Compliance

CERT-In AI Security Blueprint 2026: Remediation Timelines Every Indian Organisation Should Know

5 min read Updated

If a known exploited vulnerability appeared on your internet-facing application right now, what would your team actually do in the next 12 hours?

What would actually happen, given your tooling, your sprint cycle, your change management queue, and who is available.

CERT-In’s blueprint sets these timelines because generative AI and autonomous agents have collapsed the attacker timeline to the point where anything longer is already too slow.

  • Internet-facing known exploited vulnerabilities (KEV): contain or remediate within 12 hours
  • Critical externally exposed vulnerabilities: patch or mitigate within 1 day
  • Internal known exploited vulnerabilities: patch or mitigate within 1 day
  • Critical internal vulnerabilities on high-value systems: patch or mitigate within 3 days
  • High-severity vulnerabilities: patch or mitigate within 5 days
  • No patch available: deploy temporary controls including isolation, access restriction, and WAF/API protection until remediation becomes available,

That gap between the answer you want to give and the answer you can honestly give is what this blueprint is designed to close.

Why CERT-In Blueprint Set a 12-Hour Deadline

Section 4 spells out the answer directly: AI has collapsed the time attackers need to find and exploit a vulnerability. AI-assisted tooling can now automate large parts of the pre-exploitation: attack surface discovery, exposed API identification, vulnerability analysis, and exploit code generation run as one workflow. Section 4.3 goes further: agentic AI can run reconnaissance, exploitation, and data exfiltration as one compressed sequence, dropping the barrier far enough that even semi-skilled actors can run sophisticated attacks at scale.

The gap between a vulnerability appearing on your attack surface and an attacker weaponising it used to be weeks. For known exploited vulnerabilities, it is now hours. Your security operations were built for weeks.

The Operational Gap Most Teams Will Not Admit

A 12-hour containment window assumes several things that most enterprise security teams cannot honestly confirm today.

It assumes you already know which of your applications are exposed at any given moment. It assumes you can deploy a virtual patch or mitigation within hours, before a full fix is ready. It assumes someone with the right expertise is available to make that call regardless of when the alert fires. And it assumes your change management process does not become the bottleneck that turns a 12-hour window into a 3-day one.

For most teams, one or more of these assumptions does not hold, because the tooling and workflows were built for a threat environment that no longer exists. That gap stays invisible until it becomes a breach.

How AppTrana Closes the Gap

Most teams detect vulnerabilities. The breakdown happens in what follows. A vulnerability is found, development is mid-sprint, the change management queue adds days, and the application stays exposed while the process is catching up.

AppTrana’s SwyftComply removes that bottleneck. When a vulnerability is identified, SwyftComply first checks whether your existing configuration already blocks it. In the under-5% of cases it does not, SwyftComply generates an app-specific policy at the edge, tests it for false positives, gets expert verification, and enforces protection, all within hours. Your development team fixes the underlying vulnerability on a realistic timeline. Your application is protected from the moment the risk is identified.

Everything Else the CERT- In Blueprint Requires

The 12-hour window is the sharpest deadline in the blueprint, but it is not the only one. A fuller set of expectations runs alongside it, spanning AI systems, APIs, monitoring, testing, and incident response.

AI systems are now a named attack surface – If your applications route any traffic to an LLM, Section 7 Item 9 requires prompt injection protection, AI access controls, model monitoring, AI activity logging, and adversarial testing as standard controls, not optional add-ons. Section 4.4 spells out exactly what these controls are meant to defend against: prompt injection, model manipulation, training data poisoning, AI model theft, sensitive data leakage, and compromise of AI orchestration pipelines. Section 12 goes further, requiring organisations to maintain an inventory of every AI system in use, including shadow AI tools adopted without formal approval, and to apply governance and monitoring uniformly across all of them.

Insecure APIs are the exposure CERT-In flags most – Section 4.1 names exposed API identification as a core activity of AI-enabled reconnaissance, right alongside attack surface discovery and vulnerability analysis. Section 7 Item 6 translates that into a concrete requirement: ongoing API security testing alongside SAST, DAST, SCA, and secrets management, with all of it run continuously rather than at scheduled intervals.

Monitoring-only postures don’t satisfy Assume Breach – Principle 1 requires continuous monitoring, segmentation, and rapid containment as baseline posture, not an upgrade path. Section 8 is explicit on the detection mechanism itself, stating that signature-based and static detection methods are insufficient against AI-enabled attacks and that behavioural monitoring, anomaly detection, and continuous traffic analysis are required instead.

Testing has to be continuous, not annual. Section 7 Item 14 and Section 11 call for ongoing VAPT, adversarial simulation, and control validation on a rolling basis. The blueprint frames a once-a-year audit cycle as structurally incompatible with the pace of AI-assisted attacks, since a control validated in January offers no assurance against a vulnerability class that emerges in March.

The 6-hour reporting clock starts at detection, not after investigation. Section 10 requires you to report cyber incidents to CERT-In within 6 hours of detection. If detection and triage alone eat that window, you have missed the notification deadline before anyone starts drafting the report.

Quick Summary: CERT-In Recommendations and AppTrana Coverage

AppTrana is purpose-built for the internet-facing web app, API, and AI layer. The blueprint treats that layer as its strictest tier, carrying the tightest remediation timelines, the most explicit API and AI security requirements, and the controls CERT-In names first.

CERT-In Recommendation Section What It Actually Means AppTrana capabilities mapped to those requirements
AI: Prompt injection, jailbreak, and model abuse protection, with access controls and adversarial testing 7, Item 9; Section 11, Item 4; Section 12 Block adversarial inputs targeting LLM-integrated applications, control who can access AI models and APIs, and test continuously for prompt injection and model integrity AI Shield: OWASP LLM Top 10 coverage, prompt injection and jailbreak blocking, AI API access monitoring and adversarial testing
AI: Shadow AI detection and asset inventory Section 12, Item 2; Section 7, Item 1 Identify unauthorised AI tools and integrations in use across the organisation EASM: surfaces AI-integrated endpoints and undiscovered AI APIs
API: Continuous discovery, security testing, and exposure classification 7, Item 1; Section 7, Item 6; 7, Item 8 Know every API exposed including shadow and zombie endpoints, test against OWASP API Top 10, and classify APIs exposing sensitive data API Protection: continuous discovery, schema-aware positive security, automated PII, PCI, and PHI classification
API: Rate limiting and behavioural abuse detection 7, Item 6; Section 8 Block automated abuse and business logic attacks that gateways miss API Protection: rate limiting and behavioural anomaly detection
WAF: Active block mode and compensating control when no patch exists Section 9; Principle 1 Deploy WAF protection immediately when no patch is ready; monitoring-only is insufficient Active block mode from day zero, zero false-positive guarantee
WAF: Behavioural detection and DDoS mitigation Section 8; 7, Item 4 Signature-based monitoring alone is insufficient; availability must be protected against volumetric attacks 24×7 managed monitoring with behavioural analysis, unmetered DDoS protection with 100% uptime SLA
Vulnerability remediation: 12-hour mitigation and risk-based prioritisation Section 9 Close the exposure window before development ships a fix, prioritising by active exploitation likelihood using KEV and EPSS, not CVSS score SwyftComply: autonomous virtual patch, expert-verified clean report within hours. AcuRisQ: surfaces highest-exploitability exposures first
Vulnerability remediation: Continuous attack surface monitoring 7, Item 1; Principle 4 Visibility so the 12-hour clock starts when risk surfaces, not at next scan EASM: real-time attack surface monitoring and risk scoring
DAST and testing: Continuous application testing, penetration testing, and control validation 7, Item 6; 7, Item 14; Section 11 Testing by automated tooling and qualified engineers on an ongoing basis, with re-validation after every fix Built-in DAST, expert-verified penetration testing, automated remediation validation
Incident response: 24×7 detection, response, and post-incident review Section 10, Item 7 Expert coverage around the clock and learning from every incident to update controls 24×7 managed security operations: tuning, triage, response, and full incident telemetry for post-incident analysis

Start With Phase 1 of the Blueprint’s Own Roadmap

Section 13 sets Phase 1 in a 0 to 7 day window: identify critical assets and internet-facing systems, implement MFA, run vulnerability assessments, patch critical and known exploited vulnerabilities, reduce unnecessary exposure, enable security logging, and establish incident reporting procedures.

If a known exploited vulnerability appeared on your application tonight, would it be contained by morning? If the answer is uncertain, start with your attack surface. That is where CERT-In’s 12-hour clock starts too.

Start a free trial with AppTrana and see exactly where your applications stand against CERT-In’s blueprint, before the next exploit makes that decision for you.

Stay tuned for more relevant and interesting security articles. Follow Indusface on FacebookTwitter, and LinkedIn.

Vinugayathri
Vinugayathri Chinnasamy

Vinugayathri Chinnasamy is an Assistant Product Marketing Manager at Indusface, focused on application security, penetration testing, and managed WAAP. She translates vulnerability research, compliance requirements, and real-world attack trends into practical, decision-ready insights for security and business teams.

Frequently Asked Questions (FAQs)

The blueprint is issued as guidance, not a standalone regulation with penalties attached. CERT-In does not use the word “mandatory” in the document itself. That said, the 6-hour incident reporting direction it references stems from CERT-In’s existing statutory directions under the IT Act, which do carry compliance weight, and CERT-In empanelled auditors are likely to benchmark against this blueprint going forward.

No. Section 9 says “contain or mitigate” within 12 hours, not that your underlying code fix must ship in that window. A compensating control, such as a WAF/API policy, satisfies the requirement while your permanent fix follows its normal development cycle.

At the point a vulnerability is identified as a known exploited vulnerability on an internet-facing or crown-jewel system, not from when your team finishes investigating it. The same detection-first logic applies to the 6-hour incident reporting window in Section 10.

The blueprint is framed around organisations operating in India and protecting India’s digital ecosystem. If you have Indian operations, Indian customer data, or internet-facing systems serving Indian users, you sit within its intended scope, regardless of where your parent company is headquartered.

The blueprint does not reference RBI, SEBI, or IRDAI directly. It is a CERT-In framework focused on AI-assisted threats across the digital ecosystem generally. Sector-specific regulators may issue their own aligned requirements, as IRDAI has done separately, so treat this blueprint as an additional layer, not a replacement for your existing sectoral obligations.

That’s exactly why it matters. The internet-facing web app, API, and AI layer is the strictest tier in the blueprint, carrying the tightest remediation timelines (the 12-hour KEV window) and the most explicit named risks. AppTrana goes deep on this layer, with continuous discovery, autonomous remediation, and 24×7 coverage, the depth a broader estate-wide tool typically cannot match for this specific surface.

Most WAFs run in monitoring mode, which does not meet CERT-In’s Assume Breach principle or the Section 9 remediation requirement. The Indusface AppSec 2026 Report found 32% of critical vulnerabilities stay open past 180 days due to development backlogs. AppTrana runs in active block mode from day one; SwyftComply closes the exposure gap autonomously while your code fix follows its normal sprint cycle.

Yes, Section 12 still applies. It requires an inventory of every AI tool in use, including shadow AI, such as a team using a public AI writer connected to company data. AppTrana’s EASM surfaces these automatically.