The UK's Largest Home Defence Exercise in Decades Is Coming. National Resilience Now Includes the Checkout
The 2027 exercise and updated War Book will test the nation's plans for hybrid attack. The point of sale, where regulated goods change hands, belongs in the same conversation.
The UK will hold its largest home defence exercise in several decades in 2027, stress testing updated War Book plans across government, the military and civilian agencies. We believe true national resilience now extends to the point of sale. Regulated, high-risk goods, explosives precursors above all, still cross checkouts where the only detection layer is one member of staff deciding whether a transaction feels suspicious. A sovereign, auditable AI screening layer, running on hardware the merchant owns, inside UK jurisdiction, with every automated decision sealed to a verifiable audit record, belongs in the national resilience conversation alongside cyber attacks and energy supply.
What is the UK's largest home defence exercise in decades?
On 14 July 2026 the Government published its first Annual Statement on National Resilience alongside an updated National Risk Register. Darren Jones, Chief Secretary to the Prime Minister, announced that the Home Defence Programme will deliver the largest UK home defence exercise in decades in 2027, a multi-day exercise testing the country's preparedness for hybrid attacks, reported as Operation ALBISTON SHADOW. The government War Book crisis plans are being updated for the first time since 2004, with increased emphasis on aligning military and civilian efforts if international hostilities affect the UK, and a public preparedness campaign launches later in 2026.
“We will rigorously test these plans through the largest UK home defence exercise in several decades in 2027, to ensure that should the worst ever happen, we will always be ready.”
Why should national resilience extend to the point of sale?
Because the point of sale is where regulated goods pass from lawful commerce into private hands, it is critical infrastructure for counter-terrorism in the same way a power grid is critical infrastructure for energy security. The resilience conversation already treats attacks on critical infrastructure as a whole-of-society problem. The checkout deserves the same status. Every lawful sale of a regulated explosives precursor is a transaction, and transactions are observable, recordable and checkable at the moment they happen. If the country is rehearsing for the worst, the checkout where regulated precursors are bought should be part of the rehearsal.
What did the official account of 7 July 2005 find about the purchases?
Fifty-two people were killed in London on 7 July 2005, and we write about that day only with its full weight in view. The official account, laid before Parliament in May 2006 as HC 1087, found that the bomb ingredients were all readily commercially available and not particularly expensive, and that the first identified purchase of materials was on 31 March 2005. Its conclusions state that 'the planning was deceptively simple', with the whole operation costing less than £8,000 and financed in ways that would arouse little suspicion. The devices were made in a rented ground-floor flat at 18 Alexandra Grove in Leeds.
At the inquests, Lady Justice Hallett raised concerns about the ease with which the four bombers were able to purchase and store hydrogen peroxide without raising any suspicion, and supported sensible regulation of precursor supply. We will never claim that any system would have prevented that day. What we can say, soberly, is that the purchases that preceded it are exactly the kind of pattern a screening layer at the point of sale is designed to surface.
How does the UK screen explosives precursor sales today?
Far better than in 2005, and still not well enough. Hydrogen peroxide above 12 per cent is now a regulated explosives precursor: a member of the public needs a Home Office explosives precursors and poisons licence to buy it, and the retailer must check the licence and photo ID. Since 1 October 2023, under the Poisons Act 1972 as amended and the Control of Explosives Precursors and Poisons Regulations 2023, suppliers must report suspicious transactions within 24 hours. The published regime asks suppliers to do three things.
- Verify business customers, including name, address, photo ID, nature of business and VAT number, and keep records for 18 months.
- Report a suspicious transaction, disappearance or theft within 24 hours of forming suspicion.
- Make that report through the online reporting service, the chemical reporting team email inbox on weekdays, or the 24-hour anti-terrorist hotline.
Every element of that regime depends on an individual member of staff at an individual supplier recognising suspicion at the point of sale, and there is no published mechanism linking purchases made across different retailers. This gap is not new. The Government's own 2012 review of progress after the inquests recorded over 90,000 leaflets and posters distributed to suppliers, and a proof-of-concept software tool to identify suspicious transactions automatically, scheduled for completion by March 2013. Fourteen years on, the published regime still runs on human vigilance, a web form and a telephone line.
Would an AI screening layer at the checkout be mass surveillance?
No, and this is the part we hold ourselves to hardest. Screening regulated, high-risk goods is not scanning the population. It is checking a narrow class of transactions that Parliament has already decided require licences, identity checks and 24-hour reporting. The right architecture keeps it that way: the model runs on hardware the merchant owns, inside the UK, rule-bound to the substances the law already regulates, and every decision it takes is sealed into an audit record that regulators, courts and citizens can independently verify. That last point matters most, because it means the screening itself can be inspected, and the public can confirm the AI only did what the law allows. We do not believe national security screening can responsibly run through a foreign cloud, where the business is one tenant among tens of millions and the data sits outside UK jurisdiction.
How would sovereign AI screening make detection materially stronger?
The Government's own counter-terrorism strategy, CONTEST 2023, says AI 'could radically speed up the process of threat detection', describes self-initiated lone actors as 'fiendishly hard to detect and disrupt', and notes that 'individuals and small groups do frequently display some indicators of their terrorist intent, both online and in person'. Purchases are among the most concrete indicators there are. An AI screening layer at the point of sale would check each regulated transaction as it happens and pass flags upstream to the national reporting system, with sovereign on-premise deployments running the check inside a gated sandbox on the merchant's own hardware. Detection of precursor-purchase patterns would be materially stronger than today's manual, fragmented reporting, because connecting the indicators would no longer depend on one person's judgement in one shop on one afternoon. That inference is our argument, not a CONTEST claim, and we make it openly.
What does it mean to prepare so the worst days are never repeated?
The 2027 exercise exists because preparation is a duty, not a prediction. The same logic applies at the checkout. The lesson of 7 July 2005 is not that any system could rewrite the past. It is that the purchasing patterns existed, and no system connected them. A country that rehearses hybrid attacks on its infrastructure and updates its War Book for the first time since 2004 should also ask how a regulated substance travels from a shelf to a licence holder, and how quickly a pattern across many shelves becomes a flag someone can act on. We prepare so the worst days are never repeated.
Frequently asked questions
When is the UK's largest home defence exercise, and what will it test?
In 2027. On 14 July 2026 the Government published its first Annual Statement on National Resilience alongside an updated National Risk Register. Darren Jones, Chief Secretary to the Prime Minister, announced that the Home Defence Programme will deliver the largest UK home defence exercise in decades: a multi-day exercise testing the country's preparedness for hybrid attacks, reported as Operation ALBISTON SHADOW. The government War Book crisis plans are being updated for the first time since 2004, and a public preparedness campaign launches later in 2026.
Do you need a licence to buy hydrogen peroxide in the UK?
Above 12 per cent, yes. Hydrogen peroxide above that concentration is a regulated explosives precursor. A member of the public needs a Home Office explosives precursors and poisons licence to buy it, and the retailer must check the licence and photo ID. That regime did not exist in 2005, which is part of why the 7 July purchases drew no alert at the time.
What must a UK supplier do if a precursor sale looks suspicious?
Report it within 24 hours. Since 1 October 2023, under the Poisons Act 1972 as amended and the Control of Explosives Precursors and Poisons Regulations 2023, suppliers must report suspicious transactions within 24 hours, by web form or telephone. Those are real protections. The gap we point to is that the duty rests on an individual member of staff recognising suspicion at an individual till, and there is no published mechanism linking purchases made across different retailers.
Why does screening at the checkout have to be sovereign rather than cloud based?
Because the civil liberties answer has to be checkable rather than promised. The right architecture runs the model on hardware the merchant owns, inside the UK, rule-bound to the substances the law already regulates, with every decision sealed into an audit record that regulators, courts and citizens can independently verify. We do not believe national security screening can responsibly run through a foreign cloud, where the business is one tenant among tens of millions and the data sits outside UK jurisdiction.
This is the architecture Mickai exists to provide. Mickai is a British Sovereign Intelligence Operating System, built and live: AI that organisations own and run offline on their own hardware, in their own jurisdiction, with autonomous agents confined to a gated sandbox under per-action clearance. Every consequential action is sealed before it executes into the Open Audit Record, a post-quantum signed, hash-chained ledger that regulators and courts can verify offline, protected by 104 filed UK patent applications with 2,340 claims. If national resilience is about to be rehearsed at national scale, the checkout should be on the list. Read how the audit layer works at /oar, or start with the case for sovereign AI at /sovereign-ai.
