
CERT-In’s 12-Hour Patch Mandate: Is Your Organisation Ready to Respond at AI Speed?


CERT-In just published a risk-based remediation framework that resets expectations for every organisation operating in India. The timelines are worth reading twice: 

  • Internet-facing known exploited vulnerabilities (KEV): contain or remediate within 12 hours 
  • Critical externally exposed vulnerabilities: patch or mitigate within 1 day 
  • Internal known exploited vulnerabilities: patch or mitigate within 1 day 
  • Critical internal vulnerabilities on high-value systems: patch or mitigate within 3 days 
  • High-severity vulnerabilities: patch or mitigate within 5 days 
  • No patch available: deploy temporary controls including isolation, access restriction, and WAF/API protection until a fix lands 

Now consider one question: if a known exploited vulnerability appeared on your internet-facing application at 11pm tonight, what would your team do in the next 12 hours? 

Why These Timelines Are Not Arbitrary 

The 38-page blueprint, published on May 25, 2026, maps something most security leaders already sense but rarely see documented this clearly. Generative AI, large language models, and autonomous agents have collapsed the attacker timeline. Reconnaissance that took days now takes hours. Exploit development that required specialist skills can now be largely automated. The window between a vulnerability being disclosed and it being actively weaponised has shrunk to a point where traditional patch management cycles simply do not fit anymore. 

CERT-In’s timelines were not set based on what defenders can comfortably achieve. They were set based on what attackers are already achieving. That framing matters because as AI tools become more accessible, the pressure is going to increase. 

The guidance also shifts how organisations should prioritise. Rather than relying on CVSS severity scores, CERT-In points toward the CISA Known Exploited Vulnerabilities catalog and the Exploit Prediction Scoring System (EPSS). The question is how actively a vulnerability is being targeted right now.
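As an added example (not code from CERT-In or AppTrana), the sketch below turns the timelines listed above into a triage function that assigns each finding a due time counted from detection and orders the backlog. The `Finding` fields, the sample backlog and the use of EPSS purely as a tie-breaker are assumptions made for illustration; the page gives no EPSS threshold, so none is used.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Finding:  # field names are assumptions made for this example
    name: str
    detected: datetime
    severity: str                 # "critical", "high", "medium", ...
    internet_facing: bool
    known_exploited: bool         # e.g. present in the CISA KEV catalog
    high_value: bool = False
    patch_available: bool = True
    epss: float = 0.0             # tie-breaker only; no threshold assumed

def window(f):
    """Map a finding to the remediation window listed above, tightest tier first."""
    if f.known_exploited and f.internet_facing:
        return timedelta(hours=12)
    if f.known_exploited or (f.severity == "critical" and f.internet_facing):
        return timedelta(days=1)
    if f.severity == "critical" and f.high_value:
        return timedelta(days=3)
    if f.severity == "high":
        return timedelta(days=5)
    return None                   # not covered by the tiers listed above

def triage(findings, now):
    """Return covered findings ordered by due time, then by EPSS descending."""
    rows = []
    for f in findings:
        w = window(f)
        if w is None:
            continue
        due = f.detected + w
        action = "patch or mitigate" if f.patch_available else "temporary controls"
        rows.append((due, -f.epss, f.name, action, now > due))
    return [{"name": n, "due": d, "action": a, "overdue": o}
            for d, _, n, a, o in sorted(rows)]

T0 = datetime(2026, 6, 1, 23, 0)  # constructed sample: all detected at 11pm
BACKLOG = [
    Finding("wiki-high", T0, "high", False, False),
    Finding("portal-critical", T0, "critical", True, False, epss=0.2),
    Finding("erp-critical", T0, "critical", False, False, high_value=True),
    Finding("edge-api-kev", T0, "high", True, True, patch_available=False, epss=0.9),
    Finding("fileserver-kev", T0, "high", False, True, epss=0.7),
    Finding("printer-medium", T0, "medium", False, False),
]
```

Calling `triage(BACKLOG, T0 + timedelta(hours=13))` puts the unpatched internet-facing KEV first and marks it overdue, which is the situation the 11pm question describes.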

The Operational Gap Most Teams Will Not Admit 

A 12-hour containment window assumes several things that most enterprise security teams cannot honestly confirm today. 

It assumes you already know which of your applications are exposed at any given moment. It assumes you can deploy a virtual patch or mitigation within hours, before a full fix is ready. It assumes someone with the right expertise is available to make that call regardless of when the alert fires. And it assumes your change management process does not become the bottleneck that turns a 12-hour window into a 3-day one. 

For most teams, one or more of these assumptions does not hold, because the tooling and workflows were built for a threat environment that no longer exists. The result is a gap that is easy to overlook until it becomes a breach. 

How AppTrana Closes the Gap 

Most teams detect vulnerabilities. The breakdown happens in what follows. A vulnerability is found, development is mid-sprint, the change management queue adds days, and the application stays exposed while the process catches up.

AppTrana’s SwyftComply removes that bottleneck. When a vulnerability is identified, SwyftComply checks whether the existing configuration already mitigates it. In the <5% of cases where it does not, it autonomously generates an app-specific security policy at the edge, tests it for false positives, gets expert verification, and enforces protection, all within hours. Your development team fixes the underlying vulnerability on a realistic timeline. Your application is protected from the moment the risk is identified.

The Conversation Worth Having Now 

CERT-In’s guidance is the beginning of a regulatory direction that reflects a permanent shift in how fast threats need to be mitigated. Organisations that align their security operations to this new tempo now will be significantly better positioned than those that wait for a breach to force the conversation. 

If your current patching and response workflow cannot answer that opening question with confidence, it is worth finding out where the gaps are before an attack. 

 Start your free trial today and see how AppTrana helps you meet CERT-In’s remediation timelines across your web applications and APIs. 


Vinugayathri Chinnasamy

Vinugayathri Chinnasamy is an Assistant Product Marketing Manager at Indusface, focused on application security, penetration testing, and managed WAAP. She translates vulnerability research, compliance requirements, and real-world attack trends into practical, decision-ready insights for security and business teams.

Frequently Asked Questions (FAQs)

CERT-In’s risk-based remediation framework requires organisations to contain or remediate internet-facing known exploited vulnerabilities within 12 hours of detection. Critical externally exposed vulnerabilities must be patched within 1 day, and high-severity findings within 5 days. 

CERT-In requires organisations to deploy immediate controls including isolation, access restriction, and WAF or API protection until a code-level fix is available. 

Rather than relying on CVSS severity scores alone, CERT-In points toward the CISA Known Exploited Vulnerabilities catalog and the Exploit Prediction Scoring System (EPSS), prioritising vulnerabilities based on active exploitation rather than theoretical severity. 

CERT-In’s timelines are based on attacker speed, not defender comfort. AI-assisted reconnaissance and exploit development have collapsed the window between disclosure and active weaponisation to hours in many cases. 

SwyftComply autonomously generates an application-specific virtual patch at the WAF edge within hours of vulnerability identification, protecting the application before the code-level fix reaches a sprint cycle. 

Yes. CERT-In explicitly allows WAF and API protection as immediate controls when no patch is available. AppTrana’s virtual patching directly satisfies this requirement while development works on the permanent fix.