India's cybersecurity market is projected to reach $10 billion by 2028, growing at a compound annual rate of 18-20% from the current $5.6 billion, according to a report by NASSCOM and Data Security Council of India (DSCI). The growth is driven by a convergence of demand factors including the explosion of digital financial transactions generating high-value targets for cybercriminals, the implementation of the Digital Personal Data Protection (DPDP) Act 2023 which imposes significant compliance obligations and financial penalties on organisations handling Indian citizens' personal data, the proliferation of cloud and SaaS infrastructure that expands the attack surface, and the increasingly sophisticated nature of cyber threats including AI-generated phishing, ransomware-as-a-service and nation-state-sponsored attacks targeting Indian critical infrastructure.
India's financial sector has been the primary target of cyberattacks, with the Reserve Bank of India reporting that cyber incidents against banks, NBFCs and payment companies increased 48% in FY26 compared to FY25. The UPI ecosystem — which processes 600 crore transactions per month — has been specifically targeted with increasingly sophisticated fraud schemes including SIM-swap attacks, QR code spoofing and AI-generated vishing (voice phishing) calls that impersonate bank representatives to trick customers into sharing OTPs and credentials. Banks and payment companies have collectively invested Rs 8,400 crore in cybersecurity tools, AI-based fraud detection systems and security operations centers in FY26, making financial services the single largest buyer of cybersecurity products and services in India.
The DPDP Act has created significant new demand for data privacy management, consent management platforms, data localisation compliance solutions and privacy-by-design consulting services. Every significant data fiduciary — defined as any entity processing personal data of Indian residents above defined volume thresholds — must appoint a Data Protection Officer, conduct regular data protection impact assessments and maintain auditable consent records for all personal data processing. The Act's provisions for significant data fiduciaries (large platforms processing sensitive personal data) are even more stringent, requiring independent data audits and detailed compliance reporting. This regulatory framework has created a substantial market for compliance tools and consulting services that barely existed in India 18 months ago.
Indian cybersecurity companies — a segment that barely existed a decade ago beyond IT services majors like Wipro and HCL — are now emerging as significant players in specific niches. Quick Heal Technologies remains the largest listed Indian cybersecurity company by revenue, with a strong presence in endpoint security for SMBs. Securonix (US-listed but India-founded) leads in AI-powered security operations. Innefu Labs focuses on AI for government security and surveillance. InstaSafe has built a cloud-native Zero Trust Network Access product competing with Zscaler and Palo Alto Networks at significantly lower price points. TAC Security has built a vulnerability management platform with strong traction in regulated industries. These Indian companies typically compete on price and local support quality rather than feature-for-feature comparison with global leaders, successfully capturing the tier-2 and tier-3 corporate market that global vendors struggle to serve effectively.
The talent shortage in cybersecurity is the most significant constraint on the industry's growth. India produces fewer than 50,000 cybersecurity professionals annually against a demand that exceeds 200,000, creating a talent gap that inflates compensation and limits the pace at which enterprises can strengthen their security postures. NASSCOM's FutureSkills Prime programme has incorporated cybersecurity certification pathways, and the government has mandated cybersecurity as a curriculum component in engineering colleges. However, closing the talent gap will require sustained multi-year investment in academic programmes, industry-academic partnerships for hands-on training, and bug bounty programmes that help identify and develop talented self-taught security researchers. The demand-supply imbalance is expected to keep cybersecurity professional salaries growing 15-20% annually for at least the next three to four years.
