Scaling application security and attack surface monitoring inside a single enterprise is a massive headache. In June 2026, the Department for Science, Innovation and Technology (DSIT) of the UK Government joined us on stage at Infosecurity Europe to share the reality of a challenge that puts even the largest corporate hurdles into perspective. The DSIT from the UK Government joins Detectify on stage at Infosecurity Europe 2026Now, imagine an environment where public sector cybersecurity responsibilities range from elite, highly mature central government departments down to local parish councils with exactly zero security budget or dedicated staff.That is the actual operational reality of public sector cybersecurity at scale.Managed centrally by the DSIT, the challenge involves owning security for more than half a million domains and 9,000 internal customers. While the setting is public sector, the structural nightmares being tackled are identical to what every major global enterprise faces during rapid cloud expansion, mergers and acquisitions (M&A), or shadow IT explosions: unmapped infrastructure, forgotten assets, and localized engineering teams dealing with competing priorities.To address this challenge, the UK Government shifted its entire strategy away from top-down, legacy compliance and partnered with Detectify to achieve continuous attack surface monitoring, centralized visibility, noise reduction, and aggressive, outside-in automation. Here is how they solved the visibility crisis and built a framework to outpace the escalating speed of modern threats.Scaling AppSec against the 0-day clockThe macro trends hitting AppSec right now are relentless. According to the official CVE database, the industry has seen a staggering 2x spike in new CVEs over the past few years alone. Worse, the barrier to entry for exploiting those vulnerabilities has cratered.The data from the ZeroDayClock tracks a stark reality:Yesterday: A few years ago, the Mean Time to Exploit (MTTE); the window between a vulnerability being disclosed and an attacker weaponizing it, stood at over a month.Today: That window has shrunk down to just 1.6 days, driven heavily by advancements in automated AI code generation.Tomorrow: The projection indicates MTTE will drop below 1 day before the end of this year (2026). Moving into next year, automated exploits are projected to strike within an hour, or even minutes, of disclosure.Meanwhile, the broader industry’s Mean Time to Respond (MTTR) still lags anywhere from several days to well over a month. To make matters worse, traditional safety valves like bug bounty programs are currently being flooded with automated AI slop, making them almost unusable.Faced with a rapidly evolving threat landscape, the UK Government team realized they couldn’t rely on legacy, defensive frameworks. They needed continuous, automated vulnerability monitoring and active verification. This is where Detectify’s continuous and automated capabilities came into play, helping them stay ahead of the rapidly shrinking MTTE window.Overcoming the alignment challenge centrallyWhen managing thousands of distinct municipal and federal entities, issuing top-down mandates rarely works. How do you get entirely separate teams aligned on security when they are balancing fiercely competing operational priorities?The strategy implemented by DSIT focused on centralizing procurement and eliminating friction. Instead of forcing individual local councils or departments to fight for independent budgets and source their own tooling, solutions were procured and developed centrally. This approach had a dual benefit: it saved massive amounts of taxpayer money, and it allowed internal public-sector customers to consume critical security intelligence easily, for free, with zero setup friction.But tools are only effective if teams understand the output. While the personnel across these thousands of organizations are incredibly competent, many lack a formal cybersecurity background.Rather than enforcing rigid action, the focus shifted entirely to education and clear explanations. Security teams found that when local entities were provided with the necessary context, they became entirely self-motivated: once teams had the understanding needed, that was usually enough to prompt action. When a local parish council finally understood why an open port or unpatched asset put their community’s data at risk, they fixed it willingly.Operationalizing attack surface monitoring across 300,000 assetsFinding a bug is easy; orchestrating remediation across thousands of entities is where most AppSec programs fall apart.To scale this across the entire country, the government rolled out its centrally developed Vulnerability Monitoring Service (VMS), powered by Detectify. Operating as a unified attack surface monitoring infrastructure, the VMS unlocked continuous, automated coverage for 300,000 active assets across 6,000 public sector bodies.But technology alone didn’t move the needle; the human element did. A dedicated central outreach team was deployed specifically to bridge the security maturity gap. They discovered that despite all the fancy Slack integrations or complex API webhooks available to modern developers, good old-fashioned, personalized email outreach was the most effective way to break through the noise. Because separate departments inherently work in their own isolated systems, reaching out directly via email proved to be the absolute most effective way to get people to engage and resolve flaws.The results speak for themselves: public sector data shows that since deploying the centralized VMS, the median time to resolve critical Domain Name System (DNS) weaknesses dropped from nearly two months down to just eight days, an 84% reduction in exposure time.Eliminating false positives to save public resources In public sector cybersecurity, alert fatigue has a very literal financial consequence:“Noise means someone’s time and resources,” the team emphasizes. “It literally means taxpayer money is going to waste if someone is drowning in noise.”To keep remediation teams focused on what truly matters, the central scanning infrastructure must rely on payload-based assessment to remain highly accurate and strictly low-noise. Relying on traditional tech version lookups or passive CVE database matching creates a mountain of false positives: software banners routinely lie, and backported security patches frequently break simple version-based logic.To solve this, the VMS architecture relies heavily on payload-based assessment. By actively firing a safe, simulated exploit payload against a target asset, the system doesn’t guess if a vulnerability exists based on a text-based version number. It actively proves whether the asset is exploitable in its live runtime environment.Detectify’s unique capability is being able to execute this level of active, high-fidelity verification consistently across a full attack surface of this immense size. It’s a scale of payload testing that traditional tools simply can’t match. This active verification strips out the noise. When the platform surfaces an alert, local remediation teams know it’s a real, verified risk, meaning zero taxpayer time is wasted chasing ghosts.Reducing false positives with Detectify Protecting half a million domains requires a fundamental shift in mindset. You cannot scan your perimeter once a quarter, and you cannot expect non-security teams to decode cryptic vulnerability reports. By centralizing attack surface monitoring through the VMS, enforcing high-fidelity payload testing to kill false positives, and investing heavily in direct security education, the UK Government has created a definitive blueprint for enterprise-scale AppSec. Detectify’s payload-based assessments enable this high-fidelity scanning, allowing the platform to eliminate false positives and differentiate between theoretical vulnerabilities and actual, exploitable risks.The post Real-world attack surface monitoring at massive scale: how the UK Government protects over half a million public sector domains appeared first on Blog Detectify.