CERT-In — 12-hour patch mandate calibrated to AI exploitation speed

AI relevance: India's CERT-In has become the first major national cybersecurity authority to publish tiered patch timelines explicitly calibrated to AI exploitation speed, demanding 12-hour remediation for known exploited vulnerabilities on internet-facing systems.

  • CERT-In released its AI Threat Landscape guidance on May 25, 2026, establishing a four-tier patch schedule: 12 hours for known exploited vulnerabilities (KEVs) on internet-exposed systems, 24 hours for critical vulnerabilities with external exposure, three days for critical vulnerabilities on internal high-value systems, and five days for high-severity flaws.
  • The guidance is framed as "indicative expectations" rather than legally binding obligations, but the operational signal is unambiguous: legacy patch cycles are no longer adequate when AI-assisted attacks weaponize disclosed vulnerabilities.
  • The technical justification is measurable: the average window between CVE publication and active exploitation has contracted from ~56 days in 2024 to roughly 10 hours by mid-2026, driven by AI tooling that generates working exploits within minutes of disclosure.
  • Where no patch exists, CERT-In prescribed interim containment measures — network isolation, access restriction, or web application firewall deployment — acknowledging the 12-hour window may not always be met through vendor patching alone.
  • India is the first major national cybersecurity authority to publish a tiered patch timeline explicitly tied to AI exploitation speed. The U.S. CISA is reportedly weighing a three-day federal standard for KEVs but has not finalized comparable guidance.
  • The guidance builds on CERT-In's existing six-hour incident reporting mandate (in place since 2022), creating a coherent regulatory posture: as AI shortens every phase of attack execution, defensive timelines must compress in parallel.
  • The advisory explicitly named frontier commercial AI models, warning that their dual-use nature lowers the entry barrier for malicious actors, automates exploitation workflows, and scales campaigns beyond human-only operational capacity.

Why it matters

This is a regulatory first. A national cybersecurity authority has formally recognized that AI has changed the threat timeline and is mandating patch cadence accordingly. For organizations operating in India or serving Indian customers, this sets a new operational baseline. For the rest of the world, it's a leading indicator — CISA is already considering a similar three-day standard, and other regulators will follow.

The underlying dynamic — CVE-to-exploit shrinking from 56 days to 10 hours — is not unique to India. It reflects a structural shift in the threat landscape that every AI-adjacent security team needs to account for in their incident response playbooks.

What to do

  • Map your internet-facing asset inventory and identify crown-jewel systems that would fall under the 12-hour tier.
  • Review patch testing pipelines: if your current cycle runs weekly or monthly, the gap between your process and the 12-hour expectation needs architectural mitigation (automated hot-patching, WAF virtual patches, network-level containment).
  • Build interim containment playbooks for zero-day scenarios where no vendor patch is available within the 12-hour window.
  • Monitor CISA and other national authorities for similar guidance — the regulatory signal is spreading.
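
Added example (not from CERT-In or the original article): a Python triage helper that applies the four windows listed above to a vulnerability inventory, sorts by deadline, and marks findings that need interim containment because no patch exists. The field names, the sample inventory, and counting each window from `known_at` are assumptions; findings that match none of the four tiers are left for local policy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Finding:
    asset: str
    severity: str          # "critical", "high", ...
    kev: bool              # known exploited vulnerability
    internet_facing: bool
    high_value: bool       # internal crown-jewel system
    patch_available: bool
    known_at: datetime     # assumption: the window is counted from here

# The four windows listed on this page, most urgent first.
TIERS = [
    ("KEV, internet-exposed", timedelta(hours=12), lambda f: f.kev and f.internet_facing),
    ("critical, externally exposed", timedelta(hours=24), lambda f: f.severity == "critical" and f.internet_facing),
    ("critical, internal high-value", timedelta(days=3), lambda f: f.severity == "critical" and f.high_value),
    ("high severity", timedelta(days=5), lambda f: f.severity == "high"),
]

def classify(f):
    """Return (tier, deadline), or None when no listed tier matches."""
    for name, window, matches in TIERS:
        if matches(f):
            return name, f.known_at + window
    return None

def triage(findings, now):
    """Sort findings by deadline; unmatched ones go last for local policy."""
    rows = []
    for f in findings:
        hit = classify(f)
        tier, due = hit if hit else (None, None)
        # No patch yet: interim containment (isolation, access restriction, WAF).
        action = "review" if hit is None else ("patch" if f.patch_available else "contain")
        rows.append({"asset": f.asset, "tier": tier, "due": due, "action": action,
                     "overdue": due is not None and now > due})
    return sorted(rows, key=lambda r: (r["due"] is None, r["due"] or now))

def at(day, hour):  # constructed timestamps, June 2026, UTC
    return datetime(2026, 6, day, hour, tzinfo=timezone.utc)

SAMPLE = [  # constructed inventory, not real assets
    Finding("vpn-gw", "critical", True, True, False, False, at(2, 3)),
    Finding("web-01", "critical", False, True, False, True, at(1, 10)),
    Finding("db-core", "critical", False, False, True, True, at(1, 12)),
    Finding("wiki", "medium", False, False, False, True, at(1, 9)),
]

if __name__ == "__main__":
    for row in triage(SAMPLE, now=at(2, 12)):
        print(row)
```

Tier order matters: a KEV on an internet-facing host is also critical in this sample, and the first matching tier gives it the 12-hour window rather than the 24-hour one.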
