NEW DELHI, INDIA β In a move underscoring the rapidly evolving threat landscape, India's Computer Emergency Response Team (CERT-In) has mandated a stringent 12-hour patching window for critical security vulnerabilities affecting internet-exposed systems. This directive, issued on May 26, 2026, represents a dramatic acceleration from typical patch management timelines and is a direct response to the growing sophistication and speed of cyberattacks powered by Artificial Intelligence (AI).
AI-Driven Exploitation Compresses Threat Windows
The core justification behind CERT-In's aggressive new timeline is the explicit recognition of AI's role in supercharging cyber threats. Threat actors are increasingly leveraging AI tools, including large language models (LLMs) and autonomous agents, to automate critical stages of the attack lifecycle. This includes the rapid identification of vulnerabilities, the development of exploit code, and the execution of sophisticated, multi-stage attacks with minimal human intervention. According to reports, the window between a vulnerability becoming publicly known and its active exploitation has shrunk to a point where traditional patch Service Level Agreements (SLAs), often measured in days or weeks, leave organizations dangerously exposed.
Nicholas Robert, reporting on the development, noted that India is among the first national CERTs to formally codify an AI-driven threat model into a patch-timing standard. This signifies a structural shift in cybersecurity, reframing patch management from a calendar-based challenge to one that necessitates advanced automation and robust architectural resilience. The implications are far-reaching, impacting not only dedicated IT security teams but also any organization with internet-facing infrastructure.
A New Era of Accelerated Cybersecurity Response
The new guidelines from CERT-In set an indicative 12-hour expectation for containing or remediating Known Exploited Vulnerabilities (KEVs) on "internet-facing and crown-jewel systems." Beyond this, the agency has outlined a risk-based schedule for other vulnerabilities: one day for critical externally exposed flaws, three days for critical internal vulnerabilities on high-value systems, and five days for high-severity issues. For situations where a patch is not immediately available, CERT-In advises interim measures such as system isolation, access restriction, or the implementation of web application firewalls until a fix can be deployed.
Prioritization of patching efforts is to be guided by the KEV catalog and the Exploit Prediction Scoring System (EPSS), rather than relying solely on vulnerability severity scores. This approach emphasizes addressing actively exploited vulnerabilities with greater urgency. While the timelines are described as "indicative expectations" and are to be applied according to operational criticality and threat exposure, the underlying message is clear: organizations must significantly enhance their cybersecurity response capabilities.
The CyberSignal reported that this directive is a direct response to trends observed in 2026, including the Verizon DBIR 2026 identifying vulnerability exploitation as the leading initial-access vector and Google's GTIG disclosing the first AI-developed zero-day exploited at scale. Anthropic's Project Glasswing also surfaced over 10,000 vulnerabilities in a single month using AI-assisted discovery, underscoring the pattern CERT-In is now addressing with its new standard.
Implications for Software Development and Infrastructure
The accelerated patching requirement has profound implications for software development practices and IT infrastructure management in India. Organizations that rely on AI-generated code or employ rapid development cycles, often termed "AI-built" or "vibe-coded" applications, face particular challenges. These applications can inherit issues such as dependency sprawl, where numerous third-party packages are incorporated without adequate tracking, potentially introducing unpatched vulnerabilities. Furthermore, AI-driven infrastructure choices, while efficient, may lead to an incomplete inventory of assets, making it difficult to identify and patch all exposed components within the tight deadline.
To meet these new demands, CERT-In strongly recommends adopting a Zero Trust security posture, implementing aggressive patching strategies for all internet-facing assets, conducting AI-focused cyber drills, and strengthening incident response plans. The agency emphasizes that defenders now need automation capabilities that can keep pace with the automation already leveraged by attackers. This necessitates significant investment in automated patching systems, rapid testing protocols, and architectures that allow for quick rollbacks if a patch introduces new issues.
This strategic shift by CERT-In positions India at the forefront of adapting national cybersecurity policies to the realities of AI-powered threats, compelling businesses to fundamentally re-evaluate their approach to software security and vulnerability management to stay ahead of an increasingly automated and accelerated threat landscape. The future of digital resilience in India hinges on the successful adoption of these rapid response mechanisms.