Organizations in India have been urged to patch actively exploited internet-facing vulnerabilities within 12 hours under new guidance that responds to the speed AI now brings to cyber-attacks.
According to new guidance from the Indian Computer Emergency Response Team (CERT-In), attackers are using AI to compress the time between finding and exploiting a weakness, shrinking the window defenders have to respond.
The document, published on May 25, maps how generative AI, large language models (LLMs) and autonomous agents are accelerating reconnaissance, vulnerability discovery, phishing and malware development.
A Blueprint Built Around AI Threats
CERT-In set an indicative 12-hour expectation for containing or remediating known exploited vulnerabilities (KEVs) on “internet-facing and crown-jewel systems.”
Other tiers follow a risk-based schedule: one day for critical externally exposed flaws, three days for critical internal vulnerabilities on high-value systems and five days for high-severity issues. Where no patch exists, the agency advised interim measures such as isolation, access restriction or web application firewall protection until a fix lands.
For prioritization, CERT-In pointed organizations toward the KEV catalog and the Exploit Prediction Scoring System (EPSS) rather than severity scores alone.
CERT-In stopped short of framing the timelines as binding, describing them as indicative expectations to be applied according to operational criticality and threat exposure.
Read more on national cybersecurity directives: CISA Closes Ten Emergency Directives After Federal Cyber Reviews
Securing AI Deployments and Reporting Incidents
Beyond patching, the blueprint lays out a framework spanning governance, zero-trust architecture, AI-aware security operations and supply-chain assurance through software and AI bills of materials (BOMs).
It devotes particular attention to securing organizations’ own AI deployments, covering prompt injection, model theft, training-data poisoning and the governance of autonomous agents that act with limited human oversight.
The guidance also reiterates the existing requirement for entities to report cyber incidents to CERT-In within six hours of detection, a rule in force since 2022.
Organizations are encouraged to roll out the recommendations in three phases, starting with a 0-7-day push on governance, exposure reduction and multi-factor authentication (MFA), then moving through operational strengthening and on to red teaming and adversarial AI testing.
