The Indian Computer Emergency Response Team (CERT-In) has issued new guidelines requiring organizations to patch critical security vulnerabilities in internet-exposed systems within 12 hours of being flagged where “feasible” to safeguard against potential threats stemming from threat actors’ abuse of artificial intelligence (AI) tools and large language models (LLMs) to automate vulnerability discovery and exploitation, and enhance the scale and velocity of cyber attacks.
“AI-assisted cyber exploitation reduces the time required for adversaries to identify, weaponize, and exploit vulnerabilities, exposed services, weak identities, insecure APIs, and misconfigured systems,” CERT-In said in a 38-page blueprint published Monday.
“As organizations become increasingly dependent on interconnected digital infrastructure, cloud ecosystems, software supply chains, operational technologies, and AI-enabled platforms, the potential impact of AI-enabled cyber threats continues to increase across sectors.”
With threat actors beginning to increasingly rely on AI for a wide range of tasks, including attack surface discovery, exploit analysis, convincing phishing content, and even malware generation, they can significantly compress attack preparation timelines and bypass traditional security controls.
Furthermore, AI-enabled systems may themselves become targets of malicious attacks via prompt injections, data leakage vulnerabilities, jailbreaking techniques, model manipulation, training data poisoning, model theft, and orchestration pipeline compromises, effectively undermining their confidentiality and integrity.
CERT-In has warned that organizations should expect exploitation timelines to collapse significantly and attacks to become autonomous, necessitating the need for adopting heightened cybersecurity measures that involve continuous threat assessment, proactive exposure reduction, and operational preparedness.
Some of the defensive principles outlined by the cybersecurity agency to reduce exposure and better respond to AI-assisted cyber threats are listed below –
- Assume breach and prepare for rapid detection, containment, and recovery from compromise scenarios.
- Adopt a Zero Trust approach by enforcing continuous verification and least-privilege access.
- Implement a defense-in-depth strategy with layered controls across infrastructure to eliminate single points of failure and minimize the overall impact of a successful breach.
- Monitor and reduce exposure to security vulnerabilities.
- Embed a secure-by-design paradigm into systems, applications, and AI workflows.
- Maintain operational continuity during cyber incidents and disruption scenarios.
- Safeguard sensitive and operationally critical data throughout its lifecycle.
- Reduce software supply chain risks arising from third-party software, AI models, and dependencies through SBOM, provenance validation, and assessments.
- Test security effectiveness against evolving threats through red teaming, vulnerability assessments, penetration testing, and independent audits.
- Prioritize controls based on operational criticality and threat exposure.
- Establish formal governance mechanisms regarding the use of AI systems.
- Maintain visibility into AI systems, integrations, and operational behavior.
“Organizations should implement layered, risk-based, and continuously validated technical controls to reduce exposure to AI-assisted cyber threats,” CERT-In said. “Controls should prioritise protection of internet-facing systems, critical business applications, identities, cloud environments, APIs, sensitive data, AI-enabled systems, and operational infrastructure.”
The agency is also urging organizations to embrace “continuous, risk-based vulnerability and patch management practices” to reduce exposure arising from security flaws, misconfigurations, insecure APIs, publicly-accessible services, and weak identities. To that end, known exploited vulnerabilities affecting internet-facing and critical systems should be remediated within 12 hours where applicable.
Other risk-based remediation times are as follows –
- Critical externally exposed vulnerabilities: Within 1 day
- Known exploited vulnerabilities affecting internal systems: Within 1 day unless other mitigations are implemented and documented
- Critical internal vulnerabilities affecting high-value systems: Within 3 days
- High-severity vulnerabilities: Within 5 days based on risk prioritization
In scenarios where no patches are immediately available, it’s advised to implement temporary mitigations such as isolation, access restriction, WAF/API protection, enhanced monitoring, or feature disablement until the fix is released.
“Given the rapidly evolving nature of AI-assisted cyber threats, organisations should continuously reassess exposure, validate security controls, strengthen resilience capabilities, and enhance operational preparedness through ongoing audits, monitoring, testing, and coordinated cybersecurity governance,” CERT-In said.
The blueprint arrives a month after CERT-In released an advisory warning of the growing cyber capabilities of frontier AI models from Anthropic and OpenAI, stating how their “dual-use nature” could “lower the barrier to entry for malicious cyber actors and be leveraged to accelerate attack execution, automate exploitation workflows and scale cyber campaigns.”
“Keeping pace with frontier AI-driven cyber developments is critical for maintaining cyber resilience,” it added. “Baseline cybersecurity controls remain critical and should be rigorously enforced.”
