The Velocity Gap: Why Record Middle East Cyber Spending Is Losing to AI Attackers
The defining figure in cybersecurity this year is not the size of the regional security market, nor the volume of attacks organisations now absorb. It is the distance between the two. Across the Middle East, investment in cyber defence is climbing toward record levels even as the time attackers need to move from initial access to impact collapses, and that divergence — between what organisations are spending and how fast they are being outpaced — has become the central problem of 2026. Artificial intelligence has not merely accelerated the threat. It has rewritten the relationship between security and time.
The evidence for that widening gap is now measurable rather than anecdotal. In its State of the Market Report 2026, Help AG, the cybersecurity arm of e&, recorded a 65% reduction in the time attackers require to progress from initial access to compromise execution, alongside cases where intrusions reached impact in under 40 hours. Within the first quarter of 2026 the trajectory sharpened further. The company supported three digital forensics and incident response engagements in which the full attack chain, from initial access to action on objectives, completed within 48 hours with near-zero dwell time. Dr Aleksandar Valjarevic, Acting CEO of Help AG, set out the stakes in structural terms, noting that the volume and velocity of modern threat activity are now exceeding the limits of manual security operations and pushing automation and AI-assisted analysis from advanced capabilities into core operating requirements.
Investment Has Climbed Faster Than Resilience
The first half of the velocity gap is financial, and on paper it reads as strength. Information security spending across MENA is expected to reach $4.07 billion in 2026, with managed security services growing at 16.6% year-on-year to become the fastest-expanding segment of the market, according to Gartner figures cited in the report. GCC cybersecurity investment is projected to surpass $9.6 billion by 2032 on a sustained compound annual growth rate, drawing on P&S Intelligence analysis. The regional appetite for autonomous defence is equally pronounced, with the Cisco AI Readiness Index 2025 finding that 92% of UAE firms and 91% of Saudi firms intend to deploy AI agents capable of executing complex security tasks without human intervention.
Yet that spending is not converting into proportional reductions in risk, and the report is direct about why. Most organisations now operate with significantly expanded security capability but continue to struggle with visibility, integration, and consistent enforcement across hybrid environments. The issue, as the report puts it, is no longer whether controls exist but whether they work together cohesively. The cost of that incoherence remains stubbornly high. The average data breach in the Middle East now reaches $7.29 million, 61% above the global average, according to the IBM Cost of a Data Breach Report 2025. Help AG attributes the persistence of these costs to four structural forces operating at once: attack complexity increasing faster than defensive integration, tool adoption outpacing operational maturity, digital exposure expanding across cloud and operational technology, and threat actors scaling through AI, automation, and identity exploitation. Investment, in short, has bought capability faster than organisations can operationalise it.
AI Is the Mechanism Closing the Distance for Attackers
If the financial half of the gap explains why defenders feel exposed despite spending, the second half explains how attackers are pulling ahead. Artificial intelligence is no longer an emerging capability within the threat landscape but an operational one, actively shaping how attacks are executed, scaled, and refined. The report identifies three defining shifts. AI is accelerating the attack lifecycle through automated reconnaissance, large-scale generation of targeted phishing, and continuous testing of authentication mechanisms. It is amplifying the dominant attack vectors, given that 90% of compromises now originate from identity, phishing, and application exploits, techniques AI allows attackers to scale with greater precision. And it is compressing time-to-impact, the 65% acceleration that sits at the centre of the velocity problem.
Mohamad Kontar, Offensive Cybersecurity Manager for Saudi Arabia at Help AG, described how far the offensive playbook has shifted. He explained that what once required time, contextual understanding, and iterative refinement can now be generated and adapted with significantly less friction through large language models, enabling a wider range of attack variations to be produced more rapidly. The structural consequence, in his assessment, is that AI has not changed the nature of attacker behaviour but has significantly compressed the time required to execute it. That compression matters because it attacks the one resource defenders have always relied upon. For decades the operating model was consistent — detect, analyse, patch, contain — and even against fast adversaries, defenders retained meaningful time to respond before escalation. That assumption is now eroding, and the erosion is what turns a manageable threat into a structural one.
The UAE Surge Showed How Quickly the Gap Can Open
The most striking demonstration that this is not a theoretical concern arrived early in 2026. Following the escalation of regional tensions in late February, reported attack volumes in the UAE rose from approximately 200,000 per day to between 500,000 and 700,000 daily attempts, according to national authorities cited in the report. The disruption activity scaled in parallel, with Help AG observing more than 114,000 DDoS attacks in the first quarter alone, over 70% of them multi-vector and therefore harder to mitigate. Destructive wiper malware, designed to destroy data irreversibly and cripple recovery beyond the initial breach, re-emerged as a distinct vector after a quieter period.
What the surge illustrated was the speed at which operating conditions can change rather than the raw numbers alone. Threat patterns that the 2025 outlook had identified as emerging — compressed attack lifecycles, the operational use of AI, and closer alignment between cyber activity and geopolitical developments — materialised within months. The report’s conclusion on this point is unambiguous: the velocity gap identified in 2025 has not narrowed, it has widened. For chief information security officers, the lesson embedded in the episode is that external events now translate into cyber pressure almost instantly, leaving little room for the deliberate response cycles that earlier models assumed.
That reality is reshaping how practitioners describe their own work. Sarith Bhavan, Head of Cybersecurity and Technology Platform Operations at Mubadala, observed that cybersecurity entered 2026 with a fundamentally different relationship to time, with AI adoption, increasingly sophisticated attacks, and geopolitical instability compressing the timelines security teams once relied on. In his account the question has shifted from how to prepare for disruption to how to operate through it, with resilience repositioned as part of the operating fabric rather than a recovery layer activated after the fact.
Closing the Gap Means Building Security That Learns
If speed is the problem, the resolution the report advances is not simply more speed but a different operating model, one in which defence compounds rather than resets. Srivatsa Venkatesh, Director of Cyber Defence at Help AG, argued that the next phase of SOC maturity is no longer about responding faster but about building systems that learn continuously from every incident, improve detection coverage in real time, and reduce future attack opportunity with each investigation completed. The defining question, in his assessment, changes from how fast a team responded to how effectively it learned and how much harder that learning made the environment to attack. The measurable outcomes Help AG reports from this approach point in that direction: more than 60% of alerts now handled by automation with human oversight reserved for final review, over 145 security scenarios fully automated, and cyber threat intelligence turnaround improving by 30% across 2025.
The human layer remains central to that model rather than peripheral to it, a point the report’s contributors return to repeatedly. Majid Ahmed Khan, VP Services for Presales at Help AG, captured the balance in noting that AI can prioritise the signal while human expertise defines the decision. The principle holds across the wider regional picture, where continued investment in talent development and nationalisation is strengthening the human layer even as automation expands. The destination, then, is neither fully automated defence nor a return to manual operations, but a deliberate partnership in which machine speed matches adversary speed and human judgment supplies the context that machines cannot.
Whether organisations across the region close the velocity gap or merely manage it will depend less on how much they spend than on how coherently they operate. The report’s final reckoning is that cybersecurity maturity is no longer measured by the depth of individual capabilities or the scale of deployed tooling, but by the degree of cohesion achieved across them. In an environment where attackers have weaponised time, the organisations that endure will be those that stop treating each incident as an event to survive and start treating it as intelligence to compound.
