Frontier AI Models Are An Opportunity For Security Teams To “Get Ahead” Of Threats, Says UK’s NCSC
Speaking at Infosecurity Europe, the NCSC’s Director of Operations said the latest AI models are ‘democratizing pentesting and red teaming’ within the UK government.
Frontier AI models are being used within the UK government to discover security vulnerabilities that would have previously taken “weeks or months” to find, according to a senior official at the UK’s National Cyber Security Centre (NCSC).
Speaking at Infosecurity Europe in London, Paul Chichester, Director of Operations at the NCSC, said the latest generation of AI models represents an opportunity that security teams must take advantage of to improve security outcomes.
“One of the real positives about the frontier AI models is they’re being used to find vulnerabilities before the adversary does,” Chichester said. “We’re democratizing pentesting and red teaming. In the government, we’re finding vulnerabilities that would have taken weeks or months to find.”
The comments come as frontier AI models like Claude Mythos continue to demonstrate rapid advances in cybersecurity capability. The UK’s AI Security Institute (AISI) reported that the best-performing frontier models can now autonomously execute multi-stage attacks on vulnerable networks, with the time horizon for reliable autonomous cyber operations doubling roughly every five months.
Researchers have already used Claude Mythos to exploit Apple’s flagship security features, while Google has disrupted the first AI-developed zero-day exploit campaign.
The NCSC published guidance in April urging cyber defenders to prepare for the impact of frontier AI, noting that poorly secured systems will increasingly have their vulnerabilities discovered by these models, whether by defenders or attackers.
But Chichester framed the current moment as one of both disruption and opportunity. “Attackers aren’t omnipotent,” he said. “Think about how you can use this for your advantage.”
Act Now, Don’t Wait
Chichester outlined a series of practical steps organizations should be taking now, including reducing the attack surface, addressing legacy systems, and strengthening identity and access controls.
“We can’t patch everything. We all have systems we can’t patch,” he said. “Architecting is going to be an important part of the future.”
He highlighted the importance of incident preparation, saying that exercising remains the single most impactful step organizations can take. “I’m often asked what’s the one thing organizations should do. I always say exercising.”
Chichester acknowledged the uncertainty facing security leaders as geopolitical tensions reshape the threat landscape, but said the answer is action, not hesitation.
“We’re in a time of massive uncertainty. Now is the time to be doing things. Don’t wait for certainty, because it’s never coming.”