The UK Government has embarked on a pioneering project, deploying advanced Artificial Intelligence (AI) models to strengthen its cyber defence capabilities. Led by the Government Cyber Coordination Centre (GC3), a collaborative effort between the National Cyber Security Centre (NCSC) and other government bodies, the initiative aimed to identify and mitigate previously unknown vulnerabilities within public sector code.
The pilot involved a series of weekly hackathons where teams utilised 'frontier' AI systems, such as Claude Mythos and GPT-5.5, to scan public code repositories across various government departments. These cutting-edge AI models, known for their rapidly evolving cyber capabilities, were tasked with finding potential weaknesses before they could be exploited by malicious actors. The UK AI Security Institute (AISI) provided specialist support and evaluation expertise throughout the process.
The exercise proved highly successful, leading to the identification of 407 findings in total. These included critical weaknesses that could have exposed government services to authentication bypasses, data breaches, and remote code execution. While some vulnerabilities were already understood and managed by existing controls, others were entirely new discoveries. All critical weaknesses have since been remediated, and importantly, no evidence of exploitation was found for any of the identified issues.
One of the key advantages demonstrated by the AI models was their ability to trace vulnerabilities across different service boundaries, a feat that traditional scanning tools often struggle with. The AI also effectively linked business logic with technical details, providing a more comprehensive understanding of potential risks. The project, which involved nine government organisations over a month, incurred a cost of £13,000 in AI 'tokens'.
The Government's strategy of encouraging open-source code by default, with justified exceptions, played a role in this initiative. While this openness can create shared visibility that attackers might exploit, it also fosters cleaner, more maintainable code and allows for quicker deployment of new capabilities once robust pre-publication scrutiny is complete. The successful pilot suggests a promising avenue for enhancing the UK's overall cyber resilience, aligning with the broader objectives of the Government Cyber Action Plan.
Labour's Shadow Digital Secretary has yet to issue a formal response to the pilot's findings, but the party has consistently called for robust investment in cyber security and responsible AI development to protect critical national infrastructure and public services.