Horizon3.ai Finds Cybersecurity Execution Gap Across the Middle East

The UAE and wider Middle East region have made cybersecurity a strategic priority, driven by rapid digital transformation, national cybersecurity frameworks, and increasing geopolitical complexity. Government-led initiatives and regulations are setting high expectations for organizations to strengthen resilience, counter cyber threats, and secure critical infrastructure. Yet new research from Horizon3.ai, the “AI-native proactive security leader”, suggests many organizations are still struggling to match this ambition with operational readiness.
The Horizon3.ai Cybersecurity Report UAE 2025/2026 shows that while organizations across the region are aware of cyber risks and are investing in security, many still struggle to translate strategy into effective execution. Cyberattacks are both widespread and persistent across organizations in the UAE. The survey found that 66% of organizations experienced a cyberattack in the past 24 months, including 45% that suffered damage, and 21% that were able to repel the attack. Crucially, these incidents are not isolated. Nearly two thirds (63%) report being targeted multiple times over the same period, underscoring the sustained nature of today’s threat landscape.
Despite this repeated exposure, confidence in cyber resilience remains low. Only 12% of organizations say they are fully confident in their ability to defend against cyber threats, while the overwhelming majority acknowledge that their protections remain incomplete or could be strengthened. Preparedness for recovery is similarly uneven. Just 27% of organizations report having a contingency plan that has been thoroughly tested, while 31% have a plan in place that has yet to be validated through testing. Most concerningly, 42% say they have no contingency plan at all.
The same pattern is reflected in post-incident response practices. Only 25% of organizations always conduct a comprehensive risk analysis following a cyberattack, while 28% do so only occasionally and another 28% do not conduct such analysis at all, despite intending to. Encouragingly, cybersecurity investment is increasing across the region, with 59% of organizations reporting higher cybersecurity budgets compared to the previous year.
Yet higher spending has not automatically resulted in stronger confidence or greater resilience. “The UAE is making significant progress in digital innovation and cyber investment, but investment alone is not enough,” said Tamer Odeh, Middle East and Africa Regional Lead at Horizon3.ai. “As organizations modernize rapidly, they need to continuously validate that their defences reflect real resistance and that spending is delivering measurable risk reduction.”
The UAE’s rapid digital transformation is placing additional demands on cybersecurity. 39% of organizations say digital initiatives such as smart city programs have had a major impact on their cybersecurity requirements, with a further 36% reporting a moderate impact. At the same time, preparedness for emerging AI-driven threats remains mixed. While 38% of organizations believe they are well prepared for AI-powered cyberattacks, a significant proportion have yet to fully adopt AI-based defence capabilities, with 39% stating they do not currently use such tools but plan to implement them.
“Cybersecurity has become business-critical in an era defined by AI acceleration and geopolitical uncertainty. Organizations must take every possible step to protect their IT environments and critical services,” said Tamer Odeh, Middle East and Africa Regional Lead at Horizon3.ai. He continued: “Traditional tools and manual pentesting approaches are no longer sufficient. To address today’s aggressive cyber risks, organizations must continuously test whether they are truly resilient.”
To address these challenges, organizations need a more proactive and continuous way to validate their security posture. “Pentesting remains the most effective way to assess risk and identify what is actually exploitable and where teams need to act first,” added Odeh. He pointed to Horizon3.ai’s platform, NodeZero, described as “the world’s best and most experienced AI Hacker”, which autonomously executes production-safe penetration tests at scale. By chaining multi-domain attack paths across web applications, Active Directory, cloud environments, and identity systems, NodeZero exposes exploitable weaknesses that traditional tools cannot uncover.
The findings highlight a critical challenge for organizations across the UAE and Middle East: cybersecurity awareness and investment are increasing, but execution remains inconsistent and often untested. Without continuous validation and effective remediation, organizations risk relying on assumed resilience rather than proven security.
“Proactivity and continuity are essential for organizations that want to stay resilient in the face of today’s cyber risk,” said Tamer Odeh. “Security teams need clarity on what matters most, so they can act decisively rather than be overwhelmed.” As the region accelerates its digital ambitions, organizations that can turn cybersecurity strategy into measurable, repeatable resilience will be best placed to keep pace with an increasingly complex threat landscape.



