CERT-In Recommends 12-Hour Patching for Internet-Facing Flaws Amid AI-Assisted Attacks
CERT-In now recommends patching critical internet-facing flaws within 12 hours as AI-assisted attacks shrink the exploitation window to hours. Here’s what your team needs to do.
What’s new: India’s Computer Emergency Response Team (CERT-In) has issued new guidelines recommending that organisations patch critical vulnerabilities in internet-facing systems within 12 hours of identification, where feasible. The aggressive timeline reflects a growing reality: AI-assisted cyberattacks can compress the window between public vulnerability disclosure and active exploitation to just hours, leaving organisations with traditional weekly or monthly patch cycles dangerously exposed.
Who’s affected
All organisations operating internet-exposed systems — particularly those running cloud services, AI-enabled platforms, and interconnected digital infrastructures — are expected to align with this guidance. While binding for Indian government entities, the 12-hour benchmark sets a new global standard for critical vulnerability response.
What to do
- Build a patching pipeline capable of triaging and deploying emergency fixes within 12 hours for critical internet-facing vulnerabilities.
- Adopt a Zero Trust architecture with continuous verification and least-privilege access to reduce blast radius when patches can’t be applied immediately.
- Apply temporary mitigations (WAF rules, network isolation, service disabling) when immediate patching is not feasible — do not leave systems unprotected while awaiting a full patch cycle.
- Conduct regular vulnerability assessments and penetration tests to identify exposure before attackers do.
- Establish formal AI governance to maintain visibility into AI-enabled systems that may introduce new attack surfaces.
