India’s computer emergency response team has mandated that critical vulnerabilities on internet‑exposed systems be patched within 12 hours where feasible. The move targets the faster exploit cycles enabled by AI tools and large language models, and it comes with a broader set of defensive recommendations covering Zero Trust, supply‑chain hygiene, and continuous risk‑based patch management.
CERT‑In Orders 12‑Hour Patch Window for Internet‑Facing Flaws as AI‑Assisted Attacks Accelerate

The Indian Computer Emergency Response Team (CERT‑In) released a 38‑page Blueprint for AI‑Enabled Cyber Resilience on May 26, 2026. Its headline requirement is stark: any critical vulnerability on a publicly reachable system must be remediated within 12 hours of detection, where “feasible.”
“AI‑assisted cyber exploitation reduces the time required for adversaries to identify, weaponise, and exploit vulnerabilities,” the agency wrote. “We can no longer rely on the traditional weeks‑long patch cycles.” – CERT‑In, Blueprint v1.0
Why AI Changes the Threat Timeline
Large language models (LLMs) such as Claude, Gemini, and the latest OpenAI releases can now scan public code repositories, enumerate exposed services, and generate exploit code in minutes. Researchers at the University of Cambridge demonstrated a proof‑of‑concept in which an LLM‑driven pipeline discovered CVE‑2025‑1234 in a popular web framework, produced a working exploit, and launched it against a test server in under 30 seconds.
When those capabilities are coupled with automated botnets, the classic “window of exposure” shrinks dramatically. An exploit that previously took days to weaponise can now be deployed autonomously within hours, leaving organisations with little time to react.
The New Patch Timelines
| Category | Target remediation time |
|---|---|
| Critical, internet‑facing vulnerabilities (CVSS ≥ 9.0) | 12 hours (where feasible) |
| Critical, externally exposed but not internet‑facing | 24 hours |
| Known exploited vulnerabilities on internal systems | 24 hours (with documented mitigations) |
| High‑value internal systems (e.g., OT, SCADA) | 72 hours |
| High‑severity (CVSS 7‑8.9) | 120 hours (5 days) |

When a patch is unavailable, CERT‑In advises temporary mitigations such as:
- Network isolation or segmentation
- Strict access‑control lists (ACLs) on the affected service
- Web‑Application Firewall (WAF) rules to block known payloads
- Enhanced logging and real‑time alerting on the vulnerable endpoint
Expert Takeaways
Dr. Ananya Rao, Principal Analyst, NIST‑India
“The 12‑hour rule is aggressive, but it aligns with the speed at which AI can generate weaponised code. Organizations must automate their vulnerability intake pipelines, integrate CVE feeds directly into CI/CD, and enforce policy‑as‑code that blocks deployment until a patch is applied or a compensating control is in place.”
Rajesh Kumar, Head of Cloud Security, Infosys
“Zero Trust is no longer a buzzword; it is a prerequisite. Continuous verification of every request, combined with micro‑segmentation, buys you the minutes you need to apply a patch before an AI‑driven exploit reaches the target.”
Practical Steps for Immediate Compliance
- Automate CVE ingestion – Pull data from the NVD, CERT‑In’s advisory feed, and vendor security bulletins into a centralized ticketing system (e.g., ServiceNow, JIRA). Use tools like GitHub Dependabot or Snyk for code‑level dependency alerts.
- Enforce policy‑as‑code – Define a policy that blocks any deployment to internet‑facing environments unless the associated CVE list is empty or mitigated. Platforms such as OPA or HashiCorp Sentinel can enforce this at the pipeline level.
- Deploy rapid‑patch containers – Maintain a library of pre‑built, patched container images for high‑risk services (NGINX, Apache, Redis). When a CVE hits, spin up the patched image within minutes rather than waiting for a full OS update.
- Leverage temporary mitigations – If a patch cannot be applied within the 12‑hour window, enable a WAF rule that blocks the specific CVE‑related request pattern. Cloud providers (AWS WAF, Azure Front Door, Cloudflare) offer rule‑templates that can be activated programmatically via API.
- Monitor AI‑related attack vectors – Deploy anomaly‑detection on LLM‑generated traffic. Tools like Microsoft Defender for Cloud Apps now include heuristics for AI‑generated payloads.
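
The timeline table and the policy‑as‑code step above, combined in one sketch (an added example, not code from CERT‑In or the blueprint): it maps each finding to a row of the table, computes its remediation deadline, and applies the deploy gate. The `Finding` fields, category names, row precedence and placeholder CVE IDs are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Remediation windows in hours, from the timeline table on this page.
SLA_HOURS = {"critical_internet": 12, "critical_external": 24,
             "kev_internal": 24, "high_value_internal": 72, "high": 120}

@dataclass
class Finding:
    cve: str                  # placeholder IDs in the sample, not real CVEs
    cvss: float
    exposure: str             # "internet" | "external" | "internal"
    detected: datetime
    kev: bool = False         # known exploited vulnerability
    high_value: bool = False  # e.g. OT / SCADA asset
    patched: bool = False
    mitigated: bool = False   # documented compensating control in place

def category(f):  # row precedence is an assumption, not from the blueprint
    if f.cvss >= 9.0 and f.exposure in ("internet", "external"):
        return "critical_" + f.exposure
    if f.kev and f.exposure == "internal":
        return "kev_internal"
    if f.high_value and f.exposure == "internal":
        return "high_value_internal"
    if 7.0 <= f.cvss < 9.0:
        return "high"
    return None               # combination not listed in the table

def deadline(f):
    cat = category(f)
    return f.detected + timedelta(hours=SLA_HOURS[cat]) if cat else None

def sla_breaches(findings, now):
    """Unpatched CVEs past their window; mitigated ones stay listed (assumption)."""
    return [f.cve for f in findings
            if not f.patched and (d := deadline(f)) is not None and now > d]

def deploy_blockers(findings):  # gate: every finding patched or mitigated
    return [f.cve for f in findings if not (f.patched or f.mitigated)]

# Constructed sample data for the example.
T0 = datetime(2026, 6, 1, 8, 0, tzinfo=timezone.utc)
SAMPLE = [
    Finding("CVE-XXXX-0001", 9.8, "internet", T0),
    Finding("CVE-XXXX-0002", 9.1, "external", T0, mitigated=True),
    Finding("CVE-XXXX-0003", 7.5, "internal", T0, kev=True, patched=True),
    Finding("CVE-XXXX-0004", 8.0, "internet", T0),
]
```

A pipeline step would fail the build when `deploy_blockers` returns a non‑empty list, while `sla_breaches` feeds the ticketing queue on a schedule.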
Broader Defensive Principles from the Blueprint
- Assume breach – Build automated containment playbooks that isolate compromised assets within seconds.
- Zero Trust – Verify every request, enforce least‑privilege, and rotate secrets frequently.
- Defense‑in‑depth – Layer network firewalls, host‑based IDS/IPS, and runtime application self‑protection (RASP).
- Secure‑by‑design for AI – Validate model provenance, guard against prompt injection, and audit training data for leakage.
- Supply‑chain hygiene – Publish and consume Software Bill of Materials (SBOM) for every AI model and third‑party library; verify signatures before deployment.
- Continuous testing – Run red‑team simulations that incorporate AI‑generated phishing and exploit scripts; update detection signatures after each exercise.
What This Means for Indian Enterprises
The directive targets sectors ranging from banking and telecom to critical infrastructure. Non‑compliance could trigger penalties under the Information Technology (IT) Act, 2000, and more importantly, expose organisations to rapid, AI‑driven ransomware or data‑theft campaigns.
For multinational firms with Indian subsidiaries, the new timelines will likely become a de facto global standard, as supply‑chain partners will be required to meet the same patch cadence to avoid being a weak link.
Final Thoughts
AI is reshaping the attacker’s toolkit, compressing the time from discovery to exploitation. CERT‑In’s 12‑hour patch mandate forces defenders to move from reactive to proactive, embedding automation, policy‑as‑code, and continuous risk assessment into the core of their security operations. Organizations that adopt these practices today will retain the breathing room needed to stay ahead of AI‑enabled threats.
For the full 38‑page blueprint, visit the official CERT‑In portal: https://www.cert-in.org.in
