Summary

• GCHQ has developed a blueprint for a national cyber defence capability using agentic AI.
• The agency says AI, quantum, space, and hybrid threats are changing the security environment for the UK and its allies.
• The message for businesses is direct: cyber resilience, supply-chain assurance, encryption, and machine-speed defence are becoming economic infrastructure issues.

GCHQ has developed a blueprint for a new national cyber defence capability that would use agentic AI to support machine-speed defence against threats to the UK.

Anne Keast-Butler, director of GCHQ, set out the plan in the agency’s inaugural annual lecture at Bletchley Park, alongside a broader warning that the UK and its allies face a narrowing window to stay ahead in artificial intelligence, quantum computing, space, and cyber security.

The speech placed AI at the centre of the modern security environment. Keast-Butler said frontier AI is exposing weaknesses in technologies society relies on every day, while increasingly sophisticated agents and greater system autonomy are changing both opportunity and risk. GCHQ has spent recent months developing a national cyber defence blueprint intended to embed agentic AI into machine-speed cyber defence.

Cybersecurity has long been described as a board-level issue, but the combination of AI-enabled attack tools, critical infrastructure dependency, and state-backed hybrid activity is making it part of economic resilience. The systems at stake include the data networks and operational infrastructure that support the NHS, energy, transport, telecoms, finance, logistics, and digital public services.

GCHQ’s National Cyber Security Centre already provides guidance and incident support across the economy. The proposed AI-enabled capability points to a faster operational tempo. If attackers can use AI to accelerate reconnaissance, phishing, vulnerability discovery, malware adaptation, and social engineering, defenders will need better automation, richer telemetry, faster triage, and clearer rules for when autonomous systems can act.

The speech also linked cyber resilience to quantum readiness. Keast-Butler warned that operational quantum computers will be able to defeat the cryptography that protects sensitive systems today, and called for businesses to act in line with NCSC timelines. Encryption migration now sits alongside AI security as a practical planning issue, not a distant research concern.

Russia’s hybrid activity against the UK and Europe formed another major strand of the lecture. Keast-Butler referred to threats stretching from the seabed to cyberspace, including critical infrastructure, democratic processes, supply chains, and public trust. That framing pulls cybersecurity away from a narrow IT discipline and into the protection of the real economy.

Organisations that operate or support critical services will need stronger identity controls, better incident response, resilient supply chains, tested recovery plans, and security architectures that can cope with AI-assisted attackers. Boards will also need to understand where automation is safe, where human approval remains essential, and how AI-driven defence systems are governed.

Agentic AI in cyber defence carries its own risks. Systems that can detect, investigate, and potentially act at speed must be auditable, constrained, and resilient against manipulation. Poorly governed autonomy can create false positives, operational disruption, or new attack surfaces. National-scale cyber automation will therefore need not only technical sophistication, but transparent accountability between government, industry, and regulators.

GCHQ’s message is that cyber resilience is becoming inseparable from national competitiveness. Companies that treat security as a compliance exercise will be poorly placed in an environment where AI compresses the time between vulnerability and exploitation. The more practical response is to assume that machine-speed attack and defence are becoming part of the normal operating environment.