- AI cyber capabilities are now doubling every four months, government-backed tests show.
- New models can find vulnerabilities and generate exploit code without human expertise.
- Businesses of all sizes, not just critical sectors, are now potential targets.
The UK government has warned that artificial intelligence is rapidly lowering the barrier to cyberattacks, allowing systems to identify software weaknesses and generate exploit code at a speed and scale not seen before. In a joint letter issued on April 15, 2026, ministers said the shift marks a move away from attacks led by a small pool of highly skilled criminals to a landscape where advanced tools can replicate those capabilities. The warning follows testing of Anthropic’s Mythos model, which officials said is “substantially more capable” at cyber offence than earlier systems, as quoted in the letter.
Data from the government-backed AI Security Institute suggests the pace of change is accelerating sharply, with frontier AI cyber capabilities now doubling roughly every four months, compared with every eight months previously. Ministers also pointed to parallel developments across the industry as evidence that the shift is not isolated, adding that attackers are expected to target “ordinary companies, of every size, in every sector.” Against this backdrop, the government has set out three immediate steps for businesses to strengthen their defences.
Here are the three steps businesses are being urged to follow:
1. Treat cyber security as a leadership issue, not just an IT task
The government is asking boards to take direct responsibility for cyber risk, warning that it can no longer be delegated solely to technical teams. Businesses are urged to regularly review cyber threats at board level, adopt frameworks such as the Cyber Governance Code of Practice and ensure clear incident response plans are in place. The letter also highlights the importance of rehearsing responses to major cyber incidents and considering how tools like cyber insurance could support recovery.
2. Fix basic weaknesses and secure Cyber Essentials certification
Despite the rise of advanced AI threats, ministers stress that most successful cyberattacks still exploit simple vulnerabilities such as outdated software, weak passwords and missing data backups. Businesses are encouraged to obtain Cyber Essentials certification, which the government says significantly reduces the likelihood of a damaging cyber incident. Organisations are also advised to apply these standards across their supply chains to avoid weak links that attackers could exploit.
3. Use official guidance and act on early threat warnings
The government is urging businesses to actively follow advice from the National Cyber Security Centre and sign up to its Early Warning Service. This free service provides alerts about potential cyber threats, giving organisations time to respond before incidents escalate. Regulators are also expected to issue sector-specific guidance, reinforcing the need for businesses to stay updated as AI-driven risks continue to evolve.
The letter makes it clear that while AI is accelerating the scale and sophistication of cyber threats, the response is not entirely new. Businesses that act early and strengthen basic defences are likely to be better positioned as these risks grow, while those that delay may find it harder to keep pace with a rapidly changing threat landscape.