Realising the potential of autonomous cyber defence

06/05/2025

AI-powered cyber-attacks are rapidly increasing in volume, speed and capability. We will soon reach the tipping point where the limited number of human defenders cannot respond at the required pace and scale. So how do we tackle this emerging threat?

At this year’s CYBERUK 2025, we’re sharing how AI and machine learning advances have been used to train automated cyber defence agents, with the decision-making capability to counter future threats at machine speed. Under our leadership of the Autonomous Resilient Cyber Defence (ARCD) concepts research, funded by the Defence Science and Technology Laboratory (Dstl), we collaborated with some of the UK’s strongest players in AI and Cybersecurity. Together, we uncovered novel approaches to AI decision making for incident response and recovery, including a world-first demonstration of autonomous cyber defence in a representative military Industrial Control System.

Simulating AI defence in real-life scenarios

Machine Learning is a mature technology for identifying abnormal behaviour in cyber systems. However, Security Orchestration, Automation and Response (SOAR) traditionally relies on rules-based playbooks that struggle to scale and to be mission or context aware, a particular concern for the rapidly evolving Defence use case. Conventional machine learning approaches that require large datasets also struggle when applied to the diverse cyber defence problem.

This is where Reinforcement Learning (RL) comes in. RL is a machine learning technique that trains an agent, or multiple agents, to make decisions aimed at achieving specific objectives (e.g. mission completion, availability). RL agents learn through trial and error, without explicit instructions, to maximise a reward signal within a training environment. RL enables automated cyber defence decision making to determine optimal response and recovery actions when a cyber-attack is detected.

As part of the Autonomous Resilient Cyber Defence (ARCD) programme, promising RL concepts were advanced through scrutinising large bodies of research and developing testing and simulation tools. These concepts include two contrasting Multi Agent RL (MARL) approaches, Graph Neural Networks and a Cyber First Aid demonstrator. We have also conducted pioneering human sciences research, built Human Machine Teaming (HMT) prototypes and evaluated these with military users to explore how different autonomy modes can help build trust and encourage adoption of such technologies.

Through our extensive research over three years, great strides have been made in evidencing the feasibility of, and identifying the key challenges for, operational use of autonomous cyber responses on real-world networks, in order to realise the benefits of improving resilience against emerging cyber threats.

About ARCD

The ARCD project was funded by Dstl between March 2022 and March 2025. It’s an industry-wide collaboration, bringing together a diverse community of experts, researchers, and stakeholders dedicated to tackling some of the most complex challenges in cyber defence. More information, including our recent newsletter, is available at www.fnc.co.uk/arcd.