Ahmed El Saadi, Vice President, Middle East Africa, Turkey, Romania, and CIS, Splunk, discusses the role of large language models (LLMs) in supporting regional cybersecurity teams in this exclusive op-ed.
Large language models (LLMs) are quickly becoming a defining factor in cybersecurity. For security teams, they offer faster ways to detect and investigate threats; for attackers, they lower the bar to launch phishing, fraud, and malware at scale.
In the Middle East, this dual impact is magnified by heavy government investment in artificial intelligence and digital transformation. The UAE has set its sights on becoming one of the world’s top 10 AI-ready nations by 2031, while Saudi Arabia and other regional economies are prioritising AI adoption across critical sectors. Security software is projected to remain the largest technology spending area in MENA, expected to reach nearly $1.5 billion by 2025 — a reflection of both rapid digital growth and the pressing need to secure it. [AO1]
The Skinny — Middle East Snapshot
- LLMs as a double-edged sword: LLMs can be used to streamline detection, triage, and investigation workflows for security operations centres, but also enable attackers to replicate known threats more efficiently and quickly.
- Governance is essential: PwC’s 2025 Digital Trust Insights [AO2] report found that 73% of Middle East organisations view cybersecurity as a strategic growth driver, underscoring the need to balance innovation with risk management.
- Preparing for autonomy: The UAE ranks 13th globally in government AI readiness [AO3] , positioning the region to both benefit from and defend against the next generation of autonomous, AI-driven cyber threats.
The Current Relationship Between LLMs and Threat Actors
LLMs can democratise access to cyber-attack knowledge, enabling individuals with limited technical skills to generate functional code or craft convincing phishing content in Arabic and English.
In recent years, the Middle East and Africa have seen a marked rise in phishing and online fraud targeting high-value sectors such as banking, energy, and government services. Regional threat intelligence reports have noted an increase in phishing websites impersonating postal services, utilities, and major brands, often designed to harvest sensitive credentials or deliver malware. Increasingly, these campaigns incorporate AI-generated text and imagery, making them more persuasive and harder for traditional security filters to detect.
Using LLMs Correctly
While LLMs offer significant operational benefits, misuse or lack of oversight can introduce new vulnerabilities.
Public-sector ambitions illustrate the opportunity. The UAE’s AI Strategy 2031 aims to integrate AI across critical domains, from energy to healthcare, with an anticipated AED 335 billion [AO4] contribution to the national economy by 2031. To harness this potential safely, organizations should:
- Identify repetitive, high-volume, text-heavy tasks where LLMs deliver measurable value.
- Define “human-in-the-loop” checkpoints to verify outputs before they inform security decisions.
- Regularly audit and retrain models to ensure relevance against evolving regional threats.
The Underlying Potential for Cyber Defenders
Once analyst teams determine when and how to use AI effectively, there is a real chance to optimise productivity using LLMs. Just like LLMs can help mitigate burnout for content creation or research, they can also help analysts streamline and triage security alerts and event review.
Due to their ability to comprehend human language, cyber analysts can fine-tune LLMs to help with increasingly specific cyber-domain-related tasks. Models can also help speed up post-cyber incident issues, such as summarising the details of an attack and the SOC’s corresponding response.
In a Splunk threat hunting exercise, multiple open-weight LLMs were evaluated on their ability to classify the intent of 2,000 PowerShell scripts – 1,000 benign and 1,000 malicious. The results produced a promising combination of high accuracy, with very few false negatives. Classification time ranged from 0.75 seconds to 3 seconds per script, representing a 99% reduction compared to the 5–12 minutes typically required by a human analyst.
In a Middle East context, this capability could dramatically improve SOC efficiency, particularly in sectors like banking, oil & gas, and government services, where incident response windows are often measured in minutes.
What the LLM Future Holds for Both Defender and Attacker
The next wave of LLM adoption will see greater use of agentic AI — systems capable of making and executing decisions independently. For defenders, this could automate large portions of SOC workflows; for attackers, it could mean more adaptive and persistent cyber campaigns.
The UAE has announced plans to integrate an AI advisory system into its federal cabinet in 2026 [AO5] , signalling the speed with which AI is being embedded in governance. Across the GCC, AI is projected to contribute up to USD 260 billion to GDP [AO6] , further entwining these technologies with national infrastructure.
This deep integration makes it essential for governments and enterprises to:
- Invest in AI literacy and skills for SOC teams.
- Establish robust governance for AI deployment.
- Expand cross-border intelligence sharing to counter emerging threats.
Bottom line:
The Middle East’s AI-driven transformation brings unparalleled opportunities for cyber defence – but also new attack surfaces for adversaries. LLMs will be central to both. The advantage will go to those who combine advanced tooling with human expertise, cultural and linguistic awareness, and a readiness to adapt as technology and threats evolve.
[AO2]https://www.pwc.com/m1/en/publications/global-digital-trust-insights-middle-east-findings-2025.html
[AO3]https://oxfordinsights.com/ai-readiness/ai-readiness-index/?#download-reports
[AO4]https://news.uppersetup.com/insights/artificial-intelligence-in-the-uae/
[AO6]https://www.khaleejtimes.com/business/ai-expected-to-contribute-260b-to-the-gcc-economy
Image Credit: Splunk
