Indian CERT-In Mandates 12-Hour Patching in Response to AI-Driven Cyberattacks
The Indian Computer Emergency Response Team (**CERT-In**) has issued stringent new guidelines requiring organizations to rapidly patch critical security vulnerabilities. This directive comes in response to the increasing use of Artificial Intelligence (AI) by threat actors to automate vulnerability discovery and exploitation, significantly accelerating cyberattack timelines.

**CERT-In**'s new guidelines mandate that organizations patch critical security vulnerabilities in internet-exposed systems within 12 hours of being flagged, where "feasible." This aggressive timeline aims to counter the escalating threat posed by AI-enhanced cyberattacks.
### The AI-Cyber Threat Landscape
According to **CERT-In**'s 38-page blueprint, "AI-assisted cyber exploitation reduces the time required for adversaries to identify, weaponize, and exploit vulnerabilities, exposed services, weak identities, insecure APIs, and misconfigured systems."
The agency highlights the growing dependence on interconnected digital infrastructure, cloud ecosystems, software supply chains, operational technologies, and AI-enabled platforms, all of which amplify the potential impact of AI-enabled cyber threats across sectors.
Threat actors are leveraging AI for various malicious activities, including:
* Attack surface discovery
* Exploit analysis
* Phishing content generation
* Malware creation

This allows them to compress attack preparation timelines and bypass traditional security controls.

Furthermore, AI-enabled systems themselves are becoming targets through prompt injections, data leakage vulnerabilities, jailbreaking techniques, model manipulation, training data poisoning, model theft, and orchestration pipeline compromises.
### Defensive Principles
**CERT-In** emphasizes the need for proactive exposure reduction and operational preparedness. Key defensive principles include:
* Assuming breach and preparing for rapid incident response.
* Adopting a Zero Trust architecture.
* Implementing a defense-in-depth strategy.
* Continuous vulnerability monitoring and reduction.
* Embedding a secure-by-design paradigm.
* Maintaining operational continuity during incidents.
* Safeguarding sensitive data throughout its lifecycle.
* Reducing software supply chain risks through Software Bill of Materials (SBOM), provenance validation, and assessments.
* Regular security testing through red teaming and penetration testing.
* Prioritizing controls based on criticality and exposure.
* Establishing formal AI governance mechanisms.
* Maintaining visibility into AI systems and their behavior.
### Remediation Timelines
Beyond the 12-hour patching mandate for critical internet-facing vulnerabilities, **CERT-In** outlines the following risk-based remediation times:
* Critical externally exposed vulnerabilities: Within 1 day
* Known exploited vulnerabilities affecting internal systems: Within 1 day (unless mitigations are in place)
* Critical internal vulnerabilities affecting high-value systems: Within 3 days
* High-severity vulnerabilities: Within 5 days based on risk prioritization

In cases where patches are unavailable, temporary mitigations such as isolation, access restriction, Web Application Firewall (WAF)/API protection, enhanced monitoring, or feature disablement are recommended.
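
The tiers above can be encoded as a triage check over a vulnerability inventory. This is an added example, not code from CERT-In or the original article; the field names, the `fast_patch_feasible` flag (modelling "where feasible" and falling back to the 1-day tier), the choice of the tightest matching window, and the sample findings are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Finding:
    vuln_id: str             # constructed placeholder IDs, not real CVEs
    severity: str            # "critical", "high", or anything lower
    internet_exposed: bool
    known_exploited: bool
    high_value_asset: bool
    mitigated: bool          # a compensating control is already in place
    flagged_at: datetime
    fast_patch_feasible: bool = True  # assumption: models the "where feasible" qualifier

def remediation_window(f: Finding) -> Optional[timedelta]:
    """Tightest window among the article's tiers that match, or None if none match."""
    windows = []
    if f.severity == "critical" and f.internet_exposed:       # 12 h target, else 1 day
        windows.append(timedelta(hours=12) if f.fast_patch_feasible else timedelta(days=1))
    if f.known_exploited and not f.internet_exposed and not f.mitigated:  # internal KEV
        windows.append(timedelta(days=1))
    if f.severity == "critical" and not f.internet_exposed and f.high_value_asset:
        windows.append(timedelta(days=3))
    if f.severity == "high":
        windows.append(timedelta(days=5))
    return min(windows) if windows else None

def overdue(findings, now):
    """Return (vuln_id, time past deadline) for late findings, most overdue first."""
    late = []
    for f in findings:
        w = remediation_window(f)
        if w is not None and now > f.flagged_at + w:
            late.append((f.vuln_id, now - (f.flagged_at + w)))
    return sorted(late, key=lambda item: item[1], reverse=True)

# Constructed sample inventory, all flagged at the same time
T0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    Finding("VULN-A", "critical", True, False, False, False, T0),
    Finding("VULN-B", "high", False, True, False, True, T0),   # KEV but mitigated
    Finding("VULN-C", "critical", False, False, True, False, T0),
    Finding("VULN-D", "medium", False, False, False, False, T0),
]
```
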
### The Bigger Picture
This blueprint follows a previous advisory from **CERT-In** warning about the increasing cyber capabilities of frontier AI models from **Anthropic** and **OpenAI**, highlighting their potential for malicious use. The agency stressed that "baseline cybersecurity controls remain critical and should be rigorously enforced."