Posted in THE LEDE

How geopolitical volatility and AI are reshaping regional cybersecurity

As traditional cyber defense faces more AI-powered attacks, businesses could be better off if they ditch fragmented tools for unified AI-native security platforms

Geopolitical volatility and the rising prominence of cloud and data infrastructure in businesses are reshaping the regional architecture of cybersecurity. As more businesses move core operations to the cloud (a trend that began well before the war), the data center has replaced localized (office) servers as the main target.

What worked before may not be working now: A war-driven surge of cyberattacks against businesses and infrastructure in our region and beyond means the traditional model of cybersecurity, managing risk by layering several niche, disconnected tools, might be at a point of diminishing returns, experts tell us. With AI making the tempo and the nature of attacks unpredictable, chief information security officers (CISOs) are increasingly facing what industry experts call “alert fatigue,” compounded by the need to manage the disjointed tools they deploy to defend against different types of threats.

You can get your cue from M&A activity in the cybersecurity market: When Google finalized its USD 32 bn acquisition of the AI-native cloud security provider Wiz in March, it was the latest sign that the model of layering security tools on top of each other could be under duress as new innovators emerge.

“A hyperscaler bought a cloud security specialist, not a traditional security vendor… That’s the clearest signal of where the market is heading,” cloud infrastructure and security specialist Jeff Cooper tells EnterpriseAM. By promising an AI-native, cloud-based platform that centralizes the fragmented security tools stack, the Israeli-born startup is pitching a new model that is able to deal with the new landscape of threats by providing “a unified security platform that improves the speed with which organizations can detect, prevent, and respond to threats.”

The risk landscape

What was already here, just amplified: Distributed denial-of-service (DDoS) remains the opening move of any geopolitical flare-up. DDoS volumes rose eightfold in the first half of March, according to StormWall data that EnterpriseAM has seen. “Iranian-aligned actors have reportedly used it as a first layer to create disruption and divert attention while conducting more serious attacks behind the scenes, including data exfiltration, wiping, infrastructure targeting, or coordinating with physical attacks,” Pam Lindemoen, Retail and Hospitality Information Security and Analysis Center (RH-ISAC) Chief Security Officer, tells EnterpriseAM.

The targeting of national infrastructure follows the same long-running playbook: 53% of attacks in the war’s first days hit government institutions, dominated by DDoS, defacements, and claimed data breaches. Infrastructure attacks have become a tool of decentralized retaliation and economic pressure.

And we’re seeing the rise of proxy targets, with retail and hospitality becoming an obvious target given the visibility generated by any disruptions in these sectors. “By impacting these high-visibility sectors like retail and hospitality, hacktivists aim to translate geopolitical tensions into tangible economic and public-facing disruptions,” Lindemoen tells us.

What's genuinely new: Three shifts stand out. The first is tempo and targeting specificity in the Gulf region, particularly from Iran-linked organizations over the past several years, Cooper tells us. The second is the rise of AI-driven novelties, with attacks that don’t match most existing detection signatures. “There’s no playbook. There’s no pattern to match,” Cooper says, marking a sharp break from traditional security operations centers, which are largely built around pattern recognition. The third is the appearance of credible physical threats against civilian cloud infrastructure (aka data centers), a development Cooper frames as “unprecedented” given that the physical protections currently in place are inadequate. “That gap between the physical threat and the physical defense posture is where I think the real exposure lives right now,” he adds.

The new normal: The threat baseline established during this surge is not going to recede, experts tell us. “The cyber war did not begin with the military conflict, and it will not end with any military ceasefire,” Lindemoen says, noting that many Iran-aligned threat groups operate outside direct state control and are therefore not always bound by ceasefire agreements. “This is the new normal for the foreseeable future,” Lindemoen adds. EFG Hermes Group CISO Osama Hijji is blunter: “The truth is, we are under attack around the clock, 24/7, every minute and every second.”

The pre-war signal was also clear well in advance — cyber attacks surged days before bombs started dropping, affecting government and financial services, according to CloudSek. “The cyber war started about 11 days before the physical war did, for instance — and because we have offices in the Gulf, we started seeing attacks hitting our perimeter there,” Hijji tells us.

If the truce materializes (and holds)? “We have no truce; cyber warfare continues and never stops,” Hijji adds.

AI is now both the weapon and the shield

The reason layered defenses are buckling against this new threat profile is, in large part, AI. The technology is simultaneously accelerating attacks and becoming indispensable to defense, and the asymmetry between the two is what's reshaping the architecture beneath every security system.

On the offensive side, AI is enabling attacks that don’t fit any established pattern. Hijji describes one incident at EFG Hermes in which attackers attempted to feed a customer-facing AI chatbot manipulated information and links, prompting the model to “lure customers into something the attacker designed” — a class of attack that didn't exist a generation of security tooling ago. The Iran-linked Handala campaign against Stryker in March is the other end of the spectrum: a credential-driven attack, a simple but effective technique as old as cybersecurity itself.
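One defensive control against the chatbot manipulation Hijji describes, added here as an illustration and not code from EFG Hermes or any vendor mentioned on this page: whatever the model has been induced to say, no link to an unapproved host reaches a customer. The allowlisted hosts, URLs and sample reply below are constructed for the example; the point is that the check parses the URL and compares hostnames exactly, rather than looking for the brand name as a substring.

```python
"""Output guard for a customer-facing chatbot (added example, not production code).

Links in the model's reply are only passed through when their host is one the
business controls. Everything else is replaced and reported, so an injected
"reset your password here" link never reaches the customer.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Constructed allowlist: hosts the business actually owns (an assumption for the example).
ALLOWED_HOSTS = {"example-bank.com", "help.example-bank.com"}

# Matches http(s) URLs up to whitespace or a closing delimiter.
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)


def host_allowed(url: str, allowed: set[str] = ALLOWED_HOSTS) -> bool:
    """True only if the URL's hostname is an allowed host or a subdomain of one.

    urlparse is used deliberately: a naive substring check would accept
    "example-bank.com.attacker.net" and "https://example-bank.com@evil.net/",
    both of which carry the brand string but resolve somewhere else.
    """
    try:
        host = (urlparse(url).hostname or "").lower()
    except ValueError:  # malformed netloc (e.g. bad IPv6 literal)
        return False
    return any(host == a or host.endswith("." + a) for a in allowed)


def sanitize_reply(reply: str, allowed: set[str] = ALLOWED_HOSTS) -> tuple[str, list[str]]:
    """Replace every link to a non-approved host with a placeholder.

    Returns the cleaned reply and the list of blocked URLs so the caller can
    raise an alert: a blocked link in a customer reply is itself a signal that
    something upstream (a retrieved page, an injected message) was tampered with.
    """
    blocked: list[str] = []

    def _sub(match) -> str:
        url = match.group(0)
        if host_allowed(url, allowed):
            return url
        blocked.append(url)
        return "[link removed]"

    return URL_RE.sub(_sub, reply), blocked


if __name__ == "__main__":
    # Constructed model output containing one injected link and one legitimate one.
    sample = "Reset here: https://evil.net/reset or https://example-bank.com/reset"
    cleaned, bad = sanitize_reply(sample)
    print(cleaned)
    print("blocked:", bad)
```

This is an output-side control; it does not stop the model from being manipulated, it stops the manipulation from paying off. The `blocked` list should feed the same alerting pipeline as any other detection, because it is direct evidence of an attempt.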

On the defensive side, AI is being baked into the security layer rather than bolted on top. Cooper describes the architectural shift toward AI-native security as moving toward integrated and centralized capabilities that could keep organizations resilient over the next three to five years.

But confidence in AI-leveraged defense is building up at a slower rate than AI-powered attacks — and for good reason. “As confidence builds and track records get established, the industry will gradually extend the boundaries of what AI is allowed to do autonomously. But we’re not there yet, and pretending we are is how you end up with an AI-driven outage that wasn’t necessary,” Cooper explains.

How does the use of AI look on the defense side? It’s all about automation — and AI needs to get better with fewer false positives and false negatives so that automation can scale. “If AI detects activity on a specific low-risk server or component, letting it act without a human is defensible. But major changes to production, configuration changes that affect multiple systems, or shutting down a critical component absolutely require a human,” Cooper says. For now, a reasonable bridge to maximize AI potential would be to allow it to “identify a potential event, then hand off to a human with a scripted, predictable response,” he adds.

But the balance of power is tilted towards attackers, an asymmetry that keeps every CISO up at night. “It’s easier to find a novel offensive use of AI than it is to build a reliable defense against one,” Cooper says. “You’re often waiting on a vendor, or building it yourself, and either way, your legacy systems may not plug into AI tooling without a meaningful technology refresh first,” he adds. That means the pace of AI-enabled attacks far outpaces cyber defenders’ ability to build new protections. “That gap is the real problem,” Cooper tells us.

And that asymmetry is precisely why the market is consolidating on cloud-native, AI-first security platforms — the only architecture with the promise of data scale and update velocity to keep the gap from widening.

Humans, meanwhile, are not out of the loop, but their role is being redefined. “Human in the loop isn’t a single rule applied uniformly. It’s a sliding scale tied to the consequence of the action,” Cooper says. AI can autonomously handle low-risk anomalies on a single server, but major changes that touch multiple systems still need human judgment. AI also gets it wrong in both directions with false positives and false negatives.
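The "sliding scale tied to the consequence of the action" that Cooper describes, and the detect-then-hand-off bridge from the previous section, can be made concrete as a small policy gate. The block below is an added illustration, not a description of any vendor's product: every action the detection layer proposes is classified by blast radius and asset criticality into "act now", "hand a scripted response to a human for approval", or "human decides". The action names, criticality labels and sample detections are constructed assumptions.

```python
"""Consequence-tiered autonomy gate for AI-proposed response actions (added example).

Detector confidence alone never earns autonomy: the blast radius of the action
and the criticality of the asset decide how much a human must be involved.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    AUTO = "auto"          # execute without a human (single low-risk asset, high confidence)
    SCRIPTED = "scripted"  # hand a pre-approved runbook to a human for one-click approval
    HUMAN = "human"        # the AI only proposes; a human decides


@dataclass(frozen=True)
class ProposedAction:
    action: str               # e.g. "isolate_host", "rotate_credential", "shutdown_service" (assumed names)
    targets: tuple[str, ...]  # assets the action touches
    criticality: str          # "low" or "high", from the asset inventory (assumed field)
    confidence: float         # detector confidence in [0, 1]


# Actions that always need a human, regardless of target or confidence (assumed list).
ALWAYS_HUMAN = {"shutdown_service", "change_production_config"}


def classify(p: ProposedAction, min_auto_confidence: float = 0.9) -> Tier:
    """Map a proposed action to the amount of human involvement it requires."""
    if p.action in ALWAYS_HUMAN or p.criticality == "high":
        return Tier.HUMAN          # shutting down or reconfiguring a critical component
    if len(p.targets) > 1:
        return Tier.HUMAN          # a change that affects multiple systems
    if p.confidence >= min_auto_confidence:
        return Tier.AUTO           # one low-risk asset, detector is confident
    return Tier.SCRIPTED           # identify the event, hand off with a predictable response


def dispatch(p: ProposedAction, executor, queue: list) -> Tier:
    """Execute AUTO actions immediately; queue everything else for a human."""
    tier = classify(p)
    if tier is Tier.AUTO:
        executor(p)
    else:
        queue.append((tier, p))
    return tier


# Constructed detections covering each branch of the policy.
SAMPLE = [
    ProposedAction("isolate_host", ("dev-build-07",), "low", 0.97),              # auto
    ProposedAction("isolate_host", ("dev-build-07",), "low", 0.72),              # scripted
    ProposedAction("rotate_credential", ("svc-reports", "svc-billing"), "low", 0.99),  # multi-system
    ProposedAction("shutdown_service", ("payments-api",), "high", 0.99),         # critical
]


def run_sample() -> tuple[list[Tier], list[ProposedAction], list[tuple[Tier, ProposedAction]]]:
    """Run the constructed detections through the gate and return what happened."""
    executed: list[ProposedAction] = []
    queue: list[tuple[Tier, ProposedAction]] = []
    tiers = [dispatch(p, executed.append, queue) for p in SAMPLE]
    return tiers, executed, queue


if __name__ == "__main__":
    tiers, executed, queue = run_sample()
    for p, t in zip(SAMPLE, tiers):
        print(f"{t.value:9s} {p.action} -> {', '.join(p.targets)}")
    print(f"executed {len(executed)}, awaiting a human: {len(queue)}")
```

The ordering of the checks is the design point: criticality and blast radius are tested before confidence, so a very confident detector still cannot shut down a production component on its own. The `min_auto_confidence` threshold is where the false-positive rate Cooper mentions enters the policy; raising it moves more actions into the scripted hand-off rather than silently into autonomous execution.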

And what is our region doing about it? We know Saudi Arabia and the UAE are going all in on AI-leveraged security. In Saudi Arabia, 15% of all AI research output focuses on security, privacy, and cryptography — the highest within-country ratio globally, according to the Stanford Institute for Human-Centered Artificial Intelligence’s 2026 AI Index Report. The UAE comes third globally after India, with 12% of its AI research output focused on these segments.

A new-ish defense playbook… and a bigger bill

What’s next? As AI-driven attacks and the centrality of the cloud in business operations become more cemented, CISOs need to get their house in order to address the mix of old and new threats. This will require building their defenses on three non-negotiable strategic pillars that move beyond the layering philosophy of the last decade.

#1- Treating credentials as the most likely point of failure. “Credential security remains the most common and most underestimated exposure in enterprise security today,” Cooper says. He recommends consolidating on a dedicated identity provider, on the logic that identity vendors prioritize hardening as their core business in a way general-purpose infrastructure does not. The Stryker breach is the cautionary tale: stolen credentials, exploited at scale.

#2- Consolidating rather than sprawling — and this is where players like Wiz come in. “Thoughtful consolidation on trusted specialist vendors almost always beats vendor sprawl,” Cooper says. Maintaining discipline across many disparate tools is harder than across a unified platform, he adds.

#3- Building for compartmentalization. Cooper's analogy is the Titanic: “The Titanic lacked adequate isolation. One catastrophic breach, and water moved freely through the entire hull.” The fix in shipbuilding was compartmentalization, and the same logic now governs cloud-native security architecture: contain the breach so it doesn't spread.

We are yet to see how building cyber defenses on similar pillars could impact budgets, largely because AI is yet to deliver on its potential to cut costs in so many other sectors. Firms like Uber are already reporting ballooning AI costs, and there is the risk that the compute cost required for AI-driven defense could end up exceeding the human salary lines they were meant to displace.

But so far, CISOs are expecting their budgets to change more in shape than in size. Security spending rose from 0.57% to 0.75% of revenue in 2025, while IT spending climbed from 3.2% to 3.9%, according to the RH-ISAC’s 2026 CISO Benchmark Report. 54% of surveyed CISOs expect incremental budget increases this year — a measured rise rather than a step change, and about 90% expect spending on AI-related security to grow, but mostly through reallocation rather than new funds.