<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Europe &#8211; Digital Intelligence</title>
	<atom:link href="https://www.digitalintelligence.at/category/europe/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.digitalintelligence.at</link>
	<description>by Ozan Akyol</description>
	<lastBuildDate>Fri, 12 Jun 2026 08:21:25 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0</generator>

<image>
	<url>https://www.digitalintelligence.at/wp-content/uploads/2025/11/android-chrome-512x512-1-60x60.png</url>
	<title>Europe &#8211; Digital Intelligence</title>
	<link>https://www.digitalintelligence.at</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Austria&#8217;s Spyware Law Goes Before the Judges. The Real Question Is Who Sells the Exploit.</title>
		<link>https://www.digitalintelligence.at/austrias-spyware-law-goes-before-the-judges-the-real-question-is-who-sells-the-exploit/</link>
		
		<dc:creator><![CDATA[Ozan Akyol]]></dc:creator>
		<pubDate>Fri, 12 Jun 2026 08:21:25 +0000</pubDate>
				<category><![CDATA[Europe]]></category>
		<category><![CDATA[Intelligence]]></category>
		<guid isPermaLink="false">https://www.digitalintelligence.at/?p=4477</guid>

					<description><![CDATA[On June 22 the Austrian Constitutional Court will sit in public session and hear arguments about whether the state may read your Signal messages. The hearing starts at 9:30 in the morning. I expect the courtroom to be full and the answers to be thin. The law under review is the amendment to the Staatsschutz- und Nachrichtendienst-Gesetz that the Nationalrat passed on July 9 last year. It gives the DSN, Austria&#8217;s domestic intelligence service, the power to monitor messages on services like WhatsApp and Signal, encrypted or not. The trigger conditions are terrorism, activities that endanger the constitutional order, and]]></description>
										<content:encoded><![CDATA[<p class="font-claude-response-body break-words whitespace-normal" data-sourcepos="3:1-3:251;93-343">On June 22 the Austrian Constitutional Court will sit in public session and hear arguments about whether the state may read your Signal messages. The hearing starts at 9:30 in the morning. I expect the courtroom to be full and the answers to be thin.</p>
<p class="font-claude-response-body break-words whitespace-normal" data-sourcepos="5:1-5:590;345-934">The law under review is the amendment to the Staatsschutz- und Nachrichtendienst-Gesetz that the Nationalrat passed on July 9 last year. It gives the DSN, Austria&#8217;s domestic intelligence service, the power to monitor messages on services like WhatsApp and Signal, encrypted or not. The trigger conditions are terrorism, activities that endanger the constitutional order, and espionage. Orders run for three months and can be extended. Before anything happens, the Rechtsschutzbeauftragter in the Interior Ministry reviews the request and the Federal Administrative Court has to approve it.</p>
<p class="font-claude-response-body break-words whitespace-normal" data-sourcepos="7:1-7:211;936-1146">On paper that is a layered system. In practice I have yet to meet anyone in Vienna&#8217;s security community who can explain how a court is supposed to meaningfully review a surveillance technique it cannot inspect.</p>
<h2 class="text-text-100 mt-3 -mb-1 text-[1.125rem] font-bold" data-sourcepos="9:1-9:19;1148-1166">How we got here</h2>
<p class="font-claude-response-body break-words whitespace-normal" data-sourcepos="11:1-11:479;1168-1646">The vote last July was ugly. ÖVP and SPÖ carried it, FPÖ and the Greens voted against, and even inside the coalition the NEOS deputies Krisper and Scherak broke ranks. That fracture mattered. In January, FPÖ and the Greens filed a Drittelbeschwerde, a constitutional challenge that requires one third of the Nationalrat. Sixty-two deputies signed. When the parliamentary far right and the Greens agree that a law goes too far, the Constitutional Court tends to listen carefully.</p>
<p class="font-claude-response-body break-words whitespace-normal" data-sourcepos="13:1-13:477;1648-2124">There is also precedent, and it is not on the government&#8217;s side. In 2019 the same court struck down Austria&#8217;s first attempt at a Bundestrojaner. The judges called covert surveillance of computer systems a grave intrusion into private life under the European Convention on Human Rights, permissible only within extremely narrow limits. The Interior Ministry&#8217;s lawyers have spent the years since trying to draft around that ruling. June 22 is the test of whether they succeeded.</p>
<h2 class="text-text-100 mt-3 -mb-1 text-[1.125rem] font-bold" data-sourcepos="15:1-15:41;2126-2166">The part nobody wants to say out loud</h2>
<p class="font-claude-response-body break-words whitespace-normal" data-sourcepos="17:1-17:388;2168-2555">Here is the technical reality the political debate keeps avoiding. You cannot wiretap Signal. End-to-end encryption means there is nothing useful on the wire. There are only two ways in. Either the provider hands over the messages, which Signal will not and structurally cannot do, or the state installs spyware on the target device by exploiting a vulnerability in the operating system.</p>
<p class="font-claude-response-body break-words whitespace-normal" data-sourcepos="19:1-19:599;2557-3155">The second option is what this law actually authorizes, whatever the legislative language says. And the budget figures confirm it. The impact assessment attached to the reform set aside ten million euros from 2026, followed by roughly two million per year in license fees through 2029. License fees. Nobody pays recurring license fees for a tool they built themselves. Austria is shopping at an international spyware vendor, and the shortlist of companies selling state-grade mobile exploitation is not long. The same paperwork mentions an IMSI catcher for location data, almost as an afterthought.</p>
<p class="font-claude-response-body break-words whitespace-normal" data-sourcepos="21:1-21:423;3157-3579">So the state becomes a customer in the exploit market. That has consequences the law does not address. Every zero-day a government buys and keeps alive is a vulnerability deliberately left open in phones carried by everyone else, including ministers, judges and the DSN&#8217;s own officers. People in allied services have been blunt with me about this trade-off for years. You do not get a Trojan that only works on terrorists.</p>
<h2 class="text-text-100 mt-3 -mb-1 text-[1.125rem] font-bold" data-sourcepos="23:1-23:42;3581-3622">Why the timing is awkward for everyone</h2>
<p class="font-claude-response-body break-words whitespace-normal" data-sourcepos="25:1-25:576;3624-4199">The government will argue necessity, and it has material. Sylvia Mayer, running the DSN since January, says openly that Russia is the largest espionage threat and that among Vienna&#8217;s thirteen thousand accredited diplomats, some delegations are more than one fifth intelligence officers. The Egisto Ott verdict in May, four years and one month for spying for Moscow from inside the old BVT, gave Austria its first major espionage conviction of the new era. The services finally have political momentum after a decade of being the embarrassment of European counterintelligence.</p>
<p class="font-claude-response-body break-words whitespace-normal" data-sourcepos="27:1-27:362;4201-4562">The opposition will argue proportionality, and it also has material. The 2019 ruling. The technical impossibility of limiting spyware once deployed. The fact that the agency asking for this capability is the institutional successor of the office Ott worked for. Trust is the currency here, and Austrian domestic intelligence has been printing very little of it.</p>
<p class="font-claude-response-body break-words whitespace-normal" data-sourcepos="29:1-29:593;4564-5156">The court has said it intends to announce its decision in the days after the hearing. Whichever way it falls, the law is supposed to enter into force in 2027, which means the procurement process is presumably already moving. That is the thread I find more interesting than the constitutional question. If the judges uphold the law, Austria signs a contract with a spyware vendor within months. The name on that contract, and the export jurisdiction behind it, will tell us more about the future of Austrian surveillance than anything said in court on June 22. I intend to find out what it is.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Vienna&#8217;s Antenna Forest and Austria&#8217;s Quiet Course Change</title>
		<link>https://www.digitalintelligence.at/viennas-antenna-forest-and-austrias-quiet-course-change/</link>
		
		<dc:creator><![CDATA[Ozan Akyol]]></dc:creator>
		<pubDate>Sat, 30 May 2026 12:38:14 +0000</pubDate>
				<category><![CDATA[Analysis]]></category>
		<category><![CDATA[Europe]]></category>
		<category><![CDATA[Intelligence]]></category>
		<guid isPermaLink="false">https://www.digitalintelligence.at/?p=4473</guid>

					<description><![CDATA[There is a stretch of road in Vienna&#8217;s 22nd district, just off the U1 metro line, where you can stand on one side of a small park and see the Russian diplomatic compound on the left and the UN City complex on the right. The distance between them, on a clear day, is about what a decent rooftop antenna would have for line of sight on satellite uplinks from the IAEA. Anyone in Vienna&#8217;s intelligence ecosystem has thought about this geometry at some point. The staff at the IAEA Communications Office have thought about it more. On 4 May, the]]></description>
										<content:encoded><![CDATA[<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">There is a stretch of road in Vienna&#8217;s 22nd district, just off the U1 metro line, where you can stand on one side of a small park and see the Russian diplomatic compound on the left and the UN City complex on the right. The distance between them, on a clear day, is about what a decent rooftop antenna would have for line of sight on satellite uplinks from the IAEA. Anyone in Vienna&#8217;s intelligence ecosystem has thought about this geometry at some point. The staff at the IAEA Communications Office have thought about it more.</p>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">On 4 May, the Austrian Foreign Ministry confirmed an ORF report from the previous evening. Three Russian diplomats had been declared persona non grata over the antennas on the roof of the embassy on Reisnerstrasse in the 3rd district and on the Donaustadt compound described above. The installations, according to ORF&#8217;s sources, were used to intercept data transmitted by international organisations based in Vienna over satellite internet. The three have already left.</p>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">This is the largest single Russian expulsion in Austria&#8217;s post-2022 period and brings the cumulative total to 14 since the full-scale invasion. The 14 figure, set against the seven-thousand-or-so hostile officers operating in this city and the dozens of accredited Russian personnel still in Vienna, is small. The story matters less for the numerical impact than for what it signals about how the new coalition is actually treating the espionage portfolio.</p>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">Foreign Minister Beate Meinl-Reisinger framed it in unusually direct language for an Austrian foreign minister: &#8220;Espionage is a security problem for Austria. In this government, we have initiated a change of course and are taking consistent action against it.&#8221; Then, more pointedly: &#8220;It is unacceptable for diplomatic immunity to be used to conduct espionage.&#8221;</p>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">Both sentences should be read in the context of what the Austrian government did before reaching the expulsion decision.</p>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">The Russian ambassador was summoned to the Foreign Ministry in April. Vienna asked Moscow to waive the immunity of the three officers so that the prosecutor&#8217;s office could open a case. Russia refused, which is the answer everyone in the building expected. Once that refusal was on the record, the only remaining instrument was a PNG declaration. That sequence, asking for immunity to be lifted before going to expulsion, is itself meaningful. It tells you the Justice Ministry would have preferred to prosecute, not deport. That is the institutional logic of the §319a draft I wrote about last month coming into view. The government is signalling that it wants foreign espionage on Austrian soil treated as a criminal matter rather than a diplomatic one.</p>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">The technical layer matters, and I will be brief about it because there are people in this city who know more than I do about exactly what those antennas were doing. The basics are these. When an international organisation in Vienna sends and receives traffic over satellite, the uplink and downlink are not magic. They are radio waves with side lobes that bleed off the main beam, and they pass over rooftops in defined geometric patterns. Anyone with the right antenna at the right altitude in the right place can pick up that traffic. Decrypting it is harder, but the volume of communications moving through the IAEA, UNOV, the OSCE and the EU Agency for Fundamental Rights, accumulated over years, gives serious cryptanalytic teams plenty to work with. Embassy rooftops are uniquely valuable platforms for this work because of immunity. Nobody, including DSN, can come up and look at the equipment.</p>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">The Donaustadt compound is what makes this case sharper than the standard embassy SIGINT story. The site sits within walking distance of the UN City complex. The line of sight is, to put it generously, ideal. Anyone who has walked along Wagramer Strasse on a clear afternoon understands the geometry instinctively. The question that has been quietly asked in Vienna&#8217;s diplomatic circles for years is why nobody acted on this earlier.</p>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">Part of the answer is that DSN until recently was not in shape to act. Sylvia Mayer took over on 1 January as the first female director of the agency. The Russian ambassador was summoned in April. The expulsions were announced on 4 May. That is the operational rhythm of a service that has decided to spend its first major political capital on this file. Mayer herself was on the podium at the press conference. Asked why these installations were a particular threat, she limited herself to saying it had to do with their size and nature, and declined to comment on the timing. Her declining to discuss the timing is the whole story. The timing is a political choice, not an intelligence one. The antennas have been there for years.</p>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">There are limits to what I will read into a single expulsion. Austria has now expelled 14 Russian diplomats in four years, which compared to other European countries is still on the low side. The bulk of accredited Russian personnel are still here, doing whatever they do, with the same immunities. The Donaustadt compound is still in operation. The antennas, as a class of equipment, are not going anywhere, and Russia will rotate in new staff under different cover within months. The structural facts of Vienna&#8217;s exposure have not changed.</p>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">What has changed, possibly, is the political ceiling on what can be done about that exposure. For most of the past decade, the standard official Austrian position was that Vienna&#8217;s hosting role required a particular kind of equidistance, and that expulsions complicated relationships with international organisations that depended on diplomatic stability. That position has been quietly retired by the current government. Meinl-Reisinger&#8217;s &#8220;change of course&#8221; line is not rhetorical. It maps onto a sequence of concrete decisions: the §319a draft, the summoning of the ambassador, the public request for immunity waiver, the public expulsion. These are not the actions of a government still committed to the bridge.</p>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">The next move belongs to Moscow. The Russian embassy called the expulsions &#8220;outrageous&#8221; and &#8220;politically motivated,&#8221; and warned of a &#8220;harsh&#8221; response, calling the bilateral relationship &#8220;at a historical low.&#8221; Judging by the recent pattern, &#8220;harsh response&#8221; usually means a reciprocal expulsion of Austrian diplomats, often more than the original number, and visa frictions for Austrian citizens. The relationship will degrade further. That is also part of the price of the course change, and the government appears to be prepared to pay it.</p>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">The piece I wrote last month argued that the §319a draft was real progress but that the Ott verdict would tell us more than the law itself. The expulsions on 4 May added a third data point to that picture. Taken with the verdict that landed on 20 May, the bill, the expulsions and the conviction are starting to look less like isolated events and more like a deliberate sequence. Vienna, for the first time in a long time, is acting like a country that takes its espionage problem seriously.</p>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">Whether that lasts beyond the next election cycle is a question I will not answer today. It depends on which parties are at the table after the next vote and what they decide to do with the institutional momentum the current government has built. The political risks are real. The operational improvements are also real. Both things can be true.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The &#8220;Between Peace and War&#8221; Doctrine Has an Austrian Problem</title>
		<link>https://www.digitalintelligence.at/the-between-peace-and-war-doctrine-has-an-austrian-problem/</link>
		
		<dc:creator><![CDATA[Ozan Akyol]]></dc:creator>
		<pubDate>Mon, 11 May 2026 12:04:30 +0000</pubDate>
				<category><![CDATA[Europe]]></category>
		<guid isPermaLink="false">https://www.digitalintelligence.at/?p=4449</guid>

					<description><![CDATA[The day the White House announced it was withdrawing the United States from the European Centre of Excellence for Countering Hybrid Threats, I happened to be in a meeting with a contact at the Federal Police in Vienna. He glanced at the news on my phone, made a dry remark in Viennese German that I will not bother to translate, and went back to whatever case we were on. That reaction is, I think, the entire problem in miniature. The European conversation about the gray zone is happening at full volume. White papers, conferences in Brussels and Helsinki, ECFR reports,]]></description>
										<content:encoded><![CDATA[


<p class="wp-block-paragraph">The day the White House announced it was withdrawing the United States from the European Centre of Excellence for Countering Hybrid Threats, I happened to be in a meeting with a contact at the Federal Police in Vienna. He glanced at the news on my phone, made a dry remark in Viennese German that I will not bother to translate, and went back to whatever case we were on. That reaction is, I think, the entire problem in miniature.</p>



<p class="wp-block-paragraph">The European conversation about the gray zone is happening at full volume. White papers, conferences in Brussels and Helsinki, ECFR reports, Council conclusions in March, a CSIS analysis that finally puts numbers on the sabotage. The actual operational people who would have to do something about it, at least in this country, are still treating it as somebody else&#8217;s file.</p>



<p class="wp-block-paragraph">There is a doctrine emerging inside European intelligence services that finally, openly, names what has been happening for the past several years. Blaise Metreweli, the new chief of MI6, set it out in her first public speech on 15 December. &#8220;We are now operating in a space between peace and war,&#8221; she said. &#8220;This is not a temporary state or a gradual evolution.&#8221; Then she listed what that space contains: arson, sabotage, cyberattacks on critical infrastructure, drones over airports and military bases, aggressive undersea activity, and what she called the deliberate creation of fractures inside societies.</p>



<p class="wp-block-paragraph">That speech was, by the careful reading of a few people I trust in London, a doctrinal moment. Metreweli spent very little time on China and almost none on terrorism, the two priorities that have dominated British intelligence work for two decades. She did not really mention the United States at all, which is itself a signal. The framing was entirely about Russia and about a Europe that has to start acting on the gray zone rather than just documenting it.</p>



<p class="wp-block-paragraph">Joseph Fitsanakis sharpened the argument in a 5 May intelNews piece. His point, distilled, is that European intelligence services were built for a strategic environment in which they complemented American primacy. Their job was to support NATO, fill in regional gaps, provide national-level warning, and feed the larger US machine. That model is operationally insufficient now. Trump&#8217;s pivot, including the January withdrawal from the Helsinki-based Hybrid CoE, was the formal closure of the old arrangement. What Europe needs instead is autonomous intelligence structures capable of supporting an actual independent strategy. Most European services are not there yet, and the gap is widening.</p>



<p class="wp-block-paragraph">The case for the doctrine, if you want it in numbers, is overwhelming. CSIS counted 219 suspected Russian hybrid warfare incidents in Europe between 2014 and 2025, with 46 percent of them occurring in 2024 alone. German media revealed in February that the Bundeskriminalamt counted 321 sabotage cases inside Germany during 2025. In September 2025, between 19 and 21 Russian-launched drones crossed into Polish airspace, forcing NATO Article 4 consultations and the closure of several airports. Drone sightings shut down operations at Munich Airport. Lithuania declared a state of emergency over repeated Belarusian balloon incursions. At the February Munich Security Conference, BND president Martin Jäger put the global Russian intelligence officer count at 60,000, not including informants. Whatever the precision on that figure, the scale is unmistakable.</p>



<p class="wp-block-paragraph">This is the strategic backdrop. Now the part that actually matters from where I sit.</p>



<p class="wp-block-paragraph">Austrian neutrality, as written into the Constitution in 1955, was designed for a different kind of conflict. The architects had in mind blocs, armies, formal alliances. The neutrality law commits Austria not to join military alliances, not to host foreign military bases, and not to participate in aggressive war. None of those conditions are triggered by the activity Metreweli described. A drone over Vienna&#8217;s airport does not require Austria to declare its alliance status. A cyberattack on the IAEA does not engage the army. A sabotage operation against a logistics hub in Lower Austria does not breach any of the formal conditions of neutrality. So Austria sits, technically neutral, while operations against its partners, its institutions, and increasingly its own infrastructure are run through its territory.</p>



<p class="wp-block-paragraph">This is the part of the doctrine that nobody in Vienna wants to address out loud. Neutrality, as a legal category, is operationally meaningless in a gray-zone conflict. The conflict does not generate the moments that neutrality is built to manage. There is no declaration of war, no troop movement, no formal alliance request. There is only constant, low-grade, deniable pressure. And in a country that hosts the IAEA, UNOV, the OSCE, OPEC, the EU Agency for Fundamental Rights, several thousand accredited foreign personnel, and the seven-thousand-or-so hostile intelligence officers I have written about before, the absence of a formal war does not mean the absence of strategic stakes. It just means Austria is currently choosing not to act on them.</p>



<p class="wp-block-paragraph">The §319a bill I covered last month is the dim reflection of this realization inside the Justice Ministry. The drafters know, even if they cannot put it in the explanatory memorandum, that the current legal framework is calibrated for a world that no longer exists. Closing the espionage loophole is the easy half. The harder half is asking whether a country can credibly call itself neutral when its capital is the operational backyard for at least one belligerent in an ongoing European conflict.</p>



<p class="wp-block-paragraph">I do not see the DSN reaching that question on its current trajectory. Sylvia Mayer took over as director on 1 January. The service is still rebuilding from the BVT collapse, and the allied agencies I speak with regularly describe DSN as analytically respectable and operationally thin, which is the wrong shape for &#8220;between peace and war&#8221; work. The doctrine Metreweli outlined assumes a service capable of running disruption operations against hostile networks on its own initiative. That is not what DSN does, and it is not what DSN, given Austrian political reality, will be doing any time soon.</p>



<p class="wp-block-paragraph">The political reality is the second-order problem. The FPÖ leads the polls. The party has spent the past decade building its base on a soft-Russia, hard-neutrality position, and there is no electoral incentive for them to revisit it. If they form the next government, or play kingmaker in the next coalition, the most likely outcome is that Austria stays inside the EU institutional framework on paper while drifting operationally outside the European gray-zone response architecture. Other European services will adjust by routing around Vienna. I have already heard variations of that sentence in a couple of allied capitals over the past year.</p>



<p class="wp-block-paragraph">So what does Metreweli&#8217;s doctrine actually mean for this country?</p>



<p class="wp-block-paragraph">It means the choice is becoming explicit. Either Austria modernizes its understanding of neutrality to allow active counter-hybrid work, including offensive cyber, disruption of hostile networks on its own territory, and meaningful operational sharing on hybrid campaigns against partners. Or it accepts that its strategic position will erode quietly, year by year, until the city is treated by allied services as a permissive environment to be worked around rather than worked with.</p>



<p class="wp-block-paragraph">The Constitution does not actually prevent the first option. The Constitution prevents joining a military alliance. It does not prevent treating sabotage, cyberattacks, drone incursions and hybrid operations against European partners as serious matters that Austria acts on. That is a political choice presented as a legal constraint. Most Austrian politicians find the legal framing convenient because it spares them the conversation.</p>



<p class="wp-block-paragraph">Metreweli&#8217;s speech, read carefully, was an invitation. She was telling other European services that the UK is moving from documenting to acting. She was telling Moscow that the cost calculus is about to change. She was telling Washington, very politely, that London no longer believes the transatlantic intelligence relationship is what it once was. And she was telling neutral countries that the gray zone does not respect their preferred categories.</p>



<p class="wp-block-paragraph">Vienna has not yet had this conversation with itself. It will. The only question is whether it happens because Austrian politicians chose to have it, or because allied services stopped waiting.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Austria Finally Drafts a Real Espionage Law. The Ott Trial Will Decide Whether It Matters.</title>
		<link>https://www.digitalintelligence.at/austria-finally-drafts-a-real-espionage-law-the-ott-trial-will-decide-whether-it-matters/</link>
		
		<dc:creator><![CDATA[Ozan Akyol]]></dc:creator>
		<pubDate>Sun, 26 Apr 2026 16:13:51 +0000</pubDate>
				<category><![CDATA[Europe]]></category>
		<category><![CDATA[Intelligence]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">https://www.digitalintelligence.at/?p=4445</guid>

					<description><![CDATA[Austria has spent the better part of half a century letting foreign intelligence officers run operations from its capital, because the law, quite literally, does not care as long as the target is somebody else. Section 256 of the Criminal Code criminalises espionage only when it is directed against the Austrian state. So if a Russian, Chinese or Iranian officer sits in a Viennese café and tasks a contact to collect on the IAEA, surveil a dissident who fled here precisely because she thought the Republic would protect her, or lift material from an OSCE delegation, none of that is]]></description>
										<content:encoded><![CDATA[
<p class="wp-block-paragraph">Austria has spent the better part of half a century letting foreign intelligence officers run operations from its capital, because the law, quite literally, does not care as long as the target is somebody else.</p>



<p class="wp-block-paragraph">Section 256 of the Criminal Code criminalises espionage only when it is directed against the Austrian state. So if a Russian, Chinese or Iranian officer sits in a Viennese café and tasks a contact to collect on the IAEA, surveil a dissident who fled here precisely because she thought the Republic would protect her, or lift material from an OSCE delegation, none of that is a crime under Austrian law. The targeted state can complain. The targeted institution can withdraw cooperation. Austria itself has nothing to charge.</p>



<p class="wp-block-paragraph">This is what produces the &#8220;spy capital&#8221; cliché. The figure people quote is 7,000 hostile officers operating in this city. It comes from the Austrian Center for Intelligence and Security Studies and is several years old. I have my doubts about that level of precision, since counting people whose entire job is not being counted is a strange exercise. But the structural fact the number gestures at is real, and any allied service will tell you the same thing about Vienna without much prompting.</p>



<p class="wp-block-paragraph">On 9 March, the Justice Ministry circulated a draft bill that finally moves to close §256. Falter obtained the text and reported on 3 April. Bloomberg followed the same morning. The draft is now sitting with the ÖVP-NEOS coalition partners.</p>



<p class="wp-block-paragraph">The headline change is a new §319a, criminalising espionage against international organisations headquartered in Austria, with prison terms of six months to five years. The IAEA, UNOV, the OSCE, the EU Agency for Fundamental Rights, all of them become protected. Operating against them from Austrian soil becomes a domestic offence rather than a diplomatic embarrassment that the Foreign Ministry has to manage privately.</p>



<p class="wp-block-paragraph">That is the part everyone is writing about. The two changes underneath it are more interesting.</p>



<p class="wp-block-paragraph">The first widens the legal concept of <em>Nachteil der Republik</em>, detriment to the Republic. Under the draft, the conduct does not have to actually harm Austria. It is enough that it is capable of endangering the country&#8217;s reputation, security or prosperity. So espionage against another EU member state, conducted from here, becomes prosecutable on the theory that hosting it could damage Austria&#8217;s relations with the partner. This shifts the offence from a results-based crime toward something closer to abstract endangerment. The Constitutional Court has historically not been comfortable with that kind of construction, and the provision will end up there sooner or later.</p>



<p class="wp-block-paragraph">The second targets what the trade calls disposable agents. These are the low-skilled people, often very young, recruited through Telegram or Signal to do small, discrete tasks. Photograph a building. Drop a package. Walk behind a target for an afternoon. The Bulgarian cell that worked through Jan Marsalek and was convicted in London last year relied heavily on this model, including in Vienna. Under current law, prosecuting them was awkward, because their individual contribution was small and their knowledge of the wider operation was usually genuine ignorance. The draft makes participation itself the offence, including for volunteers.</p>



<p class="wp-block-paragraph">The political pressure behind all of this is coming, very specifically, from one courtroom on Landesgerichtsstrasse.</p>



<h2 class="wp-block-heading">The Ott trial</h2>



<p class="wp-block-paragraph">The trial of Egisto Ott opened on 22 January. Ott is a former officer of the BVT, the domestic intelligence service that was dissolved after the 2018 raid that, more than anything else, destroyed Austria&#8217;s standing inside the European intelligence community for most of the next decade. The indictment runs to 172 pages. The headline charge, which is what makes this politically explosive rather than just embarrassing, is supporting a foreign intelligence service to the detriment of Austria.</p>



<p class="wp-block-paragraph">Prosecutors say Ott pulled large volumes of personal and operational data from national and international police databases between 2015 and 2021, kept some of it in a private Gmail account, and passed it through Marsalek, the fugitive Wirecard COO who has been in Russia since 2020. The list of alleged products is bad. Addresses of Russian dissidents living in Austria. Phone metadata of senior interior ministry staff. At one point in 2022, a laptop containing classified EU electronic security hardware that ended up with Russian intelligence.</p>



<p class="wp-block-paragraph">The allegation that should make any journalist in this region uncomfortable is that Ott provided Marsalek with the Vienna address of Christo Grozev, the Bellingcat investigator who has spent years exposing GRU operations from Salisbury to Berlin. Marsalek arranged for the apartment to be broken into. Grozev eventually left Austria after being told the threat to him was credible. Anna Thalhammer at Profil, who has been writing on Ott and Marsalek for years, is a witness in the trial and has described being a target of disinformation and physical surveillance in this city.</p>



<p class="wp-block-paragraph">The personal details are not the point. The point is that the same investigation that produced Ott&#8217;s arrest also surfaced what the Bulgarian cell had been doing in Vienna for months, and almost none of it was prosecutable here. That is the political fact that finally moved the bill.</p>



<h2 class="wp-block-heading">Two things missing from the conversation</h2>



<p class="wp-block-paragraph">The first is operational capacity. Writing §319a into the Criminal Code is one parliamentary vote. Building the kind of counter-intelligence service that can actually make a §319a case against a foreign professional working under official or commercial cover in Vienna is several budget cycles, at minimum.</p>



<p class="wp-block-paragraph">The DSN took over from the BVT in late 2021 and is still rebuilding. Sylvia Mayer started as the first female DSN director on 1 January. Allied services I have spoken to over the past two years tend to describe the DSN as analytically competent and operationally thin, and the gap between those two things is exactly where §319a cases live. I am not saying nothing will happen. I am saying that for the first two or three years after this passes, the cases that get charged will probably look like the Bulgarian one, meaning they will fall into Austria&#8217;s lap because someone else made the original arrests.</p>



<p class="wp-block-paragraph">The second is press freedom. The widened <em>Nachteil der Republik</em> language is broad enough that I can already see a future prosecutor reaching for it against a journalist who publishes material the government finds awkward, particularly anything connected to allied state operations on Austrian soil. I want a clear source-protection carve-out in the final text. Falter&#8217;s reporting did not mention one. The Justice Ministry will presumably say existing media protections apply. In practice they do not always apply, especially when the story embarrasses a partner government.</p>



<h2 class="wp-block-heading">What this actually changes</h2>



<p class="wp-block-paragraph">It changes what the prosecutor can charge once a case has been built. That is a real change.</p>



<p class="wp-block-paragraph">It does not change the geographic and institutional facts that make Vienna useful in the first place. It does not change the diplomatic immunities attached to the several thousand accredited foreign personnel in this city. It does not change the political reality that the FPÖ, currently leading in the polls, has spent the better part of a decade benefiting from the absence of pressure on this question and has every interest in the new law being enforced as gently as possible if and when they are in government.</p>



<p class="wp-block-paragraph">The Ott verdict is the test, not the law. If a jury sitting through 172 pages of evidence and ninety witnesses cannot bring itself to convict a former officer on the espionage count, the new statute will not matter, because no prosecutor will want to be the one to bring the next case. If they do convict, the Republic will have signalled, for the first time in a long time, that it is prepared to treat espionage on its territory as the serious matter it has always been.</p>



]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The Blind Spot in European Cybersecurity: Why SMEs Are Losing the Attack Surface Battle</title>
		<link>https://www.digitalintelligence.at/the-blind-spot-in-european-cybersecurity-why-smes-are-losing-the-attack-surface-battle/</link>
		
		<dc:creator><![CDATA[Ozan Akyol]]></dc:creator>
		<pubDate>Fri, 27 Feb 2026 16:09:49 +0000</pubDate>
				<category><![CDATA[Analysis]]></category>
		<category><![CDATA[Europe]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[critical infrastructure]]></category>
		<category><![CDATA[hybrid threats]]></category>
		<category><![CDATA[threat intelligence]]></category>
		<guid isPermaLink="false">https://www.digitalintelligence.at/?p=4409</guid>

					<description><![CDATA[Most European small and mid-sized enterprises believe they are too small to be targeted. The data tells a different story. According to ENISA&#8217;s 2025 Threat Landscape Report, over 60% of cyberattacks in the EU now target organisations with fewer than 250 employees. The reason is simple: attackers follow the path of least resistance, and SMEs consistently present the weakest perimeter. Having spent over a decade in intelligence and security operations, from securing diplomatic missions for the German Federal Foreign Office to advising law enforcement on digital threats, I have observed a consistent pattern. Organisations do not fail because they lack]]></description>
										<content:encoded><![CDATA[
<p class="wp-block-paragraph">Most European small and mid-sized enterprises believe they are too small to be targeted. The data tells a different story. According to ENISA&#8217;s 2025 Threat Landscape Report, over 60% of cyberattacks in the EU now target organisations with fewer than 250 employees. The reason is simple: attackers follow the path of least resistance, and SMEs consistently present the weakest perimeter.</p>



<p class="wp-block-paragraph">Having spent over a decade in intelligence and security operations, from securing diplomatic missions for the German Federal Foreign Office to advising law enforcement on digital threats, I have observed a consistent pattern. Organisations do not fail because they lack firewalls or antivirus software. They fail because they do not know what they are exposing to the internet in the first place.</p>



<h2 class="wp-block-heading">The Problem No One Talks About</h2>



<p class="wp-block-paragraph">Every organisation has an attack surface. It includes every domain, subdomain, IP address, open port, exposed API, cloud instance, and forgotten staging server connected to the internet. For a company with even a modest digital footprint, this can amount to hundreds of potential entry points.</p>



<p class="wp-block-paragraph">The challenge is visibility. Most SMEs have no systematic way to inventory their external-facing assets. A marketing team spins up a subdomain for a campaign and never takes it down. A developer leaves a test environment exposed with default credentials. An old mail server runs an unpatched version of Exchange. Each of these is an open door.</p>



<p class="wp-block-paragraph">Large enterprises address this through dedicated security operations centres and expensive enterprise tools. But for a company with 50 or 100 employees, these solutions are neither accessible nor affordable. This gap between awareness and capability is where most breaches begin.</p>



<h2 class="wp-block-heading">Attack Surface Management: From Military Doctrine to Cyber Defence</h2>



<p class="wp-block-paragraph">The concept of attack surface management (ASM) has its roots in military intelligence. Before any operation, you map the terrain. You identify vulnerabilities in your own position before the adversary does. The same principle applies to cybersecurity.</p>



<p class="wp-block-paragraph">Modern ASM platforms automate the process of discovering, cataloguing, and continuously monitoring an organisation&#8217;s external-facing digital assets. They scan for exposed services, misconfigurations, known vulnerabilities, leaked credentials on the dark web, and other indicators of risk.</p>



<p class="wp-block-paragraph">What makes ASM fundamentally different from traditional vulnerability scanning is scope and continuity. A vulnerability scan checks known assets at a point in time. ASM discovers unknown assets and monitors them continuously. It answers the question most security teams cannot: <em>What do we not know about our own exposure?</em></p>



<h2 class="wp-block-heading">The European Dimension</h2>



<p class="wp-block-paragraph">For European organisations, the stakes are compounded by regulation. The NIS2 Directive, which came into full effect across EU member states, imposes strict cybersecurity requirements on a far broader range of companies than its predecessor. Entities classified as &#8220;essential&#8221; or &#8220;important&#8221; must implement risk-based security measures, conduct regular assessments, and report incidents within tight timeframes.</p>



<p class="wp-block-paragraph">GDPR adds another layer. A breach resulting from an unmonitored attack surface does not just cause operational damage. It triggers mandatory notification requirements and potential fines of up to 4% of global annual turnover.</p>



<p class="wp-block-paragraph">Despite these pressures, most European SMEs still rely on periodic penetration tests, conducted once or twice a year, as their primary security assessment. In a threat landscape where new vulnerabilities are disclosed daily and attack infrastructure is automated, annual testing is the equivalent of checking your locks once a year in a neighbourhood where break-ins happen every week.</p>



<h2 class="wp-block-heading">Continuous Monitoring as the New Baseline</h2>



<p class="wp-block-paragraph">The shift from periodic assessment to continuous monitoring is not optional. It is a necessity. Attackers use automated reconnaissance tools that scan the entire IPv4 address space in minutes. If an organisation exposes a vulnerable service, it can be discovered and exploited within hours, sometimes within minutes.</p>



<p class="wp-block-paragraph">This is the operational reality that led me to develop <a href="https://securityscanner.ai?utm_source=digitalintelligence&amp;utm_medium=blog&amp;utm_campaign=asm_article">SecurityScanner.ai</a>, an attack surface management platform designed specifically for the European market. The platform provides continuous external monitoring, automated vulnerability detection, dark web credential monitoring, and AI-driven risk assessment. It is built from the ground up with GDPR-compliant infrastructure and priced for organisations that do not have six-figure security budgets.</p>



<p class="wp-block-paragraph">The philosophy behind it is straightforward. Every organisation, regardless of size, deserves the same level of visibility into its attack surface that was previously only available to large enterprises and government agencies.</p>



<h2 class="wp-block-heading">What a Proper ASM Workflow Looks Like</h2>



<p class="wp-block-paragraph">For organisations beginning to take attack surface management seriously, the process follows a clear logic.</p>



<p class="wp-block-paragraph"><strong>Discovery</strong> is the first phase. You cannot protect what you do not know exists. This means automated enumeration of all domains, subdomains, IP ranges, cloud assets, and third-party services associated with your organisation. The results are often surprising. Most companies discover 30 to 40 percent more external assets than they were aware of.</p>



<p class="wp-block-paragraph"><strong>Assessment</strong> follows discovery. Each discovered asset is evaluated for known vulnerabilities, misconfigurations, exposed sensitive data, outdated software, and weak encryption. This is where automated scanning intersects with threat intelligence, correlating discovered exposures against actively exploited vulnerabilities in the wild.</p>



<p class="wp-block-paragraph"><strong>Monitoring</strong> makes the process continuous. New assets, new vulnerabilities, and new threats emerge constantly. A platform like <a href="https://securityscanner.ai?utm_source=digitalintelligence&amp;utm_medium=blog&amp;utm_campaign=asm_article">SecurityScanner.ai</a> runs these checks on an ongoing basis, alerting security teams to changes in their attack surface before adversaries can exploit them.</p>



<p class="wp-block-paragraph"><strong>Dark web intelligence</strong> adds a critical layer that traditional scanning misses entirely. Stolen credentials, leaked databases, and mentions of your organisation on underground forums represent threats that exist outside your network perimeter but directly impact your security posture. Integrating dark web monitoring into the ASM workflow provides early warning of compromised accounts and data breaches.</p>
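The four phases above, as an added Python example that is not code from the article or from SecurityScanner.ai: it diffs two constructed discovery snapshots against a declared host inventory, correlates exposed services with a constructed stand-in for an exploited-in-the-wild feed, and raises alerts for changes and for leaked credentials on the organisation's domain. Every host, address, product, version and feed entry is a constructed placeholder.

```python
"""Minimal continuous attack-surface monitoring loop over constructed data.

Added example; not code from the article or from SecurityScanner.ai.
Every host, IP, product, version, feed entry and credential below is a
constructed placeholder standing in for real discovery and feed output.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One externally reachable service found by enumeration."""
    host: str      # FQDN
    ip: str
    port: int
    product: str   # software behind the port, as fingerprinted
    version: str


# Constructed: the hosts the organisation believes it exposes.
DECLARED_HOSTS = {"www.example-sme.test", "mail.example-sme.test"}

# Constructed: yesterday's discovery snapshot.
SNAPSHOT_T0 = {
    Asset("www.example-sme.test", "203.0.113.10", 443, "webfront", "3.1"),
    Asset("mail.example-sme.test", "203.0.113.20", 443, "mailgate", "1.9"),
}

# Constructed: today's snapshot. A campaign subdomain and a staging box have
# appeared since yesterday; neither was ever declared.
SNAPSHOT_T1 = SNAPSHOT_T0 | {
    Asset("promo2026.example-sme.test", "203.0.113.30", 80, "campaign-cms", "5.2"),
    Asset("staging.example-sme.test", "203.0.113.40", 8080, "build-server", "2.3"),
}

# Constructed stand-in for an "actively exploited" threat feed:
# (product, version) pairs currently being exploited in the wild.
EXPLOITED_FEED = {("mailgate", "1.9"), ("campaign-cms", "5.2")}

# Constructed stand-in for a credential-leak feed: e-mail -> leaked hash.
LEAKED_CREDENTIALS = {"admin@example-sme.test": "<constructed-hash>"}
COMPANY_DOMAIN = "example-sme.test"


def discovery_gap(snapshot: set[Asset], declared: set[str]) -> tuple[set[str], float]:
    """Phase 1 (discovery): hosts found by enumeration that were never declared,
    and the fraction of the real footprint that was unknown."""
    found = {a.host for a in snapshot}
    unknown = found - declared
    return unknown, (len(unknown) / len(found) if found else 0.0)


def assess(snapshot: set[Asset], feed: set[tuple[str, str]]) -> list[Asset]:
    """Phase 2 (assessment): correlate each exposed service with the
    exploited-in-the-wild feed; these go first in the remediation queue."""
    return sorted((a for a in snapshot if (a.product, a.version) in feed),
                  key=lambda a: a.host)


def monitor(previous: set[Asset], current: set[Asset], feed: set[tuple[str, str]],
            leaked: dict[str, str], domain: str) -> list[str]:
    """Phases 3 and 4 (monitoring, dark-web intelligence): alert on what changed
    since the last run and on leaked credentials belonging to the organisation."""
    alerts: list[str] = []
    for a in sorted(current - previous, key=lambda a: (a.host, a.port)):
        severity = "HIGH" if (a.product, a.version) in feed else "INFO"
        alerts.append(f"{severity}: new exposure {a.host}:{a.port} ({a.product} {a.version})")
    for a in sorted(previous - current, key=lambda a: (a.host, a.port)):
        alerts.append(f"INFO: exposure removed {a.host}:{a.port}")
    for email in sorted(leaked):
        if email.endswith("@" + domain):
            alerts.append(f"HIGH: credential for {email} present in leak data")
    return alerts


if __name__ == "__main__":
    unknown, ratio = discovery_gap(SNAPSHOT_T1, DECLARED_HOSTS)
    print(f"undeclared hosts: {sorted(unknown)} ({ratio:.0%} of footprint)")
    for a in assess(SNAPSHOT_T1, EXPLOITED_FEED):
        print(f"exploited in the wild: {a.host} runs {a.product} {a.version}")
    for line in monitor(SNAPSHOT_T0, SNAPSHOT_T1, EXPLOITED_FEED, LEAKED_CREDENTIALS, COMPANY_DOMAIN):
        print(line)
```

In a real deployment the two snapshots come from scheduled enumeration runs and the feeds from a threat-intelligence source; the diff-and-correlate logic stays the same.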



<h2 class="wp-block-heading">The Intelligence Perspective</h2>



<p class="wp-block-paragraph">From an intelligence standpoint, attack surface management is fundamentally an exercise in counter-reconnaissance. You are attempting to see yourself the way an adversary sees you, and to close gaps before they are exploited.</p>



<p class="wp-block-paragraph">This is not theoretical. In my advisory work with law enforcement and government institutions, I have seen repeatedly how even well-resourced organisations are compromised through forgotten assets. A subdomain pointing to a decommissioned server. An exposed admin panel with weak authentication. A cloud storage bucket with public read access. These are not sophisticated attacks. They are failures of visibility.</p>



<p class="wp-block-paragraph">The lesson is clear. Cybersecurity is not primarily a technology problem. It is an intelligence problem. And like all intelligence problems, it begins with knowing your own terrain.</p>



<h2 class="wp-block-heading">Conclusion</h2>



<p class="wp-block-paragraph">The European cybersecurity landscape is at an inflection point. Regulatory pressure is increasing. Attack automation is accelerating. And the gap between enterprise-grade security and SME capability remains dangerously wide.</p>



<p class="wp-block-paragraph">Attack surface management is not a luxury. It is the foundation upon which all other security measures depend. Without continuous visibility into your external exposure, every other investment in cybersecurity is built on incomplete information.</p>



<p class="wp-block-paragraph">For organisations ready to take this step, the tools now exist to make it practical and affordable. The question is no longer whether you can afford to implement continuous attack surface monitoring. It is whether you can afford not to.</p>



]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>AI is the Ultimate Distraction for National Security</title>
		<link>https://www.digitalintelligence.at/ai-is-the-ultimate-distraction-for-national-security/</link>
					<comments>https://www.digitalintelligence.at/ai-is-the-ultimate-distraction-for-national-security/#respond</comments>
		
		<dc:creator><![CDATA[Ozan Akyol]]></dc:creator>
		<pubDate>Wed, 03 Dec 2025 06:19:21 +0000</pubDate>
				<category><![CDATA[Analysis]]></category>
		<category><![CDATA[Europe]]></category>
		<category><![CDATA[Intelligence]]></category>
		<category><![CDATA[Worldwide]]></category>
		<guid isPermaLink="false">https://www.digitalintelligence.at/?p=4392</guid>

					<description><![CDATA[Signal Poisoning: Why AI is the Ultimate Distraction for National SecurityThe Haystack Has Changed We used to say that intelligence work was like looking for a needle in a haystack. It was difficult, sure, but at least we knew that if we found something sharp and metallic, it was probably the needle. Those days are over. Today, AI isn&#8217;t just hiding the needle; it’s dumping thousands of &#8220;fake needles&#8221; into the pile every second. They look real, they shine like metal, and they even feel sharp. But they are decoys. The modern analyst’s nightmare isn&#8217;t a lack of information it’s]]></description>
										<content:encoded><![CDATA[
<h1 class="wp-block-heading">Signal Poisoning: Why AI is the Ultimate Distraction for National Security</h1>

<h2 class="wp-block-heading">The Haystack Has Changed</h2>



<p class="wp-block-paragraph">We used to say that intelligence work was like looking for a needle in a haystack. It was difficult, sure, but at least we knew that if we found something sharp and metallic, it was probably the needle.</p>



<p class="wp-block-paragraph">Those days are over.</p>



<p class="wp-block-paragraph">Today, AI isn&#8217;t just hiding the needle; it’s dumping thousands of &#8220;fake needles&#8221; into the pile every second. They look real, they shine like metal, and they even feel sharp. But they are decoys. The modern analyst’s nightmare isn&#8217;t a lack of information; it’s information overload on an industrial scale. We aren&#8217;t just looking for the truth anymore; we are trying to survive a flood of convincing lies.</p>



<h2 class="wp-block-heading">The Weapon of Exhaustion</h2>



<p class="wp-block-paragraph">We often think of cyber warfare as hackers breaking down firewalls or stealing secrets. But the new threat is subtler and perhaps more dangerous. It’s what we call a &#8220;Bureaucratic DDoS.&#8221;</p>



<p class="wp-block-paragraph">Think of it as a weapon of exhaustion. Adversaries are using generative AI to create a &#8220;Cognitive Flood&#8221;: millions of synthetic reports, deepfake videos, and bot-managed panic. The goal isn&#8217;t to destroy our data; it’s to force us to waste our limited resources verifying it. It’s a &#8220;deceleration weapon&#8221; designed to clog the gears of intelligence agencies with perfectly formatted junk.</p>



<h2 class="wp-block-heading">Chasing Ghosts in the Gray Zone</h2>



<p class="wp-block-paragraph">This isn&#8217;t just a digital problem; it has physical consequences. We are seeing the rise of &#8220;Physical DDoS&#8221; attacks.</p>



<p class="wp-block-paragraph">Imagine a crisis scenario: An AI bot farm floods emergency channels with reports of a massive fire or an armed conflict in a specific neighborhood. The reports look genuine. Photos generated by AI start circulating. Police and first responders rush to the scene, sirens wailing. But when they arrive, the streets are empty.</p>



<p class="wp-block-paragraph">While our security forces are busy chasing these digital ghosts, the real threat actors are operating unchecked elsewhere. This is the Gray Zone, where digital deception translates into real-world blindness.</p>



<h2 class="wp-block-heading">The Cost of Verification</h2>



<p class="wp-block-paragraph">In this noise, the &#8220;Weak Signals&#8221;, the subtle, quiet indicators of a real terrorist plot or a foreign intelligence operation, are completely drowned out.</p>



<p class="wp-block-paragraph">There is a concept called &#8220;Open Source Intoxication.&#8221; It means we are getting drunk on bad data. Every hour an analyst spends analyzing a high-quality deepfake is an hour stolen from investigating a real threat. The &#8220;Verification Tax&#8221; we are paying is becoming too high to sustain.</p>



<h2 class="wp-block-heading">Fighting Fire with Fire</h2>



<p class="wp-block-paragraph">So, how do we fix this? We have to admit that the human eye is no longer enough. We can’t &#8220;eyeball&#8221; our way out of this.</p>



<p class="wp-block-paragraph">We need a &#8220;Zero Trust&#8221; approach to open source data. Unless a piece of information from the web (OSINT) can be cross-referenced with human assets (HUMINT) or technical signals, it should be treated as noise.</p>



<p class="wp-block-paragraph">More importantly, we need to adopt an &#8220;AI vs. AI&#8221; doctrine. If the attack comes at machine speed, the defense cannot move at human speed. We need our own algorithms to filter the noise, spot the synthetic patterns, and clear the haystack, so human analysts can get back to doing what they do best: finding the real needle.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.digitalintelligence.at/ai-is-the-ultimate-distraction-for-national-security/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Notes from a Cyber Intelligence Insider: How Digital Disinformation Really Works</title>
		<link>https://www.digitalintelligence.at/notes-from-a-cyber-intelligence-insider-how-digital-disinformation-really-works/</link>
		
		<dc:creator><![CDATA[Ozan Akyol]]></dc:creator>
		<pubDate>Sat, 22 Nov 2025 12:41:03 +0000</pubDate>
				<category><![CDATA[Analysis]]></category>
		<category><![CDATA[Europe]]></category>
		<category><![CDATA[Intelligence]]></category>
		<category><![CDATA[Worldwide]]></category>
		<guid isPermaLink="false">https://www.digitalintelligence.at/?p=4105</guid>

					<description><![CDATA[The Greatest Danger is Hacked Perceptions

For years, I have monitored cyber threats for governments and international institutions. From securing diplomatic missions across 12 countries for the German Federal Foreign Office (Auswärtiges Amt) to tracking the digital footprints of terror financing for the Ministry of Interior in Türkiye, I have always encountered the same reality: The greatest danger I witnessed was not hacked devices, leaked databases, or cracked passwords. The greatest danger was hacked perceptions.

Today, when we say “Cyber Security,” we still picture hooded hackers and scrolling green code. But as a cyber intelligence professional who has operated in the field, I can tell you this: To collapse a state or an institution, you no longer need to attack their servers. You only need to target their reputation and the trust that holds their society together. From border security to election manipulation, I have operated wherever data is weaponized. And with this experience, I can tell you: Digital Disinformation is the nuclear weapon of the 21st century.


]]></description>
										<content:encoded><![CDATA[



<h1 class="wp-block-heading">The Greatest Danger is Hacked Perceptions</h1>



<p class="wp-block-paragraph">For years, I have monitored cyber threats for governments and international institutions. From securing diplomatic missions across 12 countries for the German Federal Foreign Office (Auswärtiges Amt) to tracking the digital footprints of terror financing for the Ministry of Interior in Türkiye, I have always encountered the same reality: The greatest danger I witnessed was not hacked devices, leaked databases, or cracked passwords. <strong>The greatest danger was hacked perceptions.</strong></p>



<p class="wp-block-paragraph">Today, when we say “Cyber Security,” we still picture hooded hackers and scrolling green code. But as a cyber intelligence professional who has operated in the field, I can tell you this: To collapse a state or an institution, you no longer need to attack their servers. You only need to target their reputation and the trust that holds their society together. From border security to election manipulation, I have operated wherever data is weaponized. And with this experience, I can tell you: <strong>Digital Disinformation is the nuclear weapon of the 21st century.</strong></p>



<h1 class="wp-block-heading">We Are in an Invisible War</h1>



<h2 class="wp-block-heading">Understanding Digital Disinformation</h2>



<p class="wp-block-paragraph">Wars used to be fought along physical borders. Now, they are fought on the screen of your smartphone, inside that “innocent” tweet you read with your morning coffee. I have personally analyzed how bot networks are coordinated during election periods, how terror organizations manipulate algorithms to spread propaganda, and how “Deepfake” content is designed to disrupt financial markets.</p>



<h1 class="wp-block-heading">1. Who Pushes the Button? (The Geopolitics of Likes)</h1>



<p class="wp-block-paragraph">The biggest misconception is that disinformation is chaotic. It is not. It is a calculated investment with a specific ROI (Return on Investment). The &#8220;button&#8221; is almost always pushed by states and state-sponsored groups. But the motivation isn’t just to cause trouble; it is strictly transactional. In my experience, I have seen that foreign powers invest heavily in influencing elections based on their future interests.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p class="wp-block-paragraph"><strong>The Actors and Ethical Complexity:</strong></p>



<p class="wp-block-paragraph"><strong>Two or three major companies, primarily based in Israel and India, operate at the center of this industry, focusing on election interference and disinformation prevention. I can attest that the products performing the best in this field are often of Israeli origin. Importantly, the necessity of producing counter-information to prevent disinformation inherently gives these software capabilities the potential for intentional or unintentional disinformation. This demonstrates the complex dual-use ethical framework of the industry.</strong></p>
</blockquote>



<h1 class="wp-block-heading">2. The Death of the &#8220;Egg Account&#8221; (The Incubation Era)</h1>



<p class="wp-block-paragraph">If you are still trying to spot a bot by looking at its creation date or lack of a profile picture, you are fighting a modern war with a stone axe. Those days are over. Today, millions of accounts are created daily across the globe, but they don’t tweet immediately. They are put into <strong>“Incubation”</strong>. These sleeper accounts are kept dormant for months or years. When the time comes, they are sold to the highest bidder. Because they have a history, they bypass traditional security filters. The only reliable detection method left is analyzing the <strong>Synthetic Text Ratio</strong>. We are no longer looking for a “fake photo”; we are looking for the linguistic fingerprint of an LLM (Large Language Model) in their posts.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p class="wp-block-paragraph"><strong>Field Evidence: Instant Data Correlation:</strong></p>



<p class="wp-block-paragraph"><strong>To quantify the access speed of these tools, we conducted a test: We created a new social media account using a freshly acquired, unlisted phone number (a &#8216;zero&#8217; line from the state) and defined political views/interests. We searched this number in an undisclosed disinformation tool on the same day. The result was instantaneous: the tool successfully returned the profile. This demonstrates an incredible data ingestion speed, suggesting zero-latency correlation or direct data access, proving that high-value information is immediately accessible.</strong></p>



<p class="wp-block-paragraph"><strong>Operational Depth: Data Enrichment and Sociological Targeting:</strong></p>



<p class="wp-block-paragraph"><strong>Open-market social media analysis tools are useless in elections for this reason. Effective disinformation requires data enrichment. These software capabilities must be fed by external data sources, such as previously compromised Turkish Republic personal information databases. By adding layers like the user&#8217;s phone number, address, age, and gender, highly potent disinformation applications can be created. This process allows for the acquisition of the target audience&#8217;s sociological profile; for example, if the area of residence is economically depressed, disinformation focused on financial matters is the most effective tactic.</strong></p>
</blockquote>



<h1 class="wp-block-heading">3. The Timeline of a Lie: Simultaneous Saturation</h1>



<p class="wp-block-paragraph">How does a lie wash over a nation in minutes? The process I have observed in the field is a masterclass in coordination. It is not a ripple; it is a tsunami. The attack happens simultaneously across three layers:</p>



<ul class="wp-block-list">
<li><strong>The Swarm:</strong> Thousands of small, incubated accounts initiate the spark.</li>



<li><strong>The Merchants:</strong> “Blue Check” verified accounts, which have been bought and repurposed, validate the lie to trick the algorithms.</li>



<li><strong>The Amplifiers:</strong> If necessary, mainstream media channels are engaged through paid advertisements or compromised journalists.</li>
</ul>



<p class="wp-block-paragraph">The key here is location diversity. The attack is launched from different geographical locations at the exact same second to trick the platform’s “organic trend” algorithms.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p class="wp-block-paragraph"><strong>The Mechanism of Validation:</strong></p>



<ul class="wp-block-list">
<li><strong>Seeding:</strong> The lie is planted in “news sites” that appear reliable but are actually front operations.</li>



<li><strong>The Echo Chamber:</strong> Bot networks and “useful idiots” (an intelligence term for those who unwittingly spread propaganda) are activated.</li>



<li><strong>Legitimation:</strong> The topic becomes a Trend Topic (TT), and mainstream media validates the lie with headlines like “Claims circulating on social media…”</li>
</ul>
</blockquote>



<h1 class="wp-block-heading">4. The Future: We Need “Police AI”</h1>



<p class="wp-block-paragraph">The sheer volume of AI-generated disinformation has surpassed human capacity to moderate. We cannot fight machines with humans anymore. The future of digital security relies on <strong>“Police AIs.”</strong> We need advanced AI systems designed solely to audit the outputs of other LLMs. These systems must verify information with 100% accuracy against trusted data ledgers.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p class="wp-block-paragraph"><strong>Establishing AI Provenance:</strong></p>



<p class="wp-block-paragraph">Given the proliferation of AI models in the market, <strong>it is paramount to establish the origin of any AI-generated content (text, image, etc.).</strong> <strong>For this to be operational, every AI model must be mandated to possess a unique, invisible metadata &#8216;fingerprint&#8217; or identifier.</strong> <strong>While some large AI providers are already implementing such systems, all new AI models entering the public market must be obligated to report this unique identifier to public institutions and regulatory bodies.</strong> <strong>This standardization is necessary to ensure analysis and attribution can be performed swiftly and accurately by intelligence organizations.</strong></p>
</blockquote>



<p class="wp-block-paragraph">In 2025 and beyond, the only thing that can stop a rogue AI manipulating a population is a stronger, ethically coded AI policing the digital borders.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h1 class="wp-block-heading">INTELLIGENCE REPORT</h1>



<figure class="wp-block-image size-large"><img fetchpriority="high" decoding="async" width="1024" height="683" src="https://www.digitalintelligence.at/wp-content/uploads/2025/11/YBBt9pcOQXSXeGE5NSHXOg-1024x683.jpeg" alt="" class="wp-image-4246" srcset="https://www.digitalintelligence.at/wp-content/uploads/2025/11/YBBt9pcOQXSXeGE5NSHXOg-1024x683.jpeg 1024w, https://www.digitalintelligence.at/wp-content/uploads/2025/11/YBBt9pcOQXSXeGE5NSHXOg-300x200.jpeg 300w, https://www.digitalintelligence.at/wp-content/uploads/2025/11/YBBt9pcOQXSXeGE5NSHXOg-768x512.jpeg 768w, https://www.digitalintelligence.at/wp-content/uploads/2025/11/YBBt9pcOQXSXeGE5NSHXOg-60x40.jpeg 60w, https://www.digitalintelligence.at/wp-content/uploads/2025/11/YBBt9pcOQXSXeGE5NSHXOg-720x480.jpeg 720w, https://www.digitalintelligence.at/wp-content/uploads/2025/11/YBBt9pcOQXSXeGE5NSHXOg.jpeg 1248w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<h1 class="wp-block-heading">TECHNICAL ANATOMY OF MODERN DISINFORMATION</h1>



<h1 class="wp-block-heading">Infrastructure, Data Enrichment, and Attribution Protocols (2025)</h1>



<p class="wp-block-paragraph"><strong>Classification:</strong> PUBLIC (Redacted for General Release)<br><strong>Author:</strong> Ozan Akyol | Digital Intelligence<br><strong>Sector:</strong> Cyber Warfare &amp; Strategic Intelligence<br><strong>Date:</strong> November 2025</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h1 class="wp-block-heading">EXECUTIVE SUMMARY</h1>



<p class="wp-block-paragraph">Unlike traditional cyberattacks that prioritize stealth and anonymity, modern disinformation operations prioritize <strong>&#8220;Localization&#8221;</strong> and <strong>&#8220;Persistence.&#8221;</strong> This report outlines the technical architecture of state-sponsored and private-sector influence campaigns observed in the field.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h1 class="wp-block-heading">1. INFRASTRUCTURE &amp; NETWORK ARCHITECTURE</h1>



<p class="wp-block-paragraph">The primary objective of the network layer is not to hide the traffic, but to make it appear indistinguishable from organic local activity.</p>



<ul class="wp-block-list">
<li><strong>4G/5G SIM Farms (The Localization Layer):</strong> Botnets no longer rely solely on datacenter IPs, which are easily flagged. Instead, operators utilize industrial-scale <strong>4G/5G SIM Farms</strong>.
<ul class="wp-block-list">
<li><em>Operational Logic:</em> The goal is to ensure traffic originates from a legitimate mobile carrier (e.g., a specific cell tower in Berlin or Istanbul). This bypasses &#8220;Datacenter IP&#8221; filters and mimics genuine user behavior.</li>
</ul>
</li>



<li><strong>Weaponized IoT Devices:</strong> Compromised IoT devices (smart cameras, home routers) are utilized to achieve <strong>&#8220;Geo-Distribution.&#8221;</strong> By routing traffic through residential devices, the operation signals to platform algorithms that a topic is being discussed organically across the entire country, rather than a single server farm.</li>



<li><strong>Bulletproof Hosting Strategy:</strong> For the &#8220;Seeding&#8221; phase (hosting fake news sites), operators prefer <strong>Bulletproof Hosting</strong> providers located in jurisdictions with high resistance to international takedown requests, specifically the <strong>USA, China, and Myanmar</strong>. The priority here is physical control and resilience against legal intervention.</li>
</ul>



<h1 class="wp-block-heading">2. C2 ARCHITECTURE &amp; SOFTWARE STACK</h1>



<p class="wp-block-paragraph">The Command and Control (C2) infrastructure is designed for <strong>Portability</strong> and <strong>Speed</strong>, not aesthetics.</p>



<ul class="wp-block-list">
<li><strong>Tech Stack:</strong> 80% of observed operations utilize a <strong>Python-based</strong> architecture. <strong>Django</strong> is the standard for User Interface (UI) development.
<ul class="wp-block-list">
<li><em>Why Python?</em> It allows for rapid prototyping (Hot-fixes), extensive library support for data manipulation, and easy <strong>Dockerization</strong>. If a server is burned, the entire C2 infrastructure can be migrated to a new jurisdiction in minutes.</li>
</ul>
</li>



<li><strong>Minimalist Design:</strong> These tools do not have polished UIs. They feature raw dashboards focused on inputting targets and monitoring volume/sentiment.</li>
</ul>



<h1 class="wp-block-heading">3. DATA ENRICHMENT &amp; TARGETING (The Kill Chain)</h1>



<p class="wp-block-paragraph">The most lethal aspect of modern disinformation is the fusion of social media data with leaked state databases.</p>



<ul class="wp-block-list">
<li><strong>Database Management:</strong> Operators use SQL-based structures (PostgreSQL/MySQL) to handle massive datasets. Python libraries (Pandas/SQLAlchemy) are employed to ingest &#8220;Dump Data&#8221; (leaked ID numbers, addresses, GSM numbers) and convert them into operational targeting lists.</li>



<li><strong>The Confidence Algorithm:</strong> Systems use a <strong>&#8220;Confidence Score&#8221;</strong> to match a social media profile with a real-world identity:
<ul class="wp-block-list">
<li><em>Match (Name + Surname + Phone):</em> <strong>70% Confidence</strong></li>



<li><em>Match (Name + Surname + Phone + Address):</em> <strong>90% Confidence</strong></li>



<li><em>Tactical Application:</em> This score dictates the attack vector. High-confidence targets in economically depressed areas are targeted with financial disinformation; others may be targeted with political or social polarization content.</li>
</ul>
</li>
</ul>



<h1 class="wp-block-heading">4. DETECTION &amp; FORENSICS</h1>



<p class="wp-block-paragraph">Identifying these networks requires moving beyond simple content analysis to behavioral and visual forensics.</p>



<ul class="wp-block-list">
<li><strong>Temporal Analysis:</strong> We analyze the timestamps of activity.
<ul class="wp-block-list">
<li><em>Indicator:</em> Does the account tweet every day at exactly 13:30? Is there a human-like randomization (jitter) in the intervals, or is it perfectly linear?</li>
</ul>
</li>



<li><strong>Visual Forensics (GAN Detection):</strong> Profile pictures are scanned for artifacts typical of <em>ThisPersonDoesNotExist</em> (GAN-generated) faces, such as asymmetric pupils, background distortion, or ear irregularities.</li>



<li><strong>Network Visualization (Maltego):</strong> While public institutions often use proprietary reporting tools, <strong>Maltego</strong> remains the industry standard for deep analysis. It is used to map the relationship clusters—visualizing who follows whom, who retweets whom, and funding sources.</li>
</ul>
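<p class="wp-block-paragraph">The temporal-analysis indicator above (a fixed daily slot, no human jitter between posts) can be turned into a score. The following is an added example, not the report's own tooling; the thresholds are assumptions and the timestamps are constructed sample data.</p>

```python
"""Temporal-jitter scoring for suspected coordinated accounts.

Added example for the report's temporal-analysis indicator; it is not the author's
tooling.  Two signals are scored per account: how uniform the gaps between posts are
(coefficient of variation) and how many posts land in a single HH:MM slot.
Thresholds are assumptions; the timestamps are constructed sample data.
"""
from datetime import datetime
from statistics import mean, pstdev

# Constructed: an account that posts at 13:30 every day with second-level drift only.
SCHEDULED = [
    f"2025-11-{day:02d}T13:30:0{sec}Z"
    for day, sec in zip(range(1, 11), [0, 1, 0, 2, 1, 0, 0, 1, 0, 2])
]
# Constructed: a human-like account with irregular gaps and no fixed slot.
HUMAN = [
    "2025-11-01T08:12:44Z", "2025-11-01T19:03:10Z", "2025-11-02T12:40:05Z",
    "2025-11-04T07:55:31Z", "2025-11-04T22:14:58Z", "2025-11-05T13:29:02Z",
    "2025-11-07T09:01:17Z", "2025-11-08T18:47:39Z", "2025-11-09T11:20:00Z",
    "2025-11-10T16:05:23Z",
]

def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def interval_cv(timestamps):
    """Coefficient of variation of the gaps between consecutive posts.
    Near zero means the gaps are practically identical: a scheduler, not a person."""
    times = sorted(parse(t) for t in timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg else None

def slot_concentration(timestamps) -> float:
    """Share of posts that fall in the single most common HH:MM slot."""
    counts = {}
    for t in timestamps:
        slot = parse(t).strftime("%H:%M")
        counts[slot] = counts.get(slot, 0) + 1
    return max(counts.values()) / len(timestamps)

def score_account(timestamps, cv_threshold=0.05, slot_threshold=0.8) -> dict:
    """Return both metrics plus the indicator flags they trip (assumed thresholds)."""
    cv = interval_cv(timestamps)
    conc = slot_concentration(timestamps)
    flags = []
    if cv is not None and cv < cv_threshold:
        flags.append("uniform-intervals")
    if conc >= slot_threshold:
        flags.append("fixed-daily-slot")
    return {"interval_cv": cv, "slot_concentration": conc, "flags": flags}

if __name__ == "__main__":
    for name, posts in (("scheduled", SCHEDULED), ("human", HUMAN)):
        print(name, score_account(posts))
```

<p class="wp-block-paragraph">A single scheduled account is a weak signal on its own (plenty of legitimate accounts use schedulers); the value comes from scoring many accounts and looking for clusters that share the same slot and the same near-zero jitter.</p>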



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p class="wp-block-paragraph"><strong>Figure 1.1:</strong> <em>Visualization of a coordinated botnet cluster targeting specific keywords. Node relationships indicate simultaneous Retweet/Quote actions, revealing the inorganic structure of the network. (Generated via Maltego).</em></p>
</blockquote>



<h1 class="wp-block-heading">5. ATTRIBUTION (Following the Trail)</h1>



<p class="wp-block-paragraph">In the cyber domain, IP addresses can lie, but money cannot.</p>



<ul class="wp-block-list">
<li><strong>&#8220;Follow The Money&#8221;:</strong> Disinformation is expensive. It requires servers, thousands of SIM cards, software development, and ads.</li>



<li><strong>Attribution Methodology:</strong> Technical artifacts (e.g., comments in Russian or Chinese in the code) are often <strong>False Flags</strong> left intentionally to mislead. The most reliable attribution method is <strong>Cui Bono</strong> (Who Benefits?). Following the financial trail of server payments and ad spend, much as in terror-financing investigations, often leads to the true perpetrator.</li>
</ul>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p class="wp-block-paragraph"><strong>End of Report</strong><br><em>Access restricted to Operational and Strategic tier members.</em></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Milipol Paris 2025 Analysis</title>
		<link>https://www.digitalintelligence.at/milipol-paris-2025-analysis/</link>
		
		<dc:creator><![CDATA[Ozan Akyol]]></dc:creator>
		<pubDate>Wed, 19 Nov 2025 10:59:16 +0000</pubDate>
				<category><![CDATA[Analysis]]></category>
		<category><![CDATA[Europe]]></category>
		<category><![CDATA[Worldwide]]></category>
		<category><![CDATA[counter-terrorism]]></category>
		<category><![CDATA[defence technology]]></category>
		<category><![CDATA[homeland security]]></category>
		<category><![CDATA[Milipol 2025]]></category>
		<category><![CDATA[security industry]]></category>
		<guid isPermaLink="false">https://www.digitalintelligence.at/?p=4100</guid>

					<description><![CDATA[Field Notes from Milipol Paris 2025: A Smaller Exhibition, Lower Expectations, and a Noticeable Lack of Innovation Milipol Paris 2025 presented a markedly different atmosphere compared to previous years. The exhibition area was significantly smaller, and the overall pace of the event reflected this downsizing. Walking through the halls at a steady speed, it became clear that the entire fair could be completed in roughly 2.5 to 3 hours, leaving many visitors with the impression that this year&#8217;s edition offered considerably less material, fewer innovations, and a more muted energy. A Noticeable Downsizing: Compact Layout, Limited Movement The most immediate]]></description>
										<content:encoded><![CDATA[
<h1 class="wp-block-heading"><strong>Field Notes from Milipol Paris 2025: A Smaller Exhibition, Lower Expectations, and a Noticeable Lack of Innovation</strong></h1>



<p class="wp-block-paragraph">Milipol Paris 2025 presented a markedly different atmosphere compared to previous years. The exhibition area was significantly smaller, and the overall pace of the event reflected this downsizing. Walking through the halls at a steady speed, it became clear that the entire fair could be completed in roughly <strong>2.5 to 3 hours</strong>, leaving many visitors with the impression that this year&#8217;s edition offered considerably less material, fewer innovations, and a more muted energy.</p>



<h1 class="wp-block-heading"><strong>A Noticeable Downsizing: Compact Layout, Limited Movement</strong></h1>



<p class="wp-block-paragraph">The most immediate observation was the <strong>reduced physical scale</strong> of the event. Booths were positioned more closely than in past years, and despite the presence of large names, the density of exhibitors felt objectively lower. This compressed setup resulted in a faster circulation flow, but it also contributed to a sense that Milipol 2025 lacked the depth, diversity, and exploratory appeal that previously defined the fair.</p>



<h1 class="wp-block-heading"><strong>Country-Based Clustering: An Arrangement That Created Distance Instead of Engagement</strong></h1>



<p class="wp-block-paragraph">One of the structural choices that shaped the atmosphere this year was the decision to cluster companies <strong>strictly by country</strong>. While the intention was likely to create national showcases, in practice it led to a somewhat <strong>fragmented and less inviting environment</strong>. Instead of fostering cross-sectional interaction among companies, the country pavilions unintentionally created psychological boundaries between groups.</p>



<p class="wp-block-paragraph">Many exhibitors noted that this arrangement gave the fair a rigid, compartmentalized feel, reducing spontaneous engagement and limiting the natural flow of visitors across sectors.</p>



<h1 class="wp-block-heading"><strong>A Clear Sign of Cost-Cutting: The Decline of Traditional Giveaways</strong></h1>



<p class="wp-block-paragraph">In earlier years, Milipol was known for its abundance of branded military caps, tactical accessories, patches, and various promotional items. This year, however, the overwhelming majority of booths offered <strong>nothing beyond a simple pen</strong>.<br>This shift is not trivial; it reflects a broader trend across the industry:</p>



<ul class="wp-block-list">
<li>Firms are <strong>reducing marketing expenditures</strong>,</li>



<li>Trade show ROI is being questioned more openly,</li>



<li>Promotional spending is no longer seen as essential for visibility.</li>
</ul>



<p class="wp-block-paragraph">The minimalistic approach to giveaways mirrors the general tone of the event: <strong>lean budgets, cautious strategies, and a wait-and-see posture across the sector.</strong></p>



<h1 class="wp-block-heading"><strong>Innovation Gap: Few (If Any) New Products on Display</strong></h1>



<p class="wp-block-paragraph">Perhaps the most striking aspect of Milipol 2025 was the <strong>absence of genuine novelty</strong>. Across both hardware and software domains, companies showcased products that were largely familiar iterations or re-presentations of existing solutions rather than newly launched concepts.</p>



<p class="wp-block-paragraph">Notably:</p>



<ul class="wp-block-list">
<li>No groundbreaking surveillance systems,</li>



<li>No next-generation counter-drone innovations,</li>



<li>No major OSINT/SOCINT software advancements,</li>



<li>No significant new tactical hardware platforms.</li>
</ul>



<p class="wp-block-paragraph">The fair felt more like a continuation of previous editions rather than a forward-looking showcase. Many exhibitors appeared to be present only to “maintain visibility,” not to demonstrate new technology.</p>



<h1 class="wp-block-heading"><strong>Conversation with Exhibitors: “We’re Here Out of Obligation, Not Expectation”</strong></h1>



<p class="wp-block-paragraph">During discussions with <strong>three to four companies</strong>, a recurring theme emerged: <strong>minimal expectations</strong>.<br>Multiple representatives openly admitted:</p>



<ul class="wp-block-list">
<li>“We’re not expecting much from this year’s Milipol.”</li>



<li>“We came out of obligation rather than opportunity.”</li>



<li>“Budgets are tight; this is more about presence than results.”</li>
</ul>



<p class="wp-block-paragraph">This sentiment was surprisingly consistent and highlights an important shift in the security and defence exhibition ecosystem. The industry appears to be navigating a transitional phase marked by budget constraints, uncertain market directions, and a reduction in high-impact product launches.</p>



<h1 class="wp-block-heading"><strong>Overall Impression: A Transitional Year for the Security Industry</strong></h1>



<p class="wp-block-paragraph">Milipol Paris 2025 can best be described as a <strong>quiet, transitional year</strong>. While the fair still gathered key players from across the defence, intelligence, and security sectors, the overall energy was restrained. With smaller booths, limited product innovation, cost-cutting signals, and lower expectations among exhibitors, the event reflected broader conditions in the European security landscape, marked by strategic caution and reduced investment appetite.</p>



<p class="wp-block-paragraph">Whether this signals a temporary slowdown or a longer-term recalibration remains to be seen. What is certain, however, is that Milipol Paris 2025 provided a clear snapshot of an industry taking measured steps rather than bold leaps.</p>



]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Encryption Vulnerability in Satellite Communications: An Open Door for Cyber Espionage</title>
		<link>https://www.digitalintelligence.at/encryption-vulnerability-in-satellite-communications-an-open-door-for-cyber-espionage/</link>
		
		<dc:creator><![CDATA[Ozan Akyol]]></dc:creator>
		<pubDate>Thu, 13 Nov 2025 19:42:24 +0000</pubDate>
				<category><![CDATA[Europe]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[critical infrastructure]]></category>
		<category><![CDATA[cyber espionage]]></category>
		<category><![CDATA[encryption vulnerability]]></category>
		<category><![CDATA[GEO satellites]]></category>
		<category><![CDATA[satellite communications]]></category>
		<category><![CDATA[SIGINT]]></category>
		<category><![CDATA[threat intelligence]]></category>
		<guid isPermaLink="false">https://www.digitalintelligence.at/?p=3932</guid>

					<description><![CDATA[A newly published academic study reveals that nearly half of all communication satellites in geostationary orbit transmit civilian and military data without any encryption. This finding highlights a critical weakness not only in communication technologies but also in the context of modern cyber-intelligence operations. With the rapid evolution of SDR (Software Defined Radio) technologies, these unencrypted signals can now be intercepted and decoded with low-cost receiver hardware. Technical Findings and Observations The analysis was conducted by collecting signals across the C-band and Ku-band frequency ranges used by 39 geostationary satellites. Researchers developed entropy-based classification algorithms to identify carriers transmitting unencrypted]]></description>
										<content:encoded><![CDATA[



<p class="wp-block-paragraph">A newly published academic study reveals that nearly half of all communication satellites in geostationary orbit transmit civilian and military data <em>without any encryption</em>. This finding highlights a critical weakness not only in communication technologies but also in the context of modern cyber-intelligence operations. With the rapid evolution of SDR (Software Defined Radio) technologies, these unencrypted signals can now be intercepted and decoded with low-cost receiver hardware.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h1 class="wp-block-heading"><strong>Technical Findings and Observations</strong></h1>



<p class="wp-block-paragraph">The analysis was conducted by collecting signals across the C-band and Ku-band frequency ranges used by 39 geostationary satellites. Researchers developed entropy-based classification algorithms to identify carriers transmitting unencrypted data. Carriers with lower spectral density typically contained VoIP sessions, SIP signaling, DNS traffic, and text-based command packets.</p>
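<p class="wp-block-paragraph">The entropy measurement the study used to classify carriers is also the simplest way for a link operator to audit their own downlink: a payload that does not look uniformly random is not encrypted, whatever the terminal configuration claims. The following is an added example, not the study's classifier; the thresholds are assumptions and both payloads are constructed.</p>

```python
"""Entropy-based payload audit for a satellite link.

Added example, not the study's own classifier.  Shannon entropy in bits per byte
separates plaintext protocol traffic (low, mostly printable) from encrypted or
compressed payloads (close to 8.0).  Thresholds are assumptions; both sample
payloads are constructed, the "ciphertext" being a deterministic SHA-256 chain so
the example runs offline without a real key or capture.
"""
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    """Share of bytes in printable ASCII plus TAB/LF/CR."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)

def classify(data: bytes, high=7.5, low=6.0, min_len=64) -> str:
    """'encrypted-or-compressed' at or above `high` bits/byte, 'plaintext' at or
    below `low` or when the payload is overwhelmingly printable, 'indeterminate'
    otherwise (too short a sample, framing, or mixed payloads)."""
    if len(data) < min_len:
        return "indeterminate"
    h = shannon_entropy(data)
    if h >= high:
        return "encrypted-or-compressed"
    if h <= low or printable_ratio(data) > 0.9:
        return "plaintext"
    return "indeterminate"

# Constructed sample 1: SIP signalling of the kind the study recovered in clear.
SIP_INVITE = (
    b"INVITE sip:+4366412345678@example.invalid SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776\r\n"
    b"From: <sip:+4366498765432@example.invalid>;tag=1928301774\r\n"
    b"To: <sip:+4366412345678@example.invalid>\r\n"
    b"Call-ID: a84b4c76e66710@10.0.0.5\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Content-Type: application/sdp\r\n\r\n"
)

def pseudo_ciphertext(n: int) -> bytes:
    """Constructed stand-in for an encrypted payload: chained SHA-256 digests."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(b"sample" + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])

CIPHERTEXT = pseudo_ciphertext(4096)

if __name__ == "__main__":
    for name, payload in (("sip", SIP_INVITE), ("cipher", CIPHERTEXT)):
        print(f"{name:6s} H={shannon_entropy(payload):.2f} bits/byte -> {classify(payload)}")
```

<p class="wp-block-paragraph">Compressed streams such as MPEG-TS video also score near 8.0, so a high-entropy verdict alone does not prove encryption; a low-entropy verdict on a link that is supposed to be encrypted, however, is a configuration failure to act on.</p>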



<p class="wp-block-paragraph">For data processing, open-source satellite telemetry solutions such as the OpenSatelliteProject were used. After demodulating QPSK and 8PSK signals at the physical layer, MPEG-TS streams or raw IP packets were extracted for higher-layer protocol analysis. The investigation successfully recovered the following categories of content:</p>



<ul class="wp-block-list">
<li><strong>Mobile carrier traffic:</strong> SMS message text, SIP session details (INVITE, 200 OK, BYE), IMSI/IMEI associations.</li>



<li><strong>In-flight internet protocols:</strong> DHCP, DNS, HTTP GET/POST requests, captive portal logs.</li>



<li><strong>Corporate internal network data:</strong> VLAN-tagged broadcast packets, WINS queries, LDAP and SMB traffic.</li>



<li><strong>Military/police communication:</strong> Plaintext coordinates and operational messages transmitted through internal IP-trunked radio systems.</li>



<li><strong>SCADA and energy control systems:</strong> DNP3, Modbus-TCP and SNMP traffic exposing status variables and command-response sequences.</li>
</ul>



<p class="wp-block-paragraph">Much of this data contains sensitive personal, corporate, and state-level information, making it highly exploitable.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h1 class="wp-block-heading"><strong>Structural Causes Behind the Vulnerability</strong></h1>



<p class="wp-block-paragraph">The question of why such critical data is transmitted without encryption is rooted in legacy design assumptions and system architecture choices. Most satellite service providers delegate encryption to customers at the application layer. In other cases, constraints such as limited processing capabilities and latency concerns have resulted in the omission of real-time link-layer encryption.</p>



<p class="wp-block-paragraph">Even when encryption is technically supported, it is often disabled due to configuration mistakes, cost-driven decisions, or operational convenience. Older terminals—such as early-2000s VSAT modems—frequently lack cryptographic support altogether, or the feature was never deployed. This leads to large-scale broadcast transmission of plaintext signals across the footprint.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h1 class="wp-block-heading"><strong>Intelligence and Security Impact</strong></h1>



<p class="wp-block-paragraph">This is not merely a data security flaw; it creates a strategic surveillance advantage. State-sponsored threat actors can passively monitor these signals in real time, gaining insights such as:</p>



<ul class="wp-block-list">
<li>Passive tracking of operational military movements</li>



<li>Mapping weaknesses in critical infrastructure (e.g., SCADA failure and load data)</li>



<li>Observing financial institution communication patterns</li>



<li>Correlating mobile network user behavior</li>



<li>Analyzing pre-VPN corporate traffic to identify attack vectors</li>
</ul>



<p class="wp-block-paragraph">Such information is valuable not only for technical exploitation but also for diplomatic, political, military, and economic intelligence.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h1 class="wp-block-heading"><strong>Cyber-Intelligence Perspective</strong></h1>



<p class="wp-block-paragraph">The assumption that “no one is listening” to satellite downlinks is no longer valid. Sky-borne data traffic is vulnerable to actors ranging from low-profile intruders to advanced persistent threats (APTs). Encryption is no longer optional—it is the <em>minimum security baseline</em>. In modern threat environments, securing both the network and the broadcast frequency layer is essential. For critical infrastructure, defense systems, and financial services, satellite communication should be treated like an open Wi-Fi network: if it is unencrypted, it is being monitored.</p>



<p class="wp-block-paragraph">Institutional security strategies must assume that satellite-transmitted data is insecure by default and adopt a <em>multi-layer encryption model</em> from the physical layer upward.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h1 class="wp-block-heading"><strong>Conclusion</strong></h1>



<p class="wp-block-paragraph">This vulnerability in satellite communication is not simply a technical problem; it is the result of a neglected security culture. In the coming years, more governments and private organizations will inevitably have to prioritize this issue—updating existing systems, securing transmission layers, and adopting a “security-by-default” approach in new communication infrastructures.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Securing Europe’s Energy Grid Against Hybrid Cyber Operations: A Technical Intelligence Assessment</title>
		<link>https://www.digitalintelligence.at/securing-europes-energy-grid-against-hybrid-cyber-operations-a-technical-intelligence-assessment/</link>
		
		<dc:creator><![CDATA[Ozan Akyol]]></dc:creator>
		<pubDate>Tue, 11 Nov 2025 23:03:28 +0000</pubDate>
				<category><![CDATA[Analysis]]></category>
		<category><![CDATA[Europe]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[critical infrastructure]]></category>
		<category><![CDATA[cyber operations]]></category>
		<category><![CDATA[EU energy security]]></category>
		<category><![CDATA[grid resilience]]></category>
		<category><![CDATA[hybrid threats]]></category>
		<category><![CDATA[intelligence analysis]]></category>
		<category><![CDATA[OT security]]></category>
		<guid isPermaLink="false">https://www.digitalintelligence.at/?p=3963</guid>

					<description><![CDATA[Overview Over the past two years, Europe’s energy infrastructure has become a primary target for hybrid cyber operations. Attack patterns indicate a shift from classic ransomware to multi-stage reconnaissance campaigns involving OT (Operational Technology) systems, grid-balancing mechanisms, and cross-border power interconnectors. These intrusions reveal a trend where threat actors—primarily state-sponsored—seek not immediate disruption but long-term operational visibility inside critical infrastructure networks. Technical Findings Cross-Vector Reconnaissance Recent incident forensics show scouting activity across three layers: The presence of low-frequency beaconing in industrial DMZ zones indicates persistent access attempts designed to stay below SIEM detection thresholds. Attack Techniques Identified These activities align]]></description>
										<content:encoded><![CDATA[
<h1 class="wp-block-heading"><strong>Overview</strong></h1>



<p class="wp-block-paragraph">Over the past two years, Europe’s energy infrastructure has become a primary target for hybrid cyber operations. Attack patterns indicate a shift from classic ransomware to multi-stage reconnaissance campaigns involving OT (Operational Technology) systems, grid-balancing mechanisms, and cross-border power interconnectors.</p>



<p class="wp-block-paragraph">These intrusions reveal a trend where threat actors—primarily state-sponsored—seek not immediate disruption but <strong>long-term operational visibility</strong> inside critical infrastructure networks.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h1 class="wp-block-heading"><strong>Technical Findings</strong></h1>



<h1 class="wp-block-heading"><strong>Cross-Vector Reconnaissance</strong></h1>



<p class="wp-block-paragraph">Recent incident forensics show scouting activity across three layers:</p>



<ul class="wp-block-list">
<li><strong>IT networks:</strong> Credential harvesting, Active Directory reconnaissance, VPN traffic mapping.</li>



<li><strong>OT networks:</strong> Probing of IEC-104, Modbus, DNP3 protocols to identify control loops and breaker systems.</li>



<li><strong>Grid coordination nodes:</strong> Attempted access to ENTSO-E-linked balancing/dispatch systems for potential desynchronization scenarios.</li>
</ul>



<p class="wp-block-paragraph">The presence of <strong>low-frequency beaconing</strong> in industrial DMZ zones indicates persistent access attempts designed to stay below SIEM detection thresholds.</p>
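<p class="wp-block-paragraph">Why a per-hour volume rule misses this kind of beaconing, and what a multi-day view over flow records adds, as an added example that is not part of the assessment. The flow records, the hourly threshold and the scoring cut-offs are constructed assumptions.</p>

```python
"""Low-frequency beacon hunt over flow records.

Added example, not the assessment's tooling.  Flows are grouped by (src, dst) and
scored across the whole window for periodicity (gaps close to the median gap) and
payload-size uniformity; the hourly count shows why a per-hour SIEM rule stays
silent.  The flow log, the hourly threshold and the cut-offs are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed flow log: "timestamp src dst bytes".  The 10.20.0.7 -> 203.0.113.9 pair
# checks in every six hours (a few minutes of drift) with an almost fixed payload;
# the 10.20.0.12 -> 10.20.1.3 pair is bursty, irregular file traffic.
FLOWS = """\
2025-11-01T00:03:11Z 10.20.0.7 203.0.113.9 412
2025-11-01T06:02:48Z 10.20.0.7 203.0.113.9 412
2025-11-01T12:04:02Z 10.20.0.7 203.0.113.9 416
2025-11-01T18:01:37Z 10.20.0.7 203.0.113.9 412
2025-11-02T00:03:55Z 10.20.0.7 203.0.113.9 412
2025-11-02T06:02:10Z 10.20.0.7 203.0.113.9 412
2025-11-02T12:03:29Z 10.20.0.7 203.0.113.9 416
2025-11-02T18:02:44Z 10.20.0.7 203.0.113.9 412
2025-11-01T00:15:00Z 10.20.0.12 10.20.1.3 1800
2025-11-01T00:17:30Z 10.20.0.12 10.20.1.3 9123
2025-11-01T00:19:05Z 10.20.0.12 10.20.1.3 3310
2025-11-01T00:20:41Z 10.20.0.12 10.20.1.3 775
2025-11-01T03:44:19Z 10.20.0.12 10.20.1.3 50211
2025-11-02T09:08:52Z 10.20.0.12 10.20.1.3 2048
"""

def parse_flows(text):
    """Return {(src, dst): [(datetime, bytes), ...]} with each list sorted by time."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, size = line.split()
        pairs[(src, dst)].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(size)))
    for flows in pairs.values():
        flows.sort()
    return pairs

def max_hourly_count(flows) -> int:
    """What a per-hour volume rule sees: the busiest single hour for this pair."""
    buckets = defaultdict(int)
    for ts, _ in flows:
        buckets[ts.strftime("%Y-%m-%dT%H")] += 1
    return max(buckets.values())

def periodicity(flows, tolerance=0.1) -> float:
    """Share of inter-flow gaps within +/- tolerance of the median gap (1.0 = clockwork)."""
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(flows, flows[1:])]
    if len(gaps) < 3:
        return 0.0
    m = median(gaps)
    return sum(1 for g in gaps if abs(g - m) <= tolerance * m) / len(gaps)

def size_uniformity(flows, tolerance=0.05) -> float:
    """Share of flows whose byte count is within tolerance of the median size."""
    sizes = [s for _, s in flows]
    m = median(sizes)
    return sum(1 for s in sizes if abs(s - m) <= tolerance * m) / len(sizes)

def hunt(text, min_flows=6, hourly_threshold=5, cutoff=0.8):
    """Pairs that stay under the hourly rule yet look periodic and size-fixed."""
    hits = []
    for pair, flows in parse_flows(text).items():
        if len(flows) < min_flows:
            continue
        under_radar = max_hourly_count(flows) < hourly_threshold
        p, u = periodicity(flows), size_uniformity(flows)
        if under_radar and p >= cutoff and u >= cutoff:
            hits.append({"pair": pair, "flows": len(flows),
                         "periodicity": p, "size_uniformity": u})
    return hits

if __name__ == "__main__":
    for hit in hunt(FLOWS):
        print(hit)
```

<p class="wp-block-paragraph">Legitimate OT polling (historians, NTP, licence checks) is also periodic, so the hits are a hunt queue for the analyst, not alerts; the destination being outside the expected OT address space is what turns the clockwork pair above into a finding.</p>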



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h1 class="wp-block-heading"><strong>Attack Techniques Identified</strong></h1>



<ul class="wp-block-list">
<li><strong>Living-off-the-Land (LotL):</strong> Using native tools on Windows/Unix systems to avoid detection.</li>



<li><strong>Time-shifted lateral movement:</strong> Attackers spread access over weeks to blend into operational noise.</li>



<li><strong>Malicious firmware implants:</strong> Targeting substation RTUs and PLC devices for covert modification.</li>



<li><strong>Passive mapping of energy flow:</strong> Using network metadata to infer grid load, switching cycles, and failover behavior.</li>
</ul>



<p class="wp-block-paragraph">These activities align with TTPs seen in advanced groups focusing on <strong>long-term geopolitically motivated disruption</strong>, not only financial gain.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h1 class="wp-block-heading"><strong>Intelligence Assessment</strong></h1>



<h1 class="wp-block-heading"><strong>Strategic Intent</strong></h1>



<p class="wp-block-paragraph">The observed behavior suggests the objective is not immediate sabotage but:</p>



<ul class="wp-block-list">
<li>Establishing <strong>situational awareness</strong> inside Europe’s energy clusters.</li>



<li>Identifying <strong>choke points</strong> for potential coordinated disruption.</li>



<li>Preparing <strong>contingency access</strong> for use during geopolitical escalation.</li>
</ul>



<p class="wp-block-paragraph">This mirrors hybrid warfare doctrine seen in Eastern European theaters, where cyber, information, and physical operations are integrated.</p>



<h1 class="wp-block-heading"><strong>Geographic Focus</strong></h1>



<p class="wp-block-paragraph">SOC reporting from the past six months indicates probing activity concentrated in:</p>



<ul class="wp-block-list">
<li><strong>Central Europe:</strong> Austria, Czech Republic, Slovakia (cross-border grid nodes).</li>



<li><strong>Baltic States:</strong> High-value due to NATO infrastructure and proximity to Russia.</li>



<li><strong>Southern Europe:</strong> Interconnectors tied to LNG distribution and North African imports.</li>
</ul>



<p class="wp-block-paragraph">These patterns match the interest of adversarial intelligence services in Europe’s <strong>energy resilience</strong>.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h1 class="wp-block-heading"><strong>Technical Risk Domains</strong></h1>



<h1 class="wp-block-heading"><strong>Grid Interconnectors</strong></h1>



<p class="wp-block-paragraph">Interconnector control systems offer the potential for:</p>



<ul class="wp-block-list">
<li>Regional blackouts</li>



<li>Load imbalance</li>



<li>Cross-country cascading effects</li>
</ul>



<h1 class="wp-block-heading"><strong>Legacy OT Infrastructure</strong></h1>



<p class="wp-block-paragraph">Aging PLC/RTU devices with no native authentication or encryption create:</p>



<ul class="wp-block-list">
<li>Easy lateral movement</li>



<li>Firmware-level persistence</li>



<li>Undetected command manipulation</li>
</ul>



<h1 class="wp-block-heading"><strong>Lack of Unified EU Monitoring</strong></h1>



<p class="wp-block-paragraph">European nations operate independent SOCs, causing:</p>



<ul class="wp-block-list">
<li>Fragmented monitoring</li>



<li>Slow cross-border response</li>



<li>Reduced situational awareness</li>
</ul>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h1 class="wp-block-heading"><strong>Recommended Mitigation Measures</strong></h1>



<h1 class="wp-block-heading"><strong>OT–IT Segmentation Reassessment</strong></h1>



<p class="wp-block-paragraph">Modern adversaries treat segmentation as an obstacle, not a barrier.<br>Recommended:</p>



<ul class="wp-block-list">
<li>Deep packet inspection for OT protocols</li>



<li>Strict unidirectional gateways (data diodes)</li>



<li>Removal of legacy VPN pathways</li>
</ul>



<h1 class="wp-block-heading"><strong>Continuous Threat Hunting</strong></h1>



<p class="wp-block-paragraph">Focus areas:</p>



<ul class="wp-block-list">
<li>Beaconing anomalies</li>



<li>Grid-balancing manipulation attempts</li>



<li>Firmware integrity verification</li>



<li>Low-rate scanning patterns</li>
</ul>



<h1 class="wp-block-heading"><strong>Intelligence Fusion</strong></h1>



<p class="wp-block-paragraph">EU energy grids need integrated cross-country intelligence sharing combining:</p>



<ul class="wp-block-list">
<li>OSINT (grid mapping, public procurement data)</li>



<li>SIGINT (communications anomalies)</li>



<li>Cyber telemetry</li>



<li>Physical sabotage indicators</li>
</ul>



<h1 class="wp-block-heading"><strong>Scenario Planning &amp; Red Teaming</strong></h1>



<p class="wp-block-paragraph">Run exercises simulating:</p>



<ul class="wp-block-list">
<li>Coordinated OT takeover</li>



<li>Interconnector desynchronization</li>



<li>Hybrid physical-cyber asset disruption</li>
</ul>



<p class="wp-block-paragraph">These simulations create resilience against real-world crisis scenarios.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h1 class="wp-block-heading"><strong>Conclusion</strong></h1>



<p class="wp-block-paragraph">Europe’s energy infrastructure is entering a period where <strong>cybersecurity is no longer an IT issue but a national security pillar</strong>.<br>The threat landscape shows adversaries are not merely seeking access—they are building long-term operational intelligence positions inside energy networks.</p>



<p class="wp-block-paragraph">Protecting Europe’s grid now requires a unified intelligence posture, modernized OT security models, and proactive threat hunting that spans borders, sectors, and data domains.</p>



]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
