The UK government has made significant strides in enhancing its cybersecurity by identifying and patching hundreds of software vulnerabilities, following a series of innovative internal hackathons. These events were designed around the utilization of cutting-edge AI models and were organized by the Government Cyber Coordination Centre (GC3), a collaborative effort initiated by both the National Cyber Security Centre (NCSC) and the Department for Science, Innovation and Technology (DSIT).
The overarching objective of these weekly in-person gatherings was to leverage advanced AI models to scan a variety of public code repositories across nine different government departments. Instead of enforcing a single method of operation, the GC3 equipped participants with model access, thereby allowing teams the autonomy to develop their own tools. Over the course of several weeks, teams could observe what strategies proved effective, gradually refining their methods based on successful outcomes.
In total, the hackathons yielded 407 findings, uncovering critical vulnerabilities such as issues related to authentication bypass, data exposure, and remote code execution. While some vulnerabilities were already recognized and addressed through existing compensating controls, others represented new zero-day threats. A report published on June 21 revealed that all identified critical and high-risk weaknesses deemed exploitable were remediated, and no incidents of exploitation had been recorded.
The report emphasized the unique capabilities of AI models in tracing vulnerabilities that cross service boundaries—an aspect that traditional scanning tools often struggle with. These advanced models were also able to link business logic with technical details, allowing departments to focus on validation and remediation through established frameworks.
Different teams within the hackathon adopted varied methodologies in their approach. One notable group developed five unique domain-specific “Claude Skills” aimed at crafting a reusable and consistent approach applicable across all open-source repositories selected for review. Another team opted for a hybrid strategy, utilizing conventional scanning tools such as Gitleaks, Trivy, Semgrep, and Hadolint to generate initial findings. They subsequently employed AI models to refine these findings, checking compliance against frameworks like OWASP and CWE, which ultimately helped to compile individual findings into cohesive attack paths for further analysis.
In an even more structured approach, one team devised a six-stage agentic pipeline, with each stage designed to read from and challenge its predecessor, ensuring a robust examination process.
### Frontier Models Deliver Strong Performance
The lesson learned during the hackathon initiative was multifaceted. The GC3 reported some key takeaways that could potentially shape future cybersecurity strategies. One of the most significant insights was that the optimal results arose from utilizing frontier models as “tightly scoped components within a structured pipeline.” By breaking down traditional vulnerability management workflows into specific, task-focused segments, teams were able to enhance efficiency.
Moreover, the GC3 discovered that with an appropriate architecture and task design, a variety of near-frontier and frontier models demonstrated similar efficacy in code scanning. However, human expertise remained indispensable to deconstruct complex challenges and provide broader context for technical findings. The need for an effective triage system also emerged as vital since AI agents could generate candidate vulnerabilities at a pace that outstripped human validation abilities. The combination of thorough upfront scoping and structured internal filtering was shown to enhance focus, ultimately minimizing costs. Impressively, the entire hackathon initiative had a budget of just £13,000 ($17,467) in tokens.
Looking ahead, the GC3 recognizes a pressing need to integrate prioritization, review, and patch-generation processes without disrupting existing human-centered workflows. This presents a complex challenge, especially in light of external factors that could influence ongoing projects.
One such factor is the recent export ban imposed by the US government on Anthropic’s advanced AI models, specifically the Mythos and Fable systems. This new regulation, announced late on a Friday, restricts access to the company’s most powerful AI models for non-American users, raising questions about the future of similar hackathon initiatives and their reliance on these advanced technologies. As the UK government ventures further into the realm of AI-assisted cybersecurity, the implications of international developments will warrant close attention, affecting how effectively it can safeguard its digital infrastructure.