CERT-In’s AI-Accelerated Vulnerability Protection Guidelines

FinTech BizNews Service
Mumbai, July 12, 2026: With rising instances of online fraud, phishing, ransomware attacks, AI-driven scams, and threats to critical digital infrastructure, the need for a coordinated and resilient cybersecurity framework has never been greater. At the centre of India’s cybersecurity architecture is the Indian Computer Emergency Response Team (CERT-In), operating under the Ministry of Electronics and Information Technology (MeitY) and mandated by the Information Technology Act, 2000. CERT-In provides the institutional depth for national cyber defence by overseeing incident management, enhancing systemic resilience, and promoting secure digital practices across government, industry, and society.

Dr. Dittin Andrews, Scientist F, Software Technology Parks of India (Ministry of Electronics and IT, Govt of India) analyses the Evolving Regulatory Frameworks for AI-Driven Cybersecurity. Dr. Dittin Andrews is a technology and cybersecurity leader with over 23 years of experience in ICT infrastructure, cybersecurity, digital transformation, and technology governance. He currently serves as Scientist ‘F’ at Software Technology Parks of India (STPI), under the Ministry of Electronics and Information Technology (MeitY), Government of India. His areas of expertise and interest include cybersecurity, regulatory technology (RegTech), particularly in the FinTech domain, data privacy, cloud and AI infrastructure, and the application of artificial intelligence for cybersecurity and digital resilience:

Dr. Dittin Andrews, Scientist F, Software Technology Parks of India, MeITY
The rapid advancement of Artificial Intelligence (AI) is reshaping the cybersecurity landscape and challenging many of the assumptions on which traditional vulnerability management has been built. For years, organizations have relied on periodic vulnerability assessments, scheduled patch management, penetration testing, annual security audits, and risk-based remediation to manage cyber risks. These approaches were effective when there was sufficient time to identify vulnerabilities, assess their impact, and implement corrective actions before they could be exploited. Today, that window is shrinking rapidly.
AI has dramatically accelerated the pace of cyberattacks. Modern AI tools can analyse source code, identify software vulnerabilities, automate reconnaissance, and even generate exploit code within minutes. As a result, vulnerabilities can be weaponized much faster than before, leaving organizations with very little time to respond. This changing threat landscape requires a fundamental shift from periodic, compliance-driven security practices to continuous vulnerability monitoring, faster remediation, and intelligence-led cyber defence.
Recognizing these challenges, the Indian Computer Emergency Response Team (CERT-In) issued two important guidance documents in 2026: Blueprint for Reducing Exposure and Defending Against AI-Assisted Vulnerability Exploitation in Digital Infrastructure and Guidelines regarding AI-Accelerated Vulnerability Protection and Response Requirements for Original Equipment Manufacturers (OEMs) and Technology Providers. Although these guidelines are primarily targeted at OEMs and technology providers, their relevance extends much further. They provide a valuable roadmap for sectoral regulators such as RBI, SEBI, IRDAI, PFRDA, TRAI, and other regulatory bodies to strengthen existing cybersecurity frameworks. By incorporating these principles into sector-specific regulations, regulators can encourage continuous cyber resilience, faster vulnerability management, and stronger software supply chain security, thereby enhancing the overall cybersecurity posture of regulated entities and protecting India's rapidly expanding digital ecosystem.
Why Traditional Vulnerability Management Is No Longer Sufficient
For many years, vulnerability management has been built around predictable security processes such as periodic vulnerability assessments, CVSS-based prioritization, scheduled patch management, annual penetration testing, and compliance-driven security audits. These practices were effective when organizations had sufficient time to identify vulnerabilities, evaluate their impact, and implement corrective measures before attackers could exploit them. However, the rapid advancement of Artificial Intelligence (AI) has fundamentally changed this balance. AI-enabled attackers can now identify vulnerabilities, automate reconnaissance, generate exploit code, and launch sophisticated attacks within hours instead of weeks. As a result, the window available for defenders to detect and remediate vulnerabilities has narrowed significantly.
Recognizing this shift, CERT-In has highlighted that AI-assisted attacks can dramatically accelerate the discovery, validation, and exploitation of vulnerabilities, particularly in internet-facing applications, APIs, cloud platforms, operational technology (OT), and software supply chains. The guidance therefore encourages organizations to move beyond periodic assessments and adopt continuous vulnerability monitoring, faster remediation processes, AI-assisted security testing, and risk-based prioritization that focuses on vulnerabilities actively being exploited rather than relying solely on CVSS scores. These recommendations are equally relevant for sectoral regulators such as RBI, SEBI, IRDAI, PFRDA, TRAI, and other regulatory authorities. By incorporating these principles into their existing cybersecurity frameworks, regulators can strengthen the cyber resilience of regulated entities without introducing entirely new regulations. In the AI era, cybersecurity can no longer be viewed as a periodic compliance exercise; it must become a continuous operational capability where the speed of defence keeps pace with the speed of AI-enabled attacks.
Evolving Regulatory Frameworks for AI-Driven Cybersecurity
The CERT-In guidelines offer sectoral regulators a practical opportunity to strengthen their existing cybersecurity frameworks in response to the rapidly evolving threat landscape created by Artificial Intelligence (AI). A key recommendation is the shift from periodic vulnerability assessments to continuous monitoring of vulnerabilities and cyber exposure. Traditionally, regulatory oversight has focused on whether organizations have completed activities such as Vulnerability Assessment and Penetration Testing (VAPT). Going forward, greater emphasis should be placed on an organization's current cyber risk exposure and its ability to identify and respond to emerging threats in near real time. The guidelines also call for faster vulnerability remediation, especially for internet-facing systems and vulnerabilities that are actively being exploited. As a result, future regulatory assessments are likely to place greater importance on operational indicators such as Mean Time to Detect (MTTD), Mean Time to Remediate (MTTR), patch deployment timelines, emergency change management, and risk-based prioritization, rather than relying only on evidence of periodic security assessments.
Another important aspect of the guidelines is the emphasis on strengthening software supply chain security. CERT-In encourages organizations to adopt Software Bills of Materials (SBOMs), improve visibility into third-party software components, continuously monitor open-source dependencies, follow secure software development practices, and establish structured vulnerability disclosure processes. At the same time, the guidelines recognize that AI should be used not only to drive business innovation but also to improve cyber defence. Organizations are encouraged to leverage AI for vulnerability discovery, automated code analysis, attack surface management, continuous security validation, and penetration testing. The guidelines also recommend moving beyond traditional CVSS-based prioritization by giving greater attention to vulnerabilities affecting internet-facing applications, business-critical systems, identity infrastructure, cloud environments, APIs, and remote access services. Together, these recommendations mark a clear shift from a compliance-focused approach to one that emphasizes continuous risk management and operational cyber resilience, providing regulators with a stronger foundation for enhancing the cybersecurity posture of regulated entities.
Implications for Regulated Entities and Regulatory Supervision
The CERT-In guidelines have significant implications for organizations operating in regulated sectors, including banks, insurance companies, pension intermediaries, stock exchanges, depositories, telecom service providers, payment system operators, fintech firms, and digital infrastructure providers. These organizations should view the guidelines as an early indication of how cybersecurity regulation and supervisory expectations are likely to evolve in the coming years. Going forward, regulated entities will need to be prepared for more frequent cybersecurity assessments, faster vulnerability remediation, continuous monitoring of their attack surface, stronger board-level oversight, improved software supply chain security, enhanced third-party risk management, and wider adoption of AI-enabled security capabilities. In this evolving environment, cyber resilience will increasingly be assessed as an organization's ability to continuously manage cyber risks rather than simply demonstrate compliance during periodic audits.
Adopting these recommendations will require investment in modern cybersecurity technologies, skilled professionals, and updated operational processes. Organizations are likely to invest in continuous attack surface management, exposure management platforms, AI-assisted vulnerability management, DevSecOps practices, security automation, threat intelligence, SBOM management, advanced Security Operations Centres (SOCs), and continuous security testing. While these measures will inevitably increase compliance costs in the short term, they should be viewed as investments in long-term resilience rather than as additional regulatory burdens. The cost of implementing proactive cybersecurity measures is significantly lower than the financial losses, operational disruptions, regulatory penalties, and reputational damage that can result from a major cyber incident.
The guidelines also present an opportunity for sectoral regulators to modernize their supervisory frameworks. Future regulatory assessments are likely to move beyond traditional compliance verification and place greater emphasis on operational cyber resilience. This may include evaluating AI readiness, cyber maturity, software supply chain security, AI-enabled threat modelling, attack surface visibility, vulnerability remediation performance, software provenance, and third-party cyber resilience. Such an approach would enable regulators to shift from reactive compliance-based supervision to proactive, risk-informed oversight. Ultimately, this evolution will strengthen the resilience of regulated sectors and help safeguard India's critical digital infrastructure against the rapidly changing threat landscape shaped by Artificial Intelligence.
Conclusion and Key Recommendations for Regulators
The CERT-In Guidelines regarding AI-Accelerated Vulnerability Protection and Response Requirements represent more than a technical advisory for OEMs and technology providers. They provide a timely opportunity for sectoral regulators to strengthen India's cybersecurity framework by integrating AI-driven vulnerability management into existing regulatory practices. Instead of creating new regulations, authorities can enhance current cybersecurity frameworks by promoting continuous vulnerability monitoring, faster risk-based remediation, Software Bill of Materials (SBOM) adoption, secure software supply chain governance, and the use of AI-assisted security testing. Regulatory oversight can also become more effective by encouraging board-level monitoring of operational cyber resilience using measurable indicators such as exposure trends, Mean Time to Detect (MTTD), and Mean Time to Remediate (MTTR). Equally important is the need to shift regulatory assessments from periodic compliance verification towards evaluating an organization's ability to maintain continuous cyber resilience.
As Artificial Intelligence continues to accelerate the pace of cyber attacks, regulatory approaches must also evolve. Sectoral regulators such as RBI, SEBI, IRDAI, PFRDA, TRAI, and other government authorities have an opportunity to translate CERT-In's guidance into sector-specific supervisory expectations that are practical, measurable, and aligned with today's threat landscape. Organizations that adopt these practices proactively will not only strengthen regulatory compliance but also improve operational resilience, build greater stakeholder confidence, and reduce systemic cyber risk. Ultimately, success in the AI era will depend not only on how effectively organizations respond to cyber incidents but also on how quickly they can identify, prioritize, and remediate vulnerabilities before they are exploited. The future of cybersecurity therefore lies in moving from a reactive, compliance-driven approach to one that is continuous, intelligence-led, and resilient by design.