UK Government Vulnerability Monitoring System Cuts Public-Sector Remediation Times
The UK Department for Science, Innovation and Technology (DSIT) reported that its Vulnerability Monitoring System (VMS) is significantly reducing remediation times for internet-facing public-sector systems by continuously scanning roughly 6,000 government/public-sector websites and services. VMS uses a mix of commercial and proprietary tooling to check for about 1,000 vulnerability types, with a particular focus on domain/DNS-related weaknesses that could be abused by attackers; DSIT said median remediation time for DNS/domain issues fell from about 50 days to 8 days (an 84% improvement), while median time to fix other vulnerabilities dropped from 53 days to 32 days.
DSIT also stated the service is clearing a substantial volume of risk, resolving around 400 confirmed vulnerabilities per month and reducing the backlog of critical open domain-related issues by about 75%. The program is positioned as part of the government’s Blueprint for Modern Digital Government (published January 2025), with Minister for Digital Government Ian Murray emphasizing operational impacts of cyberattacks on public services (e.g., NHS disruption) and announcing a related workforce initiative to build a stronger pipeline of cybersecurity talent across DSIT and the UK’s National Cyber Security Centre (NCSC).
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
UK announces Cyber Profession workforce initiative
Alongside the VMS update, the government announced a Cyber Profession program with a Cyber Resourcing Hub, a career framework aligned to UK Cyber Security Council standards, and plans for a Cyber Academy and apprenticeships to strengthen long-term cyber capability.
UK reports major reduction in public-sector vulnerability fix times
DSIT said the Vulnerability Monitoring Service cut median remediation time for domain-related vulnerabilities from about 50 days to eight days, reduced other vulnerability remediation times, and helped process roughly 400 confirmed vulnerabilities per month while shrinking the backlog.
UK launches Vulnerability Monitoring Service for public sector systems
The UK government launched the Vulnerability Monitoring Service to continuously scan internet-facing systems across about 6,000 public sector organizations for roughly 1,000 types of vulnerabilities, notify affected bodies, and track remediation.
UK publishes Blueprint for Modern Digital Government
The UK government published the Blueprint for Modern Digital Government, which later framed the rollout of new cyber resilience measures including the Vulnerability Monitoring Service.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Vulnerability Prioritization Shifts Toward Known-Exploited Risk and Centralized Scanning
Security teams are increasingly de-emphasizing *CVSS-only* approaches in favor of prioritizing **known exploited vulnerabilities (KEV)**, driven by evidence that only a small fraction of disclosed CVEs are exploited in the wild. Reporting citing VulnCheck research highlighted that roughly **1% of 40,000+** vulnerabilities disclosed in the prior year saw in-the-wild exploitation, with **network edge devices** disproportionately targeted (reported as **28%** of KEV-impacted products) and recurring exposure across major enterprise stacks including **Microsoft, VMware, Oracle, Ivanti, SonicWall, and Fortinet**. The same research pointed to high-profile exploitation waves such as **SharePoint zero-days** impacting **400+ organizations** and rapid weaponization dynamics like **React2Shell**, which reportedly accumulated **236 public exploits** within a month. In the UK public sector, the Department for Science, Innovation and Technology (DSIT) reported operational improvements from a centralized **Vulnerability Monitoring Service** that continuously scans internet-facing systems across roughly **6,000 organizations** and drives remediation of about **400 confirmed vulnerabilities per month**. DSIT said median remediation time for critical domain-related weaknesses fell to **eight days** (from ~50), other vulnerabilities to **32 days** (from 53), and the backlog of unresolved critical flaws dropped by about **three-quarters**—positioning automated discovery and faster patch cycles as a practical response to long-standing government security shortfalls, even as officials did not quantify exploitation rates or overall compromise trends.
Mar 26, 2026
UK Government Admits Cybersecurity Failures and Launches Major Public Sector Overhaul
The UK government has publicly acknowledged that its longstanding cybersecurity policies for the public sector have failed, leaving critical services and departments vulnerable to cyberattacks. In response, officials have announced a sweeping reset with the introduction of the Government Cyber Action Plan, backed by over £210 million in new funding. The plan establishes a dedicated Government Cyber Unit, sets minimum security standards, and mandates robust incident response capabilities across all departments. This overhaul comes after years of fragmented accountability and recurring cyber incidents, including high-profile attacks on agencies such as the Legal Aid Agency (LAA), which suffered a major breach that went undetected for months despite significant prior investment in security improvements. The Public Accounts Committee has criticized the Ministry of Justice for its handling of the LAA cyberattack, revealing that despite £50 million spent on security, the agency failed to detect the intrusion for four months and delayed taking affected servers offline. The government’s new strategy aims to address these systemic weaknesses by improving risk visibility, enforcing stricter standards, and banning ransom payments by public-sector organizations. The action plan is positioned as a radical shift to protect essential services, restore public trust, and prevent future incidents that could disrupt healthcare, legal, and other critical infrastructure.
Mar 21, 2026
CISA Orders Federal Agencies to Adopt Risk-Based Vulnerability Patching
CISA issued **Binding Operational Directive `26-04`** requiring U.S. federal civilian agencies to prioritize vulnerability remediation by risk instead of treating all flaws as equally urgent. The directive tells agencies to rank vulnerabilities using four factors: whether the affected asset is public-facing, whether exploitation can be fully automated, whether compromise could enable full system takeover, and whether there is evidence of active exploitation, including inclusion in CISA’s **Known Exploited Vulnerabilities** catalog. Based on those criteria, agencies now face remediation deadlines ranging from **three days** for the highest-risk cases to **60 days** for lower-priority flaws, while some low-risk issues may be deferred until a planned major system upgrade. CISA said the overhaul is meant to help agencies “patch smarter, not harder” as AI shortens the time between disclosure and weaponization and defenders struggle with limited resources. Agencies must immediately update vulnerability management policies, revise remediation processes within 60 days, and fully implement the directive’s timelines within 180 days; vulnerabilities meeting all four criteria also require forensic triage to determine whether systems were already compromised before patching. CISA said an initial review at one large civilian agency found only about **1%** of vulnerability instances would require the three-day response, while more than **60%** could be deferred, and the agency urged private-sector organizations to adopt similar risk-based practices alongside hardening, segmentation, and phishing-resistant MFA.
Jun 19, 2026