After years of government cyber trouble, UK turns to automated scanning to speed fixes

The British government said Thursday it has slashed the time required to fix some of the most serious cyber vulnerabilities across the public sector, pointing to a new automated monitoring service as evidence that Whitehall is finally getting a grip on long-troubled digital defenses.

Called the Vulnerability Monitoring Service, the system operates as a central scanning platform that continuously checks internet-facing systems used by public bodies, from central government departments to health and local authorities, for signs of known security weaknesses.

Officials from the Department for Science, Innovation and Technology (DSIT) said the service covers around 6,000 organizations and is leading to about 400 confirmed vulnerabilities being processed and resolved each month.

They did not disclose how often these vulnerabilities were successfully exploited, nor whether there has been any change in the absolute number of vulnerabilities or compromises across the covered organizations.

The announcement follows an unusually candid admission earlier this year that Whitehall’s long-running approach to securing its own systems had fallen short, and that a previous pledge to protect all government organizations against known cyber threats by 2030 was no longer realistic.

DSIT said Thursday that critical domain-related weaknesses in the public sector are now being fixed in a median of eight days, down from around 50 days previously, while the median time to fix other cyber vulnerabilities has been reduced from 53 days to 32 days. It added that the backlog of unresolved critical flaws has also been cut by about three-quarters.

Digital government minister Ian Murray said the faster fix times reduces the risk of attacks on essential services, including the NHS and other systems used daily by millions of people. 

“The Vulnerability Monitoring Service has transformed how quickly we can spot and fix weaknesses before they’re exploited,” he said.

It comes as cyber threats have escalated far more quickly than the government’s own defenses. State-backed actors and organized criminal groups are increasingly sophisticated, while government capability has struggled to keep pace.

Last year, the head of Britain's cyber and signals intelligence agency GCHQ, Anne Keast-Butler, warned the country was grappling with the most “contested and complex” threat environment in decades, noting there were four times as many critical attacks in 2025 than the year prior.

The underlying problem for British government departments and agencies in trying to defend themselves is their reliance on legacy technology, acknowledged the government in January, citing a report by the National Audit Office that warned the dire state of government IT infrastructure was increasing the risk of disruptive cyberattacks.