Key Takeaways
- The first 48 hours after a critical zero-day announcement determine impact. Speed of triage, mitigation and patching are the only variables that matter.
- Three core questions: Are we exposed? What can we do without patching (mitigation)? When can we patch?
- Pre-built asset inventory and SBOM determine your speed. Companies that discover "are we even exposed?" during the incident are already behind.
- Mitigation is often available within hours, full patching takes days to weeks. The bridge between is the critical risk window.
- Communication matters: leadership, customers, regulators all want answers. Pre-built communication templates accelerate response under stress.
Why Zero-Day Response Is a Distinct Discipline
Zero-day response is not just emergency patching. It is a structured incident management discipline triggered by external events outside your control. The challenge: you have a fully-disclosed exploit available to attackers, often before vendor patches are available, and you must reduce exposure in compressed time.
In 2024-26, the most consequential zero-days for Indian enterprises were in edge devices (Fortinet FortiOS multiple CVEs, Citrix NetScaler CVE-2023-3519, Ivanti Connect Secure CVE-2024-21887, ConnectWise ScreenConnect CVE-2024-1709). Each affected thousands of Indian businesses and provided initial access for ransomware groups within days of disclosure.
The First 48 Hours: Triage Playbook
Hour-by-hour structure for the first 48 hours after a critical zero-day is announced:
- Hours 0-4: Initial triage. Read the advisory, identify the CVSS score, determine if proof-of-concept exists, identify affected versions. Make a go/no-go call on incident activation.
- Hours 4-12: Exposure mapping. Use asset inventory + CMDB + SBOM to identify every system running affected versions. External attack surface scanning to confirm internet-exposed assets.
- Hours 12-24: Mitigation. Apply vendor-recommended workarounds (config changes, ACLs, WAF rules) for exposed assets. Engage detection engineering for indicators of compromise.
- Hours 24-48: Patching wave 1. Critical internet-exposed assets patched within 24 hours of patch availability. Test patches in lower environments only if absolutely necessary; for critical exposure, prefer patch-then-verify.
- Hours 48+: Patching wave 2 (internal assets), retrospective scan for compromise indicators, post-incident review.
Exposure Mapping: The Speed Bottleneck
The biggest delay in zero-day response is almost always answering "are we exposed?" Enterprises that have not invested in asset inventory and SBOM scramble during the critical first day. The fix is preparation, not reaction:
- Authoritative asset inventory with software versions, regularly synced from EDR, vulnerability scanners, configuration management
- SBOM for proprietary products so you know which open-source libraries are in your codebase
- External attack surface monitoring (EASM tools like Censys, Shodan API, Detectify, in-house alternatives) so you know what is internet-exposed even if it should not be
- Cloud configuration scanning for cloud-deployed instances of affected technology
- Third-party visibility for vendor exposure that affects you
Mitigation Before Patching
Patches take time. Mitigations buy you that time. Standard mitigation categories:
- Network isolation: take the affected service off the internet temporarily, restrict access to a known IP allowlist
- Config-based mitigation: disable the vulnerable feature, enforce specific configuration that breaks the exploit
- WAF/IPS signatures: vendor-provided or community-developed signatures that block exploit traffic
- Compensating monitoring: enhanced detection on the affected systems pending patch
- Account/credential rotation for systems that may have been compromised in the window before mitigation
Emergency Patching Discipline
Production patching under emergency conditions creates its own risks (downtime, regression, broken integrations). Structured approach:
- Critical exposure first: internet-exposed, identity-adjacent (AD, SSO), revenue-critical
- Patch validation: vendor patches have occasionally been incomplete or introduced regressions. Track community feedback in the first hours after patch release.
- Change management exception: emergency CAB approval, documented risk acceptance
- Rollback plan: for every patch, document rollback procedure before applying
- Post-patch validation: verify the patched version is actually running, not just installed
Communication During Zero-Day Response
Communication during zero-day response is as important as technical execution. Stakeholders waiting for information escalate concern. Pre-built templates accelerate the work:
- Internal leadership update (hourly during first 24 hours): exposure status, mitigation status, ETA to patch, business impact
- Internal technical brief: detection signals, IOCs, mitigation steps for security and IT teams
- Customer communication if your product is affected or you require customer-side action
- Regulator notification if exploitation is confirmed (CERT-In, DPB, sector regulators)
- External press response if visibility is high; prepared statement, no speculation
Post-Incident Review
After the response, a structured retrospective improves the next response. Questions to answer:
- Discovery to exposure-mapped: how long? Can we get faster?
- Mitigation deployment time: bottlenecks identified
- Patching time by asset category: any categories chronically slow?
- Compromise detection: any evidence of exploitation in the window before mitigation? How deep did the forensic investigation go?
- Communication gaps: missing stakeholders, late updates, conflicting messages
- Asset inventory accuracy: gaps that emerged during response
Frequently Asked Questions
What patching SLA should we target for critical CVEs?
Industry-mature targets: 7 days for critical internet-exposed, 14 days for critical internal, 30 days for high, 90 days for medium. Emergency zero-days with active exploitation should compress critical to 24-48 hours. Many Indian enterprises operate at much slower SLAs and accept significantly higher risk.
Should we apply patches to production without testing?
For active-exploitation zero-days on internet-exposed assets, the risk of waiting often exceeds the risk of regression. Apply with documented risk acceptance and a tested rollback plan. For non-critical exposure, normal change management applies.
How do we know if we have been exploited during the zero-day window?
Threat hunting for known IOCs (vendor and community-provided), log review for anomalous activity on affected systems, forensic image of representative affected assets if exposure was significant. Some zero-day exploitations leave subtle traces that require dedicated forensics.
What about zero-days in libraries we depend on?
Same playbook applies, but SBOM is the critical input. Knowing exactly which products contain the affected library is the difference between hours and weeks of response. Maintain SBOM for proprietary products; subscribe to dependency vulnerability feeds (GitHub Advisory, OSS Index).
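As an added example (not code from Codesecure or the original article), the exposure-mapping join described under "Exposure Mapping: The Speed Bottleneck" and in this answer, in Python: an advisory's affected version ranges are matched against per-release SBOM fragments to find which proprietary product releases bundle the vulnerable library, and those releases are then joined against the asset inventory with internet-exposed hosts listed first. The advisory, library name, SBOM fragments and inventory rows are all constructed for illustration, and the CVE id is a placeholder.

```python
import re
# Constructed advisory for a hypothetical library (placeholder CVE id, not a real one).
# Affected ranges are inclusive [first_affected, last_affected].
ADVISORY = {
    "cve": "CVE-XXXX-PLACEHOLDER",
    "library": "examplelib",
    "affected": [("2.0.0", "2.1.4"), ("3.0.0", "3.0.2")],
}

# Constructed CycloneDX-style SBOM fragments, one per proprietary product release.
SBOMS = {
    "billing-portal@3.4.1": {"components": [
        {"name": "examplelib", "version": "2.1.3"},
        {"name": "otherlib", "version": "1.0.0"}]},
    "billing-portal@3.5.0": {"components": [
        {"name": "examplelib", "version": "2.1.5"}]},
    "hr-app@1.2.0": {"components": [
        {"name": "examplelib", "version": "3.0.1"}]},
}

# Constructed asset inventory export: host, deployed product release, internet exposure.
INVENTORY_CSV = """\
host,product,internet_exposed
bill-prod-01,billing-portal@3.4.1,yes
bill-prod-02,billing-portal@3.5.0,yes
hr-int-01,hr-app@1.2.0,no
web-01,nginx@1.24.0,yes
"""

def vtuple(version):
    """Dotted version -> tuple of ints so 2.1.10 sorts after 2.1.4 (string compare would not)."""
    return tuple(int(x) for x in re.findall(r"\d+", version))

def is_affected(version, ranges):
    """True if version falls inside any inclusive [low, high] range from the advisory."""
    v = vtuple(version)
    return any(vtuple(lo) <= v <= vtuple(hi) for lo, hi in ranges)

def affected_products(advisory, sboms):
    """Step 1: which product releases bundle an affected version of the library."""
    return {p: c["version"] for p, s in sboms.items() for c in s["components"]
            if c["name"] == advisory["library"] and is_affected(c["version"], advisory["affected"])}

def exposed_hosts(advisory, sboms, inventory_csv):
    """Step 2: join affected releases against the inventory; internet-exposed hosts first (wave 1)."""
    hits = affected_products(advisory, sboms)
    rows = [r.split(",") for r in inventory_csv.strip().splitlines()[1:]]
    out = [(h, p, hits[p], e == "yes") for h, p, e in rows if p in hits]
    return sorted(out, key=lambda r: not r[3])
```

Without the SBOM, the only way to answer "are we exposed?" here would be to inspect each deployed release by hand, which is the hours-versus-weeks gap the answer above describes.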
Should we participate in zero-day intelligence sharing?
Yes, for mature programs. CERT-In, sectoral ISACs (e.g., FS-ISAC for finance), and vendor-specific PSIRTs provide early warning. Participation often gives access to mitigation guidance hours or days before public disclosure.
How does DPDP affect zero-day response?
DPDP requires notification when personal data may have been affected. Zero-day exploitation creates exactly that scenario for many systems. Pre-built breach response runbooks aligned to DPDP timelines (with Board oversight) make the legal response manageable under technical-response stress.
What is virtual patching?
Mitigation via WAF/IPS signatures that block exploit traffic before it reaches the vulnerable system. Vendor-provided or community-provided. Useful as immediate mitigation, but not a substitute for actual patching, since signature evasion is possible.
Be Ready for the Next Zero-Day Before It Drops
Codesecure helps Indian enterprises build zero-day response readiness: asset inventory, SBOM, exposure monitoring, patching discipline, communication templates. ISO/IEC 27001:2022 certified.