Skip to main content
CybersecurityVulnerability Management

India's CERT-In Mandates Swift Patching for Exposed Flaws

IT staff members in a server room look at a laptop with urgency, surrounded by rows of servers and racks near a large window.

CERT-In has set an "indicative 12-hour expectation" for containing or remediating known exploited vulnerabilities affecting internet-facing and crown-jewel systems, a deadline the agency published on May 25 in response to what it describes as AI-driven acceleration of cyber-attacks.

CERT-In's new timing framework: 12 hours, then a tiered schedule

The Indian Computer Emergency Response Team (CERT-In) advised organisations to treat actively exploited internet-facing flaws as matters for near-immediate action, mapping a set of time expectations that compress traditional patch windows. The guidance sets a 12-hour indicative expectation for known exploited vulnerabilities (KEVs) on "internet-facing and crown-jewel systems." It then lays out subsequent tiers: one day for critical externally exposed flaws; three days for critical internal vulnerabilities on high-value systems; and five days for high-severity issues.

CERT-In explicitly described these timelines as "indicative expectations" to be applied according to operational criticality and threat exposure rather than as binding mandates.

Why the clock is shortening: generative AI, LLMs and autonomous agents

The document traces the compression of attacker timelines to advances in AI. According to the guidance, "generative AI, large language models (LLMs) and autonomous agents" are accelerating reconnaissance, vulnerability discovery, phishing and malware development. CERT-In framed the 12-hour expectation as a response to attackers using AI to narrow the interval between vulnerability discovery and exploitation, shrinking the window defenders traditionally had to patch or mitigate.

Prioritisation: KEV catalogue and EPSS over severity scores

CERT-In advised organisations to prioritise response by reference to the KEV catalogue and the Exploit Prediction Scoring System (EPSS) rather than relying on severity scores alone. The agency recommended that defenders use these threat- and exploit-focused tools to determine which flaws merit the shortest remediation windows.

Where a vendor fix is not yet available, CERT-In advised interim mitigations including isolation, access restriction or web application firewall protection until a patch is released.

Securing AI deployments, supply-chain assurance and phased implementation

Beyond patching, the blueprint presents a broader security architecture that spans governance, zero-trust architecture, AI-aware security operations and supply-chain assurances through software and AI bills of materials (BOMs). The guidance devotes particular attention to securing organisations' own AI deployments, citing risks such as prompt injection, model theft, training-data poisoning and the governance of autonomous agents with limited human oversight.

CERT-In urged entities to roll out the recommendations in three phases: an immediate 0–7-day push focused on governance, exposure reduction and multi-factor authentication (MFA); a subsequent phase of operational strengthening; and a later phase emphasizing red teaming and adversarial AI testing.

What this means for technologists, policymakers, and affected enterprises

  • Technologists and security teams: will need to shorten patch management cycles and build workflows that can meet sub-24-hour remediation expectations for externally exposed KEVs, and to implement interim controls such as isolation or WAF rules when patches are unavailable.
  • Policymakers and regulators: will see CERT-In reinforcing a threat-driven prioritisation model—using KEV catalogues and EPSS—and reiterating the existing rule that requires entities to report cyber incidents to CERT-In within six hours of detection (a requirement in force since 2022).
  • Affected enterprises and procurement leaders: are directed to integrate AI-aware supply-chain measures like software and AI BOMs and to phase in governance and MFA within the first week, ahead of deeper operational testing and red teaming.

The guidance stops short of legally binding deadlines, preferring an approach calibrated to "operational criticality and threat exposure," yet it tightens expectations in practical terms. It also reaffirms a six-hour incident reporting obligation that has been on the books since 2022, underscoring the regulator's continued emphasis on rapid notification as part of incident response.

Whether organisations can consistently meet a 12-hour containment expectation will depend on patch availability, automated deployment capability, and the speed of human decision-making in triage and interim mitigation. CERT-In's blueprint makes clear its view that AI has changed the tempo of offensive operations; the document's mix of compressed timelines, prioritisation by exploit likelihood, and explicit AI-security controls signals an administrative effort to force defenders' processes up to that new tempo.

Original story