India’s national cyber security agency, CERT-In, has recently unveiled a comprehensive new blueprint aimed at enhancing the security posture of organizations across the nation. The document establishes an aggressive expectation for these entities to address critical vulnerabilities in internet-facing systems and essential infrastructure, referred to as “crown-jewel” systems, within a stringent timeframe of just 12 hours after their discovery. This initiative comes in response to the rapidly evolving threat landscape characterized by AI-driven attackers who are significantly reducing the timelines for exploitation.
The recent guidance marks one of the most assertive stances taken by India on the speed at which vulnerabilities must be patched in public-facing infrastructures. This comprehensive 38-page document, titled “Blueprint for Reducing Exposure and Defending against AI-Assisted Vulnerabilities Exploitation in Digital Infrastructure,” serves as a crucial response to the burgeoning capabilities of adversaries leveraging generative AI, large language models, and autonomous agents. The agency warns that these technologies are fundamentally transforming how swiftly attackers can uncover and weaponize software vulnerabilities.
The blueprint lays bare the reality that adversaries are increasingly employing AI tools to automate various aspects of cyber-attack preparation. These tools facilitate automated reconnaissance, enable detailed mapping of attack surfaces, and assist in the generation of exploits. Moreover, they are adept at crafting convincing phishing lures and adapting malware to elude detection by traditional security measures. As a result, vulnerabilities in public-facing systems, weak identities, insecure application programming interfaces (APIs), and misconfigurations can be identified and exploited much faster than conventional security programs can anticipate.
CERT-In’s document emphasizes that in today’s AI-driven threat landscape, “exploitation timelines are reducing significantly.” This alarming development renders slow, periodic patching cycles a systemic risk for organizations operating within India. According to CERT-In, the threat is most pronounced in vital sectors including government, finance, telecommunications, digital public infrastructure, healthcare, and energy. A successful cyber exploit in any of these areas could lead to operational disruptions and serious national security consequences.
To combat these accelerated threats, CERT-In has introduced a set of risk-based remediation timelines that drastically shorten the duration for which cybersecurity vulnerabilities can remain unaddressed, particularly at the public edge. For vulnerabilities that are known to have been exploited and that pertain to critical internet-facing and crown-jewel systems, organizations must not only contain the issue promptly but also patch, mitigate, or remove the exposure “within 12 hours where feasible.”
Moreover, the agency specifies that critical vulnerabilities exposed to the internet should be resolved within a single day. For known exploited vulnerabilities affecting internal systems, the same one-day deadline applies unless robust compensating controls are in place. The document further recommends that organizations remediate critical internal vulnerabilities in high-value systems within three days, while other high-severity issues should be addressed within five days based on risk priority.
In scenarios where a vendor patch is unavailable, organizations are expected to put in place immediate measures such as isolating affected services, tightening access controls, deploying Web Application Firewall (WAF) or API protections, and ramping up monitoring until an appropriate fix can be implemented.
The guidance from CERT-In extends beyond traditional patching service-level agreements (SLAs), advocating for continuous exposure management across a range of domains, including cloud environments, APIs, AI systems, and third-party dependencies. Central to these efforts are defensive principles that include a Zero Trust architecture, an assume-breach mindset, defense-in-depth strategies, robust identity governance, and ongoing validation of security controls through red teaming and adversarial testing.
To enhance their defenses, organizations are encouraged to modernize their security operations centers incorporating behavior-based analytics, threat hunting capabilities, and AI-driven defensive tools, all while ensuring human oversight for critical actions. The document outlines a three-phase roadmap emphasizing immediate risk reduction during the first week, operational strengthening in the following weeks, and advanced resilience in the latter stages, with a focus on automation-assisted defenses and continual control validation.
Furthermore, all organizations are reminded of their obligation to report any cyber incidents to CERT-In within six hours, in accordance with existing directives. They are also encouraged to engage in national cyber drills and AI-focused exercises to evaluate and enhance their preparedness in confronting these evolving cyber threats.