
UK Government Slashes Cyber Fix Times by 84%

Government Attack Surface Reduction - Photo by Michael D Beckwith / Unsplash
Published March 2026

The UK government's Vulnerability Monitoring Service (VMS) is a centrally funded scanning service that continuously monitors 6,000 public sector organisations for internet-facing cyber vulnerabilities. Since its introduction under the Blueprint for Modern Digital Government in January 2025, the VMS has cut the median time to remediate DNS vulnerabilities from 50 days to 8 days, an 84% improvement, and reduced the backlog of critical unresolved domain vulnerabilities by 75% (GOV.UK, 2026).

Alongside the VMS, the government has launched a dedicated Cyber Profession to address the skills crisis that the National Audit Office identified as the single biggest risk to public sector cyber resilience (NAO, 2025).

Here is what the service does, what tools it uses, and what it means for security practitioners.


How the VMS Scans 6,000 Public Sector Organisations

The VMS is a Department for Science, Innovation and Technology (DSIT) service delivered through the Government Digital Service (GDS). It detects around 1,000 different types of vulnerabilities per month across internet-facing public sector assets. When it identifies a weakness, it alerts the relevant organisation with specific remediation guidance and tracks progress until the issue is resolved (GOV.UK, 2026).

The service covers a broad range of internet-facing vulnerabilities including web application flaws, exposed admin panels, misconfigurations, CVEs in products like Microsoft Exchange and ServiceNow, exposed API keys and passwords, open ports, and phishing domains (UK Government Security, 2025).

The results reported at the Annual Government Cyber Security and Digital Resilience Conference in February 2026:

  • DNS vulnerability remediation: 50 days to 8 days (84% reduction)
  • Other cyber vulnerabilities: 53 days to 32 days
  • Critical domain vulnerability backlog: reduced by 75%
  • Monthly throughput: approximately 400 confirmed vulnerabilities processed and resolved

The VMS is one of five flagship initiatives under the Blueprint for Modern Digital Government and is backed by the government's £210 million Cyber Action Plan.

What Scanning Tools Does the UK Government VMS Use?

The government's press release describes the VMS as using "commercial and proprietary scanning tools." The UK Government Security website provides more detail.

The primary scanning platform is Detectify, a Swedish External Attack Surface Management (EASM) tool. GDS operates two Detectify configurations: one for its existing DNS Check service and one for the VMS. All scanning traffic originates from scanner.detectify.com using dedicated IP addresses 52.17.9.21 and 52.17.98.131 (UK Government Security, 2025).

If you work in one of the 6,000 monitored public sector organisations, allowlist these two IPs for scanning traffic so the scans are not blocked, but do it narrowly: do not exempt them from logging or detection, and do not extend the exception to any other source. Make sure your security and operations teams know to expect the traffic, so a burst of probes from Detectify is not escalated as an incident. The VMS makes multiple connections per day to services on your domains, querying each by host, IP address, and open port. Neither GDS nor your organisation controls the timing or cadence.

Which Domains Are in Scope?

The VMS operates two tiers of monitoring. DNS Check runs automatically across a fixed set of public sector top-level domains. The broader VMS vulnerability scanning is opt-in and open to any namespace.

Monitoring tier                     | Domains covered                                                            | Registration required?
DNS Check (automatic)               | .gov.uk, .gov.wales, .llyw.cymru, .nhs.uk, .nhs.net, .nhs.wales, .nhs.scot | No. Monitored every 8 hours by default
VMS vulnerability scanning (opt-in) | Any namespace: .gov.uk, .nhs.scot, .org.uk, .org, .com, and others         | Yes. Domain holder must authorise via MyNCSC or GDS online form

Source: UK Government Security, Detectify surface monitoring tool page and VMS registration guidance (2025)

This means public sector organisations on non-standard domains, including local authorities, arms-length bodies, and NHS trusts using regional namespaces, are eligible for VMS coverage provided they own the domain and can authorise monitoring.

Detectify stores data in AWS in the Republic of Ireland (UK Government Security, 2025).

This sits alongside the NCSC's own internet scanning programme, which has been operational since late 2022 from its cloud-hosted environment at scanner.scanning.service.ncsc.gov.uk. The NCSC programme provides broader UK-wide internet asset scanning, while the VMS adds structured remediation tracking and actionable guidance on top.

Why DNS Vulnerabilities Were the Priority Target

The initial focus on DNS is a deliberate tactical choice. The Detectify page on UK Government Security confirms that GDS uses the tool to monitor dangling resources and lame delegations across all .gov.uk domains and subdomains (UK Government Security, 2025).

Dangling DNS records are the classic subdomain takeover vector. When a public sector organisation decommissions a cloud service, web app, or CDN endpoint but leaves the DNS CNAME or A record pointing to it, an attacker can claim the abandoned resource (re-register the released hostname at the cloud provider, or acquire the recycled IP address) and serve content under the legitimate government subdomain. The hostname is authentic, and because the attacker now controls what it serves, they can pass the provider's domain-validation check and obtain a valid TLS certificate for it. The user sees a government subdomain with a padlock and no visible warning.

In a government context, a taken-over subdomain (say, a hypothetical appointments.nhs.example.gov.uk) could serve a convincing credential harvesting page while appearing fully legitimate to both users and browsers. Lame delegations, where NS records delegate a zone to nameservers that no longer answer authoritatively for it, are the same problem one level up: if the delegated nameserver belongs to a hosting provider where the zone has been deleted, an attacker who creates that zone at the provider controls every record beneath it.
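As an added illustration of the two DNS weaknesses described above (this is example code written for this article, not GDS, NCSC or Detectify code), the Python below audits a zone's CNAME and NS records: a CNAME whose target no longer exists is flagged as dangling, and rated critical when the target sits in a provider namespace where anyone can register the abandoned name; an NS record is flagged as a lame delegation when the nameserver hostname does not exist or when the server answers without the authoritative (AA) flag for the zone. The zone fragment, DNS answers and the list of claimable provider suffixes are constructed for the example. DNS lookups are injected as callables so the audit runs offline; the two dnspython adapters at the end assume that library is installed.

```python
"""Offline audit of a zone for dangling CNAMEs and lame NS delegations.

Added example for this article; not GDS, NCSC or Detectify code. Lookups go
through injected callables so the audit runs offline against the constructed
records below; the dnspython adapters (assumption: dnspython >= 2.0 installed)
show how to point it at live DNS.
"""
from dataclasses import dataclass

# Provider namespaces where an unclaimed hostname can be registered by anyone,
# turning a dangling CNAME into a takeover. Illustrative list, not exhaustive.
CLAIMABLE_SUFFIXES = (
    ".azurewebsites.net", ".cloudapp.azure.com", ".trafficmanager.net",
    ".s3.amazonaws.com", ".github.io", ".herokuapp.com",
)


@dataclass
class Finding:
    name: str      # owner name of the record in our zone
    rtype: str     # CNAME or NS
    target: str    # where the record points
    issue: str
    severity: str  # critical / high / medium


def is_claimable(target: str) -> bool:
    return target.lower().rstrip(".").endswith(CLAIMABLE_SUFFIXES)


def audit_zone(records, resolve, auth_check):
    """records: iterable of (owner, rtype, target) from our own zone.
    resolve(name, rtype) -> list of answers, [] if the name exists but has no
        such record, or None if the name does not exist (NXDOMAIN).
    auth_check(ns_host, zone) -> True if ns_host answers authoritatively (AA)
        for zone, False if it answers without AA or refuses, None if unreachable.
    """
    findings = []
    for owner, rtype, target in records:
        if rtype == "CNAME":
            answers = resolve(target, "A")
            if answers is None:
                findings.append(Finding(owner, rtype, target,
                    "dangling CNAME: target does not exist (NXDOMAIN)",
                    "critical" if is_claimable(target) else "high"))
            elif not answers:
                findings.append(Finding(owner, rtype, target,
                    "CNAME target exists but has no address record", "medium"))
        elif rtype == "NS":
            if resolve(target, "A") is None:
                findings.append(Finding(owner, rtype, target,
                    "lame delegation: nameserver hostname does not exist", "critical"))
                continue
            auth = auth_check(target, owner)
            if auth is None:
                findings.append(Finding(owner, rtype, target,
                    "delegated nameserver unreachable", "high"))
            elif auth is False:
                findings.append(Finding(owner, rtype, target,
                    "lame delegation: nameserver not authoritative for zone "
                    "(zone may be claimable at the provider)", "critical"))
    return findings


# Constructed sample zone fragment (not a real .gov.uk zone).
SAMPLE_RECORDS = [
    ("www.example.gov.uk.", "CNAME", "example-gov-site.azurewebsites.net."),
    ("old-portal.example.gov.uk.", "CNAME", "decommissioned.example.net."),
    ("api.example.gov.uk.", "CNAME", "api-lb.example.net."),
    ("consultations.example.gov.uk.", "NS", "ns1.retired-provider.example."),
    ("forms.example.gov.uk.", "NS", "ns1.dns-provider.example."),
    ("forms.example.gov.uk.", "NS", "ns2.dns-provider.example."),
]
# Constructed DNS state: names absent from the dict are treated as NXDOMAIN.
SAMPLE_DNS = {
    ("api-lb.example.net.", "A"): ["192.0.2.10"],
    ("ns1.dns-provider.example.", "A"): ["192.0.2.53"],
    ("ns2.dns-provider.example.", "A"): ["192.0.2.54"],
}
# Constructed authority state: ns1 has dropped the zone, ns2 still serves it.
SAMPLE_AUTH = {
    ("ns1.dns-provider.example.", "forms.example.gov.uk."): False,
    ("ns2.dns-provider.example.", "forms.example.gov.uk."): True,
}


def sample_resolve(name, rtype):
    return SAMPLE_DNS.get((name, rtype))


def sample_auth_check(ns_host, zone):
    return SAMPLE_AUTH.get((ns_host, zone))


def run_sample():
    return audit_zone(SAMPLE_RECORDS, sample_resolve, sample_auth_check)


def dnspython_resolve(name, rtype):
    """Live resolver adapter (assumes dnspython is installed)."""
    import dns.resolver
    try:
        return [rr.to_text() for rr in dns.resolver.resolve(name, rtype)]
    except dns.resolver.NXDOMAIN:
        return None
    except dns.resolver.NoAnswer:
        return []


def dnspython_auth_check(ns_host, zone):
    """Ask ns_host directly for the zone's SOA and check rcode and the AA flag."""
    import dns.flags, dns.message, dns.query, dns.rcode
    try:
        ns_ip = dnspython_resolve(ns_host, "A")[0]
        resp = dns.query.udp(dns.message.make_query(zone, "SOA"), ns_ip, timeout=3)
    except Exception:
        return None  # unreachable or nameserver itself unresolvable
    return resp.rcode() == dns.rcode.NOERROR and bool(resp.flags & dns.flags.AA)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.severity:8} {f.name} {f.rtype} -> {f.target}: {f.issue}")
```

On the sample data this reports four findings: the Azure CNAME as critical, the CNAME to a decommissioned non-cloud host as high (not automatically claimable, but still a broken record worth removing), and both delegation problems as critical. A real run would take the zone file the VMS asks registrants to share, and the claimable-suffix list needs maintaining per provider, since whether an NXDOMAIN CNAME is actually exploitable depends on whether that provider lets anyone register the released name.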

These vulnerabilities are particularly dangerous in the public sector because of the high volume of subdomains across 6,000 organisations and the frequency of infrastructure changes, cloud migrations, and service decommissions that create dangling records. Before the VMS, the median time to fix one was 50 days: nearly two months in which a dangling record stays claimable by anyone who spots it first.

How the UK Cyber Profession Aims to Fix the Skills Gap

The VMS addresses the technology side. The Cyber Profession addresses the people problem, which the NAO identified as the more fundamental risk.

The NAO's Government Cyber Resilience report (January 2025) found that one in three central government cyber security positions were unfilled or occupied by temporary staff. Several departments reported more than half their cyber positions vacant. Up to 70% of specialist security architect posts were filled by temporary contractors costing at least twice as much as salaried civil servants. Departments cited salary constraints and slow civil service recruitment as the primary barriers (NAO, 2025).

The Cyber Profession, co-branded with DSIT and the NCSC, includes:

  • Cyber Resourcing Hub to streamline recruitment across government
  • Government Cyber Academy for training and development
  • Apprenticeship scheme to build a future talent pipeline
  • Career framework aligned with UK Cyber Security Council professional standards
  • Manchester as a primary hub, building on the city's digital ecosystem and the forthcoming government Digital Campus


What the VMS Means for Vulnerability Management Teams

Having spent 20+ years on the vendor side of cybersecurity, watching organisations buy scanning tools and struggle to operationalise them, this initiative stands out because it treats vulnerability management as a service, not a product deployment.

The VMS does not dump a report and walk away. It provides specific remediation guidance, tracks progress, and follows up until closure. That remediation tracking loop is what separates organisations that reduce their attack surface from those that generate dashboards.

If you work in vulnerability management or exposure management, this model maps closely to Continuous Threat Exposure Management (CTEM). The VMS implements the discovery, prioritisation, and mobilisation stages of CTEM at a national scale. For more on how that framework works, see our guide to NIST-Aligned CTEM: Moving Beyond Point-in-Time Scanning.

The architecture choice is also worth noting. Rather than building a scanning platform from scratch, the government layered a commercial EASM tool (Detectify) on top of existing NCSC capabilities and built the workflow, guidance, and tracking around it. Buy the detection capability, build the operational process. That is a model most organisations can replicate.

The open questions are around scope and sustainability. Eight days is significantly better than 50, but it is still a meaningful window for a motivated attacker, and the broader 32-day remediation time for non-DNS vulnerabilities remains substantial. The Cyber Profession initiative, while structurally sound, will take years to produce results. Whether a rebrand and a Manchester hub change the salary equation enough to compete with the private sector remains to be seen.

How to Register for the VMS

The VMS is centrally funded at no cost to participating organisations. Registration is available through MyNCSC or the GDS online form. GDS accepts domains in any namespace (.gov.uk, .nhs.scot, .org.uk, and others) as long as the registering organisation owns the domain and can authorise monitoring. Organisations should share zone files with the VMS team to ensure complete domain and subdomain coverage (UK Government Security, 2025).

Contact: [email protected]

Summary

The VMS stands out among government cybersecurity initiatives because it combines centralised scanning with structured remediation tracking. The operational model (find it, guide the fix, verify closure) is what makes the numbers credible rather than aspirational.

Pairing the VMS with the Cyber Profession initiative shows recognition that scanning tools without skilled people to act on findings are insufficient. Whether the Cyber Academy, Resourcing Hub, and structured career pathways can close the staffing gap against private sector competition will determine the initiative's long-term impact. I look forward to seeing what other initiatives come out of the government cybersecurity space.



Last updated: March 2026

References and Sources

  1. GOV.UK. (2026). Government cuts cyber-attack fix times by 84% and launches new profession to protect public services. Department for Science, Innovation and Technology, NCSC. Press release published 26 February 2026. Primary source for all VMS performance statistics and Cyber Profession details.
  2. National Audit Office. (2025). Government Cyber Resilience. Published January 2025. Found 1 in 3 government cyber roles unfilled or filled by temporary staff, 70% of security architect posts on temporary contracts, and skills gaps as the biggest risk to cyber resilience.
  3. UK Government Security. (2025). Vulnerability Monitoring Service. Government Digital Service. Confirms Detectify as scanning platform, published IP addresses, and service registration details. Available at security.gov.uk.
  4. UK Government Security. (2025). Detectify surface monitoring tool. Government Digital Service. Dedicated page confirming Detectify configurations, AWS Ireland hosting, and DNS Check scanning frequency. Available at security.gov.uk.
  5. GOV.UK. (2025). Blueprint for Modern Digital Government. Published January 2025. Committed to VMS as one of 5 flagship kickstarter initiatives.