Three sovereign products for Indian banks, insurers and capital markets.
ShortOrbit ships an indigenous, AI native security stack purpose built for BFSI. CipherStrike Pro for post quantum cryptography. CryptoDoc for tamper proof document intelligence. APIStrike Pro for continuous API security testing across UPI, Open Banking and card rails.
From DRDO labs to the country's biggest banks.
ShortOrbit was not built in a startup garage chasing a trend. It was built inside the procurement processes of the most demanding cyber buyer in India, the defence establishment, and only then taken to commercial banking. The result is a portfolio that looks unusual on a vendor shortlist and behaves very differently in a real attack.
Built for the National Health Authority and contributing to ABHA
ShortOrbit was founded in 2022 with a contract from the National Health Authority, contributing to the Ayushman Bharat Health Account (ABHA) under the Prime Minister's flagship digital health mission. In parallel, the founding team began foundational work on mobile forensics and cybersecurity. These early engagements set the engineering culture that would define the company: build for the highest assurance customer first and let everything else fall into place.
Two products procured and deployed inside DRDO
Two flagship products covering forensics, cybersecurity and cryptography were procured and deployed inside DRDO laboratories. Each product passed independent code review, supply chain audit and red team penetration testing before any production install was permitted. The DRDO seal of approval established ShortOrbit as a credible product company in the Indian defence ecosystem and opened doors across the wider security establishment.
CipherStrike Pro and APIStrike Pro take shape
ShortOrbit laid the architectural foundation for CipherStrike Pro and APIStrike Pro, two products designed from day one to handle nation state grade adversaries. Pilot deployments rolled out inside DRDO, the National Technical Research Organisation (NTRO) and other departments of the Ministry of Defence. Continuous feedback loops with classified evaluation teams shaped the product roadmap and hardened the codebase under conditions no commercial vendor ever sees.
CryptoDoc launched, APIStrike Pro closed at SAG, DRDO
CryptoDoc, our offline air gapped document and evidence vault, moved from prototype to production. APIStrike Pro completed procurement and was formally deployed at the Scientific Analysis Group (SAG) within DRDO, widely known as the Temple of Cryptography in India. With three live products inside the country's most sensitive cryptographic environment, the engineering bar was set for everything that followed in the portfolio.
Closing wide defence procurement and opening the BFSI Edition
CipherStrike Pro is closing procurement across DRDO, ISRO and more than 50 other intelligence agencies, enforcement bodies, armed forces wings, defence PSUs and departments of the Ministry of Defence. After four years of rigorous defence grade hustle, R&D, execution and earned trust, ShortOrbit is now opening the BFSI Edition of its products and entering the banking, financial services and insurance market with the same uncompromising standards that defence has demanded from us since day one.
A bank's threat model is a subset of a defence agency's threat model. If you build for the harder one first, the rest is just paperwork.
Procured. Deployed. Trusted.
Every commercial customer asks the same question: has this been used somewhere serious? Our answer is on the record. ShortOrbit products have been procured through Government of India tenders, deployed inside classified facilities, and operated for years under audit obligations that no commercial bank will ever match.
Two flagship products procured in 2023. APIStrike Pro deployed at Scientific Analysis Group, the Temple of Cryptography in India. CipherStrike Pro closing across multiple labs.
Pilot deployments of CipherStrike Pro and APIStrike Pro for technical signals and cryptographic research workflows.
Active pilots across multiple departments for secure communication, cryptography research and document custody.
Closing procurement for satellite ground link cryptography evaluation and modernisation.
Six structural forces reshaping BFSI security
The Indian banking system is being asked to upgrade cryptography, document workflows and API security at the same time, under a tightening regulatory net and rising fraud at unprecedented scale.
The Q Day Cliff
NIST has finalised FIPS 203, 204 and 205. RBI, BIS, MAS, ECB and OCC have all issued post quantum readiness guidance. Cryptographically Relevant Quantum Computers are projected within this decade. Every classical RSA and ECC key signing a SWIFT message, custody record or mortgage contract today is harvestable.
Harvest Now, Decrypt Later
Mortgage data, life insurance contracts, custody ledgers, KYC archives and trade finance documents have decades long sensitivity. Adversaries are recording encrypted traffic today to decrypt after the cryptographic break. Data leaving your bank perimeter in 2026 must already be quantum safe.
Regulatory Avalanche
RBI Cyber Security Master Direction, RBI IT Outsourcing Directions, SEBI CSCRF, IRDAI Information and Cyber Security Guidelines, DPDP Act 2023, PCI DSS 4.0, ISO 27001:2022, BIS Cyber Resilience Framework, NPCI Risk Management Framework, FATF Travel Rule and CERT In six hour reporting all simultaneously demand crypto agility, AI governance and provable audit trails.
Real Time Fraud at UPI Scale
UPI alone processes more transactions than Visa and Mastercard combined globally. Fraud losses in Indian banking crossed Rs 13,930 Cr in FY24. Legacy rule engines miss coordinated mule networks, deepfake enabled social engineering and AI generated synthetic identities. Boards now demand AI native fraud platforms.
Digital Rupee and Tokenisation
RBI e Rupee, NPCI tokenisation programme and SEBI asset tokenisation regime require new cryptographic primitives, sovereign key infrastructure and provably tamper proof ledgers. Every token issued today must be quantum safe by design or it becomes a future liability.
Sovereign by Default
RBI IT Outsourcing Directions, MeitY data localisation, DPDP Act and Aatmanirbhar Bharat tilt all push BFSI procurement towards Indian intellectual property, on premise or sovereign cloud deployment, and full source code audit rights. Foreign black box products are fast becoming non procurable.
A ₹29,000 Cr BFSI cybersecurity TAM in India today, our wedge worth ₹1,300 Cr
Indian BFSI cybersecurity TAM stands at USD 3.5 billion or roughly ₹29,000 crore in 2026 and is growing at 22 percent CAGR driven by rapid digitisation, RBI cyber resilience mandates, DPDP Act compliance and rising frequency of nation state grade attacks. Our three products address a clearly definable subset of this spend. The numbers below are bottom up estimates built from public regulatory filings, NPCI data, the RBI cyber security framework, IDC and Gartner India reports, and primary interviews with twenty two BFSI CISOs and CTOs.
TAM BY BFSI SEGMENT (2026)
SOM SPLIT BY PRODUCT (5 YR)
Three products. One sovereign BFSI stack.
Each product solves a measurable BFSI problem on its own, and compounds when run together across UPI, lending, custody and inspection workflows.

CipherStrike Pro
Discover, benchmark and migrate every cryptographic asset in the bank to NIST FIPS 203, 204 and 205 algorithms with full crypto agility.
- FIPS 203, 204, 205 native
- Multi vendor HSM agnostic
- AI assisted CBOM

CryptoDoc
Capture, extract, classify and seal every loan, claim, KYC and trade document with AI plus quantum safe signatures and a full forensic chain.
- BFSI tuned AI extraction
- PQC seal for 30 year retention
- 10 Indian language coverage

APIStrike Pro
OWASP API Top 10 plus BFSI specific test packs for UPI, IMPS, Open Banking, Account Aggregator, card rails and mobile banking, integrated into CI.
- NPCI aligned test packs
- FAPI 2.0 plus DPoP coverage
- Native CI gating
CipherStrike Pro
Post Quantum Cryptography Workbench for BFSI
CipherStrike Pro discovers every cryptographic asset in the bank, benchmarks classical and post quantum algorithms head to head, and migrates SWIFT, RTGS, UPI, card schemes, custody and mobile banking to NIST FIPS 203, 204 and 205 with zero downtime cutover plans.

SWIFT, RTGS and NEFT Quantum Safe Migration
A Tier 1 Indian bank routes 2.4 lakh wholesale messages a day through SWIFT and RTGS. Every message is signed with RSA 2048 keys held in legacy HSMs. RBI inspectors now ask for a documented post quantum migration plan with measurable milestones.
- Auto discovery of every cryptographic call in payment middleware, message routers and HSM client libraries
- Side by side benchmarking of ML DSA 65, Falcon 1024 and SLH DSA on real SWIFT and RTGS message workloads
- Hybrid signing modes that run RSA and ML DSA in parallel to satisfy both SWIFT CSP and RBI PQC guidance during transition
- Crypto Bill of Materials report mapped to RBI Cyber Security Master Direction control numbers
Card Scheme and EMV Key Hierarchy Refresh
A card issuer with 8 million live debit and credit cards has a 7 layer EMV key hierarchy rooted in 3DES and RSA. Mastercard and Visa have committed to PQC key ceremonies and the issuer needs to prove its HSM estate is migration ready before the next scheme audit.
- EMV key hierarchy visualiser that traces every issuer master key, card master key and session key derivation
- HSM compatibility matrix across Thales Luna, Entrust nShield, Utimaco and ATOS hardware
- Migration sandbox that replays real card auth traffic against PQC enabled HSM firmware
- Crypto agility rules engine to swap algorithms per BIN range without code changes
Mobile Banking and UPI App Cryptography Refresh
A digital bank with 32 million MAU runs cryptography across iOS, Android, Flutter and React Native code paths. Pinning, token binding, device attestation and end to end UPI message signing all need to move to PQC without breaking 600 million transactions a month.
- Mobile crypto inventory that scans IPA and APK binaries for OpenSSL, BoringSSL, Conscrypt and CryptoKit usage
- Kyber and Dilithium reference clients that drop into existing TLS 1.3 and JOSE pipelines
- Phased rollout console that enables PQC for 1 percent, 10 percent, 50 percent and 100 percent of users with rollback
- App attestation chain that proves device, app and transaction integrity with quantum safe signatures
Custody, CBDC Wallet and Tokenisation Infrastructure
An asset management arm holds Rs 4.2 lakh Cr of equity, bonds and now tokenised real world assets in custody. The CBDC desk is preparing wholesale e Rupee settlement. Every key signing a custody record or token transfer must be quantum safe and provably owned by the bank.
- Threshold and multi party PQC signing for custody wallets and CBDC nodes
- Native integration with Fireblocks, Copper, Ledger Vault and indigenous HSMs
- Quantum safe Merkle proofs for tokenised assets and on chain CBDC events
- Recovery ceremony tooling with Shamir splits, hardware tokens and air gapped quorum
Cryptographic Bill of Materials and Continuous Audit
A universal bank with 4,800 applications across 26 lines of business cannot answer a basic regulator question, namely where every RSA, ECC, AES and SHA 1 instance lives. Internal audit reports 38 percent of compliance findings now relate to undocumented cryptography.
- Continuous CBOM scanner that fingerprints crypto calls in code, container images, network traffic and certificates
- Risk scoring per crypto asset, mapped to RBI, SEBI, IRDAI, PCI DSS 4.0 and ISO 27001:2022 controls
- Drift detection that alerts when a development team reintroduces SHA 1, DES or static keys
- Board ready dashboard with single quantum readiness score per business unit
CryptoDoc
Tamper Proof Document Intelligence and Signing
CryptoDoc captures, extracts, classifies, signs and preserves every BFSI document. Loan files, KYC packs, trade finance documents, claim files, custody confirmations and audit evidence packs all carry an AI extracted index plus a quantum safe seal that survives 30 year retention.

Quantum Safe Loan Origination and Mortgage Documentation
A mid sized bank originates 14,000 retail loans a month across home, personal, auto and SME segments. Each file has 18 to 42 documents that need extraction, classification, signing and 30 year retention. Aadhaar eSign and physical wet signatures coexist. Internal audit flagged 7 percent of files as having tampering risk.
- AI extraction of borrower KYC, income, collateral and bureau fields with field level confidence scoring
- Hybrid signing flow combining Aadhaar eSign, organisational eSign and ML DSA quantum safe seal
- Tamper evident write once storage with cryptographic chain across the full file lifecycle
- Native integration with Finacle, Flexcube, TCS BaNCS and home grown LOS systems
Trade Finance Letters of Credit and Bills of Lading
A trade finance desk processes 2,300 LCs and 8,400 BLs a month. Documents arrive over SWIFT MT, email and physical courier. Manual checking introduces a 4 day lag. Two LC fraud incidents in the last 18 months cost Rs 78 Cr.
- Document AI tuned for LC, BL, invoice, packing list and certificate of origin extraction
- UCP 600 and ISBP 821 rules engine that flags discrepancies in seconds
- Quantum safe signing per document, per amendment and per endorsement event
- Connectors for SWIFT FIN, Bolero, essDOCS, Contour and bank trade platforms
KYC, Re KYC and Customer Onboarding Evidence
A bank with 4,200 branches onboards 38,000 customers a day. RBI mandates periodic re KYC for low, medium and high risk customers. The current evidence locker stores PDFs and scanned images on standard storage with no cryptographic guarantee of integrity.
- Document classifier that handles PAN, Aadhaar, Form 60, GST, MCA filings and 60 plus other ID types
- Liveness and face match evidence captured and sealed alongside the document
- Quantum safe seal applied at point of capture, with every subsequent access logged on chain
- Configurable retention policies per RBI risk tier, with automatic disposal scheduling
Insurance Claims and Policy Lifecycle Integrity
A life and general insurer issues 3.1 million policies a year and processes 480,000 claims. Disputes around policy terms and claim denial often surface 5 to 18 years after issuance, by which point key evidence is hard to verify.
- Policy document extraction across endorsements, riders, premium receipts and surrender forms
- Claim file packaging with surveyor reports, medical records and discharge summaries sealed together
- Long horizon quantum safe signing that survives the 30 year tail of life policies
- Regulator portal export to IRDAI and ombudsman with one click chain of custody
Audit, Forensic and Regulatory Inspection Pack Generation
RBI, SEBI and IRDAI inspections each ask for hundreds of documents inside a 7 to 14 day window. Today this requires 30 plus people across business, IT and compliance to assemble files, redact sensitive fields and prove integrity.
- Saved query packs aligned to RBI Cyber Security Master Direction, SEBI CSCRF and IRDAI guidelines
- Automatic redaction of customer PII per DPDP Act 2023, with redaction itself cryptographically logged
- One click evidence pack with hash list, signature chain and provenance per document
- Read only inspector workspace with watermarking, screenshot detection and access expiry
APIStrike Pro
Continuous API Security Testing for BFSI
APIStrike Pro replaces slow, manual API VAPT with continuous, BFSI specific testing. OWASP API Top 10 2023, FAPI 2.0 plus DPoP, NPCI aligned UPI, IMPS and AePS test packs, Account Aggregator conformance and PCI DSS 4.0 evidence all run inside the bank's CI pipelines.

UPI, IMPS and NEFT API Continuous Security Validation
A bank exposes 412 internal APIs that touch UPI switch, IMPS gateway and NEFT messaging. Every NPCI release cycle pushes new headers, fields and risk rules. Current testing is manual and lags releases by two to three weeks, creating a moving window of exposure.
- NPCI aware test packs for UPI 2.0, UPI Lite, UPI AutoPay, IMPS P2A and NEFT bulk that are updated within 48 hours of NPCI circulars
- Business logic fuzzing for amount tampering, beneficiary swap, replay, mandate abuse and merchant impersonation
- Authentication and authorisation tests covering OAuth 2.1, mTLS, FAPI 2.0 and India specific token binding
- Production safe traffic shadowing that runs full attack suites against staging using real UPI traffic patterns
Open Banking and Account Aggregator API Hardening
A scheduled bank operates as both Financial Information Provider and Financial Information User in the Account Aggregator ecosystem. 38 fintech and NBFC AA partners consume its APIs. A single broken consent flow can leak years of statement data.
- ReBIT and Sahamati conformance suite with consent artefact, FI request and FI fetch validation
- Consent abuse simulator that tests revoked, expired, duplicated and tampered consent edge cases
- Partner level rate limiting and quota policy validation with tenant aware fuzzing
- FAPI 2.0 plus DPoP, mTLS and PAR test plans that match BIS Open Banking guidance
Mobile Banking App Backend and BFF Layer Testing
A retail bank ships its mobile banking app every two weeks. The Backend For Frontend layer aggregates 70 plus internal microservices. A subtle BOLA flaw last quarter let one customer view balances of another customer in one specific screen.
- OWASP API Top 10 2023 coverage with BFSI specific BOLA, BFLA and mass assignment scenarios
- Object identifier enumeration that mutates customer ID, account number and reference fields at scale
- Session and device binding tests for app pinning, root and jailbreak detection bypass
- Differential testing across iOS, Android, web and partner channels to catch channel specific drift
Card Payment Gateway and PSP API Security Testing
A card acquirer operates a payment gateway processing 240 Cr transactions a year for 90,000 merchants. PCI DSS 4.0 now requires continuous evidence of API security, not just an annual scan. Every new merchant onboarding flow can introduce risk.
- PCI DSS 4.0 aligned API test pack with section 6 and section 11 control mapping
- 3D Secure 2 flow validation including challenge, frictionless and step up scenarios
- Tokenisation API testing for network tokens, COFT and merchant tokens
- Refund, void, capture and chargeback abuse testing against real merchant configurations
Pre Production CI CD API Security Gating
An engineering org runs 1,800 pipelines a day across 320 services. Security testing is bolted on at the end of the cycle, slowing releases and creating friction with product teams. Engineering leadership wants security at developer speed without losing rigour.
- Native integration with Jenkins, GitLab CI, Azure DevOps, Bitbucket and Harness
- Diff aware testing that runs full suites only against changed endpoints, with intelligent regression on dependent services
- Policy as code gates that block merges on critical findings, with single click waiver and audit trail
- Developer first remediation guidance with code level fixes, not generic OWASP descriptions
Three products that compound when run together
Each product is independently valuable. Together they upgrade the bank's trust, document and API estate end to end, with shared keys, shared evidence and shared audit trails.
End to End UPI Trust Stack
APIStrike Pro continuously validates UPI APIs against NPCI specifications. CipherStrike Pro upgrades the cryptographic layer that signs every UPI message. CryptoDoc seals the audit trail of every dispute, chargeback and arbitration document. Together they make a bank's UPI estate provably secure, quantum safe and forensically sound.
Loan Origination Quantum Safe Pipeline
CryptoDoc captures KYC, income, collateral and signs the file with quantum safe seals. CipherStrike Pro provides the underlying PQC keys and HSM compatible signing service. APIStrike Pro continuously tests every LOS to CBS API path that touches the loan file.
Custody and Digital Asset Compliance
CipherStrike Pro powers threshold quantum safe signing for custody wallets. APIStrike Pro tests every order management, fund accounting and custody integration API. CryptoDoc preserves trade confirmations, contract notes and corporate action records with tamper proof seals.
Per product analysis of every relevant alternative
The Indian BFSI buyer can choose ShortOrbit, a US or European product, an Indian system integrator reselling foreign IP, or an Indian point tool. Each option is broken down below across origin, India presence, gap and where ShortOrbit wins.
| Alternative | India presence | Gap | Where ShortOrbit wins |
|---|---|---|---|
| IBM Quantum Safe | Sold via IBM Consulting at long sales cycles, mostly to top 5 banks | Discovery centric, requires heavy IBM Consulting time and cost, no native HSM agility, limited Indian regulatory mapping, US controlled | Indian sovereign deployment, full source audit, 6 to 14 week delivery, BFSI specific use case packs and direct mapping to RBI, SEBI, IRDAI controls |
| Thales CipherTrust and Luna | Strong installed base in Indian banks for classical HSM | Hardware first, slow PQC firmware roadmap, locked into Thales hardware, no application layer crypto agility or CBOM, no AI assisted analysis | Multi vendor HSM agnostic, application and code level crypto agility, AI assisted CBOM, indigenous and on premise |
| Entrust nShield | Common in payments and large enterprise | Same HSM lock in story, no end to end migration tooling, no India specific use case packs, no air gapped Indian sovereign edition | Air gapped Indian build, multi HSM, deeper application coverage, lower total cost |
| PQShield | Limited direct presence, mostly OEM IP licensing | Library and IP focused, no enterprise migration platform, no AI workbench, no BFSI specific delivery model | Full BFSI delivery platform plus AI assistant plus on premise hardware, not just a library |
| SandboxAQ | Project based engagements with select large banks | Heavy advisory model, US controlled, expensive, no air gapped Indian sovereign deployment | Indian intellectual property, productised platform, predictable pricing, on premise |
| AWS KMS PQC and Azure Key Vault | Restricted by RBI IT Outsourcing Directions for sensitive workloads | Cloud lock in, foreign jurisdiction, limited algorithm choice, no cross HSM and on premise crypto agility | Hybrid by design, regulator compliant, runs on premise plus sovereign cloud plus GIFT IFSC |
| Indian system integrators with foreign tooling | Common procurement path | Margin layered on foreign products, slow innovation cycles, no native Indian PQC IP, no source code rights | Direct Indian product, lower cost, source level transparency, joint roadmap with the bank |
Where ShortOrbit stands against Thales, IBM, Entrust and Salt
A pitch deck without a serious competitor analysis is not a pitch deck. The four companies below are the most common alternatives surfaced in BFSI evaluations against ShortOrbit. We have profiled each one with public revenue, India BFSI presence, overlap, pricing and our head to head win rate. Numbers are pulled from public filings, analyst reports and direct CISO interviews.
Thales
Used by SBI, HDFC, ICICI, Axis for HSMs and key management. Long sales cycles. Indian support routed through Singapore.
Direct overlap on cryptography. Thales payShield, Luna HSM, CipherTrust map onto CipherStrike Pro coverage. No overlap on CryptoDoc or APIStrike.
- Dominant HSM installed base inside Indian PSU and private banks
- FIPS 140-3 and Common Criteria certifications across product line
- Strong relationship with RBI and NPCI through legacy footprint
- PQC story is roadmap heavy. ML KEM and ML DSA support landed only in late 2025
- Locked architecture forces banks to buy Thales HSMs to get Thales tooling
- Indian engineering presence is thin. Critical bug fixes routed through Europe
IBM
Mainframe and z16 footprint at SBI, BoB, PNB. IBM Quantum Safe sold through GBS consulting. Heavy services overlay.
IBM Quantum Safe Explorer overlaps with CipherStrike Pro discovery. IBM Verify and IBM Cloud Pak for Security overlap weakly. No overlap on CryptoDoc or APIStrike.
- Brand. CIO and board level recognition still very strong in BFSI India
- Global research with 70+ post quantum patents and NIST contributions
- Deep services arm for migration with thousands of consultants
- Quantum Safe is largely a services led offering. Tooling is immature for self serve
- Locked into IBM stack. Banks running Oracle, Microsoft and open source see limited value
- Pricing skews towards software plus services bundles starting USD 2 M
Entrust
Card issuance and PKI footprint at Axis, ICICI, Kotak. Recently acquired Onfido for KYC. PQC tooling new.
PKI and key management overlap with CipherStrike Pro. Smaller global brand than Thales but more aggressive on PQC roadmap.
- Strong card and PKI installed base. Trusted name in card personalisation
- Onfido acquisition gives them a credible KYC story alongside crypto
- Faster moving on PQC than Thales. Already shipping ML DSA in select products
- Limited Indian engineering presence. Most R&D in US and Canada
- Crypto agility tooling is fragmented across acquired product lines
- No native API security or document custody story
Salt
Used by 2 Indian private banks for shadow API discovery. Cloud only deployment which is a constraint for many banks.
Direct overlap with APIStrike Pro on discovery and runtime protection. No overlap on cryptography or document custody.
- Best in class behavioural ML for API anomaly detection
- Strong analyst recognition. Gartner cool vendor and 451 leader
- Mature dashboards built for SOC analyst workflows
- SaaS only. Cannot be deployed inside an air gapped Indian banking core
- Pricing in USD with no rupee parity. 3x more expensive than ShortOrbit
- No active testing or fuzzing capability. Only passive observation
Feature parity matrix
| CAPABILITY | SHORTORBIT | THALES | IBM | ENTRUST | SALT |
|---|---|---|---|---|---|
| Post quantum (ML KEM, ML DSA, SLH DSA) GA | Yes | Partial | Partial | Partial | No |
| Cryptographic Bill of Materials (CBOM) | Yes | No | Yes | Partial | No |
| Vendor agnostic HSM and KMS coverage | Yes | No | Partial | Partial | No |
| Air gapped, fully on premise deployment | Yes | Yes | Partial | Yes | No |
| Sovereign Indian deployment, India support | Yes | No | No | No | No |
| Document and evidence vault with chain of custody | Yes | No | Partial | No | No |
| OWASP API Top 10 active testing | Yes | No | No | No | Partial |
| Continuous fuzzing and BOLA detection | Yes | No | No | No | Partial |
| Regulator aligned reporting (RBI, SEBI, IRDAI) | Yes | No | Partial | No | No |
| Total cost of ownership index (lower is better) | 1.0x | 3.4x | 4.1x | 2.8x | 3.1x |
Ten BFSI procurement criteria, six vendor archetypes
Every Indian BFSI procurement question maps to ten capabilities. ShortOrbit hits all ten. Foreign and Indian alternatives partially cover a subset, which is why most banks today build hybrid stacks of three or four vendors.
| Capability | ShortOrbit suite | Foreign hyperscaler tools | Foreign HSM and PKI vendors | Foreign API security vendors | Indian system integrators | Indian eSign and ECM tools |
|---|---|---|---|---|---|---|
| Indian intellectual property | ||||||
| On premise and air gapped | ||||||
| BFSI specific use case packs | ||||||
| Post quantum cryptography native | ||||||
| AI assisted analysis | ||||||
| Source code audit rights | ||||||
| RBI, SEBI, IRDAI control mapping | ||||||
| Continuous CI integration | ||||||
| Predictable list price | ||||||
| Regulator ready evidence packs | ||||||
Six BFSI roles that fund the suite
The suite cuts across security, compliance, payments, lending, custody and engineering. Each persona below has a measurable pain that ShortOrbit shows up to solve.
Chief Information Security Officer
Q Day risk, regulator scrutiny, fragmented crypto, API attack surface
CipherStrike Pro, APIStrike Pro
Chief Compliance Officer
Inspection readiness, KYC integrity, AML evidence, DPDP enforcement
CryptoDoc, CipherStrike Pro
Head of Wholesale and Trade Finance
LC discrepancy, BL fraud, SWIFT message integrity, settlement risk
CryptoDoc, CipherStrike Pro
Head of Cards and Payments
Scheme audits, EMV key hierarchy, 3DS 2 testing, fraud loss
CipherStrike Pro, APIStrike Pro
Head of Custody and Digital Assets
Token integrity, CBDC pilot, multi party custody, regulator reporting
CipherStrike Pro, CryptoDoc
Head of DevSecOps and Platform
Release velocity, shift left security, partner API risk, regulator reporting
APIStrike Pro, CipherStrike Pro
Every line in the suite maps to a named regulator clause
Reserve Bank of India
- Cyber Security Master Direction
- IT Outsourcing Directions
- KYC Master Direction
- Digital Lending Guidelines
- Mobile Banking Guidelines
SEBI
- Cyber Security and Cyber Resilience Framework
- Outsourcing Guidelines
- Custodian and Mutual Fund Frameworks
IRDAI
- Information and Cyber Security Guidelines
- Outsourcing Regulations
- Maintenance of Records
NPCI
- UPI 2.0 and UPI Lite specifications
- AePS, IMPS and NACH specifications
- Risk Management Framework
Government of India
- DPDP Act 2023
- IT Act 2000 and CERT In rules
- Aadhaar Act
- Public Procurement Order on Indian preference
Global standards
- FIPS 203, 204, 205
- PCI DSS 4.0
- ISO 27001:2022
- BIS Cyber Resilience Framework
- FATF Travel Rule
From pilot to strategic partnership
A predictable four phase arc that delivers value in week 6, evidence by week 14 and runs continuously beyond. Every phase has joint success criteria with the bank's internal audit and security teams.
Discovery and Risk Mapping
- CBOM scan across selected applications and HSMs
- API inventory and abuse path map
- Document workflow assessment
- Risk score mapped to RBI, SEBI, IRDAI controls
Targeted Pilot
- 1 critical workload per product, e.g. SWIFT, UPI APIs and loan files
- On premise deployment in bank data centre
- Integration with HSM, CBS, LOS and CI tooling
- Joint success criteria with internal audit
Scale and Standardise
- Roll out to all critical applications and channels
- Operating model with bank security, audit and engineering
- Continuous evidence packs for RBI, SEBI, IRDAI inspections
- Co innovation backlog with the bank
Strategic Partnership
- Joint roadmap with crypto, payments and digital teams
- GIFT IFSC and overseas subsidiary extension
- Industry forums, RBI Innovation Hub and BIS submissions
- Annual quantum and AI risk board review
Path to ₹486 Cr ARR by FY30, profitable from FY29
Bottom up financial projections built from named pipeline accounts, signed letters of intent, and conservative win rate assumptions. Numbers exclude any defence revenue and represent BFSI only.
| YEAR | LOGOS | ARR | GROWTH | GM | NRR CHURN | BURN / PROFIT | NOTE |
|---|---|---|---|---|---|---|---|
| FY26 | 4 | ₹18 Cr | Base | 62% | 0% | ₹14 Cr | Lighthouse PSU + 3 private banks |
| FY27 | 14 | ₹62 Cr | 244% | 68% | 0% | ₹22 Cr | PSU expansion, first NBFC cohort |
| FY28 | 32 | ₹148 Cr | 138% | 72% | 1.2% | ₹6 Cr | Insurance + capital markets entry |
| FY29 | 58 | ₹284 Cr | 92% | 75% | 1.5% | Profit ₹38 Cr | GCC and SEA bank expansion |
| FY30 | 92 | ₹486 Cr | 71% | 77% | 1.8% | Profit ₹112 Cr | Public market readiness |
FY30 ARR BY PRODUCT LINE
A SaaS like cost structure with enterprise software pricing power
Our products are licensed on a per environment, per product basis with annual escalation. Margins are protected by our own infrastructure, no third party crypto provider royalties, and a partner channel that absorbs implementation cost.
| SEGMENT | ACV | CAC | LTV | LTV/CAC | PAYBACK | GM |
|---|---|---|---|---|---|---|
| PSU bank | ₹6.8 Cr | ₹1.2 Cr | ₹38 Cr | 32x | 11 mo | 74% |
| Private bank | ₹4.4 Cr | ₹0.7 Cr | ₹26 Cr | 37x | 8 mo | 76% |
| NBFC, HFC | ₹1.6 Cr | ₹0.22 Cr | ₹9 Cr | 41x | 7 mo | 78% |
| Insurer, AMC | ₹2.1 Cr | ₹0.32 Cr | ₹12 Cr | 37x | 8 mo | 75% |
We build, own and ship our cryptographic core. No royalty stack on top of every deployment.
Transparent, three tier licensing across all products
Banks tell us they want predictable annual licences, no surprise consumption fees, and a clear upgrade path. We offer three tiers per product. Pricing below is list. Tier 1 banks typically buy at the Enterprise tier across two or three products.
1 environment, 5,000 assets, CBOM and reporting
Up to 50,000 assets, multi vendor HSM, PQC pilot
Unlimited assets, prod migration, regulator reporting
1 vault, up to 250 K documents, KYC pack
Up to 5 M docs, loan and trade finance flows
Unlimited docs, multi region, regulator portal
Up to 250 APIs, OWASP Top 10 testing
Up to 2,500 APIs, fuzzing, BOLA, runtime hooks
Unlimited APIs, CI / CD, on prem appliance
Three motions, one buyer journey
Selling security products into Indian BFSI is a relationship game with a long tail. Our motion is built around three reinforcing channels with clear handoff rules and joint pipeline reviews.
Named account team selling to top 35 BFSI accounts. Six person team of ex BFSI, ex defence, ex Big 4 advisors.
Co sell with Wipro, Infosys, TCS, LTI Mindtree and HCL on cryptography modernisation programmes.
RBI College of Supervisors and IRDAI cyber assessment programmes refer banks needing PQC roadmaps.
Tier 2 partners for NBFC and insurance segments. Lower touch, higher volume motion.
Sales funnel benchmarks
Six reasons this is the highest conviction BFSI security bet in India today.
A regulatory cliff and a quantum cliff are converging in 2026
The RBI cyber security framework, the Digital Personal Data Protection Act, NIST PQC mandates and harvest now decrypt later threats are forcing a replacement cycle in BFSI cryptography. The window opens in 2026 and closes by 2029.
Defence pedigree no other BFSI vendor in India can claim
ShortOrbit is the only Indian product company with simultaneous DRDO, MoD and ISRO procurement. That credibility shortcuts every BFSI evaluation by twelve to eighteen months and creates a pricing premium of 18% to 25%.
Operators with track record in scale, not just research
Founders have built and scaled three companies before. Senior advisors include a former Tech Mahindra Group Executive Board member, the founder of GenxAi Analytics, and a research leadership panel from IIT Madras and IISc Bangalore.
₹300 Cr is the right size for a 36 month sprint
Smaller and we miss the regulator window. Larger and we dilute beyond what FY30 returns justify. Use of funds is concentrated on engineering, GTM and certifications. No moonshots.
Below comparable PQC and BFSI security exits
PQShield, SandboxAQ and Salt Security have all priced at 15x to 22x ARR in their last rounds. We are pricing at 12.2x FY28 ARR. Our exit comparables are CrowdStrike at 30x, Wiz at 40x and SailPoint at 18x.
Three credible paths and a strategic acquirer pool
Public listing on NSE/BSE in FY30, US listing through reverse flip in FY31, or strategic acquisition by Wipro, TCS, Infosys, IBM, Thales or a global PE roll up. Acquirer pool already engaged through advisor network.
Leadership
Founders with patents and shipped defence tenders. Advisors who built India's internet backbone and scaled global enterprise businesses.

Harsh Vardhan Singh Rao
Co Founder
2x Entrepreneur, 4 Patents Filed
Deep technical roots spanning 10 plus years in IoT, cryptography, defence tech and cybersecurity. Products scaled to 10 million plus users. Procured and fulfilled 3 major defence tenders.

Runjhun Singh Rana
Co Founder
14 plus years, Housing.com, Indiabulls
Seasoned tech leader with 14 plus years building scalable products across Housing.com, Indiabulls and Rebelfoods. Brings broad perspective to product development and growth strategy.

Rakesh Agarwal
Executive Advisor to the Board
IIM Lucknow, Founder GenxAi
25 plus years in business intelligence and analytics. Founded GenxAi Analytics and ACG India. Bringing strategy expertise to scale ShortOrbit towards its USD 500 million revenue target.

Manoj Chugh
Advisor
4 Decades, 100 Great IITians
Built India's internet infrastructure. Former Group Executive Board member at Mahindra Group, leading Tech Mahindra Enterprise Business across 70 global markets.
Run a 6 week BFSI pilot.
Pick one workload per product, deploy on premise inside the bank, agree success criteria with internal audit and regulator, and produce a board ready evidence pack at the end.