GBHackers

CERT-In Mandates 12-Hour Patch Deadline for Internet-Facing Vulnerabilities


India’s national cyber security agency CERT-In has issued a new blueprint that tells organizations to fix critical vulnerabilities in internet‑facing and “crown‑jewel” systems within 12 hours of discovery, as AI‑driven attackers slash exploitation timelines.

The guidance marks one of India’s most aggressive expectations yet on patching speed for exposed infrastructure.

CERT-In’s 38‑page document, titled “Blueprint for Reducing Exposure and Defending against AI‑Assisted Vulnerabilities Exploitation in Digital Infrastructure,” warns that generative AI, large language models and autonomous agents are radically changing how fast attackers can find and weaponise bugs.

Adversaries are already using AI to automate reconnaissance, map attack surfaces, generate exploits, craft convincing phishing lures and adapt malware to evade detection.

As a result, vulnerabilities in public‑facing systems, weak identities, insecure APIs and misconfigurations can be discovered and exploited far more quickly than traditional security programmes expect.

The blueprint stresses that in an AI‑driven threat landscape “exploitation timelines are reducing significantly,” making slow, periodic patch cycles a major systemic risk for Indian organisations.

CERT-In highlights the danger to vital sectors such as government, finance, telecom, digital public infrastructure, healthcare and energy, where successful exploitation could trigger operational disruption and national‑security level consequences.

CERT-In Mandates 12-Hour Patch

To counter this acceleration, CERT-In has published risk‑based remediation timelines that sharply compress how long vulnerabilities should remain open, especially on the public edge.

For “known exploited vulnerabilities” affecting internet‑facing and crown‑jewel systems, organisations are told to immediately contain the issue and then patch, mitigate or remove the exposure “within 12 hours where feasible.”

Critical externally exposed vulnerabilities should be addressed within one day, while known exploited bugs on internal systems also carry a one‑day deadline unless strong compensating controls are in place.

The blueprint further recommends remediating critical internal vulnerabilities on high‑value systems within three days, and other high‑severity issues within five days based on risk priority.

Where no vendor patch exists, entities are expected to isolate affected services, tighten access controls, deploy WAF or API protections, and increase monitoring until a fix becomes available.

CERT-In’s guidance goes beyond patching SLAs and calls for continuous exposure management across cloud, APIs, AI systems and third‑party dependencies. Key defensive principles include Zero Trust, assume‑breach design, defence‑in‑depth, strong identity governance, and continuous validation of security controls using red teaming and adversarial testing.

Organisations are urged to modernise security operations centres with behaviour‑based analytics, threat hunting and AI‑assisted defensive tooling, while maintaining human oversight for high‑impact actions.

The document also introduces a three‑phase roadmap: immediate risk reduction in the first 0–7 days focused on governance, internet‑facing assets and rapid patching; operational strengthening over days 8–30 to improve monitoring, AI governance and supply‑chain assurance; and advanced resilience over days 31–60 emphasising automation‑assisted defence and continuous control validation.

Entities are reminded to report cyber incidents to CERT-In within six hours under existing directions, and to participate in national cyber drills and AI‑focused exercises to test readiness.
