Rise of AI as an offensive tool mean cyber attacks ‘no longer a question of if, but when’

If AI introduced uncertainty this year,, cybersecurity introduced inevitability. Keith Cutajar, CEO of CY4 Security, points to 2025 as the year that denial finally collapsed. The launch of his organisation’s Security Operations Centre triggered immediate and overwhelming demand. It confirmed what he describes as a “new normal”. Cyber attacks are no longer a question of if, but when.

Through live investigations and monitoring, one conclusion became unavoidable. “If an organisation claims they have not experienced a cyber effort against their setup, they are likely falling into one of three categories,” Mr Cutajar said. Either they are avoiding the truth, unaware of what is already happening, or lacking the monitoring infrastructure to detect it. In practice, the third explanation was the most common.

The financial consequences of hesitation were stark. Mr Cutajar described seeing organisations decline to spend €5,000 to €10,000 on proactive assessments, only to face breaches later that cost €50,000 to €100,000 once recovery, forensics, legal exposure, fines and reputational damage were included. “Too expensive is relative,” he said. “Remediation is always costlier than prevention.”

Looking ahead, he believes the cybersecurity landscape will be reshaped by the normalisation of AI as an offensive tool. Attackers are no longer operating at human speed. Generative AI is enabling hyper-personalised phishing and automated vulnerability discovery at scale. At the same time, organisations are reconsidering their infrastructure choices. Regulatory pressure, cost unpredictability and the desire for control are driving renewed interest in locally hosted and sovereign environments.

Yet many remain dangerously under-prepared. “Most organisations still rely on legacy perimeters while attackers are simply logging in,” Mr Cutajar warned, pointing to identity as the weakest link. Alongside this, ungoverned use of AI tools by employees has created what he calls a massive and largely invisible data leak surface.

Taken together, these perspectives tell a coherent story. Capital is moving faster than value creation. Technology is advancing faster than governance. Threats are evolving faster than organisational readiness. 

For Malta, a small but digitally dense economy, the margin for error is thin.

2025 revealed how fragile certainty has become, and how quickly advantage can turn into risk.