India’s cyber agency CERT-In has issued one of its toughest cybersecurity directives yet: critical internet-facing vulnerabilities now need to be patched within 12 hours where feasible. And the reason behind the urgency is simple, AI is making cyberattacks faster than humans can respond.
For years, companies treated patching like maintenance work.
Scheduling the update, testing compatibility, and rolling it out next week.
CERT-In just signaled that mindset may no longer survive the AI era.
In a newly released cybersecurity blueprint, India’s national incident response agency warned that attackers are increasingly using generative AI, large language models, and autonomous tools to automate everything from vulnerability discovery to exploit creation. What once took hackers days, or even weeks, can now happen in hours.
And that changes the entire rhythm of cybersecurity. CERT-In’s new framework reportedly sets aggressive remediation expectations:
- 12 hours for actively exploited internet-facing vulnerabilities
- 24 hours for other critical external vulnerabilities
- 3 days for critical internal vulnerabilities
- 5 days for high-severity flaws below critical level
While the agency framed these timelines as operational expectations “where feasible” rather than rigid legal mandates, the signal to industry is unmistakable: attackers are no longer waiting for maintenance windows.
That may sound aggressive, because it is.
Most enterprises still operate on patch cycles measured in days or weeks. Large organizations often delay updates deliberately to avoid breaking production systems. But CERT-In’s message is clear: in the age of AI-assisted attacks, slow remediation is becoming a security risk of its own.
And the reason is AI.
The agency warned that AI-assisted attacks are compressing the “disclosure-to-exploitation” timeline dramatically. Threat actors can now use AI tools to scan exposed infrastructure, identify weak points, generate exploit code, automate phishing campaigns, and chain vulnerabilities together at machine speed.
But the warning goes beyond exploit generation alone. The blueprint also highlights risks around prompt injection, insecure AI integrations, model manipulation, autonomous attack agents, and sensitive data leakage through public AI platforms, signaling that AI itself is becoming a new attack surface organizations need to secure.
In other words, the internet is starting to move faster than traditional defense models were designed for. CERT-In’s blueprint doesn’t stop at patching either. It pushes organizations toward continuous exposure management, real-time attack surface monitoring, AI-assisted security operations, zero-trust architectures, micro-segmentation, and stronger identity protections like MFA and least-privilege access.
And honestly, the tone of the guidance feels different from older cybersecurity advisories. This isn’t just about compliance anymore. It reads more like a warning that the rules of cyber defense are changing in real time.
Because AI isn’t only helping defenders. It’s helping attackers scale, too. One compromised vulnerability can now be weaponized globally before many organizations even finish reading the advisory email about it. That’s the reality CERT-In appears to be preparing companies for.
The operational challenge is real. Patch too slowly and attackers win the race; patch too quickly, and organizations risk disrupting production systems. For many enterprises and MSMEs, the issue is no longer awareness, it’s whether security teams realistically have the tooling, automation, and staffing required to operate at this speed.
CERT-In also acknowledged that immediate patching may not always be possible, recommending compensating controls like network isolation, access restrictions, web application firewalls, and containment measures to reduce exposure until fixes can be deployed.
Caught feelings for cybersecurity? It’s okay, it happens. Follow us on LinkedIn and Instagram to keep the spark alive.
