
CERT-In's 12-Hour Patch Mandate — Research Note
India's AI-paced patching standard: the tiered remediation schedule, the exploit-window data that justifies it, and what security teams should do now.
On 25 May 2026 CERT-In set an indicative 12-hour expectation for containing or remediating known exploited vulnerabilities (KEVs) on internet-facing and high-value crown-jewel systems — a timeline calibrated to the speed at which AI-assisted attacks now weaponise disclosed flaws. This note distils what was published, the data behind it, and the practical response.
The tiered remediation schedule
| Window | Vulnerability & exposure profile | What qualifies |
|---|---|---|
| 12 hours | KEV on internet-exposed / high-value system | Already exploited in the wild; internet-facing or crown-jewel asset |
| 24 hours | Critical, not yet exploited, externally exposed | Critical severity with external exposure, no confirmed exploitation |
| 3 days | Critical on internal high-value system | Critical severity, high-value, not directly internet-facing |
| 5 days | High-severity, below critical threshold | High-severity flaws outside the critical band |
CERT-In framed these as indicative expectations rather than legally binding obligations. The signal is unambiguous: the regulator is benchmarking patch cadence against AI-speed exploitation. The 12-hour clock is an obligation to act — patch or contain — not exclusively to apply a software fix.
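The schedule above reduces to a severity × exposure decision, shown here as an added example (not CERT-In's or Macksofy's code) that computes each finding's deadline and checks whether a patch or documented containment landed inside it. The field names, status labels, asset names and placeholder CVE ids are assumptions constructed for illustration; combinations the table does not cover are reported as untiered rather than guessed.

```python
from datetime import datetime, timedelta, timezone

def window_hours(f):
    """Indicative window in hours per the tier table; None if no tier applies."""
    if f["kev"] and (f["internet_facing"] or f["high_value"]):
        return 12    # KEV on internet-facing or crown-jewel asset
    if f["severity"] == "critical" and f["internet_facing"]:
        return 24    # critical, externally exposed, no confirmed exploitation
    if f["severity"] == "critical" and f["high_value"]:
        return 72    # critical on internal high-value system (3 days)
    if f["severity"] == "high":
        return 120   # high severity, below critical (5 days)
    return None      # combination the table does not cover

def triage(findings, now):
    """Return (asset, cve, due, status) rows, earliest deadline first."""
    rows = []
    for f in findings:
        hours = window_hours(f)
        if hours is None:
            rows.append((f["asset"], f["cve"], None, "untiered"))
            continue
        due = f["known_at"] + timedelta(hours=hours)
        acted = f.get("acted_at")  # patch OR documented containment both stop the clock
        if acted is not None:
            status = "met" if acted <= due else "late"
        else:
            status = "breached" if now > due else "open"
        rows.append((f["asset"], f["cve"], due, status))
    return sorted(rows, key=lambda r: (r[2] is None, r[2] or now))

# Constructed sample data: placeholder CVE ids, hypothetical asset names.
T0 = datetime(2026, 6, 1, 9, 0, tzinfo=timezone.utc)  # constructed "CVE lands 09:00"
def finding(asset, cve, kev, severity, internet_facing, high_value, acted_after_h=None):
    acted = None if acted_after_h is None else T0 + timedelta(hours=acted_after_h)
    return {"asset": asset, "cve": cve, "kev": kev, "severity": severity, "known_at": T0,
            "internet_facing": internet_facing, "high_value": high_value, "acted_at": acted}

FINDINGS = [
    finding("lab-pc",   "CVE-0000-0005", False, "critical", False, False),
    finding("build-07", "CVE-0000-0004", False, "high",     False, False),
    finding("erp-db",   "CVE-0000-0003", False, "critical", False, True),
    finding("web-01",   "CVE-0000-0002", False, "critical", True,  False),
    finding("vpn-gw",   "CVE-0000-0001", True,  "critical", True,  False, acted_after_h=11),
]

if __name__ == "__main__":
    for asset, cve, due, status in triage(FINDINGS, now=T0 + timedelta(hours=30)):
        print(f"{asset:9} {cve}  due={due}  {status}")
```

In the sample run, taken 30 hours after disclosure, the KEV on `vpn-gw` counts as met because containment landed at hour 11, while the unexploited critical on `web-01` has already passed its 24-hour window.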
Why 12 hours — the exploit window has collapsed
AI frameworks that generate working exploits from a CVE description in minutes have changed the economics of weaponisation. Any organisation holding 30-day or even 7-day windows for internet-exposed systems is running a risk posture formulated before the current AI capability environment existed.
When you can't patch in time — compensating controls
CERT-In explicitly accepts interim containment where vendor patches don't exist or deployment can't be compressed. A documented measure executed within 12 hours satisfies the intent of the standard:
- Network isolation of the affected system from non-essential reachability.
- Access restriction — authenticated users only; tighten firewall and identity policy.
- WAF rule deployment to virtually patch the exploited path at the edge.
- Segmentation, JIT access and protocol restriction that neutralise the exposure.
India vs the current US federal posture
| | CERT-In (India) · May 2026 | CISA KEV (US) · 2026 |
|---|---|---|
| Window | 12 hours for KEVs on internet-facing / crown-jewel systems | ~14-day average remediation deadlines |
| Structure | Tiered by severity × exposure (12h / 24h / 3d / 5d) | Moving toward a 14-day default window |
| Calibration | Explicitly calibrated to AI exploitation speed | Three-day KEV standard reportedly under consideration |
| Flexibility | Compensating controls accepted as interim compliance | Same AI threat data informing the debate |
What to do in the next 30 / 60 / 90 days
- Audit internet-facing assets and map them against CERT-In advisories and the CISA KEV catalog
- Integrate a near-real-time KEV threat-intelligence feed with alerting tied to the asset inventory
- Build and test a compensating-control playbook executable inside 12 hours
- Stand up tested emergency patch-deployment automation for the internet-facing tier
- Add vulnerability-triggered containment scenarios to incident-response playbooks
- Run a live-KEV tabletop: CVE lands 09:00 with confirmed exploitation — contained by 21:00?
A 5-page Macksofy-branded research note PDF — the tiered schedule, exploit-window data, compensating-control path and action list — is available for download at the top of this page. Built from public facts; sources cited; not affiliated with CERT-In or the Cloud Security Alliance.
Sources
- CERT-In — AI Threat Landscape guidance, 25 May 2026.
- Cloud Security Alliance — research note on CERT-In's 12-hour patch mandate, May 2026.
- Mandiant — M-Trends 2026 (time-to-exploit metrics).
- CVE-Genie / "From CVE Entries to Verifiable Exploits" — arXiv:2509.01835, 2026.
- CISA — Known Exploited Vulnerabilities catalog (remediation deadlines, 2026).
- Full analysis: /blog/cert-in-12-hour-patch-mandate-ai-exploitation-2026
