
Creating trusted digital networks in South-east Asia

Mark Mullings


How AI-powered cybersecurity enables South-east Asia’s telecom operators to build the trusted digital networks of tomorrow

South-east Asia’s telecom operators are at the centre of two simultaneous shifts. Cyberattacks targeting the region have doubled. Ransomware, state-sponsored intrusions, IoT-based exploits, and mobile financial fraud are growing in volume, sophistication and commercial impact. At the same time, regulators across every major market in the region are extending cybersecurity obligations directly to telecoms operators as designated critical infrastructure providers.

This is not a peripheral risk. It is the defining operational and commercial challenge of the next decade for operators in South-east Asia.

This creates a clear case for AI-powered, network-edge cybersecurity, and specifically for behavioural intelligence as the capability that makes it work. By organising around BlackDice’s three strategic pillars, Confidence while connected, Security of experience, and Security of economics, operators can transform their security posture, build new commercial propositions, and position themselves as the trusted digital partners their markets now require.


The moment for South-east Asia

South-east Asia is at a digital inflection point. Across Singapore, Malaysia, Indonesia, Thailand, the Philippines and Vietnam, mobile-first populations, rapidly expanding 5G coverage, and government-backed digital economy programmes are driving one of the world’s fastest transitions to connected commerce, banking, healthcare and public services. Enterprise digital transformation spending across the region is projected to reach 10 per cent of revenues annually through 2030. And telecoms operators are central to that story.

But this expansion carries a counterpart that is harder to celebrate. As digital services multiply, as IoT devices proliferate across homes and industrial settings, and as mobile financial services extend into previously unbanked populations, the attack surface grows with them. Cyberattacks targeting the region have doubled in recent years. In the first half of 2024 alone, Asia-Pacific recorded more than 57,000 ransomware attacks. Indonesia averaged 3,300 cyberattacks per week. State-sponsored threat actors, including China-linked Salt Typhoon, have been detected systematically targeting telecom infrastructure across more than 80 countries, with South-east Asian operators among their primary targets.

For telecom operators, this creates a dilemma that is both operational and strategic. Their networks carry the transactions, communications and data of millions of subscribers. They are simultaneously the infrastructure through which attacks propagate and the institution subscribers expect to protect them. The question is no longer whether operators should engage with cybersecurity. It is how quickly they can build the right capability, and what that capability needs to look like to be genuinely effective at network scale.

The threat landscape in South-east Asia

Understanding the specific nature of the threat environment across the region is essential to understanding why conventional security approaches are failing, and why network-edge behavioural intelligence is the right response. The threats operators face are not generic. They are shaped by the region’s digital maturity, regulatory environment, and the specific economic incentives that make South-east Asian operators attractive targets.

Ransomware: longer dwell times, higher commercial impact

Ransomware volume rose 67 per cent globally in the first two quarters of 2025. Asia-Pacific operators are among the most heavily targeted sectors. The defining characteristic of modern ransomware campaigns in this region is dwell time. Threat actors frequently move laterally through networks for weeks or months before triggering encryption, establishing persistent access and exfiltrating data before the attack becomes visible. Signature-based detection systems cannot identify this behaviour in time. By the point of detection, the damage is already extensive.

Telecommunications as a primary infrastructure target

Telecom networks are not incidentally targeted. They are primary objectives. Operators carry authentication traffic, financial transactions, government communications and critical infrastructure data. Salt Typhoon’s sustained campaign against telecom providers demonstrates that state-sponsored threat actors understand the intelligence and disruption value of controlling or monitoring operator infrastructure. For operators in South-east Asia, this means the threat is persistent, sophisticated, and in many cases already present within their network perimeter before any detection event occurs.

Mobile financial fraud and the underbanked population

South-east Asia’s rapid expansion of mobile financial services creates a specific and significant fraud vector. As banking and payment services extend to populations previously outside the formal financial system, threat actors follow. SIM-swap fraud, account takeover, and session-level attacks on mobile banking transactions disproportionately target this population, partly because they are new to digital services and partly because the security controls protecting them are often minimal. The network is the only intervention point capable of protecting users who have no other layer of defence available to them.

IoT: the unmanaged attack surface

Globally, IoT-based malware attacks have exceeded 100 million. In South-east Asia, rapid adoption of smart home devices, industrial sensors and connected medical equipment has expanded the attack surface dramatically. Most of these devices are invisible to existing security tooling. They carry no agents, appear on no endpoint management register, and generate no logs that conventional security systems can read. Yet they share the same network segments as corporate systems and subscriber devices, and they create the entry points through which more damaging attacks are launched.


The position only operators hold

Telecom operators have a structural security advantage that no other organisation can replicate. They see every packet before it reaches a subscriber device. They can detect anomalies before a user is aware a threat exists. And they can enforce protective policy at the edge with no dependency on end-user action. This is not an incremental advantage. It is a capability that, properly harnessed, transforms the operator into the most important node in any subscriber’s security architecture.


Why conventional security fails at network scale

The dominant model of cybersecurity, built around endpoint agents, signature-based detection, and reactive incident response, was not designed for the operating environment that South-east Asian telecom operators now manage. The misfit is structural, not a matter of configuration or budget.

What operators need is a security architecture that matches their environment: deployed within operator infrastructure, operating on network traffic rather than device agents, detecting patterns rather than signatures, and enforcing policy at the edge with no latency impact. This is what AI-powered, network-edge behavioural intelligence delivers.


Pillar 1: Confidence while connected

Every subscriber, on every device, protected from the moment they connect

The most fundamental commitment an operator can make to its subscribers is that connecting to the network is safe. Not conditionally safe, not safe if the subscriber has installed the right app or updated their device. Unconditionally, structurally safe. That guarantee is only possible when protection operates at the network layer, invisible to the subscriber and independent of their behaviour or device type.

What behavioural intelligence changes

BlackDice operates at the edge of operator infrastructure, on customer premises equipment, within network gateways, and across the access layer, building a continuous, dynamic model of normal behaviour for every device on the network. Using deep packet inspection, DNS interception, and device fingerprinting, the platform identifies every connected device including unmanaged IoT, and monitors its behavioural signature in real time.

When a device deviates from its established pattern, a smart speaker initiating outbound DNS queries to unrecognised domains, a router beginning to scan adjacent network segments, or a mobile device exhibiting session patterns consistent with an account takeover attempt, BlackDice IQ™ correlates that signal across network and device data, assigns a risk score, and triggers a response. This happens before the threat completes, and before the subscriber is aware anything is wrong.
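The smart-speaker case above, sketched as an added example (not BlackDice's implementation and not code from the original article): a per-device baseline of queried domains with a sliding-window novelty score. The class name, thresholds, device IDs and `.example`/`.test` domains are all constructed assumptions.

```python
from collections import defaultdict, deque


def registered_domain(qname):
    # Naive reduction to the last two labels (assumption for this example);
    # production code should use the Public Suffix List.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


class DeviceDnsBaseline:
    """Learns which domains each device normally queries, then scores
    the share of never-seen domains in its most recent queries."""

    def __init__(self, learn=6, window=4, threshold=0.75, promote_after=3):
        self.learn = learn                  # queries used to build the baseline
        self.window = window                # recent queries considered
        self.threshold = threshold          # novelty share that raises an alert
        self.promote_after = promote_after  # sightings before a domain is learned
        self.known = defaultdict(set)
        self.seen = defaultdict(int)
        self.recent = defaultdict(lambda: deque(maxlen=window))
        self.pending = defaultdict(lambda: defaultdict(int))

    def observe(self, device, qname):
        dom = registered_domain(qname)
        self.seen[device] += 1
        if self.seen[device] <= self.learn:
            self.known[device].add(dom)
            return {"device": device, "domain": dom, "phase": "learning",
                    "novel": False, "score": 0.0, "alert": False}
        novel = dom not in self.known[device]
        recent = self.recent[device]
        recent.append(novel)
        # Divide by the window size, not len(recent), so a single novel
        # query right after learning cannot score 1.0 on its own.
        score = sum(recent) / self.window
        alert = score >= self.threshold
        if novel and not alert:
            # Continuous learning: a domain seen repeatedly outside an alert
            # joins the baseline. Promotion is withheld while alerting so a
            # burst cannot teach itself into "normal".
            self.pending[device][dom] += 1
            if self.pending[device][dom] >= self.promote_after:
                self.known[device].add(dom)
        return {"device": device, "domain": dom, "phase": "monitoring",
                "novel": novel, "score": score, "alert": alert}


def replay(events, **kwargs):
    """Feed (device, qname) pairs through one baseline; return every result."""
    baseline = DeviceDnsBaseline(**kwargs)
    return [baseline.observe(device, qname) for device, qname in events]


# Constructed sample traffic: a speaker that learns six queries and then
# starts resolving unfamiliar domains, and a TV that never changes behaviour.
CONSTRUCTED_EVENTS = (
    [("speaker-01", q) for q in (
        "time.vendor.example", "api.vendor.example", "fw.vendor.example",
        "stream.music.example", "cdn.music.example", "api.vendor.example")]
    + [("tv-02", "api.tv.example")] * 9
    + [("speaker-01", q) for q in (
        "api.vendor.example", "k3.rnd-one.test",
        "p7.rnd-two.test", "z1.rnd-three.test")]
)

if __name__ == "__main__":
    for result in replay(CONSTRUCTED_EVENTS):
        if result["phase"] == "monitoring":
            print(result)
```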

Why this matters in South-east Asia specifically

For operators in South-east Asia, this capability maps directly to the region’s dominant threat profile. Mobile financial fraud depends on the network remaining unaware of anomalous session behaviour. Network-edge behavioural detection closes that gap. IoT-based attacks, prevalent across the region’s rapidly expanding smart home and industrial sectors, depend on unmanaged devices being invisible to security tooling. Device fingerprinting and behavioural monitoring make them visible and protectable.

“Across South-east Asia, 98 per cent of companies are SMEs. Most cannot afford dedicated cybersecurity infrastructure. For this population, the operator network is the only security layer that will ever protect them. Building that capability is not simply a commercial opportunity. It is a regional public good.”

The commercial case follows from the structural one. Operators that can guarantee subscriber safety, using tools like BlackDice Angel™ to give users real-time visibility of their protected network, create a differentiator no connectivity-only competitor can match. In markets where subscriber acquisition is expensive and loyalty is fragile, confidence while connected is both a product feature and a measurable retention driver.


Pillar 2: Security of experience

Threats do not interrupt the digital experience, for subscribers or operators

The second pillar addresses a challenge operators across South-east Asia are experiencing directly: the growing expectation that connectivity is not just fast, but uninterrupted, reliable and threat-free. Digital-first consumers and enterprises do not distinguish between a network outage and a security incident. If the service is disrupted, the operator is accountable.

Detection without disruption

BlackDice’s enforcement model is built around a principle that is non-negotiable in operator environments: security must add zero latency to network traffic. The platform’s detection and enforcement pipeline, detect, correlate, decide, enforce, operates in real time, with all processing occurring within operator infrastructure. There is no traffic redirection to external systems, no cloud processing dependency that introduces latency, and no reliance on subscriber devices that varies by type or operating system version.

Serving the SMB customer base

South-east Asia’s 5G buildout is enabling a new generation of SMB connectivity services: private networks, edge compute, industrial IoT integration, and multi-cloud access. These services carry commercial data at a scale and sensitivity that makes embedded security a prerequisite, not an option. Operators who can demonstrate real-time security capability, with the reporting and visibility that enterprise procurement processes require, are well positioned to win the SMB segment that will define the next decade of telecom revenue.

BlackDice Retina™, the operator-facing visibility and control interface, provides the network-level intelligence that makes this commercial case concrete. It surfaces threat activity, policy enforcement events, and behavioural anomalies across the entire subscriber base in real time, giving operators the operational data to act on threats before they become incidents and the reporting capability to demonstrate security posture to enterprise clients and regulators alike.

Regulatory alignment across the region

South-east Asian governments are moving quickly on cybersecurity regulation with direct implications for operators. Singapore’s Cybersecurity Act amendments took effect in October 2025, expanding regulatory scope across critical information infrastructure. Vietnam’s Personal Data Protection Law took effect in January 2026. Thailand’s Cybersecurity Act imposes data hosting obligations on designated critical infrastructure operators including telecoms. Malaysia’s PDPA amendments, active from January 2025, introduced cross-border data transfer obligations that directly affect operator architecture decisions. Indonesia’s data protection framework requires explicit data handling notifications to the ministry for cross-border transfers.

Operators who have embedded network-level security are not simply managing risk. They are ahead of regulatory requirements, which in fast-moving legislative environments is a significant commercial and reputational advantage.


What operators need to demonstrate

Enterprise clients and government procurement teams increasingly require operators to demonstrate active, measurable security capability, not just contractual commitments. BlackDice Retina™ provides the reporting layer that makes this demonstration possible: real-time threat visibility, policy enforcement logs, and risk scoring across the subscriber estate. This turns security posture into a commercial asset, auditable and demonstrable at any point in a procurement process.


Pillar 3: Security of economics

Protecting revenue, enabling new commercial models and turning security into growth

The third pillar reframes cybersecurity from a cost centre to a revenue opportunity. This matters especially in South-east Asia, where operators face structural pressure from declining voice ARPU, intense competition in core connectivity services, and rising 5G infrastructure investment costs. The operators that grow through this period will be those that find new revenue layers within their existing infrastructure, and security is the most structurally compelling of those layers.

The new revenue layer

Security-as-a-service is one of the most commercially attractive adjacent revenue streams available to telecom operators. It addresses a subscriber need that is universal, persistent, and growing. It requires no hardware device to manufacture or distribute. It operates silently in the background, requiring no subscriber behaviour change. And it is delivered from infrastructure the operator already controls and has already paid for.

BlackDice’s platform gives operators the capability to structure this into commercial tiers: a baseline security layer embedded in every subscription, premium managed security services for SMB accounts, and family protection products for consumer segments. Each tier drives ARPU without requiring the operator to touch subscriber devices, manage endpoint software, or build a security operations centre from scratch.

Protecting subscribers from financial harm

Mobile financial fraud is a direct economic threat to subscribers and an indirect but significant threat to operators. When a subscriber loses money to a SIM-swap attack or mobile banking fraud carried across an operator’s network, the operator is increasingly implicated in the outcome, by regulators, by liability frameworks, and by subscribers themselves. Regulators across South-east Asia are watching the UK’s model of shared liability for authorised push payment fraud with close attention. Operators that can demonstrate their networks actively detect and prevent fraud are positioned to shape that regulatory conversation from a position of strength rather than responding to it from a position of vulnerability.

Reducing the cost of incidents

For operators themselves, the economics of a significant security incident are severe. Beyond the direct cost of response, investigation and remediation, an incident that damages subscriber trust generates churn that is difficult and expensive to reverse. Proactive, network-level threat detection that prevents incidents from occurring is simultaneously a security investment, a subscriber retention investment, and a brand investment. Its value is measured in churn rates and net promoter scores, not only in security metrics.

“The operators that will define South-east Asia’s digital decade are not those that deliver the fastest connectivity. They are those that deliver the most trusted digital network environments, and then build the commercial models to monetise that trust at every point in the subscriber relationship.”

The AI advantage: why behaviour beats signatures

AI has become a contested term in cybersecurity, claimed by vendors whose products are better described as statistical classifiers, and applied to capabilities that remain fundamentally reactive. BlackDice’s use of AI is specific and architecturally grounded. It refers to the continuously learning behavioural models that power BlackDice IQ™, which build dynamic baselines for every device and service on the network and detect deviation from those baselines in real time.

The advantage of this approach over signature-based detection is not incremental. It is categorical. Signatures require prior knowledge of a threat. Behavioural models require only knowledge of what normal looks like, and they update that knowledge continuously. A new ransomware variant, a novel IoT exploit, or a sophisticated account takeover campaign that has never been documented before will still produce behavioural anomalies that the system detects, scores, and acts on.

This matters acutely in South-east Asia, where the threat actor landscape includes well-resourced state-sponsored groups that actively test novel techniques in the region before deploying them globally. Relying on signatures in this environment means operating permanently one step behind the threat. Behavioural intelligence closes that gap.


The detection principle that separates BlackDice

Most security systems look for known threats. BlackDice looks for suspicious combinations. A remote access application operating simultaneously with a mobile banking session is individually unremarkable. Together, they signal something worth stopping. That is behavioural intelligence: risk assessed by what is happening in context, not just by what has been seen before. It is the only detection model that keeps pace with a threat actor who has never been seen before.
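The "suspicious combinations" idea above, as an added example (not BlackDice's implementation and not code from the original article): sessions are scored per device, and extra risk is added only when two categories are active at the same time. The category names, weights, threshold and session records are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Session:
    device: str
    category: str  # classifier label, e.g. "remote_access"
    start: int     # epoch seconds
    end: int


# Hypothetical weights: no single category reaches ALERT_AT on its own.
BASE_RISK = {"remote_access": 20, "mobile_banking": 10, "video": 0}
# Hypothetical combination rule: extra risk when both run concurrently.
COMBO_RISK = {frozenset({"remote_access", "mobile_banking"}): 60}
ALERT_AT = 70


def overlap_seconds(a, b):
    """Length of the time both sessions were active (0 if disjoint)."""
    return max(0, min(a.end, b.end) - max(a.start, b.start))


def correlate(sessions, min_overlap=5):
    """Return one finding per concurrent session pair matching a combo rule."""
    by_device = defaultdict(list)
    for s in sessions:
        by_device[s.device].append(s)

    findings = []
    for device, items in sorted(by_device.items()):
        ordered = sorted(items, key=lambda s: s.start)
        for a, b in combinations(ordered, 2):
            combo = COMBO_RISK.get(frozenset({a.category, b.category}))
            secs = overlap_seconds(a, b)
            # Ignore pairs with no rule, and brief overlaps that are more
            # likely timestamp jitter than real concurrency.
            if combo is None or secs < min_overlap:
                continue
            score = (BASE_RISK.get(a.category, 0)
                     + BASE_RISK.get(b.category, 0) + combo)
            findings.append({
                "device": device,
                "categories": tuple(sorted((a.category, b.category))),
                "overlap_s": secs,
                "score": score,
                "alert": score >= ALERT_AT,
            })
    return findings


# Constructed sample sessions.
CONSTRUCTED_SESSIONS = [
    # Remote access running while a banking session opens: the combination.
    Session("phone-A", "remote_access", 1000, 1600),
    Session("phone-A", "mobile_banking", 1200, 1300),
    # Same two categories, but an hour apart: individually unremarkable.
    Session("phone-B", "remote_access", 1000, 1100),
    Session("phone-B", "mobile_banking", 4600, 4700),
    # Concurrent but with no combination rule.
    Session("phone-C", "mobile_banking", 1000, 1200),
    Session("phone-C", "video", 900, 2000),
    # Overlap of 2 seconds, below min_overlap.
    Session("phone-D", "remote_access", 1000, 1102),
    Session("phone-D", "mobile_banking", 1100, 1300),
]

if __name__ == "__main__":
    for finding in correlate(CONSTRUCTED_SESSIONS):
        print(finding)
```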


What operators should do now: a practical action framework

The case for AI-powered, network-edge cybersecurity in South-east Asia is clear. The regulatory environment is moving. The threat landscape is accelerating. The commercial opportunity is real and structurally accessible. What follows is a practical framework for operators at different stages of readiness, from initial assessment through to full commercial deployment, to deliver trusted digital networks.

Action 1: Audit your current security coverage honestly

Before investing in new capability, understand the shape of your current gap. Map your active device population against your security tooling coverage. Identify how many devices on your network are currently unmonitored, particularly unmanaged IoT and BYOD endpoints. Assess whether your current detection capability relies on signatures or on behavioural patterns. Measure your current mean time to detect. Most operators who conduct this audit honestly find the gap is significantly larger than their existing tooling suggests.

Action 2: Engage with regulatory obligations now, before they are enforced

Cybersecurity legislation is now active across every major South-east Asian market. Singapore’s Cybersecurity Act amendments, Vietnam’s PDPL, Malaysia’s PDPA amendments, Thailand’s Cybersecurity Act, and Indonesia’s data protection framework all carry direct obligations for telecoms operators as critical infrastructure providers. The operators who engage proactively, building capability before enforcement attention arrives, will shape the regulatory conversation. Those who wait will respond to it on a regulator’s timetable rather than their own.

Action 3: Build your security architecture to match your network, not a corporate IT model

The security frameworks designed for enterprise IT environments do not scale to the operating conditions of a telecom network. Any architecture you build must operate within your infrastructure rather than sitting outside it. It must cover the full device population including unmanaged IoT without an agent dependency, enforce policy at the network edge with no latency impact on subscriber experience, and maintain full data sovereignty within your operating environment. Assess every proposed solution against these requirements before committing to it.

Action 4: Define your commercial security proposition before your competitors do

Security-as-a-service is not yet a standard feature in South-east Asian telecom packages, but it will be. The operators that define the category first in each market will have a meaningful head start in subscriber acquisition, enterprise contract positioning, and regulatory credibility. Structure your security proposition in tiers: a baseline layer available to all subscribers, a premium managed layer for consumers and SMEs willing to pay for enhanced protection, and an enterprise-grade managed security offering for business accounts. Each tier can be built on the same underlying network capability.

Action 5: Use behavioural intelligence as your primary detection layer

Signature-based detection is a necessary but insufficient component of a modern security architecture. Given the threat actor profile in South-east Asia, particularly the presence of state-sponsored groups that regularly introduce novel techniques, any detection approach that depends solely on prior knowledge of a threat will be consistently behind. Build your primary detection layer around behavioural models that identify anomalies in real time, and treat signature-based detection as a secondary layer for known, well-documented threats.

Action 6: Invest in operator-facing visibility and subscriber-facing transparency

Network security is only commercially valuable if it is visible. Internally, invest in operator-facing dashboards that give your security and network teams real-time insight into threat activity, device behaviour, and policy enforcement across your subscriber estate. Externally, give subscribers the transparency tools to see that their connection is protected. Both elements, BlackDice Retina™ for operators and BlackDice Angel™ for subscribers, are built into the platform architecture. Both are essential to converting a security capability into a commercial proposition that subscribers understand and are willing to pay for.

Action 7: Measure what matters: security outcomes, not security activity

A mature security programme is measured by outcomes, not inputs. Track mean time to detect, mean time to contain, the proportion of your device population under active behavioural monitoring, fraud incident rates on your network compared to industry benchmarks, and subscriber churn attributed to security incidents or perceived network safety concerns. These metrics give your board and your commercial teams a clear picture of the value your security investment is generating, and they give you the data to demonstrate that value to regulators and enterprise clients.


From connectivity provider to trusted digital partner

The strategic transformation available to South-east Asia’s telecom operators is not simply a security upgrade. It is a repositioning of the operator’s role in the digital economy. The connectivity market is commoditising. Price competition is intense. ARPU growth from core connectivity services is structurally constrained. The operators that grow through this environment will be those that own the trusted digital environment, not just the pipe that delivers it.

Embedding AI-powered cybersecurity at the network edge is the mechanism by which this transformation becomes real. It gives operators a capability that no over-the-top security product can replicate, because no OTT product can see the network the way the operator can. It gives them a commercial layer that generates recurring revenue from security services. It gives them a narrative, grounded in demonstrable capability rather than marketing claims, that differentiates their offer to subscribers, enterprise clients, and regulators alike.

Three pillars, one direction of travel.

Confidence while connected: every subscriber protected, regardless of device or behaviour.

Security of experience: threats contained before they disrupt the digital services subscribers depend on.

Security of economics: new revenue unlocked, fraud losses reduced, and regulatory risk converted into competitive advantage.

Together, these pillars define what it means to be a trusted digital partner in South-east Asia’s most important decade of digital growth.

The operators across Singapore, Malaysia, Indonesia, Thailand, the Philippines, and Vietnam that act on this in 2026 are not simply responding to a threat. They are building the infrastructure of trust that their markets, their subscribers, and their regulators will depend on for the decade ahead.


About BlackDice Cyber

BlackDice Cyber is a telecom-native cybersecurity company headquartered in Leeds, United Kingdom. Its platform delivers AI-powered behavioural intelligence and real-time threat detection directly within operator infrastructure, enabling telecommunications providers to protect subscribers, generate new revenue, and meet evolving regulatory requirements. BlackDice operates globally in partnership with leading telecoms operators.

To learn more, visit blackdice.ai

Sources: SonicWall Cyber Threat Report 2025; Cyfirma SEA Threat Landscape Report; GSMA Intelligence: The Rise of Digital Industries in ASEAN (2025); Cisco: Cybersecurity in ASEAN; PT Security: Cybersecurity Threatscape SEA; EY Telecom Sector Risk Report 2025; Hogan Lovells: Singapore Cybersecurity Act 2025; InCountry: Navigating SEA Data Protection Laws 2025; ASEAN Digital Ministers’ Meeting 2026.
