Source: cryptobriefing.com

UK government uncovers over 400 vulnerabilities in AI hackathons costing just $16K

The UK Government Cyber Coordination Centre (GC3) uncovered 407 security vulnerabilities across nine government departments' public code repositories through weekly AI-powered hackathons costing just £13,000 ($16,000) in AI tokens. All critical flaws have been fixed with no evidence of prior exploitation, validating that AI combined with human oversight can efficiently enhance cybersecurity.

Published Jun 16, 2026

Weekly hacking sessions across nine departments used Claude and GPT models to find critical flaws in public code, all of which have been fixed

The UK Government Cyber Coordination Centre, known as GC3, ran a series of weekly hackathons that surfaced 407 security findings across public code repositories belonging to nine government departments. The total cost in AI tokens: £13,000, roughly $16,000.

Every critical vulnerability identified has been remediated. None showed evidence of prior exploitation.

How it worked

GC3 is a partnership between the National Cyber Security Centre (NCSC) and the Department for Science, Innovation and Technology (DSIT). The hackathons were run as weekly in-person events, with additional involvement from the AI Safety Institute (AISI).

The teams used advanced AI models, specifically Anthropic’s Claude Mythos and OpenAI’s GPT-5.5, alongside traditional scanning techniques and human oversight.

Among the 407 findings were vulnerabilities serious enough to potentially allow authentication bypass, data exposure, and remote code execution.

The project found that architectural design and multi-stage pipelines mattered far more than which specific AI model was deployed. The structured methodology, combining automated scanning with expert human review, proved to be the differentiating factor.

That £13,000 price tag covers only the AI token costs, not personnel or infrastructure.

Why this matters beyond Whitehall

The case study, published on GOV.UK around mid-June 2026, focused on publicly available government code repositories. A follow-on phase targeting closed-source code is already anticipated.

The NCSC has also issued guidance specifically addressing the new risks that AI itself introduces to cybersecurity, threading the needle between promoting open-source code practices and managing the security implications of making code publicly accessible.

What this means for the cybersecurity market

The results validate a specific thesis: AI augments human expertise rather than replacing it. The hackathon’s success wasn’t driven by letting models run unsupervised. It came from combining AI scanning with structured human review in carefully designed pipelines.

For investors watching this space, the key metric to track going forward is the closed-source phase. Scanning public repositories is one thing. Finding vulnerabilities in proprietary government systems, where the code isn’t available for community review, is a fundamentally harder problem.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.
