CrowdStrike’s AI-Native Defence for Evolving Threats

Today’s threat landscape is defined by speed, deception and AI-driven precision, with identity now the key battleground.
In this interview, CrowdStrike Field CTO for Europe Zeki Turedi explains how an AI-native platform, deep visibility across the AI lifecycle and identity-first controls can blunt fast-moving, socially engineered intrusions.
Zeki outlines the rise of agentic defence, the emergence of AI Detection and Response (AIDR) and why collaboration between public bodies, enterprises and vendors is essential to stay ahead of groups such as SCATTERED SPIDER.
He also sets out how consolidating tooling and automation can shorten dwell time and turn detection into disruption.
What made SCATTERED SPIDER’s tactics unique among eCrime groups?
SCATTERED SPIDER became known for its aggressive, identity-focused tradecraft that set them apart from other eCrime groups.
After a relatively quiet period, the group re-emerged in 2025, with campaigns targeting aviation, insurance and retail.
Their hallmark technique is to voice phish – or vish – help desk employees via social engineering, where they impersonate employees, provide accurate identity details and convince support staff to reset passwords or MFA.
Within minutes, the adversary is typically able to register their own devices for authentication, access Microsoft 365 and other SaaS applications, cover their tracks by deleting alerts and move laterally across corporate networks.
What makes them unique is both the speed and precision of these operations. Help desks are often targeted to gain access to accounts belonging to IT and security staff, as they typically have permissions to documentation on network architecture, security tooling and incident response procedures.
The group has also gone after C-suite executives' accounts, likely due to their access to sensitive data, communications and other resources that may support data theft and extortion.
Once inside, they pivot quickly, use identity compromise to exfiltrate large volumes of data, escalate privileges and in some cases move from account takeover to ransomware deployment in as little as 24 hours.
Their ability to combine social engineering, hands-on-keyboard tactics and identity abuse allows them to bypass heavily monitored endpoints and disrupt critical sectors more effectively than most eCrime peers.
Which industries suffered most from their attacks and why?
In 2025, SCATTERED SPIDER focused on industries where disruption has immediate, high-impact consequences.
The aviation industry is attractive to the group because of its reliance on continuous operations, interconnected systems and the sensitive information involved.
Insurers are valuable targets due to the sensitivity of the data they hold and their critical role in financial services.
Retailers, meanwhile, are often exposed due to large workforces, distributed IT environments and the potential for maximum pressure through downtime.
By combining social engineering with rapid privilege escalation, SCATTERED SPIDER was able to exploit identity and process weaknesses in these sectors and turn them into leverage for extortion and ransomware.
How did public-private collaboration shape this law enforcement response?
When law enforcement and private industry share critical threat intelligence and act decisively, cyber operations that inflict real damage on global businesses can be disrupted, such as in the case of the arrests of two members of SCATTERED SPIDER.
What shifts do you anticipate in ransomware operations after these arrests?
The arrests represent a significant blow and will likely degrade SCATTERED SPIDER’s operations in the near term.
More importantly, they send a message: cybercriminals who aggressively extort and disrupt are not beyond reach.
What immediate actions should businesses take to defend against similar threats?
Defending against adversaries like SCATTERED SPIDER starts with identity. Companies should enforce phishing-resistant MFA and lock down help desk processes so attackers cannot use them to reset credentials or enrol new devices.
Just as important is detection and monitoring.
Organisations need to understand their key technology stacks, whether a virtual cluster running critical applications or a SaaS CRM holding sensitive information, and make sure they are logging and monitoring for authentication anomalies, administrative changes and unusual behaviour on critical systems.
Comprehensive logging and solutions that provide cross-domain analytics, such as a next-gen SIEM solution, are key, alongside close scrutiny of suspicious application usage, search terms and data access patterns that often reveal malicious activity.
Infrastructure security adds another layer of resilience.
Segmenting networks, securing VMware environments, applying least-privilege access across cloud systems and disabling outdated authentication methods all limit how far an adversary can move once inside.
Businesses should also ensure readiness with isolated backups, rehearsed incident response playbooks and help desk and IT staff trained to recognise social engineering attempts.
By strengthening identity, improving visibility and preparing to act quickly, organisations can close the gaps adversaries exploit and stop breaches before they escalate.
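One way to turn the monitoring advice above into a concrete check, as an added example that is not part of the interview or of any CrowdStrike product: a small Python correlator over constructed identity audit events that flags a help-desk password or MFA reset followed within a short window by a new authentication device being registered for the same account, and raises the severity when an alert deletion follows too (the "register own device, delete alerts" pattern described earlier). The event and field names, the sample data and the 30-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample identity audit events (not real logs); field names are assumed.
EVENTS = [
    {"ts": "2025-06-01T09:00:00", "actor": "helpdesk.bob", "action": "mfa_reset",
     "target": "alice.admin", "src_ip": "10.0.5.20"},
    {"ts": "2025-06-01T09:04:00", "actor": "alice.admin", "action": "device_registered",
     "target": "alice.admin", "src_ip": "203.0.113.77"},
    {"ts": "2025-06-01T09:06:00", "actor": "alice.admin", "action": "alert_deleted",
     "target": "alice.admin", "src_ip": "203.0.113.77"},
    # Routine reset: the new device appears almost a day later, outside the window.
    {"ts": "2025-06-01T11:00:00", "actor": "helpdesk.bob", "action": "password_reset",
     "target": "carol.user", "src_ip": "10.0.5.20"},
    {"ts": "2025-06-02T08:00:00", "actor": "carol.user", "action": "device_registered",
     "target": "carol.user", "src_ip": "10.0.7.14"},
]

RESET_ACTIONS = {"password_reset", "mfa_reset"}
FOLLOW_ON_ACTIONS = {"device_registered", "alert_deleted"}


def correlate_resets(events, window=timedelta(minutes=30)):
    """Return one finding per help-desk reset that is followed, within `window`,
    by a new device registration for the same account. Alert deletion in the
    same window raises the severity, since it suggests track-covering."""
    by_time = sorted(events, key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
    findings = []
    for i, reset in enumerate(by_time):
        if reset["action"] not in RESET_ACTIONS:
            continue
        t0 = datetime.fromisoformat(reset["ts"])
        follow = [e for e in by_time[i + 1:]
                  if e["target"] == reset["target"]
                  and e["action"] in FOLLOW_ON_ACTIONS
                  and datetime.fromisoformat(e["ts"]) - t0 <= window]
        seen = {e["action"] for e in follow}
        if "device_registered" not in seen:
            continue  # a reset alone is normal help-desk work
        findings.append({
            "account": reset["target"],
            "reset_by": reset["actor"],
            "reset_action": reset["action"],
            "follow_on": [e["action"] for e in follow],
            "new_device_ips": sorted({e["src_ip"] for e in follow
                                      if e["action"] == "device_registered"}),
            "severity": "high" if "alert_deleted" in seen else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in correlate_resets(EVENTS):
        print(f)
```

On the sample data only alice.admin is flagged (high, because the alert deletion follows the device registration); widening the window to days would also surface carol.user, which shows why the window must be tuned to how quickly users normally re-enrol after a legitimate reset.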