CERT-In Recommends 12-Hour Patching for Internet-Facing Flaws Amid AI-Assisted Attacks

India's Computer Emergency Response Team (CERT-In) has issued a new directive requiring organizations to patch critical vulnerabilities in internet-facing systems within 12 hours of patch availability, citing the acceleration of exploitation timelines driven by AI-assisted attack tooling. The directive acknowledges that the traditional 30-day patching window is no longer viable when AI tools enable attackers to develop and deploy exploits within hours of vulnerability disclosure. The 12-hour mandate applies to the most severe vulnerabilities, while high- and medium-severity flaws have proportionally shorter windows than previous guidance. This aggressive timeline shift reflects a growing global consensus among cyber defense agencies that patching velocity must match the speed of AI-accelerated attacks, though it raises practical challenges for organizations with complex change management processes.

Sources