What is UK Government's Plan for National Cyber Defence?

Amid the explosion of frontier AI models and their unique cyber strengths, the UK Government is calling on AI companies to bolster the country’s national cyber defence capabilities.

A commitment of £90 million (US$120m) has also been made to secure defences of small and medium sized businesses, which forms the backbone of the economy. 

Taken in the context of Anthropic’s Claude Mythos Preview and OpenAI’s GPT 5.4-Cyber – capable models that can hunt for vulnerabilities at machine speed – the repercussions of the adversarial usage of these would be momentous. 

“Today I’m making a call to action for leading AI companies and UK innovators to work with the UK Government to build AI cyber defence capabilities,” says the UK’s Security Minister, Dan Jarvis MBE.

“We’ve already made the UK a top destination for AI investment and want to take this work a step further in a generational endeavour to protect the UK from a new era of threats.

“This work sits alongside all the action we’re taking, through the National Cyber Action Plan, to work with businesses and strengthen cybersecurity across the country.”

Towards national cyber resilience 

In what the security minister calls a “generational endeavour” the co-operation between the public and private sector here can “protect our nation’s most critical networks by autonomously identifying and addressing vulnerabilities at a speed and scale no human can match.”

With hostile states deploying AI, the number of security incidents managed by the National Cyber Security Centre more than doubled in 2025.  

“We know our adversaries will increasingly apply AI tooling,” says NCSC CEO, Richard Horne in his keynote speech at CYBERUK 2026. 

“As we have seen in the media in recent days, frontier AI is rapidly enabling discovery and exploitation of existing vulnerabilities at scale. 

“Illustrating how quickly it will expose where fundamentals of cyber security are still to be addressed, such as code shipped by tech producers with significant vulnerabilities, organisations that are not patching with the completeness or urgency they should or that are failing to grasp the nettle of replacing old legacy systems.”

The government is also inviting enterprises to sign a voluntary Cyber Resilience Pledge, binding signatories to three “concrete actions”.

Industry response 

The industry response to the Government’s security commitment in the wake of AI has been optimistic but with caveats. 

“This is a positive signal from [the] government and its right to push cyber security into the boardroom,” notes Trevor Dearing, Director of Critical Infrastructure at Illumio. 

“But we need to be clear about the scale of the problem. Despite more spending, more tools and more people, the impact of cyberattacks keeps getting worse.

“That’s because most security models still optimise for compliance and detection, not for limiting real‑world damage when breaches inevitably occur. 

“The UK government is right to promote clear cyber commitments through its Cyber Resilience Pledge. Research shows that organisations that prioritise resilience see lower breach costs, stronger customer trust and greater operational stability. 

“But while voluntary pledges may help set direction, they won’t deliver consistent outcomes at scale. To succeed, the focus must be on delivering measurable returns through reduced risk and improved resilience.”

Ev Kontsevoy, CEO of Teleport says that the Government’s call for collaboration in AI-driven cyber defence is a “step in the right direction”. 

“I want to emphasise the need for urgency, because the speed of AI development is currently far outpacing the speed at which the traditional cybersecurity industry is responding,” Ev explains. 

“Building cyber resilience in the AI-age begins by establishing identity as the core part of infrastructure AI runs on, unifying all human and non-human identities into a single layer secured with cryptographic, hardware-backed trust and short-lived privileges. 

“Only then can organisations truly enforce limits on what AI accesses and who receives this information.”