CERT-In 12-Hour Patching Mandate Rattles Security Teams

If you’re in charge of defending corporate infrastructure, start clearing your calendar. India’s Computer Emergency Response Team (CERT-In) just hit organizations with what might be the harshest reality check yet: patch critical vulnerabilities in any system exposed to the internet within 12 hours of detection. You heard that right. Half a day. That’s about the time it takes your IT vendor to reply to your initial support email, let alone roll out a system-wide fix. But these aren’t normal times—or attacks.

Why the Clock Is Ticking Faster Than Ever

Let’s get one thing straight: this isn’t some out-of-touch, feel-good bureaucratic policy. The logic is grimly straightforward. Attackers, supercharged by generative AI and large language models, don’t just move fast—they move algorithmically, at scale, without fatigue or doubt. Remember the days when you had a week to patch after a CVE dropped? That’s fantasy. AI-driven adversaries now go from uncovering an exposed service to actively exploiting it in a matter of hours. You stand still, you get steamrolled.

CERT-In’s 38-page directive spells out the new strategy: forget periodic security check-ups or quarterly drills. The pace of attacks has been permanently accelerated, and if organizations can’t change with it, breaches are inevitable. This blueprint doesn’t just cover holes in your public web servers; think your APIs, SaaS portals, cloud dashboards, and AI-enabled business logic. These are the new battlegrounds, and the enemy is tireless.

The Roadmap: Four Windows, No Excuses

The guidance gives you a sliding scale of urgency. Rest assured, there’s no version where you can sit on your hands for a week and expect a gold star:

  • 12 hours: If it’s a known-exploited bug on internet-facing or critical systems, fix it yesterday. Realistically, you’ve got half a day, max.
  • 24 hours: Anything else critical and exposed gets a full day—sort of a snooze button, but barely.
  • 72 hours: Critical but internal holes affecting your crown jewels? Three days, but don’t get too comfortable.
  • 120 hours: For high-severity stuff that’s less urgent, you’ve got five days. It might as well be a year in AI time.

If you can’t patch (because the fix doesn’t exist, your vendor’s MIA, or your system is a legacy nightmare), CERT-In expects “interim mitigation.” Translation: circle the wagons and make it harder for attackers to get in or move around. This usually means segmenting networks, restricting privileged access, or hitting the emergency off-switch on problematic services. You’d better hope your organization is actually capable of any of those, because attackers aren’t waiting politely for your next risk committee meeting.
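A sketch of how the four windows and the interim-mitigation fallback could drive a triage queue, added here as an example and not taken from CERT-In's directive. The Finding fields, the sample findings and the choice to return None for cases the tiers above do not cover are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Finding:  # hypothetical record; field names are assumptions
    name: str
    severity: str          # "critical" or "high"
    known_exploited: bool
    internet_facing: bool
    critical_system: bool  # the "crown jewels"
    patch_available: bool
    detected_at: datetime  # the clock starts at detection

def window_hours(f: Finding) -> Optional[int]:
    """Map a finding to one of the four windows; None means the tiers do not cover it."""
    if f.known_exploited and (f.internet_facing or f.critical_system):
        return 12
    if f.severity == "critical" and f.internet_facing:
        return 24
    if f.severity == "critical" and f.critical_system:
        return 72
    if f.severity == "high":
        return 120
    return None  # assumption: left for manual triage

def triage(findings, now):
    """Return (name, hours, due, action, overdue) rows, earliest deadline first."""
    rows = []
    for f in findings:
        hours = window_hours(f)
        if hours is None:
            continue
        due = f.detected_at + timedelta(hours=hours)
        action = "patch" if f.patch_available else "interim mitigation"
        rows.append((f.name, hours, due, action, now > due))
    return sorted(rows, key=lambda r: r[2])

T0 = datetime(2025, 1, 1, 8, 0, tzinfo=timezone.utc)
SAMPLE = [  # constructed findings, all detected at T0
    Finding("vpn-gateway-rce", "critical", True, True, False, False, T0),
    Finding("customer-api-auth-bypass", "critical", False, True, False, True, T0),
    Finding("billing-db-privesc", "critical", False, False, True, True, T0),
    Finding("intranet-wiki-xss", "high", False, False, False, True, T0),
]

if __name__ == "__main__":
    for name, hours, due, action, overdue in triage(SAMPLE, T0 + timedelta(hours=30)):
        print(f"{name:26} {hours:>3}h due {due:%Y-%m-%d %H:%M} {action:18} overdue={overdue}")
```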

AI: The Attacker’s Infinite Ammo

Why so merciless? Because AI is changing the rules, maybe even tearing up the whole rulebook. Tasks that once required days of reconnaissance or bespoke malware writing are now automated through a handful of ChatGPT prompts and code fuzzers. Phishing campaigns morph adaptively in minutes. Malware is custom-built based on your company’s online footprint. Automated tools probe exposed endpoints at a speed that manual hackers only dreamt of just five years ago.

It’s not science fiction. The pipeline from zero day to widespread exploitation is shrinking every quarter. Today, attackers don’t just scan and attack; they probe, learn, pivot, and escalate—all in one seamless, AI-driven workflow. Enterprises that move at the pace of human-only IT teams are outmatched from the start. CERT-In’s timelines might sound brutal, but they’re not arbitrary. They’re keeping pace with attackers who don’t care about your change freeze or your sleep schedule.

Will Anyone Actually Meet These Targets?

Here’s where the cynicism piles on. CERT-In claims these windows are “indicative expectations” and not law. So, what’s stopping you from missing deadlines? Technically, not much—unless you count the possibility of your brand being next in the breach-news cycle. Compliance-driven firms might breathe a sigh of relief, but sophisticated attackers aren’t going to audit your patch cycles before exploiting you. Tick-tock.

The reality? For many organizations, achieving 12-hour patching is pure fantasy. Sitting on heaps of unmonitored assets, overloaded with legacy spaghetti, and staffed by an underpaid SOC that’s allergic to overtime? You’re not alone. Yet the intent here isn’t to set organizations up to fail. It’s a desperate attempt to jolt slow movers out of audit-thinking and into operational defense. The old world, where you only patched when your vendor called you, is dead. Welcome to crisis management as the new normal.

From Compliance Checkbox to Zero Trust or Bust

You might shrug, thinking “this is just another round of security frameworks.” But CERT-In is clear: patching cycles alone won’t save you. ‘Assume breach’ becomes more than a slogan—now it’s reality. If your incident response is slow, or you trust everything inside your firewall without verification, you’re toast.

Zero trust, defense-in-depth, and continuous monitoring are moving from best practice to baseline survival mechanisms. You’re expected to operate as if an attacker is already inside, probing, pivoting, and waiting for you to slip up. That means strict access controls, constant verification, and security baked into system design from day one. For many enterprises, adopting this mindset is a culture shock that can’t come soon enough—or maybe ever, if leadership persists in magical thinking.

Supply Chains and the Billion-Dollar Blame Game

Let’s not forget: most organizations are just as exposed through their vendors and software supply chains. AI models, CI/CD pipeline plugins, third-party APIs—each is a tempting backdoor for attackers and a blind spot for most defenders. CERT-In recommends things like Software Bills of Materials (SBOMs), provenance checks, and independent security audits, but how many companies even have a full inventory of their digital supply chain? Many don’t until it’s too late.

Cloud ecosystems, “AI-enabled” products, sensitive data lakes—these aren’t just buzzwords. They’re massive attack surfaces that grow every quarter as businesses chase the next big thing and tack on shiny new tools. If you’re not validating everything that plugs into your core business, you’re asking for trouble.

CERT-In’s Dilemma: Harsh Medicine or Impossible Ask?

No one can accuse CERT-In of burying its head in the sand. These recommendations are a blunt, perhaps desperate, response as attackers get smarter, faster, and less predictable. Yet for all the urgency, it’s hard to see organizations everywhere dropping everything to hit 12-hour SLAs for patching every public-facing flaw. There’s simply too much tech debt, too many unknown assets, and not enough skilled hands.

Still, you’ve been warned—move at the speed of attackers, or prepare to become their next headline. Patch, isolate, restrict, monitor, and audit with relentless discipline. If that sounds impossible, welcome to cybersecurity in the AI era. Tick-tock.
