CERT-In’s 12hour patching requirement: Can organizations keep up?
29 May 2026
Overview
CERT-In, India’s national cybersecurity agency, has recommended that organizations patch critical vulnerabilities in all internet-facing systems within 12 hours of being discovered. This is a step taken by the agency to prepare organizations against AI-driven threats.
Through our blog, we will explore what the new guideline means, along with actions that organizations must take.
What has CERT-In recommended?
CERT-In has developed a 38- page document titled “Blueprint for Reducing Exposure and Defending against AI-Assisted Vulnerabilities Exploitation in Digital Infrastructure” to support organizations in building resilience against AI-enabled cyber threats.
The blueprint lays down a structured and implementation-oriented framework that covers:
- Governance and accountability
- Exposure reduction strategies
- Technical defense controls
- AI- aware security operations
- Vulnerability and exposure management
- Supply chain security
- Incident response and cyber resilience
- Continuous security validation
- Workforce preparedness and operational readiness
In its blueprint, CERT-In has recommended that organizations prioritize and patch all the critical vulnerabilities in internet-facing systems within 12 hours of discovery.
Why is timely patching important?
While many organizations are still following the traditional 15 to 30-day patch cycle, attackers are using AI to discover flaws in minutes, automate reconnaissance, and are leveraging publicly available exploit frameworks. Therefore, attacks are no longer taking weeks to orchestrate but hours after exploitation.
32.1% of vulnerabilities were exploited within or before 24 hours of disclosure in the first quarter of 2025 (VulnCheck 2025).
The recent data breaches have proven how quickly attackers are carrying out mass exploitation shortly after vulnerabilities become public. Some of the most recent examples include the Log4Shell, Citrix Bleed, and Ivanti vulnerabilities, where the attackers have quickly launched exploitation-based campaigns after disclosure of flaws.
Exploitation of vulnerabilities has risen to become the most common initial access vector for breaches, with a 31% increase over the previous year (Verizon DBIR 2026).
The CERT-In’s blueprint is not just about compliance but a warning that traditional vulnerability management approaches are going obsolete.
This is why proactive patching, monitoring, and other security activities are critical in the age of AI-enabled threats.
Is implementing 12-hour patching window easy?
Short answer – No.
Here’s why
Large enterprises often comprise large environments with legacy infrastructure, operations dependent on applications, operational technology (OT), and third-party dependencies. Therefore, any form of emergency patching can create downtime risks.
Also, many organizations are lacking proper asset management and continuous monitoring capabilities to quickly identify the affected systems.
What should organizations do?
Organizations must change how they approach vulnerability management to be secure against rapidly evolving threats and be compliant with the latest guidelines.
Instead of being dependent on periodic patching cycles, they must focus on prioritization of patching based on risk and exposure. Vulnerabilities that are affecting internet-facing systems and are actively exploited and known must be a top priority and must receive immediate patching efforts.
Additionally, organizations should also take actions to improve their overall resilience through actions like:
- Improving asset discovery
- Scanning vulnerabilities in real-time
- Planning and implementing exposure management
- Creating and implementing workflows for patch management
Organizations should also implement compensatory controls like endpoint monitoring, access restrictions, and network isolation for cases where patching cannot be done immediately.