Patch Critical Flaws in 12 Hours: New CERT-In Rules
Michael Miller
CERT-In now recommends patching critical internet-facing flaws within 12 hours due to AI-assisted attacks. Learn what this means for your security team and how to adapt.
The Indian Computer Emergency Response Team (CERT-In) just dropped a major update that's shaking up security teams worldwide. They're now pushing organizations to patch critical vulnerabilities in internet-exposed systems within 12 hours of being flagged, whenever it's "feasible." This isn't just another bureaucratic guideline—it's a direct response to the growing threat of AI-assisted attacks that can automate vulnerability exploitation at machine speed.
### Why This Matters Right Now
You might be thinking, "Twelve hours? That's crazy tight." And you're right. For most organizations, the typical patch cycle runs weeks or even months. But here's the reality: attackers are no longer manually scanning for flaws. They're using large language models (LLMs) and AI tools to find and exploit vulnerabilities in minutes, not days. This changes everything.
Think of it like this: in the old days, a burglar would case a neighborhood for weeks. Now, they have a drone that maps every unlocked window in an hour. That's what AI does for cyber attacks—it scales and accelerates the entire process.
### What CERT-In's New Guidelines Mean for You
Here's the breakdown of what CERT-In is actually asking:
- **12-hour window**: Critical vulnerabilities in internet-facing systems must be patched within 12 hours of discovery, when feasible.
- **Internet-exposed focus**: Internal systems have more flexibility, but anything connected to the public internet is priority one.
- **AI threat context**: The guidelines explicitly cite AI-assisted attacks as the driving force behind this urgency.
This isn't a law yet, but it's a strong recommendation from India's top cyber agency. For companies operating in or with India, it's basically a must-follow.
### The Real Challenge: Feasibility
The keyword here is "feasible." CERT-In isn't naive—they know not every organization can drop everything and patch within half a day. But the expectation is clear: you need to have processes in place to make it happen as often as possible.
Let's be honest: most security teams are already stretched thin. Adding a 12-hour SLA for critical patches means you need:
- Automated vulnerability scanning that feeds into a prioritized list
- A change management process that can fast-track emergency patches
- Testing pipelines that don't bottleneck the fix
- Clear communication channels between security, IT ops, and development
### How AI Is Changing the Game
What's really interesting is why CERT-In is doing this now. They're specifically calling out AI-assisted attacks. Here's what that looks like in practice:
- Attackers use LLMs to automatically analyze patch notes and reverse-engineer exploits within hours of a disclosure.
- AI tools can scan millions of IP addresses in minutes, looking for unpatched systems.
- Bots powered by language models can craft convincing phishing emails that bypass traditional filters.
The window between a vulnerability being announced and an exploit being weaponized has shrunk from weeks to hours. That's why 12 hours matters.
### Practical Steps to Meet the 12-Hour Deadline
So how do you actually pull this off? Here are some strategies:
- **Invest in automated patch management**: Tools that can deploy critical patches across your infrastructure without manual intervention are a game-changer.
- **Prioritize your internet-facing assets**: Not all systems are equal. Focus your 12-hour SLA on what's exposed to the public internet.
- **Build a rapid response team**: Have a dedicated group on call for emergency patches, with pre-approved processes to skip red tape.
- **Test in parallel**: Don't wait for full regression testing. Use canary deployments to push patches to a small subset first, then roll out broadly.
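One way to track the 12-hour window in practice, as an added example that is not from CERT-In or the original article: a small Python tracker that starts the clock only for critical findings on internet-facing assets and sorts open work by time remaining. The `Finding` fields, ids, hostnames and timestamps are constructed assumptions standing in for real scanner and asset-inventory output.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
SLA = timedelta(hours=12)  # window the article describes for critical, internet-facing flaws

@dataclass(frozen=True)
class Finding:
    finding_id: str                 # constructed placeholder, not a real advisory id
    asset: str
    severity: str                   # scanner label, e.g. "critical"
    internet_facing: bool           # taken from the asset inventory
    flagged_at: datetime            # when the flaw was flagged (UTC)
    patched_at: Optional[datetime] = None

def in_scope(f: Finding) -> bool:
    """Only critical findings on internet-exposed assets get the 12-hour clock."""
    return f.severity.lower() == "critical" and f.internet_facing

def triage(findings, now):
    """Return (queue, closed): open in-scope work, most urgent first, and patched outcomes."""
    queue, closed = [], {"met": 0, "missed": 0}
    for f in filter(in_scope, findings):
        deadline = f.flagged_at + SLA
        if f.patched_at is not None:
            closed["met" if f.patched_at <= deadline else "missed"] += 1
            continue
        left = deadline - now
        state = "BREACHED" if left < timedelta(0) else "open"
        queue.append((f.finding_id, f.asset, state, left))
    queue.sort(key=lambda row: row[3])   # least time remaining (or most overdue) first
    return queue, closed

def ts(hour):
    return datetime(2025, 1, 1, hour, tzinfo=timezone.utc)  # constructed timestamps

# Constructed sample findings; ids, hosts and times are illustrative only.
SAMPLE = [
    Finding("VULN-0001", "vpn-gw-01", "critical", True, ts(0)),
    Finding("VULN-0002", "www-edge-02", "critical", True, ts(9)),
    Finding("VULN-0003", "hr-db-01", "critical", False, ts(0)),         # internal: out of scope
    Finding("VULN-0004", "mail-01", "high", True, ts(0)),               # not critical
    Finding("VULN-0005", "api-gw-01", "critical", True, ts(0), ts(10)), # patched in 10 h
    Finding("VULN-0006", "sso-01", "critical", True, ts(0), ts(13)),    # patched in 13 h
]

if __name__ == "__main__":
    queue, closed = triage(SAMPLE, now=ts(14))
    for fid, asset, state, left in queue:
        print(f"{fid} {asset:12} {state:8} {left.total_seconds() / 3600:+.1f} h")
```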
### The Bottom Line
This CERT-In guideline is a wake-up call. The old way of patching—wait for a monthly cycle, test for weeks, then deploy—is dead. AI-assisted attacks demand a new approach. Whether you're in India or not, adopting a 12-hour patching mindset for critical, internet-facing flaws is becoming table stakes.
Start now. Review your current patch process, identify the bottlenecks, and build the automation you need. The attackers aren't waiting, and neither should you.