AI Security | Jun 24, 2026

CERT-In’s AI Vulnerability Blueprint: Why Indian CISOs Need Machine-Speed Risk Operations in the Post-Mythos Era

India's CERT-In mandates 12-hour vulnerability containment using AI-driven risk operations.

Summary

A Qualys India perspective highlights CERT-In's blueprint for AI-assisted vulnerability exploitation, demanding 12-hour containment for known exploited vulnerabilities. This contrasts sharply with India's average 263-day breach lifecycle, necessitating a shift to machine-speed Risk Operations Centers (ROCs). The article emphasizes that advanced AI models can autonomously discover and weaponize vulnerabilities, making traditional CVE matching obsolete and requiring continuous validation of exploit-path closure for regulatory compliance.

Full text

A Qualys India perspective on CERT-In’s blueprint, the post-Mythos threat landscape India faces, and why the operating model needs to change.

Key Takeaways

- Mythos-class AI changes the vulnerability equation from CVE matching to autonomous exploit discovery, turning known, unpatched weaknesses into weaponized exploits at machine speed.
- CERT-In’s 2026 blueprint expects 12-hour containment for known exploited vulnerabilities on internet-facing and crown-jewel systems, with continuous validation and evidence of closure.
- India’s average breach lifecycle of 263 days is structurally misaligned with CERT-In’s 12-hour remediation requirements, six-hour incident reporting, and same-day containment expectations, creating both compliance and operational risk.
- The new operating model is a closed-loop Risk Operations Center (ROC): detect, prioritize, validate, remediate, and prove, running continuously at machine speed.
- Regulatory alignment now depends on evidence of exploit-path closure, not ticket closure or static compliance documentation.
- Qualys ETM, along with TruRisk, TruConfirm, TotalAI, and TruRisk Eliminate, delivers the hyper-prioritization, safe validation, and autonomous remediation needed to meet CERT-In expectations at scale.

What happens when access to a frontier AI model disappears overnight? On June 12, 2026, Anthropic received a US export control directive, which required it to suspend access to Fable 5 and Mythos 5 for all foreign nationals, including its own employees. Both models were disabled worldwide.
For Indian CISOs, the signal was clear: a foreign government judged this class of AI cyber capability serious enough to control. But the underlying cybersecurity threat did not disappear. Anthropic stated that comparable capability already exists in publicly accessible models, such as GPT-5.5, and the UK AI Security Institute found GPT-5.5 statistically tied with Mythos Preview on expert cyber benchmarks.

India lost some defensive access when Mythos was suspended. Attackers did not lose the capability. Autonomous, expert-level vulnerability discovery and exploitation remain available through unrestricted public models and leaked models circulating on the dark web.

CERT-In saw this coming. Its May 25, 2026 “Blueprint for Reducing Exposure and Defending against AI-Assisted Vulnerabilities Exploitation in Digital Infrastructure” calls for 12-hour remediation, continuous validation with evidence of closure, AI governance, and India-resident log retention. The question is whether current security operating models can meet it.

The End of Linear Cyber Risk: Why Mythos-Class AI Changes the Vulnerability Equation

Mythos-class AI is not a faster version of a traditional vulnerability scanner. Traditional scanners match software version strings against CVE databases. They are, at their core, pattern-matching engines: they find what is already known to be vulnerable and tell you about it.

Mythos represents a genuine inflection point in cybersecurity. It can read code, form hypotheses, run software, debug failures, and produce working exploits. The model identified thousands of high- and critical-severity vulnerabilities. Of 198 findings reviewed by professional security contractors, 89% received the same severity rating the model had assigned, and 98% were within one severity level.

But what caught the industry’s attention were the vulnerabilities Mythos uncovered:

- A 27-year-old denial-of-service vulnerability in OpenBSD’s TCP SACK implementation.
- A 17-year-old remote code execution flaw in FreeBSD’s NFS server.
- A 16-year-old out-of-bounds write in FFmpeg’s H.264 codec.

For India, the decisive point is that GPT-5.5 remains generally available. Anthropic has publicly estimated that comparable capability will reach open-source models on a horizon of roughly 12-18 months. Forecasts like that are uncertain by nature, but the direction is not. When that diffusion happens, the access-control problem disappears entirely. Any actor with a capable GPU cluster can run the same class of reasoning that is currently finding critical vulnerabilities across global software infrastructure.

Between 2021 and mid-2025, India recorded 2M+ cybersecurity incidents, according to CERT-In’s reported figures. This served as the baseline before Mythos-class capability existed. The trajectory from here is not linear.

Source: eimt.edu.eu

India’s Threat Reality: What the Data Actually Shows

Indian security teams have the data. What is missing is the operating urgency. Across 2025 and mid-2026, the pattern is clear: ransomware-as-a-service victim counts are rising, vendor portals and supply-chain access are becoming preferred entry points into BFSI, DDoS campaigns are targeting power, telecom, and government portals, and APT groups are using MSI installers, DLL sideloading, and open-source RATs against defence establishments and critical infrastructure. The hardest-hit sectors remain banking, finance, healthcare, and hospitality.

Most successful attacks are not exotic zero-days. They exploit known vulnerabilities, unpatched systems, cloud misconfigurations, and vendor-portal access paths. Mythos-class AI changes the speed and scale at which those weaknesses can be found and weaponized.

The economics are unambiguous. IBM put India’s average breach cost at ₹22 crore and the breach lifecycle at 263 days. Shadow AI was among the top three cost drivers, adding ₹1.79 crore to the average breach.
Yet only 42% of Indian organizations reported having any policy to manage AI or detect Shadow AI use. That now collides with the 12-hour vulnerability containment that India’s CERT-In mandate sets, 6-hour incident reporting, RBI and SEBI obligations, DPDP breach notification, and potential penalties up to ₹250 crore.

The point is not that any single fine is imminent. The point is that a 263-day average detection-and-containment lifecycle is colliding with a regulatory environment that increasingly expects responses measured in hours, coinciding with an attacker capability that now compresses discovery-to-exploitation into the same timeframe.

The 12-Hour Remediation Test: What CERT-In’s Section 9 Expects

The CERT-In blueprint 2026, which Indian CISOs must now operationalize, covers nine areas, fourteen sections, and a three-phase implementation roadmap. The real shift is not in the summary, but in Section 9’s remediation expectations. Its indicative expectations are:

- Known exploited vulnerabilities on internet-facing and crown-jewel systems: contain, patch, or mitigate within 12 hours
- Critical externally exposed vulnerabilities: within 1 day
- Known exploited vulnerabilities on internal systems: within 1 day
- Critical internal vulnerabilities on high-value systems: within 3 days
- High-severity vulnerabilities: within 5 days, based on risk prioritization
- Where no patch is available: deploy temporary mitigations (isolation, access restriction, WAF/API protection, enhanced monitoring, or feature disablement) until a fix exists

Consider what 12 hours means operationally. A vulnerability surfaces on an internet-facing system at 9 AM; CERT-In expects the exploit path to be closed, or a documented compensating control to be in place, by 9 PM the same day. For organizations whose change advisory board meets weekly and whose patch cycle runs two to four weeks from discovery to deployment, even the 12-hour bar is structurally out of reach. That breaks the old operating model.

CERT-In also requires cyber incidents to be reported within six hours, which makes delayed detection and slow escalation a compliance risk. The blueprint i

Entities

Mythos (product), Fable 5 (product), Mythos 5 (product), GPT-5.5 (product), Anthropic (vendor), Qualys (vendor)