The compression of the remediation window from industry-standard 30-day cycles to 12 hours for internet-facing systems creates immediate operational and compliance pressure: organizations that cannot demonstrate timely patching face regulatory penalty exposure under CERT-In's authority and, by precedent, from other regulators adopting similar timelines. A failure to patch a critical internet-facing vulnerability within the mandated window — even temporarily — increases the probability of successful automated exploitation, which can result in data breach costs, ransomware deployment, and service disruption. The broader signal is that AI-accelerated exploitation has materially shortened the viable window between public vulnerability disclosure and organizational compromise, making legacy patch governance a quantifiable business liability.
You Are Affected If
Your organization operates internet-facing systems (web applications, VPNs, remote access portals, APIs, or public-cloud-hosted services) in India or under CERT-In jurisdiction
Your current vulnerability remediation SLA for critical vulnerabilities exceeds 12 hours for internet-exposed assets
Your patch approval process requires standard change advisory board review that cannot complete within a 12-hour window
You lack continuous asset inventory visibility and cannot confirm at any given time which services are internet-exposed and which are fully patched
You do not have compensating controls (WAF, virtual patching, network segmentation) available as interim measures when emergency patching is not operationally feasible
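To make the self-assessment above concrete, here is an added example (not part of the original briefing or any CERT-In tooling) that applies the two windows the page describes, 12 hours for internet-facing assets and the legacy 30-day cycle for everything else, to a constructed vulnerability inventory and reports which findings are open, overdue, or only covered by an interim compensating control. Asset names, vulnerability ids and timestamps are hypothetical sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional

# Remediation windows as stated on the page: 12 hours for internet-facing
# systems, the legacy 30-day cycle for everything else.
WINDOW_INTERNET_FACING = timedelta(hours=12)
WINDOW_OTHER = timedelta(days=30)

@dataclass
class Finding:
    asset: str
    vuln_id: str                      # placeholder ids in the constructed sample below
    disclosed: datetime               # public disclosure time, UTC
    internet_facing: bool
    patched_at: Optional[datetime] = None
    compensating_control: Optional[str] = None   # e.g. WAF rule, virtual patch

def deadline(f: Finding) -> datetime:
    """The deadline depends only on whether the asset is internet-exposed."""
    return f.disclosed + (WINDOW_INTERNET_FACING if f.internet_facing else WINDOW_OTHER)

def status(f: Finding, now: datetime) -> str:
    """patched / patched-late / open / mitigated-overdue / overdue."""
    if f.patched_at is not None:
        return "patched" if f.patched_at <= deadline(f) else "patched-late"
    if now <= deadline(f):
        return "open"
    # Past the window with no patch: a compensating control is an interim
    # measure, not compliance, so it gets its own state and stays visible.
    return "mitigated-overdue" if f.compensating_control else "overdue"

def sla_report(findings: Iterable[Finding], now: datetime) -> Dict[str, str]:
    return {f.asset: status(f, now) for f in findings}

# Constructed sample inventory (hypothetical assets and ids), all disclosed at T0,
# evaluated 13 hours later, i.e. one hour past the internet-facing window.
T0 = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
NOW_SAMPLE = T0 + timedelta(hours=13)
SAMPLE = [
    Finding("vpn-gw", "VULN-0001", T0, True, compensating_control="WAF virtual patch"),
    Finding("web-app", "VULN-0002", T0, True, patched_at=T0 + timedelta(hours=8)),
    Finding("api-gw", "VULN-0003", T0, True),
    Finding("hr-portal", "VULN-0004", T0, False),
]

if __name__ == "__main__":
    for asset, state in sla_report(SAMPLE, NOW_SAMPLE).items():
        print(f"{asset:10s} {state}")
```

Feeding the real asset inventory into `sla_report` on a schedule gives the "which internet-exposed services are not yet patched" answer that the fourth point above asks for.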
Board Talking Points
India's national cybersecurity authority now requires organizations to patch critical internet-facing vulnerabilities within 12 hours of disclosure — a direct response to AI tools that can automate attacks faster than traditional patch cycles allow.
We recommend an immediate review of our patch governance process to create an emergency remediation track for internet-exposed systems, with a target completion date within 30 days.
Organizations that do not adapt their remediation timelines face both regulatory penalty exposure under CERT-In and a materially higher probability of breach, given that AI-assisted exploitation can now operate within hours of a vulnerability becoming public.
CERT-In Directions 2022 (India) — this directive directly updates CERT-In's mandatory compliance requirements; organizations operating in India or processing data of Indian residents must assess applicability against their internet-facing asset inventory
DPDP Act 2023 (India) — accelerated exploitation of internet-facing systems increases breach probability; a resulting data breach involving personal data of Indian residents triggers notification obligations under India's Digital Personal Data Protection Act