
In an era where automation, AI, and ideology converge to redefine the cyber threat landscape, the rules of engagement are rapidly changing. From nation-state-backed attacks to industrialized cybercrime-as-a-service models, the scale and sophistication of digital conflict are reaching new heights. In this Dubai Diaries exclusive, Alain Sanchez, EMEA Field CISO at Fortinet, shares a data-backed view of the most pressing trends shaping cybersecurity today—from the rise of AI-generated code and deepfake-enabled phishing to the targeting of critical infrastructure and operational technology. His insights offer a wake-up call for regional CISOs and business leaders: cyber resilience is no longer optional—it’s foundational.
How have cyber threats evolved in recent months, and what are some of the most concerning trends your team has observed globally?
The FortiGuard Labs team has observed a trend that reflects the use of automation across every stage of the attack chain. The reconnaissance phase is increasing, operating as a systematic scan for vulnerabilities; cybercriminals launched over 36,000 of these scans per second in 2024, which represents a 16.7% increase. Automation also extends to phishing, credential theft, and even malware development. Cyber adversaries use AI-powered tools like FraudGPT and ElevenLabs to craft more and more convincing phishing lures, reusing real topics users have been working on, generating deepfake videos, and cloning executive voices.
As 41% of all code is now AI-generated, cybercriminals no longer need to write code or breach a system directly; threat actors can purchase access, tools, and infrastructure through a rapidly growing Cybercrime-as-a-Service (CaaS) marketplace. The result is an industrialized cybercrime economy that dramatically lowers the barrier to entry, expands the volume of attacks, and increases their success rate.
Furthermore, in 2024, FortiGuard Labs tracked a 42% surge in stolen credentials offered on darknet forums. That’s more than 100 billion unique records—email addresses, passwords, session tokens, and multifactor bypass data—freely traded and sold. Automation is also fueling scale. Fortinet’s intrusion prevention sensors recorded over 97 billion exploitation attempts in the second half of 2024, many targeting vulnerabilities disclosed years ago.
IoT devices, estimated to number 19.8 billion in 2025, are also a major target, accounting for over 20% of all exploits. In addition, routers, surveillance cameras, and firewalls with outdated firmware or default credentials are being recruited into botnets, used for lateral movement, or exploited for persistent access.
What role are hacktivist groups and cybercrime syndicates playing in today’s threat landscape, and how are their methods changing?
The threat landscape of 2024 was marked by another rise of cybercriminal groups, including new ransomware actors, the increasing sophistication of hacktivist attacks, and the ongoing operations of state-sponsored espionage groups.
Hacktivist groups such as CyberVolk, Handala, and KillSec started leveraging ransomware, marking a strategic shift towards more disruptive attacks. This development blurs the line between ideological activism and financially motivated cybercrime. Hacktivists also adopted more aggressive tactics in 2024, using Telegram as their primary coordination platform. Over 60% of hacktivist campaigns focused on geopolitical causes, with hashtags such as #SavePalestine, #OpIsrael, #OpIndia, and #OpUSA dominating the narrative.
These groups, motivated by ideology, are targeting critical infrastructure. Their attacks, called wipers, are looking to affect the pillar services of entire countries, such as energy, telecommunications, and healthcare. The rise of such attacks has led governments to extend the scope of their legal frameworks. NIS2, the new update that came into effect on October 18th, 2024 in Europe, aims precisely at broadening the scope of sectors identified as critical.
We also observed a rise in hacktivist exchanges in Telegram channels aimed at refining their illegal practices. These channels become an open university of crime, publishing available exploit code and fully functional exploits that we later found used in ransomware by APT groups in public campaigns.
Why are critical infrastructure and civilian services so vulnerable, and how can organizations build better defenses?
Let’s remember that the use of intelligent sensors brings significant benefits in quality control, energy rationalization, and advanced telemetry, across all sectors. In addition, there are significant economic benefits in connecting industrial production sites.
As a result, operational technology (OT) has become a pillar of efficiency, productivity, and stability in almost all industrial and pharmaceutical sectors. Industries face an urgent and evolving risk as they become increasingly targeted by persistent and AI-driven cyberthreats. Drawing on the 2025 Fortinet Global Threat Landscape Report, we see a sobering picture: OT systems are not just collateral damage; they’re becoming primary targets. Cybercriminals are using advanced persistent threats (APTs) to home in on industrial networks not simply to steal data but to disrupt critical services, demand ransoms, or embed themselves for future exploitation. Some of these attacks remain purposely dormant until a series of operational conditions occur that will make the attack even more devastating.
As threat actors become faster, stealthier, and more resourceful, defending critical OT infrastructure requires holistic security measures. It now demands advanced correlation between events occurring in very different and distant places. Response scenarios need to reflect operational maturity and act on intelligence, not just collect it. A threat-informed defense is paramount for OT environments, which need to be updated with the very latest telemetry to respond accurately and in a timely manner.
Fortinet has been designing its fully integrated platform for 25 years precisely to ensure synoptic visibility and response capabilities all across complex IT ecosystems.
With the increasing complexity of attacks, how important is it for organizations to invest in employee cybersecurity training and multi-layered defense strategies?
It is paramount. As the cybersecurity landscape becomes increasingly sophisticated, the demand for skilled professionals is becoming critical. As a leader in analysing the impact of the skills shortage, Fortinet regularly organizes C-Talk debates to help organizations develop creative strategies for attracting and retaining new talent across the public and private sectors.
In the past year, nearly 90% of organizational leaders said their enterprise experienced a breach that they can partially attribute to a lack of cyber skills. This teaching from the Fortinet Skills Gap Report operated as a wake-up call, inspiring organizations to introduce new strategies to recruit, hire, and retain qualified cybersecurity professionals. These open discussions, which I had the honour of chairing all across EMEA, represent significant progress in enhancing recruitment and upskilling techniques. These executive exchanges are recognized as a concrete step in addressing the cybersecurity workforce gap. They have shown that the public and private sectors can effectively partner to collectively remove as many traditional barriers to entry as possible.
What practical steps can CISOs and IT leaders in the Middle East take today to improve their readiness for digital conflict or large-scale cyber disruptions?
The pattern is clear: attackers are optimizing for speed, scale, and stealth. Defenders must do the same. Traditional security models that rely on static controls, point-in-time assessments, or delayed patch cycles are increasingly inadequate.
Tackling the current threat landscape in the Middle East isn’t just a technology conversation—it’s a business continuity conversation. Cyber threats no longer wait for vulnerabilities to be exposed. Their reconnaissance efforts monitor all levels of the network, including compromised credentials and other weaknesses available on darknet forums, so they can strike before your team can respond.
For this reason, we must see a shift towards Continuous Threat Exposure Management (CTEM), which means continuously monitoring attack surfaces; prioritizing vulnerabilities based on risk, threat intelligence, and exploit availability—not just CVSS scores; and automating detection and response to reduce dwell time and accelerate containment.
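To make the CTEM prioritization point concrete, here is a small Python ranker added as an illustration; it is not code from the interview or from any Fortinet product. The findings, CVE identifiers (placeholders) and scoring weights are constructed for the example, and the point it shows is that a finding with a lower CVSS score can outrank a higher one once exploit availability, in-the-wild intelligence, exposure and leaked credentials are taken into account.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    asset: str
    cve: str                    # placeholder identifier, constructed for this example
    cvss: float                 # CVSS base score, 0-10
    exposed: bool               # reachable from the internet (attack-surface monitoring)
    exploit_public: bool        # working exploit code is circulating
    actively_exploited: bool    # threat intel reports in-the-wild exploitation
    asset_criticality: int      # 1 (low) to 5 (crown jewel), from the asset inventory
    leaked_credentials: bool = False  # darknet monitoring found credentials for this asset


def risk_score(f: Finding) -> float:
    """Blend CVSS with exploit availability, intel, exposure and asset value.

    The additive weights and the criticality multiplier are assumptions chosen
    for illustration; a real programme would tune them to its own risk appetite.
    """
    score = f.cvss
    if f.actively_exploited:        # in-the-wild use outweighs a merely public exploit
        score += 4.0
    elif f.exploit_public:
        score += 2.0
    if f.exposed:                   # internet-facing assets are what scanners find first
        score += 2.0
    if f.leaked_credentials:        # stolen creds shorten the path to this asset
        score += 1.5
    score *= 0.6 + 0.1 * f.asset_criticality   # scales 0.7x (low) .. 1.1x (crown jewel)
    return round(min(score, 20.0), 1)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest risk first; ties broken by CVE id for a stable order."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.cve))


def cvss_only(findings: List[Finding]) -> List[Finding]:
    """The baseline CTEM moves away from: rank by CVSS base score alone."""
    return sorted(findings, key=lambda f: -f.cvss)


# Constructed sample findings (not real vulnerabilities or assets).
SAMPLE_FINDINGS = [
    Finding("edge-router-01", "CVE-XXXX-0001", 7.5, True, True, True, 4),
    Finding("lab-server-07", "CVE-XXXX-0002", 9.8, False, False, False, 2),
    Finding("vpn-gateway", "CVE-XXXX-0003", 8.1, True, True, False, 5, leaked_credentials=True),
    Finding("hr-workstation", "CVE-XXXX-0004", 5.3, False, True, False, 2),
]
```

Running `prioritize(SAMPLE_FINDINGS)` puts the exposed VPN gateway with leaked credentials first and the internally reachable lab server with the highest CVSS third, whereas `cvss_only` would patch the lab server first.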