API security — AI systems target APIs because they're machine-readable attack surfaces. Review all developer credentials and API keys for potential exposure. Enable MFA on all critical systems. Ask your banking software vendor whether they've conducted AI-threat security reviews in the past 60 days. The CERT-In advisory recommends patch prioritization for any system with internet-facing APIs. As we explored in our piece on enterprise cybersecurity threats in 2026, developer toolchain attacks — including recently discovered malicious IDE plugins that stole 70,000 API keys — are increasingly the preferred vector for sophisticated actors.
What This Means for You
For Indian startups using banking APIs, payment gateways, or Aadhaar-based KYC: the security audit work underway will likely result in additional authentication requirements and API changes over the next 6–12 months — build that flexibility into your integration layer. For enterprise CISOs in India: accelerate your AI-specific threat model — your old playbook assumed human-speed attackers. For anyone using Aadhaar-linked apps: enable the highest security settings on your linked accounts now.
Frequently Asked Questions (FAQs)
Q: Why are Infosys and TCS auditing Indian banks for AI threats?
A: Infosys and TCS are working with CERT-In to test India's critical banking and government systems for vulnerabilities to AI-powered cyberattacks. AI systems can now scan code, identify vulnerabilities, and craft exploits at machine speed — making existing security frameworks insufficient against this new threat class.
Q: Is the Aadhaar database at risk from AI cyberattacks?
A: CERT-In is specifically stress-testing Aadhaar and government login systems as part of the current audit. No breach has been announced — the audit is proactive, identifying and patching vulnerabilities before attacks occur.
Q: What is Finacle and why is Infosys testing it?
A: Finacle is Infosys's core banking software used by over 100 banks globally, including major Indian public sector banks like SBI and Bank of Baroda. A vulnerability in Finacle would have systemic consequences for the Indian financial system — making it a priority audit target.
Q: How can Indian businesses protect themselves from AI-powered cyberattacks?
A: Start with API security audits (AI attacks target machine-readable interfaces first), rotate all developer credentials and API keys, ensure MFA is enabled on all critical systems, and ask software vendors whether they've conducted AI-threat security reviews recently.
Q: What enforcement powers does India's CERT-In have?
A: CERT-In can mandate compliance requirements for critical infrastructure and requires organizations to report cybersecurity incidents within 6 hours of detection — one of the world's strictest incident-reporting regimes.
India's AI cybersecurity moment is now. The fact that Infosys and TCS are dedicating resources proactively — not reactively — is the most encouraging signal that India is taking AI-era security seriously. The window to act before the first major AI-powered breach is still open. Barely.
