"AI-assisted cyber exploitation reduces the time required for adversaries to identify, weaponize, and exploit vulnerabilities, exposed services, weak identities, insecure APIs, and misconfigured systems," CERT-In warned in a 38-page blueprint published Monday.
CERT-In's 12-hour patching requirement for internet-facing flaws
The Indian Computer Emergency Response Team (CERT-In) has instructed organisations to remediate known exploited vulnerabilities affecting internet-facing and critical systems within 12 hours "where applicable" and "feasible." The guidance is part of a longer blueprint that ties accelerated remediation timelines to the agency's assessment that threat actors are increasingly using artificial intelligence (AI) and large language models (LLMs) to automate vulnerability discovery and exploitation.
CERT-In frames the 12‑hour expectation as one element of "continuous, risk-based vulnerability and patch management practices" intended to reduce exposure from security flaws, misconfigurations, insecure APIs, publicly accessible services, and weak identities.
AI-assisted exploitation: how CERT-In frames the risk
The blueprint warns that AI tools compress traditional attack timelines. According to CERT-In, threat actors are beginning to rely on AI for tasks including attack surface discovery, exploit analysis, convincing phishing content, and even malware generation, enabling them to "significantly compress attack preparation timelines and bypass traditional security controls."
CERT-In also notes that AI-enabled systems themselves may be targeted through techniques such as prompt injections, data leakage vulnerabilities, jailbreaking, model manipulation, training data poisoning, model theft, and orchestration pipeline compromises — all risks the agency says can "undermine their confidentiality and integrity."
Defensive principles and controls CERT-In prescribes
To counter what it calls collapsing exploitation timelines and increasingly autonomous attacks, CERT-In lists a set of defensive principles organisations should adopt. Excerpts from the blueprint include:
- Assume breach and prepare for rapid detection, containment, and recovery from compromise scenarios.
- Adopt a Zero Trust approach by enforcing continuous verification and least-privilege access.
- Implement a defense-in-depth strategy with layered controls across infrastructure.
- Monitor and reduce exposure to security vulnerabilities.
- Embed a secure-by-design paradigm into systems, applications, and AI workflows.
- Maintain operational continuity during cyber incidents and disruption scenarios.
- Safeguard sensitive and operationally critical data throughout its lifecycle.
- Reduce software supply chain risks from third-party software, AI models, and dependencies using SBOM, provenance validation, and assessments.
- Test security effectiveness through red teaming, vulnerability assessments, penetration testing, and independent audits.
- Prioritise controls based on operational criticality and threat exposure, and establish formal governance regarding AI systems.
- Maintain visibility into AI systems, integrations, and operational behavior.
CERT-In emphasises that controls should "prioritise protection of internet-facing systems, critical business applications, identities, cloud environments, APIs, sensitive data, AI-enabled systems, and operational infrastructure."
Remediation windows and temporary mitigations
The blueprint sets out a set of risk‑based remediation timeframes beyond the 12‑hour instruction for exploitable internet-facing flaws. The agency lists these targets:
- Critical externally exposed vulnerabilities: Within 1 day
- Known exploited vulnerabilities affecting internal systems: Within 1 day unless other mitigations are implemented and documented
- Critical internal vulnerabilities affecting high-value systems: Within 3 days
- High-severity vulnerabilities: Within 5 days based on risk prioritisation
Where patches are not yet available, CERT-In advises implementing temporary mitigations such as isolation, access restriction, WAF/API protection, enhanced monitoring, or disabling features until a fix is released.
What this means for technologists, policymakers, and enterprises
Technologists and security teams should expect a sharper operational emphasis on rapid patching, continuous exposure monitoring, and measures that preserve visibility into AI integrations — from SBOMs and provenance checks to red-teaming AI workflows. CERT-In explicitly recommends "continuous, risk-based vulnerability and patch management practices" and maintaining visibility into AI systems.
Policymakers and regulators are presented with a linkage between AI advances and cyber risk: the blueprint arrived a month after CERT-In issued an advisory about the growing cyber capabilities of frontier models from Anthropic and OpenAI, warning that their "dual-use nature" could lower the barrier to malicious cyber activity. The agency calls for formal governance mechanisms around AI use and ongoing validation of security controls.
Affected enterprises and procurement leaders are asked to prioritise internet-facing and critical applications for protection, follow the specified remediation windows, and adopt temporary mitigations when fixes are unavailable. The blueprint also highlights supply-chain measures — SBOMs, provenance validation, and assessments — to reduce risk from third-party software and AI dependencies.
CERT-In's message is direct: as AI accelerates attackers' ability to find and weaponise flaws, baseline cybersecurity controls must be enforced, and organisations must shift to continuous, risk-based practices for patching, governance, and exposure reduction. The agency concludes by urging ongoing audits, monitoring, testing, and coordinated cybersecurity governance to strengthen resilience in the face of evolving AI-assisted threats.
