CERT-In sets 12-hour patch rule citing AI exploit speed
Key insights
- CERT-In requires 12-hour patching for known exploited vulnerabilities in internet-facing systems, with tiered deadlines reaching three days for internal assets.
- This is among the first national frameworks to explicitly cite AI-assisted exploitation as justification for compressed mandatory patch timelines.
- India's framework creates differentiated patch obligations across three tiers based on system exposure level and asset criticality.
Why this matters
AI-assisted exploitation has already compressed vulnerability-to-weaponization timelines to hours in documented cases, meaning the 12-hour patch window reflects current attacker reality rather than regulatory ambition. For AI practitioners and security teams building or deploying infrastructure, this signals that compliance frameworks are beginning to encode AI threat acceleration as a structural baseline, which will cascade into vendor contracts, SLAs, and insurance requirements. Any organization operating internet-facing systems in India, or serving Indian-regulated entities, now faces a compliance posture that demands continuous patching pipelines rather than scheduled maintenance windows.
Summary
India's CERT-In published guidelines on May 25 requiring organizations to patch known exploited vulnerabilities in internet-facing systems within 12 hours where feasible.
CERT-In explicitly cites AI-assisted exploitation, arguing the disclosure-to-weaponization window has compressed past the point where legacy patch cycles offer meaningful protection.
Essentially: CERT-In is the first national agency to formally anchor mandatory patch cadence to AI-accelerated attack timelines, not just severity scores.
- 12-hour window covers internet-facing and crown-jewel systems with known active exploits
- Tiered deadlines: 1 day for critical external flaws, 3 days for critical internal high-value assets
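As an added illustration, not code from the article or from CERT-In, the Python below encodes the three tiers summarized above and flags findings whose deadline has passed. The field names, the assumption that the clock starts when the organization learns of the flaw, and the sample inventory are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Deadline tiers as summarized in the brief (hypothetical encoding, not CERT-In text).
TIER_12H = timedelta(hours=12)  # internet-facing or crown-jewel system, known active exploit
TIER_1D = timedelta(days=1)     # critical flaw on an internet-facing system
TIER_3D = timedelta(days=3)     # critical flaw on an internal high-value asset

@dataclass
class Finding:
    asset: str
    internet_facing: bool
    high_value: bool        # crown-jewel / high-value asset
    critical: bool          # critical severity rating
    known_exploited: bool   # active exploitation is known
    known_since: datetime   # assumption: clock starts when the org learns of the flaw

def patch_deadline(f: Finding) -> Optional[datetime]:
    """Mandated deadline for this finding, or None if no summarized tier applies."""
    if f.known_exploited and (f.internet_facing or f.high_value):
        return f.known_since + TIER_12H
    if f.critical and f.internet_facing:
        return f.known_since + TIER_1D
    if f.critical and f.high_value:
        return f.known_since + TIER_3D
    return None  # assumption: other findings fall outside the three tiers

def overdue(findings: list, now: datetime) -> list:
    """Assets whose mandated deadline has already passed at `now`."""
    late = []
    for f in findings:
        deadline = patch_deadline(f)
        if deadline is not None and now > deadline:
            late.append(f.asset)
    return late

# Constructed sample inventory, not real data.
T0 = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    Finding("edge-router", True, False, True, True, T0),     # 12-hour tier
    Finding("payments-erp", False, True, True, False, T0),   # 3-day tier
    Finding("dev-sandbox", False, False, False, False, T0),  # no tier
]
NOW = T0 + timedelta(hours=18)

if __name__ == "__main__":
    for f in SAMPLE:
        print(f.asset, patch_deadline(f))
    print("overdue:", overdue(SAMPLE, NOW))  # overdue: ['edge-router']
```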
Other national regulators now face pressure to justify whether their own patch windows still reflect actual attacker speed.
Potential risks and opportunities
Risks
- Indian enterprises running legacy OT or ERP systems in manufacturing and banking sectors face a choice between compliance violations and production outages if 12-hour patch windows prove operationally unworkable
- Multinational companies with Indian subsidiaries risk triggering parallel mandates from ENISA, CISA, or other regulators citing CERT-In's AI-threat framing as precedent, forcing global patch pipeline overhauls ahead of budget cycles
- Security vendors unable to demonstrate sub-12-hour patch deployment capabilities for Indian enterprise customers may lose contract renewals within 6 to 12 months as compliance pressure builds
Opportunities
- Automated patch management vendors (Qualys, Tenable, Rapid7, Tanium) gain a direct compliance hook to market urgently to Indian enterprises now facing regulatory exposure for slow patching
- AI-powered vulnerability prioritization vendors (Armis, Balbix, Claroty) can use CERT-In's explicit AI-threat framing as a sales entry point for continuous exposure monitoring at Indian-regulated organizations
- Indian MSSPs offering managed patching-as-a-service have a near-term upsell opportunity to existing enterprise clients that lack 24/7 internal patch operations to meet the new cadence
What we don't know yet
- Whether CERT-In will specify enforcement mechanisms, including penalties or audit timelines, for organizations that miss the 12-hour window, which remain unaddressed in the May 25 guidelines
- How organizations with legacy systems or third-party vendor dependencies are expected to operationalize 12-hour patching when the 'where feasible' qualifier is left undefined
- Whether the framework applies to foreign companies with Indian operations or only domestically registered entities, a scope question the published guidelines do not resolve
Originally reported by thehackernews.com
Original headline: CERT-In Mandates 12-Hour Patching for Internet-Facing Flaws, Explicitly Cites AI-Accelerated Exploit Timelines