1.5 Million Hits in 2 Minutes: CBSE's Revaluation Portal and the Cyber Resilience Test

A Portal Opens, and the Attacks Begin

June 2, 2026, 10:00 AM. CBSE opened the online portal for Class 12 students to apply for marks verification and question-wise revaluation under its On-Screen Marking system. Within two minutes, the portal received 1.5 million hits. More than 1 lakh of those were classified as unauthorised file access attempts — a coordinated denial-of-service attack attempting to bring the system down.

The portal stayed up. By 3 PM that day, more than 16,000 students had successfully submitted their applications.

This is not a story about a failure. It is a story about how CBSE got there — through delays, preparation, and engineering choices made under public pressure — and what it reveals about the security stakes around digital examination infrastructure.

The Road to June 2

The revaluation portal was originally scheduled to open on May 28, 2026. CBSE postponed that launch, citing the need to strengthen the website to handle the large expected volume of applications. The revised date of June 1 came and went without the portal opening. A second postponement was announced, this time with a harder commitment to June 2.

The delays were criticized as further evidence of CBSE's digital infrastructure problems after a difficult OSM evaluation cycle. Students who had filed grievances about their marks were impatient. The Ministry of Education was watching.

But the June 2 launch — and particularly the system's behaviour in the face of the attack — suggests the delays were used productively. CBSE had, in the period between May 28 and June 2, scaled server capacity, hardened the application against common attack vectors, and tested the platform under load. When the attack came, the defences held.

Why Exam Portals Are High-Value Targets

The attack on CBSE's revaluation portal fits a pattern that security researchers have documented across examination and government digital services in India. Examination portals attract hostile traffic for several reasons.

High emotional stakes create motivated attackers. Students who believe their marks are wrong and whose admission futures depend on revaluation results are deeply invested in the process. In the same pool of 17.68 lakh Class 12 candidates, some small fraction may attempt to access the portal in ways that go beyond standard use — whether to inflate their own marks, to suppress a competitor's application, or simply to disrupt a system they view as having treated them unfairly.

Examination data has value. Answer sheet images, evaluation trails, and mark sheets are personal data with commercial value in the grey market for private tutoring and coaching. A successful breach of an examination portal can expose data on millions of students.

Portal launches are predictable inflection points. Unlike a government system that faces attack continuously, examination portals go from zero traffic to maximum load on an announced date. Attackers who want to disrupt the service know exactly when and where to apply pressure.

The combination makes examination portal launches among the most demanding security events in India's government digital infrastructure calendar.

What CBSE Appears to Have Done Right

Reverse-engineering the outcome — the portal survived under extraordinary load — allows some inference about what defensive measures were in place.

Capacity planning for peak load. A portal serving 17.68 lakh potential applicants must be architected for the scenario where a significant fraction of them attempt to access it simultaneously in the first hour. Provisioning server capacity for average expected load is inadequate. Cloud-based auto-scaling, CDN distribution of static content, and horizontal scaling of application servers are standard tools for this problem.

Rate limiting and bot detection. The characterisation of 1 lakh attempts as "unauthorised file access" implies that CBSE's infrastructure was distinguishing between legitimate user requests and automated attacks. Rate limiting — rejecting requests from sources that exceed a threshold of requests per second — is a basic but effective defence against naive DDoS attacks.

Network-level DDoS mitigation. At 1.5 million hits in two minutes, the traffic volume is large enough that it cannot be absorbed by application-layer defences alone. Network-level traffic scrubbing, either through a CDN with DDoS protection or through an upstream ISP mitigation service, is necessary to prevent the network pipe from being saturated before application-layer defences can act.

Monitoring and response readiness. The fact that CBSE was able to characterise the attack in real time — distinguishing volume (1.5M hits) from specific attack type (unauthorised file access) — suggests active monitoring was in place during the launch window.

The Cost of Not Being Ready

The contrast with what happened on June 1 — when the portal was nominally supposed to launch but did not — illustrates what the alternative looks like. A portal that goes live under peak load without adequate preparation faces the risk of:

Any of these outcomes for CBSE would have had real consequences: students who could not submit revaluation applications by the deadline would lose access to a process that could change their board marks and therefore their admissions options.

Implications for University Examination Portals

Most Indian universities and exam boards running their own digital examination infrastructure face a smaller but structurally identical problem. A result portal, a revaluation application system, or an admit card download system must serve the board's entire student population within a compressed window. The load profile is spiky and predictable. The stakes are high.

Several operational principles emerge from the CBSE experience:

Do not announce a launch date without a signed-off load test result. CBSE's May 28 launch date was announced before the portal was ready. This created unnecessary public controversy and pressure. A launch date should be announced only after load testing has confirmed the system can handle peak concurrent users.

Budget for cloud infrastructure, not fixed hardware. Fixed on-premises server capacity sized for average load will fail under peak conditions. Cloud infrastructure that can scale horizontally in response to demand is appropriate for examination portals. The additional cost during the launch window is trivial relative to the consequences of failure.

Run a security audit before every examination launch, not annually. Vulnerabilities are introduced with every code change. An audit run months before a portal launch may not reflect the application as it stands on launch day. Security audits and penetration tests should be run against the final pre-production build.

Establish an incident response procedure. CBSE's ability to characterise the attack in real time suggests an operations team was monitoring actively during the launch. Universities should have equivalent procedures: who is on call during a major portal launch, what actions they are authorised to take, and how they communicate with the communications team that will face questions from students and media.

Conclusion

The CBSE revaluation portal story from June 2, 2026 is unusual in a landscape where digital examination infrastructure failures have dominated education news this year. Most of the infrastructure stories from 2026 are failure stories: NEET's paper leak, CUET's TCS server crash, CBSE's own OSM technical difficulties earlier in the cycle.

The June 2 revaluation portal is a success story. The portal survived an attack that would have taken down an unprepared system. Over 16,000 students submitted applications on launch day. The revaluation process moved forward.

That outcome required the decision to delay the May 28 launch, absorb the resulting criticism, and use the time to prepare properly. For institutions managing their own examination infrastructure, that discipline — launching when ready rather than when announced — is one of the more important lessons of the 2026 cycle.

---

Related Reading