Back to front page
Policy May 29, 2026

India's 12-Hour Clock: CERT-In's New AI Patch Mandate and What It Means for Global Security

India's CERT-In now recommends patching known exploited vulnerabilities on internet-facing and crown-jewel systems within 12 hours, tightening global pressure for AI-speed cyber response.

On May 27, India's Computer Emergency Response Team (CERT-In) issued guidance that reshapes enterprise patching expectations: where operationally feasible, known exploited vulnerabilities on internet-facing and crown-jewel systems should be patched within 12 hours.

The recommendation is risk-based rather than universal across all vulnerability classes, but it materially compresses response timelines for the systems most likely to be targeted in active campaigns.

Built on India's Existing 6-Hour Reporting Regime

Since 2022, CERT-In incident reporting requirements have pushed organizations to report cyber incidents within 6 hours of discovery. The 2026 patch guidance adds a second compressed clock for remediation when exploitation is already in the wild.

Together, these timelines reduce the gap between detection, escalation, and technical response, making delayed patch windows harder to justify for exposed high-value assets.

AI Compresses the Defender's Window

In 2026, AI-assisted reconnaissance and exploit development can reduce attacker timelines from days to hours, raising the cost of traditional multi-day patch cadences.

CERT-In's emphasis on known exploited vulnerabilities aligns with this shift: once exploitation is active, defenders may only have a narrow, automation-dependent window to prevent compromise at scale.

Global Supply Chains Feel the Spillover

Multinational organizations operating in India or relying on India-based services now need to account for tighter patch-response expectations in vendor governance, contractual security terms, and incident playbooks.

As jurisdictions set different response clocks, global security teams are forced to operate across competing timelines, increasing pressure for standardized automation and higher baseline readiness.

A Signal for AI-Era Cyber Policy

India's 12-hour recommendation highlights a broader policy transition: cyber defenses are being redesigned for threat environments that move at AI speed rather than human administrative speed.

For security leaders, the strategic requirement is clear: build patching, mitigation, and monitoring systems that can execute continuously, not just during scheduled maintenance cycles.