India's CERT-In has mandated that organizations patch critical vulnerabilities in internet-facing systems within 12 hours of notification, a significant tightening of security response timelines. The directive targets flaws exposed to public networks and reflects growing concerns about AI-assisted attack automation.
The guidance comes as threat actors increasingly leverage artificial intelligence tools and large language models to accelerate exploit development and vulnerability scanning. These automated approaches compress the traditional window between disclosure and active exploitation, forcing defenders to move faster. The 12-hour window applies where operationally feasible, an acknowledgment that some environments face genuine constraints.
CERT-In's recommendation carries weight in India's regulatory landscape. Organizations operating critical infrastructure, financial systems, and government-connected networks face particular pressure to comply. The directive implicitly recognizes that human-speed patching no longer suffices against AI-powered attackers who can identify and weaponize flaws in hours rather than days.
The rationale centers on internet-facing assets, which carry the highest risk. Web servers, VPN gateways, remote access portals, and cloud-exposed databases become targets immediately upon vulnerability disclosure. Once a flaw enters public knowledge, automated scanning tools powered by LLMs can identify vulnerable instances across entire IP ranges with minimal human intervention.
Organizations should inventory internet-exposed systems now and establish patch deployment pipelines capable of meeting 12-hour timelines for critical flaws. This requires advance preparation: staging patches, testing procedures, and change management workflows that don't bottleneck under time pressure. Many enterprises lack this operational readiness, meaning the guidance serves as a wake-up call to modernize vulnerability management.
The directive does not eliminate judgment calls. Organizations must classify vulnerabilities accurately and assess genuine feasibility based on system architecture and dependencies. A legacy monolithic application differs from containerized microservices in patch speed. However, claiming infeasibility requires solid just
