CERT-In Mandates Surge in Security Testing as AI Threat Landscape Forces Tech Industry Rethink

The latest guidelines issued by the Indian Computer Emergency Response Team (CERT-In) signal a critical pivot in technology security practices. In response to increasingly sophisticated cyber threats powered by artificial intelligence (AI), vendors and Original Equipment Manufacturers (OEMs) are now being directed toward continuous vulnerability assessments and accelerated patching schedules. The advisory, issued on June 10, has met with a degree of industry acceptance, even among those noting the associated compliance costs.

Understanding the New CERT-In Guidelines

The new guidelines demand significant shifts in how technology providers manage their products. They require companies to move toward continuous vulnerability assessments and maintain accurate Software Bills of Materials (SBOMs). A core directive is immediate disclosure of serious vulnerabilities and adoption of accelerated patching protocols.

These requirements are designed to strengthen supply chain integrity against modern cyber threats. Vendors have been explicitly advised to continuously assess existing vulnerabilities and immediately notify affected organizations and the relevant agency upon discovery.

AI Shifts the Cyber Threat Paradigm

Cybersecurity experts agree that artificial intelligence has dramatically altered the pace and nature of cyber warfare. Jaydeep Singh, general manager for India at cybersecurity firm Kaspersky, noted, "We've entered an era where attackers and defenders are both armed with artificial intelligence and the margin for error has never been smaller."

The industry recognizes that these guidelines respond to a crisis that is difficult to ignore. As Malcolm Gomes, COO of Privy by IDfy, stated, requirements around continuous assessments feel less like regulatory overreach and more like an urgent response to a changing threat environment.

The Cost of Preparation Versus Remediation Risk

Many organizations are currently questioning the complexity and compliance burden associated with these advanced security mandates. However, industry leaders warn that the cost of inaction is far steeper. Gomes emphasized, "The cost of preparation may feel significant today, but the cost of remediation, reputational damage, and potential penalties can be far greater."

A cyber incident involving personal data transcends a mere cybersecurity issue; it becomes a privacy, trust, and regulatory challenge. CERT-In's recommendations thus underscore this urgent shift toward proactive security management.

Accelerated Patching and Market Adoption

The document outlines specific indicative timelines for patching critical vulnerabilities. Emergency releases are suggested for certain AI-exploitable critical flaws, with high-severity vulnerabilities affecting IT systems given a seven-day window.

While some measures align with established mature security programs in larger organizations, smaller vendors and startups may find the continuous assessments and SBOM upkeep challenging due to resource constraints. Nonetheless, experts concur that the risks addressed by these controls do not diminish based on organizational size.

Navigating Mandates and Future Obligations

Currently, the guidelines remain voluntary, allowing businesses flexibility to adapt and calibrate measures to their specific contexts, as noted by Sarmad Ahmad, senior associate at Ikigai Law. However, the urgency of the recommendations demands close attention, particularly in government procurement sectors.

Companies are increasingly being required to demonstrate robust cybersecurity practices before securing contracts across vital sectors like banking, healthcare, and government. While CERT-In has not issued fresh compliance mandates, the industry debate has moved past whether defenses need to evolve; it is now focused on whether organizations can move quickly enough to keep pace with AI-enabled adversaries.
 
