India’s cybersecurity watchdog, the Indian Computer Emergency Response Team (CERT-In), has released a new directive targeting organizations that operate internet exposed systems. The agency now requires critical security flaws in these systems to be patched within 12 hours of identification, provided it is feasible. This accelerated timeline is a direct response to the growing use of artificial intelligence by malicious actors to automate the discovery and exploitation of vulnerabilities.
New Rules Driven by AI Threats
CERT-In’s 38 page blueprint outlines how AI assisted cyber exploitation is compressing the time needed for adversaries to identify and weaponize weaknesses in exposed services, cloud setups, insecure APIs, and misconfigurations. The agency warns that AI tools can now automate attack surface discovery, analyze exploits, generate convincing phishing content, and even produce malware. This capability allows attackers to bypass traditional security controls and launch attacks at a much faster pace. The guidelines emphasize that organizations should expect exploitation timelines to collapse and attacks to become more autonomous.
Defensive Principles and Scope
To counter these evolving threats, CERT-In recommends continuous threat assessment, proactive reduction of the attack surface, and improved operational preparedness. The new rules also highlight that AI enabled systems themselves are vulnerable to attacks such as prompt injections, model manipulation, data leakage, and training data poisoning. These threats can undermine the confidentiality and integrity of AI platforms. The directive applies across sectors, recognizing that interconnected digital infrastructure, cloud ecosystems, and software supply chains are all at increased risk.
Source: The Hacker News
