Why India Needs Sovereign Cyber Ranges

The Sovereignty Imperative

Every year, India's defence establishments, government agencies, and critical infrastructure operators conduct thousands of cybersecurity exercises. These exercises involve sensitive network topologies, attack patterns, vulnerability data, and performance metrics of personnel defending critical systems.

Where does this data go?

If you're using a foreign cyber range platform, the answer is: offshore. To servers in the United States, Europe, or Israel. Every exercise generates telemetry. Every participant's performance creates a data point. Every network topology reveals architectural decisions about how India's critical infrastructure is defended.

This isn't a theoretical concern. It's an intelligence exposure.

The Make in India Imperative

The IDDM (Indigenously Designed, Developed and Manufactured) mandate exists for a reason. When India's defence forces conduct a multi-day cyber exercise simulating an advanced persistent threat against military command and control systems, the platform hosting that exercise must be:

• Designed in India — by engineers who understand the Indian threat landscape, regulatory requirements, and operational constraints
• Developed in India — with source code that can be audited, escrowed, and verified by sovereign customers
• Deployed in India — on infrastructure that operates within India's borders, with zero external dependencies

Foreign platforms fail all three tests.

The Telemetry Problem

Most foreign cyber range platforms are SaaS-based. Even those that offer "on-premises" deployment often require internet connectivity for licensing validation, content updates, and analytics aggregation. This creates a persistent telemetry channel — a digital umbilical cord connecting India's cyber defence training infrastructure to foreign servers.

Consider what this telemetry reveals:

• Which MITRE ATT&CK techniques Indian SOC teams struggle to detect
• Mean Time to Detect (MTTD) for specific attack patterns — revealing response capability gaps
• Network topologies used in exercises — often modelled on real production environments
• Personnel performance data — identifying strong and weak analysts by name

For a nation-state adversary, this telemetry is gold. It maps the human layer of India's cyber defence: who is good, who is weak, and where the gaps are.

Air-Gap: Not Optional

India's classified networks are air-gapped for a reason. A cyber range platform deployed in these environments must operate with zero internet dependency:

• No licensing callbacks
• No content update channels
• No analytics aggregation
• No SaaS authentication
• No cloud-hosted components

Critical Range was designed air-gap-first. Every component — from exercise content to analytics to authentication — operates entirely within the deployment perimeter. This isn't a retrofit; it's an architectural decision that was made before the first line of code was written.

The Economics of Sovereignty

Beyond security, there's a compelling economic argument. Foreign cyber range platforms typically charge in USD or EUR with 8-15% annual escalation. For a government department operating on allocated budgets in INR, this creates three problems:

1. Forex volatility — a 10% rupee depreciation inflates the training budget by 10% overnight
2. Budget unpredictability — annual escalation makes multi-year planning unreliable
3. Vendor lock-in — switching costs increase with every year of accumulated content and customisation

An indigenous platform eliminates all three. INR billing, fixed multi-year pricing, and zero vendor lock-in because the customer can access the source code.

What Sovereignty Looks Like in Practice

Sovereign cybersecurity training infrastructure means:

• Source code escrow — the customer can verify, audit, and maintain the platform independently if needed
• Zero foreign dependencies — no foreign libraries, frameworks, or services that could be sanctioned, deprecated, or compromised
• Indian support — L1/L2/L3 support teams in Indian time zones, not offshore helpdesks with 12-hour response windows
• Compliance alignment — built for CERT-In, NCIIPC, RBI, and SEBI mandates, not retrofitted from NIST/ISO
• Data residency — all exercise data, analytics, and participant records stay within the deployment perimeter

The Path Forward

India's cyber defence capability is only as strong as its training infrastructure. That infrastructure must be sovereign — not because of nationalism, but because of operational security. The data generated during cyber exercises is as sensitive as the exercises themselves.

Every institution responsible for India's cyber resilience should ask a simple question about their training platform: Where does the telemetry go?

If the answer is "offshore" — or worse, "we don't know" — it's time to reconsider.

---

Abhijit Anand is the Founder and CEO of Zindagi Technologies. Critical Range is India's sovereign cyber range platform, deployed at defence establishments and critical infrastructure operators across the country.