An automated scanning system has cut the time it takes to fix cybersecurity vulnerabilities across public sector IT systems, reducing median remediation time for general cyber vulnerabilities from 53 days to 32, and slashing DNS-specific average fix times from 50 days to eight.
The results come from the UK government’s newly launched vulnerability monitoring service (VMS), which continuously scans more than 6,000 public bodies from doctors’ offices and ambulance trusts to hospitals and the Legal Aid Agency, tracking every identified weakness until it is resolved. The service detects around 1,000 types of vulnerabilities and processes approximately 400 confirmed findings a month, the government said.
“Cyber-attacks aren’t abstract threats, they delay National Health Service appointments, disrupt essential services, and put people’s most sensitive data at risk,” said UK Minister for Digital Government Ian Murray in a statement announcing the results at the annual Government Cyber Security and Digital Resilience conference. “When public services struggle it’s families, patients and frontline workers that feel it.”
Murray also unveiled a £210 million ($266 million) Cyber Action Plan and the launch of a first-ever government Cyber Profession, a program to recruit, train, and retain security talent across public services.
Favorable comparison
Paul McKay, VP principal analyst at Forrester, said the numbers compare favorably against private sector benchmarks.
“These median fix times are generally better than the figures vulnerability management vendors publish in benchmark studies, which log average fix time ranging from a few weeks to several months depending on vulnerability criticality and whether it is known to be exploited in other organizations,” McKay said.
The bigger problem in most organizations is not detection speed but communication, McKay said. Security teams that can’t explain why a specific finding matters tend to see vulnerabilities pile up unresolved. “Lots of security teams struggle to do this, overwhelming technology teams with lists of thousands of vulnerabilities with unrealistic SLA timeframes to fix them,” he said.
The gap between average and best-in-class performance, he added, comes down to one thing: “The ability to cleanly articulate why vulnerabilities matter in terms of the business impact and show real rather than theoretical risk exposure.”
That clarity of communication, McKay said, matters more than the tools an organization deploys.
Tools good, talk better
The UK government’s VMS uses a combination of commercial and proprietary scanning tools to detect vulnerabilities in internet-facing assets.
But McKay cautions against drawing the wrong conclusion from the results.
“Process, accountability and taking ownership for explaining why this matters to the resilience of the business is far more important than the technical tooling,” he said. “Building a robust prioritization approach and a strong trusted relationship with peer stakeholders responsible for doing the work of patching and applying fixes, matters far more than the specific tooling chosen.”
The UK’s VMS alerts responsible organizations with “specific, actionable guidance” on each finding, rather than generating raw vulnerability feeds, and tracks progress until the issue is closed.
The government cited DNS vulnerabilities as a specific example. Before the VMS, a weakness in a government DNS record could go unfixed for an average of 50 days, nearly two months; the service has cut that to an average of eight days.
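The track-every-finding-to-closure model the article describes, as an added example that is my own code and not the VMS's (DSIT has not published its implementation): a small ledger of findings with detection and resolution dates, per-category median and mean days-to-fix over closed findings, and a check for open findings that have exceeded a fix-time target. The ledger, the asset names, the `SLA_DAYS` targets and the `AS_OF` reporting date are all constructed for illustration. It also shows why the article's "median" and "average" figures are not interchangeable: one slow DNS fix pulls the mean well above the median.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Dict, List, Optional


@dataclass
class Finding:
    """One scanner finding, tracked from detection until it is closed."""
    asset: str
    category: str                    # e.g. "dns" or "general"
    detected: date
    resolved: Optional[date] = None  # None while the finding is still open

    def days_open(self, as_of: date) -> int:
        """Days from detection to closure, or to `as_of` if still open."""
        end = self.resolved if self.resolved is not None else as_of
        return (end - self.detected).days


# Constructed sample ledger for illustration; these are not VMS figures.
LEDGER: List[Finding] = [
    Finding("dns-a", "dns", date(2025, 1, 2), date(2025, 1, 6)),       # 4 days
    Finding("dns-b", "dns", date(2025, 1, 3), date(2025, 1, 11)),      # 8 days
    Finding("dns-c", "dns", date(2025, 1, 5), date(2025, 1, 15)),      # 10 days
    Finding("dns-d", "dns", date(2025, 1, 10), date(2025, 2, 24)),     # 45 days (outlier)
    Finding("dns-e", "dns", date(2025, 2, 1)),                         # still open
    Finding("web-f", "general", date(2025, 1, 1), date(2025, 1, 31)),  # 30 days
    Finding("web-g", "general", date(2025, 1, 4), date(2025, 2, 5)),   # 32 days
    Finding("web-h", "general", date(2025, 1, 6), date(2025, 2, 9)),   # 34 days
    Finding("web-i", "general", date(2025, 2, 10)),                    # still open
]

# Hypothetical per-category fix-time targets in days (assumed, not the VMS's).
SLA_DAYS: Dict[str, int] = {"dns": 10, "general": 30}

# Reporting date for the worked run (constructed).
AS_OF = date(2025, 3, 1)


def remediation_stats(findings: List[Finding], as_of: date) -> Dict[str, dict]:
    """Per category: closed/open counts plus median and mean days-to-fix.

    Only closed findings contribute to the timing figures; open ones are
    counted separately so a backlog cannot make the fix time look better.
    """
    stats: Dict[str, dict] = {}
    for category in sorted({f.category for f in findings}):
        in_cat = [f for f in findings if f.category == category]
        closed_days = [f.days_open(as_of) for f in in_cat if f.resolved is not None]
        stats[category] = {
            "closed": len(closed_days),
            "open": len(in_cat) - len(closed_days),
            "median_days": median(closed_days) if closed_days else None,
            "mean_days": mean(closed_days) if closed_days else None,
        }
    return stats


def overdue(findings: List[Finding], as_of: date, sla: Dict[str, int]) -> List[str]:
    """Assets with an open finding that has exceeded its category's target.

    Categories without a target are never reported as overdue.
    """
    late = []
    for f in findings:
        target = sla.get(f.category)
        if f.resolved is None and target is not None and f.days_open(as_of) > target:
            late.append(f.asset)
    return sorted(late)


if __name__ == "__main__":
    for cat, s in remediation_stats(LEDGER, AS_OF).items():
        print(f"{cat}: {s}")
    print("overdue:", overdue(LEDGER, AS_OF, SLA_DAYS))
```

On this ledger the DNS median is 9 days while the mean is 16.75, because the single 45-day fix dominates the average; the general category, with no outlier, reports 32 for both. The open DNS finding is flagged as overdue against its 10-day target, while the open general finding at 19 days is still inside its 30-day window.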
The statement added that the service will expand to cover additional vulnerability categories, with fix times expected to fall further as it matures.
The UK’s National Audit Office (NAO), however, flagged a challenge the VMS alone cannot fix.
The workforce challenge
Word of the success of the VMS comes a month after the NAO reported that the cyber threat to government is “severe and advancing quickly,” concluded that resilience levels were lower than previously estimated, and determined that the government would not meet its own 2025 cyber resilience targets. It identified skills gaps as the single biggest risk to building lasting cyber resilience.
The government said the new Cyber Profession is a direct response to those findings. Co-branded with the National Cyber Security Centre (NCSC) and the Department for Science, Innovation and Technology (DSIT), it will “establish a dedicated Cyber Resourcing Hub, a government Cyber Academy, an apprenticeship scheme, and structured career pathways” aligned with UK Cyber Security Council standards. Manchester will serve as the primary hub, the statement added.
“The launch of the government Cyber Profession will help attract and retain the most talented professionals with the top-tier skills needed to keep the UK safe online,” NCSC CEO Richard Horne said in the statement.
DSIT did not respond to requests for additional technical detail on the VMS by the time of publication.