India's national cybersecurity agency has told organisations running internet-facing systems to patch, mitigate, or isolate known-exploited critical vulnerabilities within 12 hours — a window so tight it renders the traditional monthly patch cycle functionally obsolete. The Computer Emergency Response Team India (CERT-In) released the directive on 26 May 2026 inside a 38-page document titled Blueprint for Reducing Exposure and Defending against AI-Assisted Vulnerabilities Exploitation in Digital Infrastructure (reference: CISG-2026-02).
Why 12 Hours?
The numbers behind the directive are stark. According to a Cloud Security Alliance analysis of the blueprint and supporting threat data, the average window between CVE publication and active exploitation in the wild has contracted from roughly 56 days in 2024 to as few as 10 hours by mid-2026 — driven by AI tooling capable of generating working exploits within minutes of a vulnerability's public disclosure. CERT-In states directly that "AI-assisted cyber exploitation reduces the time required for adversaries to identify, weaponize, and exploit vulnerabilities." The 12-hour window applies specifically to known-exploited vulnerabilities on internet-facing and "crown-jewel" systems where feasible. It is not a blanket universal deadline.
The blueprint sets a tiered remediation schedule beyond that headline figure:
Three AI Threat Vectors the Blueprint Names
CERT-In organises the threat landscape around three distinct AI-driven shifts. First, automated reconnaissance and exploit-code generation — AI agents scan entire networks, identify exposed services, and produce working exploits at machine speed. Second, hyper-personalised social engineering: AI-written phishing emails and deepfake voice calls that defeat the human detection heuristics most security awareness training is built on. Third, polymorphic malware that rewrites its own signatures on the fly, evading the detection-by-pattern logic that underpins most endpoint security stacks.
The Register's coverage notes that frontier AI models are actively cited in the blueprint as amplifiers of attacker capability — including examples of criminal groups using AI to build zero-day exploits for planned mass campaigns. The document also addresses prompt injection and model jailbreaking as threat surfaces, reflecting how AI systems themselves have become attack targets, not just attack tools.
What Practitioners Are Saying
Dray Agha, Senior Manager of Security Operations at Huntress, welcomed the explicit carve-out for temporary mitigations: "By explicitly encouraging temporary mitigations, such as isolation, access restriction, or disablement until a patch is ready, this turns the patching deadline into a highly feasible and necessary containment strategy." Agha added that defenders already witness vulnerabilities exploited within hours in the wild — making rapid-response adaptation a practical necessity, not an aspirational target.
What Organisations Must Actually Do
The blueprint is advisory, not legislated. But "advisory" does not mean optional for India's critical-infrastructure operators. CERT-In holds authority to impose the six-hour incident-reporting obligation under the 2022 IT (Amendment) Rules, and non-compliance with that existing rule carries enforcement teeth. The new guidance sits within that regulatory gravity.
Practically, the document requires organisations to maintain a dedicated AI asset inventory — cataloguing every AI system in the environment that could be a vulnerability surface or an attacker tool. It mandates building what CERT-In calls an "Agentic SOC": a security operations centre that uses AI-assisted tooling for continuous monitoring, alert triage, and rapid response. The three-phase implementation roadmap runs across 60 days: Days 0–7 cover immediate risk reduction (governance, internet-facing asset inventory, activating rapid patching); Days 8–30 focus on operational strengthening (monitoring uplift, AI governance, supply-chain assurance); Days 31–60 target advanced resilience through automation-assisted defence and continuous validation.
Security practitioners have noted publicly that the 12-hour directive does not demand full remediation. Temporary isolation, access restriction, or disabling an exposed service until a patch is ready all satisfy the intent. The point is to eliminate the dwell time that AI-assisted attackers now exploit between vulnerability disclosure and defender action.
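One way a vulnerability-management team could track that window against its own inventory, as an added example that is not taken from the CERT-In blueprint: it applies the scoping described above (known-exploited, and internet-facing or crown-jewel) and counts a patch or any of the named temporary mitigations as meeting the deadline. The record fields, asset names and the choice to start the clock when a finding is flagged as known-exploited are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=12)  # headline window reported in the article
# Outcomes the article says satisfy the directive: a patch, or a temporary
# mitigation (isolation, access restriction, disabling the exposed service).
CONTAINING = {"patched", "isolated", "access_restricted", "disabled"}
URGENCY = {"breached": 0, "open": 1, "met_late": 2, "met": 3}

def in_scope(f):
    # Known-exploited AND (internet-facing OR crown-jewel); not a blanket deadline.
    return f["known_exploited"] and (f["internet_facing"] or f["crown_jewel"])

def triage(findings, now):
    """Return in-scope findings with a status, most urgent first."""
    rows = []
    for f in findings:
        if not in_scope(f):
            continue
        deadline = f["flagged_at"] + WINDOW  # assumption: clock starts at flagging
        # An action with no timestamp cannot be verified, so it does not count.
        done_at = f["action_at"] if f["action"] in CONTAINING else None
        if done_at is not None:
            status = "met" if done_at <= deadline else "met_late"
        else:
            status = "breached" if now > deadline else "open"
        hours_left = round((deadline - now).total_seconds() / 3600, 1)
        rows.append({"asset": f["asset"], "status": status, "hours_left": hours_left})
    return sorted(rows, key=lambda r: (URGENCY[r["status"]], r["hours_left"]))

def finding(asset, exploited, facing, jewel, flagged_h, action=None, action_h=None):
    # Builds one constructed sample record; hours are offsets from T0.
    at = lambda h: None if h is None else T0 + timedelta(hours=h)
    return {"asset": asset, "known_exploited": exploited, "internet_facing": facing,
            "crown_jewel": jewel, "flagged_at": at(flagged_h),
            "action": action, "action_at": at(action_h)}

# Constructed inventory (hypothetical asset names, no real identifiers).
T0 = datetime(2026, 6, 1, 8, 0, tzinfo=timezone.utc)
NOW = T0 + timedelta(hours=24)
SAMPLE = [
    finding("vpn-gw-01", True, True, False, 0, "isolated", 3),
    finding("web-portal", True, True, False, 0),
    finding("billing-db", True, False, True, 16),
    finding("api-edge", True, True, False, 0, "patched", 20),
    finding("intranet-wiki", True, False, False, 0),   # out of scope: not exposed
    finding("mail-relay", False, True, False, 0),      # out of scope: not known-exploited
]

if __name__ == "__main__":
    for row in triage(SAMPLE, NOW):
        print(row)
```

The `met_late` status keeps assets that were contained after the window visible for review, since they were exposed during the period the directive aims to close.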
Why This Matters Beyond India
India's digital economy is one of the fastest-scaling in the world, and CERT-In's regulatory posture tends to ripple through ASEAN enterprise security teams — particularly in Singapore, Malaysia, and Indonesia, where shared infrastructure, outsourcing relationships, and supply-chain ties create direct exposure to the Indian market's threat surface. A 12-hour patching expectation at India's critical infrastructure layer raises the bar for every vendor and partner connected to it.
The blueprint is also the most detailed AI-threat guidance any major Asian cyber agency has published to date. Where previous CERT-In advisories focused on specific CVEs or incident response procedures, this document frames AI-accelerated exploitation as a structural shift that demands an operational — not just a compliance — response. Monthly patch cycles built around change-management windows are a design assumption the blueprint explicitly challenges.