30APR

Airbus signs for Ultra Cyber from Cobham

4 min read

08:16UTC

Airbus signed a definitive agreement to acquire Ultra Cyber from Cobham, bringing UK MoD sovereign cryptography programme work inside a European defence prime.

← Back to FIRESTARTER puts Cisco below the patch line Jump to analysis ↓

TechnologyDeveloping

Key takeaway

MoD cryptography moves under Airbus; the PRA and MoD clearance review will set sovereignty precedent.

Airbus signed a definitive agreement during the window to acquire Ultra Cyber from Cobham, extending the cross-border cyber-sector consolidation track into UK MoD-cleared programme contracts ¹. The deal moves Ultra Cyber's UK Ministry of Defence (MoD) sovereign cryptography and cyber-defence programme work inside a European defence prime headquartered in Toulouse. The Prudential Regulation Authority (PRA) and MoD clearance reviews are the gating events; transaction value was not disclosed in the public announcement.

Ultra Cyber holds List X site clearances, MoD-cleared cryptographic key management work and embedded-hardware programme contracts that have historically required UK consolidated ownership for tender eligibility. Airbus is a continental prime with its own cleared-personnel base in France and Germany; the integration question is how MoD cleared-programme contracts pass through the change of consolidated ownership without a sovereign-of-control condition. The MoD review will be the determining political event.

The transaction lands in the same ten-day window as the Beazley takeover, which moves UK Lloyd's-market commercial cyber expertise to Swiss ownership. Two transactions, two different layers of UK cyber capability, both moving outside UK consolidated control. NCSC's SilentGlass commercial launch the same week is the offset, keeping UK government IP onshore while putting product into the channel. The political question is whether MoD-cleared cryptography ought to require sovereignty-of-control conditions on foreign acquisition, with the Airbus review setting the precedent for any subsequent transaction the National Security and Investment Act screens.

Deep Analysis

In plain English

Ultra Cyber holds UK government security clearances and works on cryptography, the mathematical codes that protect government and military communications. Cobham, its current owner, agreed to sell it to Airbus, the European aerospace group headquartered in Toulouse. The UK government has powers under a 2021 law to block or attach conditions to foreign purchases of sensitive defence companies. Whether ministers use those powers here will set a precedent for future European acquisitions of cleared British technology firms.

Deep Analysis

Root Causes

Ultra Cyber's position results from a structural decision taken when Cobham acquired Ultra Electronics in 2021: private equity ownership of List X cleared facilities concentrated MoD-cleared programme capability in a portfolio company without a long-term ownership commitment. Cobham, backed by Advent International, is a financial acquirer rather than a strategic defence prime.

The decision to divest Ultra Cyber to Airbus is a portfolio exit, not a strategic consolidation. MoD's relationship with its cleared cryptography contractor is therefore being shaped by Cobham's fund return timeline rather than by any national-security planning horizon.

What could happen next?

Precedent
The MoD's clearance review will establish whether European NATO-allied ownership satisfies List X sovereignty-of-control requirements, with direct implications for every future transaction involving UK cleared-facility acquisition by a European defence prime.
Short term · 0.8
Risk
If the MoD review attaches a sovereignty-of-control condition requiring UK management of List X work, Airbus faces an integration constraint that could reduce the commercial value of the transaction relative to the undisclosed purchase price.
Medium term · 0.7
Consequence
Ultra Cyber's cleared-personnel pool and List X sites transfer to an Airbus-owned structure, immediately expanding Airbus UK's addressable UK MoD cleared-programme tender market.
Immediate · 0.85

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: The 2018 attempted Broadcom takeover of Qualcomm was blocked by President Trump's Committee on Foreign Investment in the United States (CFIUS) on grounds that moving Qualcomm's 5G standard-setting work into Singaporean-incorporated (then Broadcom) ownership would undermine US technology leadership.

The structural parallel with Airbus/Ultra Cyber is a foreign acquirer buying a company whose primary value is not revenue but national-security-relevant intellectual property and cleared programme relationships. CFIUS acted pre-emptively on a theoretical sovereignty risk; the UK's NSI Act provides comparable powers.

Counter-parallel: The 2014 Cobham/Aeroflex merger passed CFIUS and UK national-security review without sovereignty conditions, despite Aeroflex producing microelectronics used in US military communications systems. Cobham subsequently became an active acquirer of UK defence technology assets, including Ultra Electronics.

The precedent suggests that cleared-contract ownership has historically survived foreign ownership changes when the acquirer is a Western-allied entity, though the Ultra Cyber List X clearances are a more direct sovereignty-sensitive instrument than Aeroflex's microelectronics work.

Cobham has not disclosed the transaction value for the Ultra Cyber divestiture. Based on comparable cleared-facility transactions (Leidos's acquisition of Dynetics in 2020 at approximately 3.5x revenue, and SAIC's acquisition of Engility at 2.2x revenue in 2019), Ultra Cyber's undisclosed deal value likely sits in the £150-350 million range, depending on the EBITDA multiple applied to its MoD contract base.

The strategic premium Airbus pays is not the revenue multiple but access to List X cleared sites and the cleared-personnel pool that accompanies them. Building equivalent MoD List X clearances from scratch takes three to five years; Cobham's Ultra Cyber clearances transfer with the acquisition.

For Airbus's UK Cyber and Intelligence business in Newport, the deal provides cleared facilities that expand the addressable tender market for UK MoD classified programme work without the clearance-build wait time.

Consensus view: IISS's Military Balance cyber programme assesses that the Airbus/Ultra Cyber deal tests the outer limit of the UK National Security and Investment Act 2021 (NSI Act): Ultra Cyber holds List X site clearances and embedded-hardware programme contracts for UK MoD cryptographic key management work that would ordinarily require UK sovereign ownership on tender eligibility grounds.

Airbus is not a NATO-non-aligned acquirer; it is a European defence prime with cleared-personnel bases in France and Germany. The NSI Act empowers ministers to impose conditions on change-of-control; the question is whether Airbus's NATO-allied status is sufficient mitigation for the sovereignty condition.

Counter-view: The French Institute of International Relations (IFRI) defence programme argues that the UK's anxiety about European defence prime ownership of cleared UK capability is inconsistent with the post-Brexit AUKUS framing, where the UK is deepening defence integration with the US and Australia while simultaneously restricting technology transfer to European partners.

From Paris, the Airbus/Ultra Cyber transaction is a natural consequence of European defence consolidation that the UK should accommodate rather than obstruct, given its own interest in Airbus aerospace supply chains.

Key tension: Whether the UK government's MoD clearance review will attach a sovereignty-of-control condition that requires Ultra Cyber's List X work to remain under UK consolidated management even within an Airbus group structure, or whether Airbus's European NATO-allied status is treated as a sufficient sovereignty proxy.

Sources:PrivSource

Mentions:Airbus →UK Ministry of Defence →Prudential Regulation Authority →IISS →Qualcomm →NATO →Germany →France →United States →NCSC →Beazley →Brexit →Broadcom →National Security and Investment Act →Ultra Cyber →Cobham →NCSC SilentGlass →

First Reported In

Update #2 · FIRESTARTER puts Cisco below the patch line

PrivSource· 30 Apr 2026

Read original →

Different Perspectives

Norwegian Security and Service Organisation

NSSO was a prior victim of Ivanti EPMM zero-days and now faces CVE-2026-6973 in the same product line. Ivanti's position that on-premises EPMM is the only affected tier provides limited reassurance to a government body that has already been compromised twice via the same vendor's MDM infrastructure.

ENISA and EU CNA Ecosystem

ENISA onboarded four new CVE Numbering Authorities under ENISA Root on 6 May, expanding EU-sovereign vulnerability disclosure infrastructure in the same week three critical CVEs entered the CISA KEV catalogue. Greater CNA coverage inside the EU reduces dependence on US-anchored MITRE for European-sourced vulnerability identifiers.

German Federal Office for Information Security (BSI)

BSI rated CVE-2026-41940 in cPanel 'very high', reflecting Germany's exposure across shared-hosting infrastructure for Mittelstand businesses. The 65-day zero-day window and the amplification effect of cPanel's multi-tenancy model mean the BSI rating applies to thousands of German SME websites hosted on affected servers.

Republic of Korea National Intelligence Service

South Korea's NIS tracks UNC1069's tooling evolution; the CSIS paper argues the ROK's intelligence on DPRK cyber operations should feed joint US-ROK situational awareness rather than bilateral channels that move too slowly for real-time supply-chain response.

Democratic People's Republic of Korea

UNC1069's Axios operation scales North Korea's supply-chain access from niche Python packages to the most downloaded HTTP client in the JavaScript ecosystem. WAVESHAPER.V2 provides persistent access to development environments where cryptocurrency wallets and API keys are stored, serving the sanctions-evasion funding logic behind earlier DPRK toolchain operations.

WatchTowr Labs

WatchTowr Labs disclosed CVE-2026-41940 after the 28 April patch shipped, providing the 65-day exploitation timeline from KnownHost telemetry. The disclosure is textbook; the open question is why WebPros did not catch the cpsrvd CRLF class flaw before external researchers found it under active exploitation.