The UK’s National Cyber Security Centre has put a number on the threat. Frontier AI models can now attempt a full enterprise network attack for roughly £65, and the best models improved their offensive capability sixfold in just 18 months. For UK organisations still treating AI-enabled cyber threats as a future problem, that window has closed.
What the NCSC and AISI actually found
A joint blog post from the NCSC’s Technical Director for Cyber AI Research and a researcher at the AI Safety Institute (AISI) lays out where frontier AI offensive capabilities stand as of early 2026. The headline finding: Anthropic’s Claude Opus 4.6 model completed roughly half of a 32-step enterprise network simulation that would take a human specialist approximately 14 hours.
That is not a theoretical exercise. It is a structured assessment of real attack chains against enterprise-grade defences.
Critical context: The £65-per-attempt cost represents compute costs at March 2026 pricing. As model efficiency improves and inference costs fall, this figure will drop further — potentially making automated attack attempts economically viable at scale.
The critical numbers tell the story:
| Metric | Finding | Implication |
|---|---|---|
| Attack steps completed | ~16 of 32 steps | Half a professional-grade attack, autonomous |
| Human equivalent time | ~14 hours specialist work | AI compresses weeks of reconnaissance into hours |
| Cost per attempt | ~£65 (March 2026) | Orders of magnitude cheaper than hiring a threat actor |
| Improvement rate | 6x in 18 months | Capability gap closing rapidly |
| Current detection rate | Generates noticeable alerts | Defenders still have a detection advantage — for now |
Strategic insight: The sixfold improvement rate is the number that should concern boards most. If offensive AI capabilities continue on this trajectory, the window where automated attacks are “noisy and detectable” narrows considerably.
Where AI-driven attacks still fall short
The NCSC assessment is not all bad news. Current frontier models still struggle with several attack stages that require creative reasoning, and these gaps matter.
Models perform poorly at reverse engineering — the process of deconstructing compiled software to find exploitable flaws. They also struggle with novel cryptographic challenges that require theoretical reasoning rather than pattern matching. Most critically, current models cannot chain together complex multi-stage attacks end-to-end without losing coherence.
This means the attack pattern today looks more like “very competent script kiddie” than “nation-state operator.” The AI can execute known attack patterns efficiently, but it cannot improvise when things go sideways.
Reality check: These limitations are temporary. Reverse engineering and cryptographic reasoning are active areas of AI research. The NCSC is right to frame this as a “when, not if” problem.
For defenders, this creates a specific and time-limited opportunity. Organisations that invest in detection and response capabilities now — while AI-generated attacks are still relatively noisy — build institutional muscle that will matter when attacks become quieter.
Three defensive priorities the NCSC identified
The blog post outlines three areas where AI can strengthen defences. These are not theoretical suggestions — several are already in production.
Continuous vulnerability scanning and autonomous patching. The NCSC points to DARPA’s AIxCC programme and Google’s CodeMender as examples of AI systems that can identify vulnerabilities and generate patches without human intervention. For large organisations managing thousands of systems, this shifts vulnerability management from periodic scan-and-patch cycles to continuous automated hardening.
Implementation note: Autonomous patching carries its own risks. Any organisation deploying AI-driven patching needs robust rollback procedures and human oversight for critical systems. A bad patch deployed at machine speed can cause more damage than the vulnerability it fixes.
Intelligent threat detection across disparate data sources. AI excels at correlating signals across logs, network traffic, and endpoint telemetry that human analysts would struggle to connect. The NCSC specifically highlights the potential for detecting “subtle, prolonged intrusions” — the kind of low-and-slow attacks that bypass traditional rule-based detection.
Automated incident response. Blocking traffic, quarantining processes, and revoking compromised credentials at machine speed. The NCSC explicitly flags the risk here: automated responses can cause operational disruption if they fire incorrectly. The technology works, but the governance around it requires careful design.
| Defence area | AI capability | Risk to manage |
|---|---|---|
| System hardening | Continuous scanning, autonomous patching | Bad patches at scale, rollback complexity |
| Threat detection | Cross-source correlation, anomaly detection | False positives, alert fatigue |
| Automated response | Real-time blocking, quarantine, access revocation | Operational disruption from incorrect triggers |
What the NCSC is really saying about the defender’s advantage
Buried in the blog’s discussion of defensive AI is a strategic argument that deserves more attention. The NCSC describes defenders as having the ability to “shape the battlefield” — a phrase with clear military origins that reflects how seriously they take the asymmetry.
Defenders control the network topology. They can instrument every endpoint. They can correlate signals across the entire estate. And they can share intelligence globally through established communities like CiSP and FIRST.
Attackers, by contrast, operate blind. They must discover the network as they go, avoid detection across multiple systems simultaneously, and cannot easily share operational intelligence without exposing their methods.
Strategic insight: This asymmetry is real, but only if organisations actually exploit it. An organisation with poor asset visibility, inconsistent logging, and no threat intelligence sharing is handing the advantage back to automated attackers.
This is not a comfortable argument for organisations with weak fundamentals. The NCSC is clear: AI tools cannot compensate for weak baseline security. If your asset inventory is incomplete, your access controls are inconsistent, and your logging has gaps, deploying AI-driven security tools will not save you. It is like fitting a sophisticated alarm system to a building with no locks on the doors.
What UK organisations should do now, by maturity level
The NCSC’s recommendations translate into different actions depending on where an organisation sits on the security maturity spectrum.
Organisations with basic security in place (Cyber Essentials level):
- Verify your asset inventory is complete and current — you cannot defend what you cannot see
- Review access controls against the principle of least privilege
- Ensure logging covers all critical systems and is retained for at least 90 days
- Subscribe to NCSC threat advisories and CiSP if eligible
Organisations with established security programmes:
- Evaluate AI-enhanced detection tools for integration with existing SIEM and SOAR platforms
- Pilot autonomous vulnerability scanning on non-critical systems first
- Develop playbooks for AI-speed incident response with clear escalation triggers
- Conduct tabletop exercises specifically modelling AI-driven attack scenarios
Organisations with mature security operations:
- Deploy AI-driven threat detection across full telemetry stack
- Implement automated response for high-confidence, low-risk scenarios (e.g., blocking known-malicious IPs)
- Contribute to and consume threat intelligence through sector-specific sharing communities
- Review the Government’s Code of Practice for AI cyber security to ensure AI tools are not creating new attack surfaces
Take action: Whatever your maturity level, the NCSC’s baseline recommendation is clear — strong fundamentals first, AI augmentation second. No amount of AI tooling compensates for incomplete asset inventories, weak access controls, or gaps in logging.
Four non-obvious challenges in this transition
1. The AI security tool paradox. Every AI-enhanced security tool you deploy is itself an attack surface. These systems require API access, network visibility, and elevated privileges. If compromised, they provide attackers with exactly the kind of deep network understanding that makes AI-driven attacks dangerous. The NCSC references the Government’s Code of Practice for AI cyber security for this reason.
Hidden cost: Securing your AI security tools adds another layer of complexity and cost. Budget for it explicitly rather than treating AI tooling as a simple upgrade to existing capability.
2. Skills gap acceleration. AI-driven security tools do not eliminate the need for human expertise — they change what kind of expertise you need. Security teams need people who understand AI model behaviour, can interpret AI-generated alerts critically, and can design governance frameworks for automated response. These skills are scarce and expensive.
3. The detection window is shrinking. The NCSC notes that current AI attacks generate “noticeable security alerts.” This is reassuring today, but the sixfold improvement rate suggests this advantage is temporary. Organisations that wait for AI attacks to become a visible problem will find they have waited too long to build detection capability.
4. Regulatory expectations are forming. The NCSC’s blog post sits alongside the Government’s Code of Practice and broader UK AI regulatory frameworks. Organisations that ignore AI-driven cyber risk now may find themselves explaining that decision to regulators later. The compliance burden will increase, and early movers will have an easier time demonstrating due diligence.
Warning: ⚠️ The gap between “AI attacks are detectable” and “AI attacks are stealthy” may close faster than organisational procurement cycles. Security leaders should be making investment cases now, not when the threat is already mature.
What this means for UK businesses
The NCSC’s assessment confirms what the security community has been watching for two years: frontier AI has crossed the threshold from theoretical threat to practical offensive tool. The £65 price point and sixfold improvement rate make the trajectory unmistakable.
Three things determine whether your organisation will be ready:
- Baseline security is non-negotiable. Complete asset visibility, consistent access controls, and comprehensive logging. Without these, nothing else works
- Detection capability needs investment now. The window where AI attacks are noisy is your opportunity to build and tune detection systems. Use it
- Governance for AI tools must be designed, not improvised. Automated patching and automated response carry real operational risk. Build the governance frameworks before you need them
Where to start this week:
- Audit your asset inventory for completeness
- Review logging coverage against NCSC guidance
- Assess whether your security team has the skills to evaluate AI-driven tools
- Read the Government’s Code of Practice for AI cyber security
Source: Why cyber defenders need to be ready for frontier AI, National Cyber Security Centre, 30 March 2026. Authors: Paul J (Technical Director for Cyber AI Research, NCSC) and Alan Steer (Cyber Security Researcher, AISI, DSIT).
Analysis by Resultsense — making sense of AI in the UK.