A first-hand account of the UK Flywheel event at the National Theatre: part love letter to the UK cyber ecosystem, part demolition of the comforting myths around funding, government “capability”, and NCSC’s role. From the NCSC Annual Review to West Midlands Cyber Hub, this is what the day looked like from the founder trenches rather than the podium.

Executive Summary (TL;DR)

UK Flywheel brought 150 founders, investors, CISOs, civil servants and policy people into the National Theatre to ask a simple question: how does the UK turn strong cyber capability into genuine global leadership? The day, anchored by Alastair Paterson of Harmonic Security, felt less like a vendor event and more like a civic intervention in the life of the ecosystem.

I frame the discussion through four concerns I didn’t get to voice on stage: the absence of real early-stage capital (“the first £50k”), the ongoing regional imbalance beyond London/Manchester/Cheltenham, the lack of coherent lifecycle support from startup to scale-up, and the need for practitioner-led design instead of consultant-driven initiatives. These themes sit in tension with Ollie Whitehouse’s NCSC Annual Review 2025 presentation, which celebrates technical excellence but leaves the organisation’s constitutional drift unresolved.

The Q&A that followed exposed a deeper dissonance. When Tyler Oliver asked about early-stage liquidity, the response, that there is “plenty of money at the low end”, collided with the lived reality of most founders in the room. My own question, why HMG keeps building systems that compete with the market, highlighted the blurred line between NCSC as steward, regulator, delivery arm and de facto vendor, with Active Cyber Defence, Early Warning System and Police Cyber Alarm as examples.

Against this, Dave Palmer’s intervention cut through: the problem isn’t a “missing middle” of funding, it’s a missing ladder. Everyone wants to back scale-ups; almost no one wants to fund the first rungs. The pitches that followed, from HuntBase, Revenge.ai, Tulpa and others, showed the breadth of talent and ambition in the ecosystem, while the list of absentees underlined how geographically lopsided it remains.

The piece closes by situating Flywheel alongside the launch of WM Cyber Hub, and the subsequent open letter to the Government signed by 60+ senior leaders. Flywheel wasn’t perfect, but it was honest, and in a system overloaded with strategy documents and showcase events, honesty about capability, gaps and regional reality is a much better starting point than spectacle.

Contents

Introduction & The Curtain Rises

It’s a strange thing, walking into the National Theatre for a cyber event. The place smells faintly of ambition and old velvet, the ghost of a thousand earnest monologues. For a moment, I half-expected someone to appear on stage and declaim, “Friends, Romans, security vendors…” but no, this was UK Flywheel, a day that managed to be both theatrical and entirely authentic (event link).

The organiser was Alastair Paterson, formerly of Digital Shadows and now founder of Harmonic Security. He’s one of those rare people who’s made some proper money, done the Bay Area circuit, and still has the decency to come home and try to make things better. What was refreshing, genuinely refreshing, was that it didn’t feel like a Harmonics gig at all. It felt like a civic act: an attempt to pull energy back into the UK cyber ecosystem rather than suck it out.

And he’d done it. The room was stacked: four of the five UK cyber startups that have exited north of £100 million, a crowd of founders, policy people, senior civil servants from NCSC, DSIT, DCIP, and a small army of investors and analysts. If cyber had a parliament, this was its noisy backbench rebellion, and I loved that about it.

Act I — What I Wanted to Say

I didn’t get to say everything I wanted. Four points in particular were burning a hole in my pocket.

First, the UK’s problem isn’t at the top end of funding, it’s the bottom. It’s the low-end, entry-level money that’s missing, the “first £50k” that gets prototypes breathing. Everyone wants to talk about Series A or “the missing middle,” but the real vacuum is before that.

Second, the regions. We can’t keep pretending that London, Manchester, and Cheltenham are the only viable postal codes for innovation. The system needs connective tissue: how do we support and scaffold regional ecosystems so that a founder in Wolverhampton has the same early-stage oxygen as someone in Shoreditch? Right now, most public and quasi-public programmes still gravitate toward the already cyber-affluent regions, leaving the rest of the country fighting for scraps.

Third, lifecycle support. We keep throwing one-off programmes and accelerator badges at founders, but there’s no coherent pathway through startup, scale-up, and beyond. Companies fall into a trough between innovation grant and export-ready maturity: a desert of practical help, customer access, and technical mentoring. We need continuity, not confetti: a joined-up sequence that grows capability over years, not quarters.

Fourth, practitioner-led design. Too many initiatives are dreamt up by consultants who’ve never shipped a product or managed an incident. The real progress comes from builders; people who understand code, risk, and delivery. Policy should be written by practitioners, not PowerPoint. We need a cyber ecosystem that’s led by engineers, operators, and founders, not overseen by professional observers and facilitators.

I’d have said all that, and more if I had chance, but time ran away, and the panels rolled on. Some of my bugbears are slightly too regionally specific so this is a good point to cut off.

Act II — Ollie and the NCSC Capability Review

After the introductions, Ollie Whitehouse, CTO of the NCSC, got up to give his talk, centred almost entirely on the newly released NCSC Annual Review 2025, the organisation’s annual capability and posture briefing.

The Review itself had three big themes, which Ollie reflected:

First, NCSC capability continues to be technically excellent. There’s strong progress on threat response, AI assurance work, vulnerability coordination, and public-facing incident guidance. The engineering teams remain exceptional: easily world-class.
Second, role drift remains unresolved. The Review simultaneously positions the NCSC as a regulator, a delivery arm, and an ecosystem steward, which is constitutionally impossible. Even DSIT calls it “the jewel in the crown” while quietly eroding its remit.
Third, centralisation persists despite regional rhetoric. The Review talks a lot about regional engagement, but everything gravitational still sits in London, Manchester, and Cheltenham: talent, programme authority, and procurement power.

I wrote a full analysis of the Review the week before Flywheel, “The NCSC Annual Review 2025: Between Capability and Stasis“, and my conclusion was blunt:

The NCSC is capable in parts, impressive in places, but strategically unanchored.
Its challenge is not performance, but purpose.

I suspect that Ollie, of course, sees it differently, and that for him, the Review is a badge of honour, proof of mission, momentum, and mastery, despite some inherent challenges. Still, it was a solid scene-setter. It put the national picture on the table before the founders started asking the awkward questions, which is exactly what happened next.

Act III — Funding Fairy Tales

Tyler Oliver, of HuntBase IO, asked a sensible question about funding and liquidity at the low end. The response was a surprise as out came the old chestnut: “There’s plenty of money at the low end”.

Ollie said it, and I nearly choked on my coffee. Everyone in that room, every founder, has heard that fairy tale before. Go and talk to the funders, he said, there’s a room full of people here. We’ve all talked to the funders.

Osney Capital? Lovely people. You sit down, they ask how you’re doing, and then they explain why they can’t fund you; I know one poor sod who’s met them six times. Give them some money already. Midven? Same story. Government-funded to fund innovation, yet somehow allergic to actually releasing capital. My son calls them funding protectors: custodians of money that’s meant to move but never does.

So no, there isn’t “plenty of money at the low end”. There are plenty of meetings. There are plenty of decks being politely declined. There are plenty of advisory boards that confuse visibility with value.

Act IV — Why Does HMG Keep Competing with the Market?

After Tyler, I got in next and asked Ollie a question I’d been sitting on for a while:

“Why does government keep building systems that compete with the market?”

It landed like a spanner in a gearbox. Ollie bristled, as can be his style, and came back swinging:

1. “We commission everything; we don’t build”.
2. “We wouldn’t have to if people were building what we need”.

It’s a very Ollie answer; blunt, efficient, and missing the point.

Because the truth is, that’s not entirely accurate. Active Cyber Defence (ACD) and its Early Warning System (EWS) look suspiciously in-house. There’s no public data, no tender trail, no supplier footprint (check the gov catalogues and invoices). The open-source work, DKIM, DMARC, SPF scanners, that’s great, genuinely (and just announced they’re being retired). But there’s a clear line between open tooling for the community and proprietary capability that bypasses the market.

And if “commissioning” simply means “we wrote it but gifted it to GitHub” (they haven’t for ACD or EWS), then that’s just a semantic trick. The Police Cyber Alarm, now up for re-compete with Purview, its current supplier, is the perfect case study: half loved, half loathed, but undeniably duplicative (with ACD/EWS). This is what happens when the state decides to be both regulator and vendor, even ending up competing against itself!

It was déjà vu. I’d met Ollie before during the NCSC for Startups programme (great programme, sorely missed, see point 3 of Act I above). After months of hoop-jumping, we finally got our 30 minutes with the great man. His advice? “Make as much hay as you can, fast. I don’t have any leads for you” It was brutally honest and completely unhelpful, I suspect because we do overlap with ACD. That’s been the through-line ever since, a kind of gruff utilitarianism that mistakes proximity for partnership.

Act V — A Practitioner Speaks

Dave Palmer previously from Darktrace (and now somewhere altogether more interesting) was the adult in the room. Dave’s a developer and engineer at heart; honest, technically fluent, allergic to jargon. He dismissed the “missing middle” narrative outright. Not because he thinks funding is abundant, but because the framing is wrong. There isn’t a missing middle; there’s a missing ladder (point 3, in Act I above). Everyone wants to fund scale-ups; no one wants to fund start-ups.

The real-world test is simple: if you need proof points to get money, and you need money to build proof points, you’re in a recursive loop that only established founders can escape. Every funder’s checklist starts with “Have you done this successfully before?” which is like telling a pilot he can only fly if he’s already landed.

And the obsession with MRR? Please. The moment someone says, “Well, if you’ve got £25k MRR, we can talk”, I want to hand them a mirror. If I had £25k MRR, I wouldn’t need you. If I had £100k MRR, I’d be on a yacht.

Act VI — The Pitches

The pitch session was equal parts chaos and charm. Tyler from HuntBase opened with an investigation-tooling demo that drew appreciative nods. James Patrick Evans from Revenge.ai followed; his pitch veered into deep-tech territory so fast that the people listening looked like they needed subtitles. I threw him a lifeline:

“What makes it different to Sonar?”

It wasn’t heckling; it was translation. Once prompted, he landed it beautifully: predictive analytics on malware code lineage, pattern mapping, genuine machine-learning insight. That’s the stuff Flywheel is meant to surface.

Then there was Richard Porter from Tulpa (as genial as ever), and the usual roll call of familiar faces: Hayden from RiskLedger, Jamie from CyberSmart, Rob Kearney and Saj Huq from Plexal, Ronan Lavelle from Validato, Andrew Elliot, James Stanley, and Susan Lowe from DSIT. I lost track of how many conversations started with “Did you see that tender?” and ended with “We should talk”.

The absentees were telling too: Jonathan Wood from Muse Cyber, Melissa from SiteHop (force of nature, and on a trade mission), the Goldilocks crew currently Stateside, and Amit from Acubit IT. Their absence wasn’t a snub, just a reminder of how geographically unbalanced our scene remains, and how everyone is chasing their own particular dream. London fills the room; the regions fill the silence.

Act VII — Alistair and the Gold Standard

Back to Alistair. He opened the event by pointing to Israel as the gold standard, a system where angels, VCs, and CISOs form a single ecosystem rather than competing factions. There’s connective tissue, not competitive tension. In Israel, innovation isn’t an act of rebellion; it’s policy made flesh.

We, by contrast, excel at fragmentation. We’ve got strategy papers stacked higher than the Shard, each proclaiming that “the UK is third in AI capability”. Third in what sense? We’ve got expertise, yes. We’ve got competence, certainly. What we lack is the mechanism, the coordination that turns capability into capital.

Ben Dewar-Powell, ex-Tide and now at the “AI Security Institute”, said something sharp that stuck with me: “Failure avoidance is a serious blocker to innovation”. He’s right. Our public sector treats experimentation like a reputational hazard. Nobody wants to fail safely; they’d rather succeed bureaucratically.

Until we address that, until departments are rewarded for collaboration instead of control, we’ll keep spinning around the same axis, mistaking movement for progress.

Act VIII — Search for a Name

Somewhere between the last lightning pitch and the first pint at the pub, James Stanley from DSIT teased me about the West Midlands Cyber Hub name. “Great name”, he said, deadpan. Fair. It’s literal, clunky, and very me. And for a brief moment, I wondered whether we needed something sleeker, something more “brandable”, something with a bit of metaphorical gloss.

But after a week of tossing names around, I realised something very simple: WM Cyber Hub is exactly the right name. It’s straight-talking. It’s Birmingham. It says what it is on the tin, which is more than you can say for half the innovation programmes in this country. At some point, you stop trying to be clever and start trying to be truthful. WM Cyber Hub it is.

My perspective is different: tighter, more immediate, more rooted in the early-stage grind. I’m looking at Flywheel through the lens of someone trying to build capability in the regions, get founders their first £50k, and create actual ladders instead of rhetorical ones. Not contradictory to the letter, just a different vantage point on the same ecosystem. And WM Cyber Hub exists precisely at that vantage point.

Curtain Call Conclusion

Walking out of the National Theatre that evening, I realised the symbolism was almost too neat. A day about cyber staged in a temple of performance, but, for once, the performances were real.

I should say, in the spirit of honesty, that I didn’t see every act in this particular play. Life, customers, trains and timing meant I slipped out after the showcases and missed a few of the later panels and breakout sessions, only to reappear for a couple of pints during the informal drift at the end. So this write-up reflects the parts I witnessed first-hand, the scene-setting, the questions, the pitches, the corridor conversations, rather than the entire day’s choreography. The open letter captures the full arc; what I’ve written here is the founder’s slice of it.

Even so, one thing was unmistakable: Alistair deserves real credit. He managed to convene a room that felt less like a sales pitch and more like a movement. The ecosystem needs that kind of energy, not performative optimism, but genuine stewardship. Let’s hope that energy is maintained and doesn’t go the way of the world. Sustainable action and accountability is what’s needed.

There were egos, of course. There always are. But there was also intent, and that’s rarer than funding. If the UK wants to be serious about innovation, it needs fewer ministries and more wharves. Less centralisation, more decentralisation. Less commissioned theatre, more community workshop. Flywheel wasn’t perfect, no event ever is, but it was honest, and honesty is a far better starting point than spectacle.

In the weeks after the event, the open letter was published: a genuinely impressive act of consensus signed by more than sixty senior leaders across the UK security ecosystem. You can read it here: https://www.harmonic.security/blog-posts/open-letter-65-signatories-urge-government-to-take-four-steps-to-make-uk-a-global-cyber-leader

It’s heartening to see that level of unity, and the recommendations are strong. My only small disappointment, and perhaps this is just me being old-fashioned, is that the letter has since moved from the neutral UK Flywheel site to Alistair’s Harmonic company blog. I’ve always tried to keep my ecosystem and policy work separate from my company work; it keeps the community space cleaner, more shared, and less accidentally branded. But that may simply be a matter of personal style, and it certainly doesn’t detract from the significance of the moment or the quality of the message.

Appendix — Open Letter to HM Government (Full Text)

I’m reposting the letter in full just in case it ever goes the way of the Internet and falls off a cliff.

19 November 2025‍

On the 6th October Harmonic Security hosted the inaugural UK Cyberwheel Event at the National Theatre. This brought together more than 30 founders, 25 cyber VCs and 20 CISOs alongside other top players in the ecosystem to have a conversation about the UK cybersecurity startup ecosystem and how we turn this into global leadership.

‍Today, we’re sending an open letter to the Government, signed by 65 of those that attended the event calling for it to use its power and influence to ‘open doors’ and bridge the gap between early stage companies and leading public sector organisations / large enterprises via the four steps below.

‍Britain builds brilliant technology. It’s time our Government became its best customer.

On the 9th October 2025 at the National Theatre, Harmonic Security hosted the inaugural ‘Building the UK Cyber Flywheel’ event. It brought together 150 founders, investors, CISOs, government leaders to start an honest conversation about what it will take for the UK to lead in cybersecurity globally.

Participants agreed that the UK has the raw material: Exceptional technical talent, academic strength, and a growing number of startups tackling real problems. But we need to translate technical excellence into global ambition. The UK Government has a crucial role to play via UK-first security procurement and helping to stimulate the market for early stage companies. Specifically, we, the undersigned members of the UK technology and cybersecurity community, urge the Government to do the following:

1. Become a better customer and market-maker

– Act as a convener. Bring together CISOs, boards, and government buyers to meet and trial UK innovators. The FTSE 100 remains inaccessible to most early stage companies and the Government can act as a crucial bridge between them and the UK’s largest companies.

-Procure from startups. DSIT and other departments should actively buy from emerging UK companies, not just large incumbents. It should look to learn lessons from the Israeli government backing startups which have emerged from the Israel Innovation Authority (IIA)

– Reform the existing Government Digital Marketplace which is currently too orientated towards cloud services so it becomes open to AI and cyber companies to make procurement faster and safer.

– Allow reference use of contracts and logos so startups can win export deals and private-sector work.

– Open up networks such as NCSC’s i100 to vetted early-stage companies to build trust and standards alignment.

– Open up the annual Cyber UK event to startups as it’s currently dominated by large vendors. The ‘Cyber Den’ startup pitching session does attract 12 months of NCSC support to the winner, but the £1200 per ticket makes it inaccessible and deters attendance. Making it free for qualifying startups, and promoting it more widely, could add kudos to any winners and stimulate the wider ecosystem.

2. Targeted tax credits for those backing British technology

– Use the forthcoming budget to create a co-fund or tax rebate for FTSE 250 and critical-sector organisations that pilot UK-made AI or cybersecurity technologies.

– Increase Entrepreneur’s lifetime relief back to £10m (which was reduced to £1m in the 2020 budget) to bring it inline with the US Qualified Small Business Stock (QSBS). This will provide a capital gains tax exclusion to encourage more founders to start their companies in the UK.

– Extend the Government R&D tax credits system so that it rewards British enterprises that buy sovereign, verified technology, not just those that develop it as is the case currently.

3. Help us build a culture that celebrates commercial success

– Promote a culture that actively celebrates commercial success and entrepreneurship.

– Encourage entrepreneurial universities through bursaries and spin-off incentives.

– Celebrate founders by funding highly-selective trade missions for only the best startups and ambassador programmes for already successful UK entrepreneurs.

– Sponsor founders to attend major global events to build confidence and exposure.

4. Strengthen the ecosystem and global reach

– Create the UK’s answer to Israel’s Unit 8200 through building upon recommendations in the Strategic Defence Review to spend 10% on novel technology and expand the existing Joint Cyber Reserve Force.

– Harness proven talent. Establish initiatives that channel the experience and capital of exited UK cyber founders and senior engineers into supporting early-stage innovation, investment, and skills development.

– Allow companies to leverage UK’s secure government ‘brand’ where those organisations work successfully with MoD and NCSC to encourage global reach of capabilities and programmes.

To conclude, the UK cyber sector is genuinely world class and there is funding available for companies ready to scale globally and ‘dream big’. We are not seeking ‘handouts’ from the Government, more that it uses its power and influence to ‘open doors’ and bridge the gap between early stage companies and leading public sector organisations / large enterprises.

Those receiving the letter include, the Rt Hon Liz Kendall MP, Secretary of State for Science, Innovation and Technology, Lord Vallance, Minister of State for Science, Innovation, Research and Nuclear, Ian Murray MP, Minister of State for Digital Government and Data, Baroness Lloyd of Effra CBE, Parliamentary Under-Secretary of State in the Department for Science, Innovation and Technology.