"patch, mitigate, or remove exposure within 12 hours where feasible." — CERT-In
CERT-In's half-day rule for internet-facing and "crown jewel" systems
India's Computer Emergency Response Team (CERT-In) has issued a new guidance that instructs defenders to "patch, mitigate, or remove exposure within 12 hours where feasible" for vulnerabilities that both affect internet-facing or "crown jewel" systems and are known to be exploited. The half-day window applies only to that subset of flaws: for other problems — including a critical vulnerability scored CVSS 9.0 or higher that affects an internal system, or a known exploited bug in an internal system — CERT-In recommends a 24-hour window.
The guidance is part of a broader new guide released this week intended to help information-security professionals respond to what CERT-In calls an accelerating, AI-driven cyber threat landscape.
Agentic AI, frontier models, and the rationale CERT-In gives
CERT-In frames the shorter timelines around the influence of AI on attackers' workflows. Its report states, "AI-assisted cyber exploitation reduces the time required for adversaries to identify, weaponize, and exploit vulnerabilities, exposed services, weak identities, insecure APIs, and misconfigured systems." The document warns that as organizations rely more on interconnected infrastructure, cloud ecosystems, software supply chains, operational technologies, and AI-enabled platforms, "the potential impact of AI-enabled cyber threats continues to increase across sectors."
The guide singles out agentic AI as a core concern: consumer-grade tools like OpenClaw have lowered the barrier for non-technical users to experiment with autonomous agents, and CERT-In says agentic systems can be given permissions to make significant system changes while sometimes behaving unexpectedly. CERT-In also cites the launches of frontier models such as Anthropic's Mythos and OpenAI's GPT-5.5 as capabilities that "threaten to empower attackers further with capabilities to uncover and exploit critical vulnerabilities at pace."
Why the 12-hour target will feel like a sprint
Any practitioner will recognize the gap between issuing a patch and safely deploying it. CERT-In's clock does not erase the practical work of testing, managing downtime, and ensuring updates do not break dependent systems. The guide acknowledges that problem space implicitly by differentiating internet-facing/high-value systems from internal assets.
The Register assembled context for the feasibility question: Microsoft's patching headaches are cited as an example of how updates can cause disruption, and CISA's Known Exploited Vulnerabilities (KEV) catalog provides a useful comparator — but for federal agencies only. The KEV deadlines are typically set at two to three weeks, "or a number of days for the most serious vulnerabilities," a contrast CERT-In's 12-hour target compresses dramatically.
Practitioners' perspective — Huntress and the role of temporary mitigations
Security professionals contacted by The Register told the paper that a strict 12-hour full-patch expectation is often unrealistic, but they praised CERT-In's emphasis on containment. Dray Agha, senior manager of security operations at Huntress, characterized the recommendation as "solid advice, largely because of the caveat that it doesn’t necessitate a full patch within that time."
Agha recommended the specific tactics CERT-In highlights: "By explicitly encouraging temporary mitigations, such as isolation, access restriction, or disablement until a patch is ready, this turns the patching deadline into a highly feasible and necessary containment strategy," he told The Register. He noted that Huntress advises its community to deploy temporary mitigations "to 'get them out of trouble' as soon as humanly possible," then follow with a coordinated patching plan that respects business operations.
Agha added that AI-assisted attacks are seen "every day in the wild," compressing exploitation timeframes. "Defenders must fundamentally reshape their operations to focus on quicker mitigations – prior to AI, at Huntress, we have seen vulnerabilities exploited within a handful of hours, let alone a full 12 hours," he said. He framed the 12-hour guideline as a nudge toward a continuous defensive posture and broader enterprise participation: "this will involve the enterprise functions of the business being a part of the security posture – not just IT, thank you very much – as the consequences of AI-driven exploitation mean faster, higher impact cascading negatives on a targeted business; much better to proactively defend than reactively recover."
What this means for technologists, policymakers, and affected enterprises
- Technologists and security teams: Expect an increased emphasis on rapid containment tooling and playbooks that allow isolation, access restriction, and service disablement in hours rather than days. Automation and validated rollback processes will be practical priorities if teams are to meet CERT-In's suggested timelines.
- Policymakers and regulators: CERT-In's guidance reframes acceptable response windows in the face of AI-assisted exploitation; comparisons to CISA's KEV — where deadlines are usually weeks — highlight differing expectations that may influence future policy conversations about mandated patch timelines.
- Affected enterprises and procurement leaders: The guide signals a need to factor resilience into purchasing and operations. Supply-chain interdependencies are explicitly cited as a route to cascading damage, meaning procurement and architecture choices that reduce blast radius and simplify mitigations will be more valuable.
CERT-In's 12-hour clock reads less like a fixed deadline than a drill-bit: a calibrated push to rework vulnerability management for an environment in which attackers can weaponize AI at speed. Whether organizations adjust processes, invest in rapid containment, or continue to rely on longer testing cycles will determine how often that half-day warning turns into an emergency weekend of firefighting.
Source: The Register — India's CERT-In guidance (May 27, 2026)




