CERT-In Urges 12-Hour Patching as AI Collapses Attack Timelines

India's CERT-In urges critical, internet-facing flaws be patched or mitigated within 12 hours, warning AI has collapsed the gap between disclosure and attack.
The short version: India's national cyber agency has told organisations to treat patching as an hours-not-weeks problem, recommending that critical, internet-facing vulnerabilities already under attack be fixed, mitigated, or taken offline within 12 hours. Its reasoning: artificial intelligence has collapsed the time between a flaw becoming public and attackers weaponising it.
What CERT-In issued
On 25 May 2026, CERT-In (the Indian Computer Emergency Response Team, under the Ministry of Electronics and Information Technology) published a 38-page "Blueprint for Reducing Exposure and Defending against AI-Assisted Vulnerabilities Exploitation in Digital Infrastructure" (document CISG-2026-02, Version 1.0). It is guidance, not a binding legal direction, but it lays out the most aggressive remediation timelines the agency has recommended to date.
The 12-hour clock, and the tiers below it
The headline is a set of risk-tiered windows:
- 12 hours for known, actively exploited vulnerabilities on internet-facing or "crown-jewel" critical systems, where feasible.
- 1 day for critical externally exposed flaws, and for known-exploited bugs on internal systems.
- 3 days for critical internal vulnerabilities on high-value systems.
- 5 days for other high-severity flaws, risk-prioritised.
Crucially, the 12 hours does not demand a full vendor patch. Temporary mitigations, such as isolating a system, restricting access, or disabling the affected service, count toward the deadline. The blueprint also announces a new CERT-In AI Cyber Defence Center and pushes organisations toward continuous "exposure management" across internet-facing assets, identities, APIs, cloud and AI systems.
Why now
CERT-In's argument is that AI tooling has compressed the attack cycle. Where defenders once had weeks or months between a vulnerability being disclosed and exploit code circulating, AI now helps attackers automate reconnaissance, generate exploit code, and find targets within hours. On that view, legacy 30- or 90-day patch cycles are obsolete for anything exposed to the internet.
What it means for organisations
A 12-hour window is operationally demanding. In practice it rewards organisations that have already automated their patch-and-mitigate pipelines and that keep a live inventory of exposed assets, and it puts pressure on the sectors the blueprint emphasises: government, finance, telecom, healthcare, energy and digital public infrastructure. It is also a signal of direction: today's recommendation is often where tomorrow's binding rules head. India's existing binding cyber rules, the CERT-In 2022 Directions (including the six-hour incident-reporting requirement), remain separate and unchanged.
Frequently asked questions
Is the 12-hour patching mandatory? No. It is recommended best-practice guidance, not a legally binding direction. Some reports have called it a "mandate", which is inaccurate.
Does it require a full patch in 12 hours? No. Temporary mitigations such as isolating or disabling the exposed service also satisfy the window.
Who should pay closest attention? Operators of internet-facing critical systems in government, finance, telecom, healthcare and energy.