CERT-In Urges 12-Hour Response for Exploited Vulnerabilities as AI Speeds Up Attacks


India’s CERT-In is urging organizations to contain known exploited vulnerabilities on internet-facing and crown-jewel systems within 12 hours where feasible, as AI-assisted attacks reduce the time defenders have to respond.

The recommendation appears in CERT-In’s new Blueprint for Reducing Exposure and Defending against AI-Assisted Vulnerabilities Exploitation in Digital Infrastructure, released on May 25, 2026. The guidance warns that attackers are using generative AI, large language models, autonomous agents, and automation platforms to speed up reconnaissance, exploit development, phishing, malware creation, and attack orchestration.

The 12-hour window is not a general rule for every flaw. It applies to known exploited vulnerabilities affecting systems exposed to the internet or assets that are critical to business, government, or national infrastructure. CERT-In says organizations should act through immediate containment, patching, mitigation, or removing exposure.

What CERT-In Is Asking Organizations to Do

CERT-In’s main message is that traditional patch cycles are too slow for AI-driven exploitation. A vulnerability that once gave defenders days or weeks to react may now be scanned, analyzed, weaponized, and exploited in hours.

The agency wants organizations to move away from periodic assessments and toward continuous exposure management. That means security teams need current asset inventories, attack-surface monitoring, cloud and API assessments, exploit intelligence, and fast remediation workflows.

The guidance also places vulnerability management inside a broader security model. CERT-In calls for zero-trust controls, multi-factor authentication, privileged access management, micro-segmentation, AI-aware monitoring, incident simulations, backup testing, and stronger leadership oversight.

| Finding type | CERT-In’s recommended response window |
|---|---|
| Known exploited vulnerability affecting internet-facing and crown-jewel systems | Immediate containment, with patching, mitigation, or exposure removal within 12 hours where feasible |
| Critical externally exposed vulnerability | Patch, mitigate, or remove exposure within 1 day |
| Known exploited vulnerability affecting internal systems | Patch or mitigate within 1 day unless compensating controls are documented |
| Critical internal vulnerability affecting high-value systems | Patch or mitigate within 3 days |
| High-severity vulnerability | Patch or mitigate within 5 days based on risk prioritization |
| No patch available | Use temporary mitigation such as isolation, access restriction, WAF or API protection, enhanced monitoring, or feature disablement |

Why AI Changes the Patching Timeline

CERT-In says AI-assisted cyber exploitation can reduce the time needed to identify, weaponize, and exploit vulnerable services, weak identities, insecure APIs, cloud misconfigurations, and exposed systems.

The concern is not only faster exploit writing. AI tools can also help attackers map attack surfaces, generate targeted phishing messages, modify malware, automate scripts, impersonate executives through deepfakes, and chain several weaknesses into one intrusion path.

That is why the agency highlights government, finance, telecom, healthcare, digital public infrastructure, energy, transportation, manufacturing, and digital services as high-risk sectors. These environments rely on connected systems where one exposed weakness can create cascading damage.

The 12-Hour Window Is a Containment Target

The most practical part of the guidance is the wording. CERT-In does not say every affected organization must complete full patch testing and deployment within 12 hours in all cases. It says organizations should contain the issue and patch, mitigate, or remove exposure within that window where feasible.

That distinction matters. In complex enterprise systems, a full patch may need testing, rollback planning, and change approval. But security teams can often reduce risk faster by blocking access, disabling a vulnerable feature, isolating an asset, applying a WAF rule, restricting authentication, or removing the system from the internet.

The Register also noted this nuance in its coverage, pointing out that the half-day window applies to known exploited vulnerabilities on internet-facing or crown-jewel systems, not to every vulnerability in a large enterprise environment.

What Counts as a Crown-Jewel System

Crown-jewel systems are the assets an organization cannot afford to lose. They may include payment systems, identity platforms, customer databases, production cloud accounts, source-code repositories, operational technology, core banking systems, telecom infrastructure, and public service platforms.

CERT-In’s approach asks teams to prioritize based on exposure and business impact. A critical flaw in a public-facing authentication service should move ahead of a similar flaw on a low-risk internal test machine.

This risk-based model gives security teams a clearer queue. Instead of patching only by CVSS score, organizations should combine exploit status, internet exposure, asset importance, threat intelligence, and available mitigations.

Incident Reporting Still Has a Six-Hour Rule

The blueprint also ties rapid patching to incident response. Organizations in India should remember that CERT-In already requires covered entities to report qualifying cyber incidents within six hours of noticing them or being informed of them.

That requirement comes from CERT-In’s directions under Section 70B of the Information Technology Act. The directions apply to service providers, intermediaries, data centres, body corporates, and government organizations.

The reportable categories include unauthorized access, compromise of critical systems, malicious code attacks, data breaches, cloud-related attacks, IoT attacks, attacks on digital payment systems, and incidents affecting AI and machine learning systems.

What Security Teams Should Prioritize Now

Organizations should start by identifying internet-facing systems and crown-jewel assets. Without a current asset inventory, a 12-hour response target becomes almost impossible because teams first have to find the exposed system before they can protect it.

Next, teams should map known exploited vulnerabilities against those assets. CERT-In specifically recommends using KEV prioritization, exploitability analysis, EPSS-based likelihood assessment, threat intelligence, and business criticality when deciding what to fix first.
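The risk-based queue described here and in the section above (exploit status, exposure, asset importance, EPSS, patch availability) can be written as a small decision routine that maps each finding to the blueprint's response tier and sorts the work. This is an added example, not code from CERT-In or the blueprint; the Finding fields, the 30-day default for findings outside the published tiers, and the sample records with placeholder CVE-style IDs are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Finding:
    cve: str                # placeholder IDs below are constructed, not real CVEs
    asset: str
    severity: str           # "critical", "high", "medium" or "low"
    known_exploited: bool   # present on a KEV list
    internet_facing: bool
    crown_jewel: bool
    epss: float             # EPSS probability, used only to order within a tier
    patch_available: bool = True

def response_window(f: Finding) -> timedelta:
    """Map one finding onto the blueprint's response tiers, strictest first."""
    if f.known_exploited and (f.internet_facing or f.crown_jewel):
        return timedelta(hours=12)   # contain now; patch, mitigate or remove exposure
    if f.severity == "critical" and f.internet_facing:
        return timedelta(days=1)
    if f.known_exploited:            # internal system, no documented compensating control
        return timedelta(days=1)
    if f.severity == "critical" and f.crown_jewel:
        return timedelta(days=3)
    if f.severity == "high":
        return timedelta(days=5)
    return timedelta(days=30)        # assumed routine cycle; not set by CERT-In

def required_action(f: Finding) -> str:
    if f.patch_available:
        return "patch"
    return "mitigate: isolate, restrict access, WAF/API protection, monitor, disable feature"

def build_queue(findings, discovered: datetime):
    """Order by deadline, then EPSS, then crown-jewel status; never by CVSS alone."""
    rows = [(discovered + response_window(f), f) for f in findings]
    rows.sort(key=lambda r: (r[0], -r[1].epss, not r[1].crown_jewel))
    return [(f.cve, f.asset, deadline, required_action(f)) for deadline, f in rows]

SAMPLE = [  # constructed sample findings; the CVE-style IDs are placeholders
    Finding("CVE-0000-0001", "vpn-gateway", "high", True, True, False, 0.92, False),
    Finding("CVE-0000-0002", "payroll-db", "critical", False, False, True, 0.10),
    Finding("CVE-0000-0003", "web-portal", "critical", False, True, False, 0.40),
    Finding("CVE-0000-0004", "test-box", "high", False, False, False, 0.05),
]
FOUND_AT = datetime(2026, 6, 1, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for cve, asset, deadline, action in build_queue(SAMPLE, FOUND_AT):
        print(f"{deadline:%Y-%m-%d %H:%M} {cve} {asset}: {action}")
```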

Security leaders should also pre-approve emergency containment options. The time to decide whether a vulnerable system can be isolated should not be during an active exploitation wave.

  • Identify all internet-facing assets, APIs, cloud services, VPNs, firewalls, and identity portals.
  • Classify crown-jewel systems and assign clear owners.
  • Map known exploited vulnerabilities to exposed and high-value systems.
  • Prepare emergency firewall, WAF, API gateway, and access-restriction playbooks.
  • Require MFA for privileged and remote access.
  • Use micro-segmentation to reduce lateral movement from exposed systems.
  • Feed endpoint, cloud, identity, firewall, and VPN logs into a central monitoring process.
  • Test backup restoration and incident response procedures before a crisis.

Why Periodic Audits Are No Longer Enough

Many organizations still depend on quarterly scans, annual audits, and slow remediation cycles. CERT-In’s new guidance says that model cannot keep up when attackers use automation to find and exploit weak points continuously.

The blueprint recommends continuous monitoring and AI-aware security operations. That includes telemetry correlation, behavioral analytics, threat hunting, detection engineering, automated triage, and human oversight for high-impact response decisions.

It also encourages organizations to train employees for AI-enabled phishing and deepfake impersonation. This matters because attackers can now create more convincing messages, fake voices, and synthetic identities at scale.

How Companies Can Make the 12-Hour Target Realistic

For many companies, the hardest part will not be knowing what CERT-In expects. It will be building an operational process that can act fast enough.

Security teams need patch automation, tested rollback plans, clear change windows for emergency updates, and authority to isolate systems when active exploitation appears. Business teams also need to accept that temporary service disruption may sometimes be safer than leaving a known exploited system exposed.

Industry reactions reported by The Register make the same point: the 12-hour window should push organizations toward rapid containment first, followed by safer patch deployment once immediate exposure has been reduced.

What This Means for Indian Organizations

CERT-In’s guidance signals a major shift in India’s cybersecurity expectations. The focus is no longer only on compliance evidence after the fact. It is on reducing live exposure before attackers can automate exploitation at scale.

Organizations covered by CERT-In’s 2022 cyber incident reporting directions should align the new patching guidance with their existing reporting, logging, and incident escalation processes.

The practical takeaway is clear: keep asset data current, know which systems matter most, monitor for active exploitation, and make containment a same-day action. In the AI-assisted threat landscape described by the CERT-In blueprint, slow patch queues can turn an exposed system into a business-wide incident.

FAQ

Did CERT-In set a 12-hour patch deadline for all vulnerabilities?

No. CERT-In’s 12-hour expectation applies to known exploited vulnerabilities affecting internet-facing and crown-jewel systems. The guidance also allows mitigation, isolation, or removal of exposure where feasible, not only full patch deployment.

What does CERT-In mean by crown-jewel systems?

Crown-jewel systems are the most critical assets in an organization. They may include identity systems, payment platforms, customer databases, cloud control planes, operational technology, source-code systems, and services whose compromise would cause major business or public impact.

Why is CERT-In linking patching speed to AI-assisted attacks?

CERT-In says attackers are using AI to speed up reconnaissance, vulnerability discovery, exploit development, phishing, malware generation, and automated attack workflows. This reduces the time organizations have to fix exposed weaknesses.

What should organizations do if no patch is available?

CERT-In recommends temporary mitigation measures such as isolation, access restriction, WAF or API protection, enhanced monitoring, or feature disablement until a patch or full remediation becomes available.
