CERT-In’s New AI Cybersecurity Blueprint: What Has Changed and Why It Matters


India’s cybersecurity landscape is entering a new phase.

As artificial intelligence rapidly transforms both defensive and offensive cyber capabilities, CERT-In (Indian Computer Emergency Response Team) has released a new cybersecurity blueprint focused on defending against AI-assisted vulnerability exploitation in digital infrastructure.

The guidance comes at a time when governments, financial institutions, critical infrastructure operators, and enterprises worldwide are increasingly concerned about how advanced AI systems may accelerate cyberattacks, automate exploitation, and lower the barrier for sophisticated threat operations.

One of the most significant aspects of the new blueprint is that it does not create entirely new legal obligations, but instead strengthens expectations around cyber resilience, vulnerability management, AI governance, and rapid incident response.

This article examines:

  • The current legal and regulatory position under CERT-In directions
  • What the updated AI-focused guidance introduces
  • The strategic implications for organisations and critical infrastructure operators

The Current CERT-In Legal Framework

India’s cybersecurity compliance obligations are primarily governed through:

  • The Information Technology Act, 2000
  • CERT-In Directions issued in April 2022
  • Sector-specific cybersecurity regulations
  • Critical infrastructure protection frameworks

Under the existing CERT-In directions, organisations are already required to comply with several mandatory cybersecurity obligations.

1. Mandatory Cyber Incident Reporting Within 6 Hours

One of the most important existing obligations is the requirement to report certain cybersecurity incidents to CERT-In within six hours of detecting or becoming aware of the incident.

This includes incidents such as:

  • Data breaches
  • Ransomware attacks
  • Targeted scanning/probing
  • Website defacements
  • Unauthorized access
  • Malware attacks
  • Denial of service attacks
  • Attacks on critical systems

This requirement remains unchanged in the new blueprint.


2. Log Retention Requirements

Organisations are required to:

  • Maintain ICT system logs securely
  • Retain logs for at least 180 days
  • Make logs available to CERT-In upon request

This requirement supports forensic investigation and incident response.


3. Time Synchronisation Requirements

Entities must synchronise system clocks with:

  • National Informatics Centre (NIC)
  • National Physical Laboratory (NPL)
  • Or other approved time sources

This helps improve incident correlation and forensic analysis.


4. KYC and Data Retention Obligations

Cloud service providers, data centres, VPN providers, and virtual asset service providers may be required to:

  • Maintain customer information
  • Preserve registration data
  • Retain records for specified periods

These obligations support traceability and law enforcement investigations.


What the New CERT-In AI Cybersecurity Blueprint Changes

The newly issued AI-focused cybersecurity blueprint introduces a significant shift in operational cybersecurity expectations.

Unlike traditional compliance-driven cybersecurity models, the blueprint recognises that AI-enabled cyber threats dramatically reduce the time available for organisations to detect and respond to vulnerabilities.

The document strongly warns that:

  • AI-assisted reconnaissance is accelerating attack preparation
  • AI can automate exploit discovery
  • AI-generated phishing and deepfake fraud are becoming more sophisticated
  • Autonomous cyber operations may soon become common

The blueprint therefore pushes organisations toward:

  • Faster patch management
  • Continuous security validation
  • Adaptive cybersecurity
  • Zero trust architectures
  • AI-enabled defence mechanisms

The Most Significant Update: Faster Patch Timelines

One of the biggest operational changes introduced by the blueprint is the recommendation for extremely aggressive vulnerability remediation timelines.

Previous Reality

Traditionally, many organisations operated on:

  • Weekly patch cycles
  • Monthly vulnerability management windows
  • Periodic security audits

This model assumed that defenders had enough time between vulnerability disclosure and exploitation.

That assumption is rapidly disappearing.


Updated CERT-In Recommendations

The new blueprint recommends:

Vulnerability Type                        | Recommended Remediation Timeline
Critical internet-facing vulnerabilities  | Within 12 hours (where feasible)
Critical externally exposed systems       | Within 24 hours
High-value systems                        | Within 3 days
High-severity vulnerabilities             | Within 5 days

This is a major shift.

It reflects growing concern that AI-enabled tools can identify, weaponize, and exploit vulnerabilities far faster than traditional cyber defense processes can respond.
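
To show what these windows mean for a vulnerability backlog, the following added example (not taken from the blueprint or from CERT-In) assigns each open finding the tightest applicable deadline and flags missed windows. The finding fields (severity, internet_facing, externally_exposed, high_value, detected) and the rules mapping a finding to a tier are assumptions of this example; the sample findings are constructed.

```python
from datetime import datetime, timedelta, timezone

# Remediation windows from the table above. The predicates that map a finding
# to a tier are assumptions of this example, not definitions from the blueprint.
TIERS = [
    ("critical internet-facing", timedelta(hours=12),
     lambda f: f["severity"] == "critical" and f["internet_facing"]),
    ("critical externally exposed", timedelta(hours=24),
     lambda f: f["severity"] == "critical" and f["externally_exposed"]),
    ("high-value system", timedelta(days=3), lambda f: f["high_value"]),
    ("high severity", timedelta(days=5), lambda f: f["severity"] == "high"),
]

def deadline(finding):
    """Return (tier, due) for the tightest matching window, or None."""
    matches = [(w, name) for name, w, pred in TIERS if pred(finding)]
    if not matches:
        return None
    window, name = min(matches)
    return name, finding["detected"] + window

def triage(findings, now):
    """Rows sorted by time left; a negative 'remaining' means a missed window."""
    rows = []
    for f in findings:
        hit = deadline(f)
        if hit is None:
            continue  # outside the four tiers: left to the normal patch cycle
        tier, due = hit
        rows.append({"id": f["id"], "tier": tier, "due": due,
                     "remaining": due - now, "breached": now > due})
    return sorted(rows, key=lambda r: r["remaining"])

# Constructed sample findings (not real data); timestamps are UTC.
T0 = datetime(2025, 1, 6, 8, 0, tzinfo=timezone.utc)
FINDINGS = [
    {"id": "F-1", "severity": "critical", "internet_facing": True,
     "externally_exposed": True, "high_value": True, "detected": T0},
    {"id": "F-2", "severity": "high", "internet_facing": False,
     "externally_exposed": False, "high_value": True, "detected": T0},
    {"id": "F-3", "severity": "high", "internet_facing": True,
     "externally_exposed": True, "high_value": False, "detected": T0 - timedelta(days=6)},
    {"id": "F-4", "severity": "medium", "internet_facing": False,
     "externally_exposed": False, "high_value": False, "detected": T0},
]

if __name__ == "__main__":
    for r in triage(FINDINGS, now=T0 + timedelta(hours=13)):
        print(r["id"], r["tier"], r["due"].isoformat(), "BREACHED" if r["breached"] else "open")
```

A finding that matches several tiers (F-1 here) is held to the shortest window, so a weekly or monthly patch cycle would report it as breached long before the cycle comes round.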


Why AI Changes Everything

CERT-In’s blueprint acknowledges a critical reality:
Cyber attackers are increasingly using AI as a force multiplier.

AI-Assisted Threat Capabilities Include:

Rapid Reconnaissance

AI systems can map attack surfaces and identify exposed systems at unprecedented speed.

Automated Vulnerability Discovery

Advanced models may identify software flaws and potential exploits much faster than human researchers.

AI-Generated Phishing

Threat actors can now generate:

  • Highly personalized phishing emails
  • Executive impersonation attacks
  • Deepfake voice and video scams
  • Business email compromise campaigns

AI-Assisted Malware Development

AI-enabled offensive tools may support:

  • Malware obfuscation
  • Adaptive payload creation
  • Automated scripting
  • Detection evasion
  • Semi-autonomous attack execution

Deepfake-Enabled Fraud

Synthetic audio and video impersonation are emerging as major risks for:

  • Financial institutions
  • Executives
  • Government officials
  • Critical infrastructure operators

Zero Trust and “Assume Breach”

The blueprint strongly encourages organisations to move away from perimeter-based security models.

Instead, CERT-In recommends:

  • Zero Trust Architecture
  • Multi-Factor Authentication (MFA)
  • Privileged Access Management (PAM)
  • Micro-segmentation
  • Conditional access controls
  • Session monitoring

Importantly, organisations are advised to adopt an “assume breach” mindset.

This reflects modern cybersecurity thinking:
The question is no longer whether attackers will enter systems — but how quickly organisations can detect, contain, and recover from compromise.


New Focus on Software Supply Chain Security

Another major emphasis in the blueprint is supply chain visibility.

CERT-In recommends adopting:

  • Software Bill of Materials (SBOM)
  • AI Bill of Materials (AIBOM)
  • Quantum Bill of Materials (QBOM)
  • Cryptographic Bill of Materials (CBOM)

These mechanisms improve:

  • Dependency tracking
  • Vulnerability visibility
  • Component transparency
  • Exposure identification
  • Coordinated remediation

This aligns India more closely with evolving global cybersecurity practices.


Operational Technology (OT) and Critical Infrastructure Concerns

The blueprint is particularly relevant for:

  • Banking
  • Energy
  • Railways
  • Telecom
  • Manufacturing
  • Healthcare
  • Critical infrastructure operators

CERT-In specifically warns that AI-assisted cyberattacks can impact:

  • Cloud-native systems
  • APIs
  • OT/ICS environments
  • Software supply chains
  • AI-enabled platforms

This is especially important because operational technology systems often operate on longer maintenance cycles and cannot always patch vulnerabilities immediately.

The new guidance may therefore push organisations toward:

  • Improved OT asset visibility
  • Network segmentation
  • Continuous monitoring
  • Faster vulnerability prioritisation
  • Enhanced cyber resilience planning

Strategic Implications for Organisations

The CERT-In blueprint signals a broader transition in cybersecurity governance.

The Era of Periodic Security is Ending

Traditional models based on:

  • Quarterly audits
  • Annual compliance checks
  • Periodic penetration testing

may no longer be sufficient against AI-enabled cyber threats.

Cybersecurity is becoming:

  • Continuous
  • Adaptive
  • Intelligence-driven
  • Automated

AI vs AI Cybersecurity

One of the most important strategic shifts is that organisations may increasingly need to use AI defensively to counter AI-enabled attacks.

This includes:

  • AI-powered threat detection
  • Automated anomaly detection
  • AI-assisted SOC operations
  • Adaptive response mechanisms
  • Behavioural analytics

The cybersecurity race is rapidly becoming an AI-versus-AI environment.


Final Thoughts

CERT-In’s new AI cybersecurity blueprint is more than a technical advisory.

It represents an early policy signal that India is preparing for a future where:

  • Cyberattacks become faster
  • Exploitation becomes automated
  • Deepfake-enabled fraud increases
  • AI-assisted offensive operations scale globally

While many of the recommendations are not yet legally mandatory, they clearly indicate the direction in which cybersecurity expectations are moving.

For organisations, the message is clear:
Traditional reactive cybersecurity approaches may no longer be enough in the age of AI-driven threats.

The future of cybersecurity will depend on:

  • Speed
  • Visibility
  • Resilience
  • Automation
  • Continuous defence
  • Cross-sector collaboration

And increasingly, the ability to defend against machines using machines.

Source reference: CERT-In Blueprint for Reducing Exposure and Defending against AI-Assisted Vulnerabilities Exploitation in Digital Infrastructure.
