Business Standard

AI-driven cyber threats are shrinking response windows: Can India keep up?

As AI accelerates vulnerability discovery and exploitation, Cert-In is pushing faster remediation and automation. The challenge is whether enterprises can respond quickly enough


As AI speeds up cyberattacks, organisations are under pressure to reduce response timelines (Image: Magnific)

Harsh Shivam New Delhi


As artificial intelligence begins to compress the time it takes to discover and exploit software vulnerabilities, India’s cybersecurity framework is being forced to respond in kind. The latest blueprint issued by the country’s nodal agency for all things related to cybersecurity – Cert-In – acknowledges this shift, noting that AI-assisted cyber threats are accelerating reconnaissance, vulnerability discovery, and attack execution across digital infrastructure.
 
This compression of attack timelines is at the heart of Cert-In’s push for faster remediation. But the question is not just about intent. It is about whether enterprises can realistically keep up.
 
Kunal Ruvala, Senior Vice President and General Manager, India at Palo Alto Networks, said the urgency behind these changes is rooted in how quickly the threat landscape is evolving.
 
 
“Threat actors today are able to identify exposed services and target newly disclosed vulnerabilities within very short timeframes, often within hours of disclosure,” Ruvala said.

The shift from detection to response

The Cert-In blueprint starts with a structural premise: AI has changed the speed and scale of cyberattacks. As per the blueprint document, threat actors are increasingly using AI to automate reconnaissance, identify exposed services, generate exploits, and even orchestrate multi-stage attacks across systems.
 
Last month, Google reported what it described as its first confirmed case of a zero-day exploit being developed with the help of AI tools, indicating that exploitation itself is beginning to follow the same acceleration curve.
 
The implication is not just more attacks, but less time to respond. Cert-In explicitly notes that organisations can no longer rely on periodic assessments or reactive patching cycles, and must instead move towards continuous monitoring and rapid remediation.

The bottleneck is no longer vulnerability discovery. AI-driven systems such as Anthropic’s Mythos have already demonstrated how quickly vulnerabilities can now be identified. The company said it scanned over 1,000 open-source projects in a month, identifying more than 23,000 vulnerabilities, of which 6,202 were initially classified as high or critical severity.
 
Data from its own disclosure pipeline also highlights the gap. Of these, only a fraction had been formally reported to maintainers, fewer had been acknowledged, and just 97 vulnerabilities had been patched.

Can Indian enterprises meet aggressive timelines?

Cert-In’s framework sets an aggressive benchmark, including significantly tighter remediation expectations, reflecting a shift from periodic patching to near-continuous response.
 
According to Ruvala, the direction is aligned with reality, but readiness remains uneven.
 
“Cert-In’s 12-hour patching recommendation reflects the growing reality that vulnerability-to-exploit timelines are shrinking rapidly, especially as threat actors increasingly use AI and automation to identify and weaponise vulnerabilities faster,” he said.
 
He noted that large Indian enterprises, particularly in sectors such as banking, telecom, and technology, have made progress in strengthening detection and response capabilities. However, preparedness still varies widely.
 
According to Ruvala, factors such as asset visibility, legacy infrastructure, cloud maturity, and the level of security automation in place continue to determine how quickly organisations can respond.
 
“Organisations with centralised security operations, continuous monitoring, and automated patch management workflows are better positioned to respond within tighter timelines,” he added.

Is fast response limited to large enterprises?

While large enterprises may be better equipped today, the gap is not permanent. Ruvala said mid-sized organisations can meet these expectations, but only if they move away from manual processes.
 
“Mid-sized organisations can realistically comply, but only if they adopt automated, risk-based remediation approaches rather than relying on manual security operations,” he said.

According to him, the challenge for these organisations is less about awareness and more about execution. Limited visibility across distributed environments, fragmented tooling, and resource constraints continue to slow down response cycles. However, newer models are beginning to close that gap.
 
Ruvala pointed to cloud-delivered security platforms, managed detection and response services, and AI-driven automation as key enablers that allow smaller teams to operate at scale.
 
“These technologies are helping narrow this gap by enabling faster threat detection and operational scalability without requiring very large security teams,” he said.

What breaks when timelines shrink?

Even for organisations that are aware and willing, execution remains the hardest part. Ruvala said the biggest bottlenecks are deeply operational.
 
“The biggest operational bottlenecks in meeting 12-hour remediation timelines are change-management complexity, patch-validation windows, and risk prioritisation at scale,” he said.
 
Beyond that, enterprises also struggle with fragmented tool chains, alert fatigue within security operations teams, and the challenge of validating patches without disrupting business continuity.
 
According to him, not every vulnerability requires immediate remediation, which makes prioritisation critical.
 
“Enterprises need risk-based triage to prioritise critical vs. routine patches within such aggressive timelines,” he added.
 
This creates a structural mismatch. While attackers can move within hours, enterprise workflows still depend on coordination-heavy processes that take significantly longer.
 
The scale at which automated activity is now operating adds to this pressure.
 
According to the Thales Bad Bot Report 2026, bots accounted for roughly 53 per cent of internet traffic in 2025, with nearly 40 per cent classified as bad or unverified. This means that a significant share of traffic interacting with systems is already automated and potentially malicious.
 
The report also noted that AI is changing how these systems behave. Bots are increasingly able to mimic legitimate user behaviour, follow expected interaction flows, and operate within normal application boundaries, making detection more difficult.

Are Indian systems more exposed than global peers?

In terms of exposure, India is not an outlier. Ruvala said Indian internet-facing systems face risks comparable to global markets, largely because attackers operate at scale and do not differentiate based on geography.
 
“Indian internet-facing systems are exposed to many of the same rapid exploitation risks being observed globally,” he said.
 
He added that attackers are increasingly using automated scanning and AI-assisted reconnaissance to identify vulnerabilities quickly, making exposure a function of visibility and response rather than location.
 
At the same time, inconsistent security maturity and visibility gaps across organisations continue to create opportunities for exploitation.

Why automation is no longer optional

Cert-In’s blueprint places strong emphasis on continuous monitoring and automation, and industry feedback suggests that this is not just a recommendation, but a necessity.
 
Ruvala said manual security models are no longer sustainable in an AI-driven threat environment.
 
“AI-driven security automation is becoming increasingly critical in helping organisations meet aggressive remediation and response timelines,” he said.
 
Security teams today are dealing with massive volumes of alerts, vulnerabilities, and telemetry across distributed systems, making manual triage impractical.
 
According to Ruvala, AI-powered systems can accelerate detection, correlate signals across environments, automate investigation workflows, and prioritise remediation based on real-time risk.
 
This becomes particularly important as attackers themselves adopt AI to scale operations and reduce the time between reconnaissance and exploitation.
 
“The industry is increasingly moving towards platform-based and autonomous SOC models that combine AI, automation, and unified visibility,” he said.
 
Without such systems in place, sustaining aggressive timelines at scale will remain difficult for most organisations.


First Published: Jun 02 2026 | 1:14 PM IST
