UK Government Vulnerability Monitoring Service: 50 to 8 Days

When you think of government IT projects, what comes to mind? Likely legacy systems, budget overruns, and a pace that could be charitably described as “deliberate.” But every so often, the public sector flips the script. According to new data released this week, the UK government has managed to do exactly that with its approach to cybersecurity, achieving results that would make even agile Silicon Valley startups nod in approval.

The headline stat is hard to ignore: the median time to fix critical domain-related vulnerabilities across the public sector has plummeted from 50 days to just 8 days. That isn’t a marginal gain; it’s a fundamental shift in operational tempo.

This dramatic improvement is driven by the new Vulnerability Monitoring Service (VMS), a centralized system that has quietly replaced the manual, box-ticking compliance exercises of the past with ruthless, automated efficiency. For a sector often criticized for being behind the curve, the UK’s digital defense strategy seems to have finally found its footing.

What is the Vulnerability Monitoring Service and how does it work?

Think of the VMS as a continuously running MRI scanner for the entire UK public sector’s digital anatomy. Instead of waiting for individual councils or health trusts to report a problem, the VMS proactively hunts for them.

Launched as part of the ‘Blueprint for Modern Digital Government’ in January 2025, the system continuously scans approximately 6,000 organizations. This includes everything from central government departments to local authorities and NHS health trusts. It replaces older, fragmented tools like ‘DNS Check’ and ‘Extended Monitoring,’ which required more manual intervention and were less comprehensive.

The system identifies confirmed vulnerabilities and, crucially, helps resolve them. We aren’t talking about a small sample size here; the VMS is identifying and guiding the resolution of around 400 confirmed vulnerabilities every single month. By moving from a reactive stance—waiting for a breach or an audit—to a proactive one, the government has cut the backlog of unresolved critical flaws by 75%.

How much faster are security fixes actually being applied?

The data coming out of the Department for Science, Innovation and Technology (DSIT) is stark. As mentioned, critical domain-related vulnerabilities—often the entry points for phishing attacks and spoofing—are now being patched in a median time of 8 days, down from 50.

But the improvements aren’t limited to domain issues. The median fix times for non-domain cyber vulnerabilities have also seen a significant drop, falling from 53 days to 32 days. While 32 days might still sound like a month of risk, in the context of massive bureaucratic organizations, slashing three weeks off the remediation time is a major win.

Ian Murray, the Minister for Digital Government and Data, noted that the service has “transformed how quickly we can spot and fix weaknesses before they’re exploited,” claiming an overall cut in cyber-attack fix times by 84%. Denis Calderone, CTO at Suzu Labs, summarized the industry sentiment well: “Scanning 6,000 public sector organizations and cutting DNS fix times from 50 days to 8 is genuinely good news. Find it, assign it, track it, close it.”

Is this just software, or is there a human element?

Automation is the engine, but you still need a driver. The government admitted earlier in 2026 that a previous target—making all public sector organizations resilient to known attacks by 2030—was simply unrealistic without a major change in strategy. That strategy involves people as much as code.

The VMS rollout is part of a broader £210 million Cyber Action Plan. Alongside the software, the government has launched a new ‘Government Cyber Profession’ to address the chronic skills gap plaguing the industry. This isn’t just a recruitment drive; it includes the establishment of a Cyber Academy, new apprenticeships, and a dedicated Cyber Resourcing Hub based in the North West.

This dual approach—automating the detection while training a specialized workforce to handle the complex remediation—suggests a level of maturity in the strategy. They realized that buying a fancy scanner doesn’t help if you don’t have the surgeons to operate on what it finds.

Between the Lines

The success of the VMS signals a pivotal shift in how the state handles risk: the death of “self-certification.” Previously, central government had to rely on local entities reporting their own security posture—a method prone to optimism bias and negligence. By centralizing the scanning of 6,000 organizations, the NCSC has effectively become the undeniable source of truth. This benefits the taxpayer by hardening infrastructure, but it puts immense pressure on IT vendors and local CIOs who can no longer hide behind paperwork. If a vulnerability exists, the government knows about it before the local IT director does. That transparency is the real revolution here.
