The UK government announced that its new Vulnerability Monitoring Service (VMS), a centralized platform continuously scanning internet-facing public sector systems for known weaknesses, has sharply reduced the time to fix serious flaws and the backlog of unresolved issues.
The service, which monitors around 6,000 public sector organizations, has helped cut unresolved security issues by roughly 75% and reduced the median time to fix critical vulnerabilities from about 50 days to approximately eight days.
Officials said the VMS detects around 1,000 different types of weaknesses each month and provides specific guidance to agencies on how to remediate them. Alongside this capability, the government is launching a dedicated “Cyber Profession” initiative to recruit, train, and retain cybersecurity experts, including a Cyber Resourcing Hub and a Cyber Academy to support long-term defensive capabilities across the public sector.
The UK government said these efforts are designed to protect public services from cyber-attacks and strengthen national cyber resilience. The announcement outlined plans for structured career pathways aligned with Cyber Security Council standards and emphasized improved detection, prioritization, and response across departments.
Denis Calderone, CTO, Suzu Labs:
“Scanning 6,000 public sector organizations and cutting DNS fix times from 50 days to 8 is genuinely good news. Find it, assign it, track it, close it. That’s how vulnerability management should work. Worth noting though that the 84% number is specifically for domain-related issues. Other vulnerability types went from 53 days to 32, so closer to a 40% improvement. Still real progress, just not quite as dramatic.
“The part that should give everyone pause is that these vulnerabilities were sitting across the public sector for years and nobody knew. NHS trusts, legal aid, ambulance services. Turning on a scanner and finding this much is a win, absolutely, but it also tells you just how blind these organizations were before. You can’t fix what you can’t see.
“And this is why it kind of bugs me that the government exempted itself from the Cyber Security and Resilience Bill it’s putting on the private sector. You have to wonder what the numbers would look like if they pointed these same scanners at their own departments with actual legal obligations behind them.”
Rajeev Raghunarayan, Head of GTM, Averlon:
“Reducing median remediation time from roughly 50 days to single digits across thousands of public sector organizations is meaningful progress. It shows that when vulnerability management is treated as an operational priority, measurable improvements follow.
“At the same time, modern attack cycles move quickly. Even an eight-day exposure window can be significant. The real takeaway is not improved scanning alone, but operational follow through. Most organizations already have visibility into weaknesses. The challenge is translating findings into prioritized, accountable remediation and consistently shrinking the time between discovery and fix.”
Noelle Murata, Sr. Security Engineer, Xcape, Inc.:
“The UK government’s implementation of the Vulnerability Monitoring Service (VMS) marks a significant move from reactive patching to proactive, centralized security management for 6,000 public sector organizations. This initiative drastically reduces the average time to fix critical vulnerabilities from fifty days to just eight, effectively eliminating the window of opportunity that state-sponsored attackers and ransomware groups exploit for initial access. The focus on DNS vulnerabilities is a key strategic choice, as these frequently overlooked misconfigurations are the main method used for covert redirection and data interception.
“Complementing this technical solution is the new “Cyber Profession” initiative, which includes a Cyber Academy and a Resourcing Hub in Manchester, aiming to tackle the persistent skills shortage that has historically hindered public sector cybersecurity resilience. Crucially, the VMS approach reorients cybersecurity from a reactive “firefighting” mode to ongoing risk management. By combining this technical capacity with a structured “Cyber Profession” development program, the government is also addressing the human resource deficit that often undermines sustained resilience.
“While scanning tools are essential, they don’t resolve vulnerabilities on their own; skilled professionals and clear accountability are what truly fix them. Other governments would benefit from observing this model. This includes mandatory, continuous scanning of Internet-facing assets, coordinated centrally but executed by individual agencies. Talent development programs that establish cybersecurity as a viable career path can close security gaps more effectively than any regulation or budget increase.
“When governments treat patching speed as a national security metric, attackers lose their advantage: time.”
The UK government lately has been known to come up with some good ideas on the cybersecurity front. This is one of those good ideas because it forces those who are responsible for defending government networks to actually defend those networks in a way that reduces the attack surface.
Like this:
Like Loading...
Related
This entry was posted on February 27, 2026 at 2:02 pm and is filed under Commentary with tags UK. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
6,000 organisations scanned as UK vulnerability monitoring service cuts unresolved flaws by 75%
The UK government announced that its new Vulnerability Monitoring Service (VMS), a centralized platform continuously scanning internet-facing public sector systems for known weaknesses, has sharply reduced the time to fix serious flaws and the backlog of unresolved issues.
The service, which monitors around 6,000 public sector organizations, has helped cut unresolved security issues by roughly 75% and reduced the median time to fix critical vulnerabilities from about 50 days to approximately eight days.
Officials said the VMS detects around 1,000 different types of weaknesses each month and provides specific guidance to agencies on how to remediate them. Alongside this capability, the government is launching a dedicated “Cyber Profession” initiative to recruit, train, and retain cybersecurity experts, including a Cyber Resourcing Hub and a Cyber Academy to support long-term defensive capabilities across the public sector.
The UK government said these efforts are designed to protect public services from cyber-attacks and strengthen national cyber resilience. The announcement outlined plans for structured career pathways aligned with Cyber Security Council standards and emphasized improved detection, prioritization, and response across departments.
Denis Calderone, CTO, Suzu Labs:
“Scanning 6,000 public sector organizations and cutting DNS fix times from 50 days to 8 is genuinely good news. Find it, assign it, track it, close it. That’s how vulnerability management should work. Worth noting though that the 84% number is specifically for domain-related issues. Other vulnerability types went from 53 days to 32, so closer to a 40% improvement. Still real progress, just not quite as dramatic.
“The part that should give everyone pause is that these vulnerabilities were sitting across the public sector for years and nobody knew. NHS trusts, legal aid, ambulance services. Turning on a scanner and finding this much is a win, absolutely, but it also tells you just how blind these organizations were before. You can’t fix what you can’t see.
“And this is why it kind of bugs me that the government exempted itself from the Cyber Security and Resilience Bill it’s putting on the private sector. You have to wonder what the numbers would look like if they pointed these same scanners at their own departments with actual legal obligations behind them.”
Rajeev Raghunarayan, Head of GTM, Averlon:
“Reducing median remediation time from roughly 50 days to single digits across thousands of public sector organizations is meaningful progress. It shows that when vulnerability management is treated as an operational priority, measurable improvements follow.
“At the same time, modern attack cycles move quickly. Even an eight-day exposure window can be significant. The real takeaway is not improved scanning alone, but operational follow through. Most organizations already have visibility into weaknesses. The challenge is translating findings into prioritized, accountable remediation and consistently shrinking the time between discovery and fix.”
Noelle Murata, Sr. Security Engineer, Xcape, Inc.:
“The UK government’s implementation of the Vulnerability Monitoring Service (VMS) marks a significant move from reactive patching to proactive, centralized security management for 6,000 public sector organizations. This initiative drastically reduces the average time to fix critical vulnerabilities from fifty days to just eight, effectively eliminating the window of opportunity that state-sponsored attackers and ransomware groups exploit for initial access. The focus on DNS vulnerabilities is a key strategic choice, as these frequently overlooked misconfigurations are the main method used for covert redirection and data interception.
“Complementing this technical solution is the new “Cyber Profession” initiative, which includes a Cyber Academy and a Resourcing Hub in Manchester, aiming to tackle the persistent skills shortage that has historically hindered public sector cybersecurity resilience. Crucially, the VMS approach reorients cybersecurity from a reactive “firefighting” mode to ongoing risk management. By combining this technical capacity with a structured “Cyber Profession” development program, the government is also addressing the human resource deficit that often undermines sustained resilience.
“While scanning tools are essential, they don’t resolve vulnerabilities on their own; skilled professionals and clear accountability are what truly fix them. Other governments would benefit from observing this model. This includes mandatory, continuous scanning of Internet-facing assets, coordinated centrally but executed by individual agencies. Talent development programs that establish cybersecurity as a viable career path can close security gaps more effectively than any regulation or budget increase.
“When governments treat patching speed as a national security metric, attackers lose their advantage: time.”
The UK government lately has been known to come up with some good ideas on the cybersecurity front. This is one of those good ideas because it forces those who are responsible for defending government networks to actually defend those networks in a way that reduces the attack surface.
Share this:
Like this:
Related
This entry was posted on February 27, 2026 at 2:02 pm and is filed under Commentary with tags UK. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.