Indian CERT Moves From Warnings to War Games as Frontier AI Reshapes the Cyber Threat
How CERT-In is protecting Indian Cyberspace the in an era of machine-speed attacks and Mythos
In April 2026, India's national cyber-defence agency issued an advisory that read less like a routine compliance bulletin and more like a warning shot.
It named "frontier AI" by name.
It described software capable of doing, autonomously and in minutes, what once took teams of skilled human attackers weeks.
And it told every organisation in the country to stop assuming that a freshly disclosed vulnerability would sit unexploited long enough to patch at leisure.
Over the months that followed, the Indian Computer Emergency Response Team (CERT-In) backed that warning with an unusually detailed blueprint and a run of national cyber exercises that simulated AI-assisted attacks against the country's most critical sectors.
The effort marks one of the more concrete national responses anywhere to a threat that most governments are still describing only in the abstract.
The threat that collapsed the clock
The shift CERT-In is responding to is one of speed.
Advanced generative models, large language models and increasingly autonomous "agentic" AI systems are being turned to nearly every stage of an attack: scanning vast codebases for known and zero-day flaws, generating working exploits, automating reconnaissance across cloud platforms and APIs, and producing convincing multilingual phishing, including voice and video deepfakes, that lowers the barrier to targeting both enterprises and individuals.
The practical effect is that the window between a vulnerability being disclosed and being weaponised has narrowed dramatically.
CERT-In's warning frames this as a structural change rather than a new malware family: an entire class of AI systems that can accelerate offence end-to-end, operating at a speed and scale that previously required coordinated expert teams.
Industry voices have echoed the alarm in starker terms.
One application-security executive observed that reconnaissance which "used to take a week" can now run in minutes, with many strikes on Indian banks concluded before a human analyst opens the ticket, pointing to a banking sector that absorbed billions of attack attempts over the past year.
The April advisory: assume the perimeter is already porous
On 26 April 2026, CERT-In issued Advisory No. CIAD-2026-0020, "Defending Against Frontier AI Driven Cyber Risks."
Rated high severity, it applied deliberately broadly, to large organisations, to micro, small and medium enterprises (MSMEs), and to individuals.
Its core argument is that AI lowers the cost of cybercrime by making attacks automated, scalable and repeatable with minimal human effort, and that traditional perimeter-based or periodic security is therefore no longer sufficient.
In its place the advisory pushes a familiar but newly urgent set of principles:
- zero-trust architecture, where every access request is untrusted by default;
- continuous monitoring rather than scheduled checks;
- rapid patching to counter shrinking exploitation windows;
- proactive reduction of internet-facing attack surface.
The advisory also took the unusual step, for an Indian cyber authority, of explicitly acknowledging the dual-use nature of the technology, noting that the same capabilities that aid defenders also lower the barrier to entry for malicious actors.
For MSMEs, it offered a pragmatic note: with limited resources, they should adopt security measures that are affordable but still robust enough to protect the business.
The May blueprint: patching measured in hours
A month later, on 25 May 2026, CERT-In followed up with a detailed framework: the "Blueprint for Reducing Exposure and Defending against AI-Assisted Vulnerabilities Exploitation in Digital Infrastructure."
Where the advisory set the tone, the blueprint set the benchmarks, and they are demanding.
Its most-discussed requirement is remediation speed.
For known, exploited vulnerabilities on internet-facing and "crown-jewel" systems, the blueprint expects organisations to contain, patch or mitigate within roughly 12 hours, with continuous validation and evidence that the exploit path is actually closed.
That single line represents a structural ask: India's average breach detection-and-containment lifecycle has historically run to hundreds of days, a timeline now colliding head-on with expectations measured in hours.
Beyond patching speed, the blueprint maps out a broader operating model:
- zero-trust controls such as multi-factor authentication, privileged access management and micro-segmentation;
- continuous audits, red-teaming and adversarial simulation;
- supply-chain visibility through mechanisms like a Software Bill of Materials (SBOM) and an AI Bill of Materials (AIBOM).
It frames the overall posture as "assume-breach" and resilience-driven, and explicitly calls for AI-enabled adaptive defences to counter AI-enabled attacks, an arms race that has been summarised as "AI vs. AI."
The existing six-hour incident-reporting requirement remains in force, with added emphasis on faster detection.
The framework is structured around a phased, roughly 60-day implementation roadmap, moving from immediate baseline controls through strengthening security operations centres and establishing AI governance, and on to red-team exercises, adversarial AI testing and resilience planning.
From paper to practice: the war games
What distinguishes India's approach from a stack of policy documents is that CERT-In has paired the guidance with hands-on exercises that simulate the very attacks the advisory describes.
The centrepiece was Cy-AI-X 2026, held on 16–17 June 2026, a national cyber-resilience exercise focused on the Energy and Telecom sectors.
It drew 529 participants, with 242 from Energy and 287 from Telecom, and ran realistic AI-assisted scenarios including automated vulnerability discovery, exploitation and attack orchestration, with the goal of stress-testing coordination and incident response.
That exercise sat within a wider programme of capacity-building.
A dedicated CERT-Interact session on defending against frontier AI-driven risk, held in early June, engaged several hundred participants across sectors on topics including AI-aware threat intelligence, zero-trust architecture and secure-by-design AI deployment.
And on 24 June 2026, a strategic tabletop exercise conducted with the Securities and Exchange Board of India (SEBI) brought together representatives of SEBI-regulated entities for immersive simulations of AI-enabled attacks, from automated vulnerability discovery to end-to-end AI-driven campaigns, aimed at sharpening incident response and crisis decision-making in the financial sector.
The common thread is a shift from theory to accelerated, realistic rehearsal: testing whether defenders can actually meet the timelines the blueprint demands.
An inclusive net, cast wide
India's strategy is notable for who it tries to reach.
Rather than addressing only large enterprises, the guidance deliberately extends to MSMEs and individuals, a recognition that AI-driven risk is systemic, and that the weakest nodes in an interconnected economy can become everyone's problem.
Sector-specific collaboration reinforces that breadth: dedicated work with SEBI for financial markets, and targeted exercises for energy and telecom.
It is a multi-stakeholder model designed to build resilience across a vast and tightly interconnected digital infrastructure, in step with the broader Digital India and IndiaAI ambitions.
A model worth watching
Translating abstract warnings into specific benchmarks, and tabletop theory into accelerated live simulations, puts CERT-In ahead of many international peers who are still circulating high-level guidance.
The emphasis on rapid response, zero-trust adoption, supply-chain transparency and AI-augmented defence offers a template others may borrow.
The harder test lies ahead, and it is twofold.
First, whether organisations, especially resource-constrained ones, can actually operate at the machine speed the new rules assume.
And second, whether a defensive posture can hold when the most capable offensive tools are governed by export controls that keep them out of defenders' hands while doing little to keep the underlying capability out of attackers'.
Many countries have done the part within its control: turning warnings into structured action.
Whether that proves sufficient against a threat that evolves at machine speed, is the question the coming months will answer.
This article is based on public advisories and reporting concerning CERT-In and SEBI initiatives in 2026. Specific participation figures for some exercises are drawn from official communications and may be subject to revision. Readers seeking authoritative detail should consult the original CERT-In advisory (CIAD-2026-0020) and the May 2026 blueprint directly.