India’s cybersecurity agency, CERT-In, has urged organizations to patch, mitigate, or isolate known exploited vulnerabilities affecting internet-facing “crown jewel” systems within 12 hours where feasible, warning that AI-assisted attacks are dramatically compressing the time between vulnerability disclosure and exploitation.
The recommendation, part of a sweeping new CERT-In blueprint on defending against AI-assisted cyber exploitation, signals a significant escalation in expectations around enterprise vulnerability management, exposure reduction, and operational resilience.
The 38-page framework also recommends one-day remediation for critical externally exposed vulnerabilities, three days for critical internal vulnerabilities affecting high-value systems, and five days for high-severity flaws based on risk prioritization.
CERT-In said threat actors are increasingly using AI to accelerate reconnaissance, vulnerability discovery, phishing, malware generation, and automated exploitation workflows.
“Exploitation timelines are reducing significantly,” the agency warned in the advisory, adding that attacks are expected to become “increasingly autonomous.”
An operationally disruptive target
Security analysts said the headline 12-hour expectation is likely to force enterprises to rethink traditional weekly or monthly patching cycles, but cautioned that the guidance is more nuanced than a blanket patch mandate.
“The 12-hour window is the outlier, realistic only as a containment target on a narrow set of exposed assets, never as a patch-completion target across sprawling estates burdened by fragmented infrastructure, layered approvals, outsourced operations, and legacy dependency,” said Sanchit Vir Gogia, chief analyst at Greyhound Research.
Gogia said the blueprint’s tiered approach is more significant than the headline remediation clock itself because it ties response timelines to exposure and operational criticality rather than applying a uniform patching mandate across all systems.
“The five-day high-severity window is comfortable for most enterprises. The three-day critical-internal window is where the pressure actually bites,” he said, particularly in sectors such as finance, telecom, healthcare, and operational technology environments where uptime concerns complicate rapid change management.
Apeksha Kaushik, senior principal analyst at Gartner, said the biggest challenge for many organizations will not necessarily be deploying patches, but achieving the operational maturity needed for rapid exposure management.
“The primary barriers are not just technical, but operational. Most organizations lack real-time asset visibility, automated vulnerability prioritization, and cross-functional incident response playbooks,” Kaushik said.
“The most acute struggles will be in asset discovery, risk-based prioritization, and orchestrating rapid response across silos,” she added.
From vulnerability management to exposure management
The blueprint repeatedly emphasizes that traditional periodic security assessments are becoming insufficient against AI-enabled attacks capable of rapidly weaponizing newly disclosed flaws.
Instead, CERT-In is pushing organizations toward continuous exposure management, threat-informed defense, continuous monitoring, and adversarial testing.
Notably, the framework leans heavily on temporary mitigations, including isolation, access restrictions, WAF/API protections, enhanced monitoring, and compensating controls when immediate patching is not possible.
Analysts said that approach makes the timelines more achievable operationally, but also shifts the burden onto asset visibility and exposure intelligence.
“Compensating controls do make the timelines more workable. They also remove every excuse,” Gogia said. “If you cannot isolate, restrict, or monitor quickly, the problem was never patch cadence. The problem is that you do not know your own exposure.”
Kaushik similarly said the guidance effectively pushes organizations toward more mature exposure management capabilities.
“Organizations must be able to rapidly identify affected assets, assess risk, and deploy effective interim controls,” she said, adding that enterprises lacking mature asset inventories, segmentation, and monitoring capabilities will struggle to operationalize the guidance at scale.
The blueprint also calls for continuous vulnerability assessments, AI-assisted security testing, adversarial simulations, penetration testing, and red teaming exercises.
A preview of future global standards?
Analysts said CERT-In’s remediation expectations are among the most aggressive currently issued by a national cyber agency and may influence broader international vulnerability-management practices as AI compresses attacker timelines globally.
“CERT-In has done something the West has largely avoided: it has set standing clocks by asset category rather than deadlines by individual vulnerability,” Gogia said.
He contrasted the framework with CISA’s Known Exploited Vulnerabilities (KEV) program, which typically uses vulnerability-specific remediation deadlines rather than persistent enterprise-wide remediation clocks.
“The fixed-clock model looks aggressive today because the rest of the world has not caught up, not because it is reading the threat wrongly,” Gogia said.
Kaushik said the framework could create operational challenges for multinationals whose global service-level agreements are less stringent than India’s expectations. “For providers, this may create a compliance gap where internal SLAs are less stringent than India’s requirements, necessitating a reassessment of global patching and mitigation processes,” she said.