3 Sources
[1]
India's cyber agency sets clock at 12 hours to tackle exploited bugs as AI turns up the heat
India's Computer Emergency Response Team (CERT-In) says defenders should endeavor to patch or mitigate exploited n-day vulnerabilities within 12 hours as the cybercrime landscape continues its AI-ification. The organization's recommended half-day window applies only to bugs that affect internet-facing or "crown jewel" systems and are known to be exploited. In these cases, CERT-In told defenders to "patch, mitigate, or remove exposure within 12 hours where feasible." For other flaws, such as a standard critical vulnerability (CVSS 9.0 or higher) affecting an internal system, or a known exploited bug affecting an internal system, defenders can enjoy a much more leisurely 24-hour window. The revised suggestions come as part of a new guide released by CERT-In this week to help infosec pros better protect against AI-assisted cyberattacks. "AI-assisted cyber exploitation reduces the time required for adversaries to identify, weaponize, and exploit vulnerabilities, exposed services, weak identities, insecure APIs, and misconfigured systems," CERT-In's report reads. "As organizations become increasingly dependent on interconnected digital infrastructure, cloud ecosystems, software supply chains, operational technologies, and AI-enabled platforms, the potential impact of AI-enabled cyber threats continues to increase across sectors." CERT-In's report follows a trail of news stories in 2026 that all suggest AI is becoming an increasingly important part of cybersecurity for both attackers and defenders. The field of agentic AI has especially matured rapidly in the past year. Consumer-grade tools like OpenClaw have made it easier for non-technical users to experiment with autonomous tech, raising its profile and awareness of its capabilities. Agents are equipped with all the necessary permissions to make significant system changes, but as global intelligence agencies recently highlighted, their behavior can at times be unexpected, and they're also prone to mischief.
Security pros are starting to see the potential for AI agents in their workflows, but for attackers, the technology represents an opportunity to hasten all parts of their process, from recon and exploitation to privilege escalation and data theft. CERT-In cited agentic AI as one of the core concerns behind the report's recommendations, and because of the disparate supply chains on which organizations are increasingly reliant, any vulnerability can lead to cascading damage on interconnected systems. Beyond agentic AI, the launches of frontier models such as Anthropic's Mythos and OpenAI's GPT-5.5, two certified cyber workhorses, threaten to empower attackers further with capabilities to uncover and exploit critical vulnerabilities at pace. Any cybersecurity practitioner will attest to the onerous nature of the patching process, and how it's not as easy as clicking "Update," which is why a 12-hour patch window might seem initially unrealistic to some. Urgent warnings and demands for immediate patching are routinely delivered alongside critical vulnerability disclosures, but these fail to account for the downtime required to apply patches, or the testing required to prove that by applying them, everything else won't break. Microsoft has had its fair share of these cases, for example, and many readers will have borne the brunt. CISA's Known Exploited Vulnerabilities catalog is another prominent resource that sets patching deadlines, albeit only for federal agencies, but these are typically set at two to three weeks, or a number of days for the most serious vulnerabilities. The cybersecurity pros who spoke to The Register, weighing in on the CERT-In recommendations, agreed that 12 hours is far too short a window to properly test and deploy a patch, although they said the organization was on to something with its approach. 
Dray Agha, senior manager of security operations at Huntress, said that CERT-In's recommendation to "patch, mitigate, or remove exposure within 12 hours where feasible" was solid advice, largely because of the caveat that it doesn't necessitate a full patch within that time. "By explicitly encouraging temporary mitigations, such as isolation, access restriction, or disablement until a patch is ready, this turns the patching deadline into a highly feasible and necessary containment strategy," Agha told The Register. "And this corroborates the guidance we dispense at Huntress for critical threats: we often advise our community to deploy temporary mitigations to 'get them out of trouble' as soon as humanly possible, and then come up with a more coordinated strategy for patching that respects the business's need to function in its enterprises." Agha added that AI-assisted cyberattacks are seen every day in the wild, compressing the time taken to exploit vulnerabilities, meaning defenders must adapt to this new reality. In the pre-AI days, a 12-hour window to mitigate or patch a known exploited vulnerability was seen as excessively tight, but increased availability of advanced tooling and automation is reshaping the demands of vulnerability management. "Defenders must fundamentally reshape their operations to focus on quicker mitigations - prior to AI, at Huntress, we have seen vulnerabilities exploited within a handful of hours, let alone a full 12 hours," said Agha. He said the 12-hour guideline is less about an arbitrary clock, more about "forcing a necessary readjustment in how organizations drive their security approaches to be beyond compliance and move to a continuous defensive posture. 
"And this will involve the enterprise functions of the business being a part of the security posture - not just IT, thank you very much - as the consequences of AI-driven exploitation mean faster, higher impact cascading negatives on a targeted business; much better to proactively defend than reactively recover." ®
[2]
CERT-In Mandates 12-Hour Patching for Internet-Facing Flaws Amid AI-Assisted Attacks
The Indian Computer Emergency Response Team (CERT-In) has issued new guidelines requiring organizations to patch critical security vulnerabilities in internet-exposed systems within 12 hours of being flagged where "feasible" to safeguard against potential threats stemming from threat actors' abuse of artificial intelligence (AI) tools and large language models (LLMs) to automate vulnerability discovery and exploitation, and enhance the scale and velocity of cyber attacks. "AI-assisted cyber exploitation reduces the time required for adversaries to identify, weaponize, and exploit vulnerabilities, exposed services, weak identities, insecure APIs, and misconfigured systems," CERT-In said in a 38-page blueprint published Monday. "As organizations become increasingly dependent on interconnected digital infrastructure, cloud ecosystems, software supply chains, operational technologies, and AI-enabled platforms, the potential impact of AI-enabled cyber threats continues to increase across sectors." With threat actors beginning to increasingly rely on AI for a wide range of tasks, including attack surface discovery, exploit analysis, convincing phishing content, and even malware generation, they can significantly compress attack preparation timelines and bypass traditional security controls. Furthermore, AI-enabled systems may themselves become targets of malicious attacks via prompt injections, data leakage vulnerabilities, jailbreaking techniques, model manipulation, training data poisoning, model theft, and orchestration pipeline compromises, effectively undermining their confidentiality and integrity. CERT-In has warned that organizations should expect exploitation timelines to collapse significantly and attacks to become autonomous, necessitating the need for adopting heightened cybersecurity measures that involve continuous threat assessment, proactive exposure reduction, and operational preparedness. 
Some of the defensive principles outlined by the cybersecurity agency to reduce exposure and better respond to AI-assisted cyber threats are listed below - "Organizations should implement layered, risk-based, and continuously validated technical controls to reduce exposure to AI-assisted cyber threats," CERT-In said. "Controls should prioritise protection of internet-facing systems, critical business applications, identities, cloud environments, APIs, sensitive data, AI-enabled systems, and operational infrastructure." The agency is also urging organizations to embrace "continuous, risk-based vulnerability and patch management practices" to reduce exposure arising from security flaws, misconfigurations, insecure APIs, publicly-accessible services, and weak identities. To that end, known exploited vulnerabilities affecting internet-facing and critical systems should be remediated within 12 hours where applicable. Other risk-based remediation times are as follows - In scenarios where no patches are immediately available, it's advised to implement temporary mitigations such as isolation, access restriction, WAF/API protection, enhanced monitoring, or feature disablement until the fix is released. "Given the rapidly evolving nature of AI-assisted cyber threats, organisations should continuously reassess exposure, validate security controls, strengthen resilience capabilities, and enhance operational preparedness through ongoing audits, monitoring, testing, and coordinated cybersecurity governance," CERT-In said. The blueprint arrives a month after CERT-In released an advisory warning of the growing cyber capabilities of frontier AI models from Anthropic and OpenAI, stating how their "dual-use nature" could "lower the barrier to entry for malicious cyber actors and be leveraged to accelerate attack execution, automate exploitation workflows and scale cyber campaigns." 
"Keeping pace with frontier AI-driven cyber developments is critical for maintaining cyber resilience," it added. "Baseline cybersecurity controls remain critical and should be rigorously enforced."
[3]
CERT-In Mandates 12-Hour Fix Window as AI-Powered Cyber Threats Escalate
CERT-In has introduced a significantly stricter cybersecurity response framework, mandating rapid remediation timelines for critical vulnerabilities as artificial intelligence increasingly transforms the scale, speed, and sophistication of cyberattacks targeting organisations across sectors. In its latest 38-page cybersecurity framework, the agency has recommended that organisations patch critical vulnerabilities in internet-facing systems within 12 hours wherever feasible. The updated directive comes amid growing concerns that cybercriminals are increasingly leveraging AI tools, generative AI platforms, large language models (LLMs), and autonomous automation systems to accelerate cyber operations and reduce the response time available to defenders.
India's Computer Emergency Response Team has issued new guidelines requiring organizations to patch or mitigate exploited vulnerabilities in internet-facing systems within 12 hours. The directive responds to AI-assisted cyber exploitation that dramatically reduces the time threat actors need to identify, weaponize, and exploit security flaws across interconnected digital infrastructure.
India's Computer Emergency Response Team (CERT-In) has released a 38-page cybersecurity framework mandating that organizations patch, mitigate, or remove exposure to exploited internet-facing vulnerabilities within 12 hours where feasible [1][2]. The 12-hour patching requirement applies specifically to bugs affecting internet-facing or "crown jewel" systems that are known to be actively exploited. For standard critical vulnerabilities with CVSS scores of 9.0 or higher affecting internal systems, defenders have a 24-hour window [1].
The directive addresses the escalating threat of AI-powered cyberattacks that fundamentally alter the cybersecurity landscape. "AI-assisted cyber exploitation reduces the time required for adversaries to identify, weaponize, and exploit vulnerabilities, exposed services, weak identities, insecure APIs, and misconfigured systems," CERT-In stated in its report [1]. Threat actors now leverage AI tools and large language models to automate vulnerability discovery and exploitation, significantly compressing attack preparation timelines and bypassing traditional security controls [2].
The rise of agentic AI has particularly accelerated this shift. Consumer-grade tools like OpenClaw have made autonomous technology more accessible to non-technical users, while frontier AI models such as Anthropic's Mythos and OpenAI's GPT-5.5, described as "certified cyber workhorses", threaten to empower attackers with capabilities to uncover and exploit critical vulnerabilities at unprecedented pace [1].
While the 12-hour window may initially seem unrealistic given the complexities of patch testing and deployment, CERT-In's guidance includes important flexibility. The recommendation explicitly encourages temporary mitigation strategies such as isolation, access restriction, or disablement until a full patch can be properly tested and deployed [2].
Dray Agha, senior manager of security operations at Huntress, told The Register that the caveat transforms the deadline into "a highly feasible and necessary containment strategy." Agha noted that Huntress often advises deploying temporary mitigations to address critical threats immediately, then developing a coordinated patching strategy that respects business operations [1].
CERT-In's framework represents a significant departure from existing standards. CISA's Known Exploited Vulnerabilities catalog typically sets patching deadlines at two to three weeks for federal agencies, or several days for the most serious vulnerabilities [1]. The compressed timeline reflects the reality that organizations should expect exploitation timelines to collapse significantly as attacks become increasingly autonomous [2].
The agency emphasizes that organizations must implement "layered, risk-based, and continuously validated technical controls" prioritizing protection of internet-facing systems, critical business applications, identities, cloud environments, APIs, and AI-enabled systems [2]. As organizations become increasingly dependent on interconnected digital infrastructure, cloud ecosystems, software supply chains, and operational technologies, the potential impact of AI-enabled cyber threats continues to increase across sectors [3].
CERT-In also warned that AI-enabled systems themselves may become targets through prompt injections, data leakage vulnerabilities, jailbreaking techniques, model manipulation, training data poisoning, model theft, and orchestration pipeline compromises [2]. This dual threat (AI as both attack vector and target) underscores the need for continuous threat assessment, proactive exposure reduction, and operational preparedness. The blueprint follows a previous CERT-In advisory warning about the "dual-use nature" of frontier AI models from Anthropic and OpenAI, which could lower barriers for malicious cyber actors and accelerate attack execution [2]. Security professionals observe AI-assisted cyberattacks daily in the wild, with generative AI platforms and LLMs enabling threat actors to conduct reconnaissance, privilege escalation, and data theft with greater efficiency. Organizations must now continuously reassess exposure, validate security controls, and enhance resilience capabilities through ongoing audits and monitoring to maintain cyber resilience in this rapidly evolving threat environment [2].
Summarized by Navi