CERT‑In AI Vulnerability Blueprint Demands 12‑Hour Remediation, Driving Need for Machine‑Speed Risk Operations
What Happened — India’s cyber‑security regulator CERT‑In released a 2026 blueprint that treats AI‑generated exploits as a “Mythos‑class” threat. The guidance obliges organisations to contain known exploited vulnerabilities on internet‑facing and crown‑jewel assets within 12 hours, report incidents within six hours, and continuously validate exploit‑path closure with auditable evidence.
Why It Matters for Compliance & Audit Readiness
- SOC 2’s Security (CC6) and Availability (CC7) criteria now require real‑time evidence that a vulnerability has been neutralised, not just that a ticket was closed.
- Continuous‑control monitoring and automated proof of remediation become audit evidence, reducing reliance on manual ticketing reports that regulators deem insufficient.
- Mapping the new AI‑driven risk‑operation model to existing control frameworks helps demonstrate due‑diligence and mitigates the compliance gap highlighted by CERT‑In.
Who Is Affected – Enterprises across all sectors operating in India, especially those with internet‑facing or critical infrastructure assets; vulnerability‑management and security‑operations teams.
Recommended Actions
- Align your vulnerability‑management process with the 12‑hour containment window and six‑hour reporting requirement.
- Deploy automated risk‑operations tooling that can detect, prioritise, validate, remediate, and produce immutable evidence of exploit‑path closure.
- Extend SOC 2 control mappings to include AI‑assisted exploit discovery and continuous validation as part of your security and availability controls.
- Document AI‑governance and log‑retention policies to satisfy the residency requirements in the blueprint.
Source: Qualys Blog – CERT‑In’s AI Vulnerability Blueprint
Technical Notes – The blueprint highlights a shift from CVE‑matching to autonomous exploit discovery by frontier AI models (e.g., Mythos, GPT‑5.5). Attackers can weaponise unpatched weaknesses at machine speed, making traditional ticket‑based remediation too slow. Continuous validation must prove that the exploit path is closed, not merely that the CVE is marked “fixed”. Source: same as above