Cybersecurity: Self-Attack is the Best Defense
- Photo Info
- Download
Cybersecurity: Self-Attack is the Best Defense
- Security expert Tamer Odeh: “Organizations should regularly attack themselves to test their cyber resilience.”
- With over 200,000 cyberattacks reported daily by the UAE CSC, organizations are struggling to protect their systems against cyberattacks.
- The consequences of cyber incidents range from financial losses to long-term damage of trust.
Dubai, 25 September 2025 – By focusing mainly on defensive tools, organizations in the UAE risk overlooking the real priority: strengthening resilience through offensive security. This statement comes from Tamer Odeh, Middle East and Africa Regional Lead at Horizon3.ai. He notes that regulators such as the Central Bank of the UAE (CBUAE), which conducts regular stress tests of the banking sector, and the Dubai Financial Services Authority (DFSA), which requires firms in the DIFC to maintain strong cyber risk management and resilience frameworks, already set high benchmarks for financial institutions. Similar approaches have long been mandated in Europe, where the European Central Bank (ECB) has required stress tests for years. “Organizations across all industries would be well advised to adopt the same mindset and subject themselves to regular resilience testing,” said the security expert.
In such a stress test — known in technical terms as a “penetration test” or simply “pentest” — so-called white-hat hackers are commissioned by an organization to break into their own network in order to uncover weaknesses. But according to Tamer Odeh, this no longer requires human hackers: “Today, autonomous stress-testing platforms are available directly from the cloud, ready to use and affordable.”
The security expert explained: “Autonomous pentests represent what is known as an offensive security approach. This makes it possible to uncover vulnerabilities that often remain undetected in traditional audits. Organizations gain clear insights into which safeguards are effective and where action is urgently needed.”
The UAE Cyber Security Council (CSC) reports that cyberattacks against the nation’s strategic sectors now surpass 200,000 each day, targeting critical infrastructure, seeking to steal sensitive data, and posing a direct threat to national security*. This highlights how cyberattacks have become a major risk factor for businesses – with consequences ranging from severe financial losses and operational downtime to lasting damage to customer and partner trust.
Rising Demands for Cyber Resilience
Odeh also points to the increasing regulatory requirements placed on organizations as governments worldwide strengthen their cybersecurity frameworks. In the UAE, regulators such as the Central Bank of the UAE (CBUAE), the Dubai Financial Services Authority (DFSA), and the Telecommunications and Digital Government Regulatory Authority (TDRA) are steadily raising the bar for compliance, particularly for organizations operating in critical sectors. Odeh stresses that cyber risks extend far beyond a company’s own operations, encompassing suppliers and distribution partners as well: “Any attack on a business partner can quickly spill over to all connected organizations. That is why regulators now increasingly expect organizations to demonstrate resilience across their entire supply chain.”
Pentests “Affordable for Every Mid-Sized Company”
The security expert stresses that autonomous, cloud-based penetration tests are now “affordable for every mid-sized organization.” “The costs scale with the size of the IT network,” explained Tamer Odeh. He notes that what was once a tool designed primarily for large enterprises has become accessible for SMEs as well — easy to use without the need to hire external hackers. Odeh also emphasizes that pentest costs should be viewed in relation to the potential damages from cyberattacks. As highlighted at the Shaping a Secure Enterprise conference held in Dubai in January, the annual cost of cybercrime is projected to soar to $10.5 trillion globally by 2025.
All Connected Devices are at Risk
In addition to low costs and ease of use, Tamer Odeh highlights another key advantage of a cloud-based pentest platform: it extends testing beyond computers to include all connected machines and devices. “If cybercriminals take control of security cameras on office premises, the entire organization’s safety is at risk,” he warned — underlining that the call for greater cyber resilience goes far beyond traditional IT systems.
He also stresses the urgency: the window between the discovery of a new vulnerability and its exploitation by attackers is shrinking rapidly. Companies therefore have less and less time to assess whether their own networks are at risk. “Given the complexity of today’s IT environments, it is practically impossible for organizations to determine in time whether they are affected by every newly emerging flaw — let alone manage the immense costs involved,” Odeh explained.
AI as a Driver of Attack Scenarios
Organizations of all sizes remain far too complacent, warns Odeh. Most IT departments have already lost oversight of the many potential weaknesses in their networks. This is hardly surprising, he explains, as IT environments grow ever more complex while attacks become faster and more sophisticated.
According to Odeh, one factor is accelerating cybercrime more than any other: artificial intelligence. Complex attacks can now be automated and executed with minimal effort — not only by state actors, but increasingly by well-organized cybercriminal groups. These methods are used across industries and can remain undetected for long periods, causing significant damage before being uncovered.
Horizon3.ai’s AI-driven autonomous pentest platform NodeZero has shown in customer engagements that corporate defences can often be breached within minutes. NodeZero even incorporates social-engineering tactics, exploiting human weaknesses — for instance, when an employee uses their pet’s name as a password after sharing it publicly on social media. “In most cases, just one weak spot is enough to give attackers access to an organization’s digital infrastructure,” Odeh cautioned.
Vulnerability Scanners Are Not Enough
Most businesses are aware of the growing cyber threat, says Odeh, but many still rely on the wrong defenses. “It’s not uncommon for organizations to run 20 to 40 different security tools at the same time, yet they have little idea how well these actually work together,” he explained.
A particular blind spot is the reliance on vulnerability scanners. While scanners identify numerous flaws and even assign risk ratings, they do not reveal which issues are truly critical for a specific organization. “No IT team can possibly patch every single vulnerability disclosed each day,” Odeh stressed. What matters is prioritisation — focusing on the weaknesses that genuinely put the business at risk. “That clarity only comes through systematic, simulated attacks on your own environment, because only then do the weaknesses emerge that really matter to you,” he concluded.
About Horizon3.ai and NodeZero: Horizon3.ai provides a cloud-based platform, NodeZero, enabling organizations and public authorities to simulate self-attacks on their IT infrastructure to assess their cyber resilience through penetration testing (pentesting). Thanks to its cloud model, the platform offers affordable, regular pentesting, making it accessible to mid-sized companies. Horizon3.ai continuously monitors the cybercrime landscape to ensure that newly discovered vulnerabilities are swiftly integrated into the cloud system. NodeZero not only identifies security flaws but also offers tailored recommendations for remediation. Through this platform, Horizon3.ai helps organizations meet rising regulatory demands for cyber resilience in Governance, Risk & Compliance (GRC), with guidelines recommending an internal self-attack at least once a week.
Trademark notice: NodeZero is a trademark of Horizon3.ai
Further information: Horizon3.AI Europe GmbH, Prielmayerstrasse 3, 80335 Munich, Web: www.horizon3.ai
PR Agency: euromarcom public relations GmbH, Web: www.euromarcom.de, Email: team@euromarcom.com
- - - -