MSP, Channel partners, Channel, Security Management, Security Architecture, Security Operations, Attack surface management

Drone Strikes, Infrastructure Disruptions, and Cyber Surges Are Stress-Testing MSPs

Drone strikes took out AWS infrastructure in the UAE. MSPs activated disaster recovery plans they hoped they'd never need. This is the new normal MSPs are operating in.

The Middle East escalation is already showing up in places MSPs care about. Security teams are logging spikes in cyber activity. Drones are striking data center facilities, and some organizations are rerouting workloads and spinning up disaster recovery plans on the fly. This is not a drill. This is real life.

And this is also the part worth sitting with. Imagine a scenario where physical infrastructure went down, cloud dependencies got stress-tested, and customers needed answers fast. Somewhere behind each of those outages was a managed services team fielding calls they had no answers for, because their upstream provider was still figuring out whether the building was structurally sound.

The attack surface that has unraveled itself is double-sided - kinetic (physical) and cyber.  There's the cyber threat - targeted, opportunistic, and often timed to moments of global instability. And there's the infrastructure risk, the possibility that the data centers and cloud regions customers depend on are closer to a conflict zone than anyone thought to check.

Neither of those problems is going away anytime soon. Conflicts like this have historically driven surges in attacks across IT, financial, and government sectors worldwide. The targets are never predictable, nor is the timing.

So the real question for MSPs right now isn't whether this affects them. It's whether they have a plan for when it does - because that moment is coming, and customers will remember who was ready. And this encompasses customer retention, SLA exposure and trust in the market.

MSPs and MSSPs sit right in the blast path when things go wrong

When attacks scale, managed services providers sit directly in the path. They hold privileged access across multiple customer environments, operate shared tooling, and maintain credentials that span accounts. That reach is the value proposition. It's also the exposure.

John Nellen, CEO of Todyl, framed it simply to ChannelE2E: "Providers are often sitting right in the middle of it as trusted advisors who hold privileged access across dozens or even hundreds of client environments, running and maintaining security programs on the customer's behalf, including organizations tied to critical infrastructure and broader supply chains."

A single compromise in that model doesn't stay contained. It moves. That is what turns one incident into something significant.

Andy Bensinger, CTO of CyberFox, explains what makes the current threat environment different from a typical ransomware cycle: "A successful breach doesn't just impact the provider, it can have significant downstream effects across their entire client base. What's especially concerning right now is that these attacks don't appear to be financially motivated ransomware events, but rather destructive campaigns aimed at permanently deleting data and disrupting operations."

Destructive campaigns don't end with a ransom negotiation. They end with customer data gone, systems offline, and a provider trying to explain what happened. That's a different business conversation than a recovery invoice.

Detection gaps become business gaps

The timing can never be predicted for geopolitically motivated attacks. Neither do they announce themselves. They come up as patterns like credential probing, unusual lateral movement, access from locations that don't fit - and spread across identity, network, and cloud. When teams have fragmented visibility, patterns emerge too late and impact becomes clear only when the damage is already done.

Kory Daniels, Chief Security and Trust Officer at LevelBlue, describes what adequate readiness actually requires: "The reality is defending their own infrastructure while maintaining visibility and response readiness across dozens or even hundreds of client environments. That means ensuring monitoring is tuned to detect infrastructure and behaviors associated with Iranian threat actors and confirming escalation and response processes can move quickly."

Speed of response matters here as well in a direct business sense. The longer a compromise goes undetected across a multi-tenant environment, the wider the blast radius - and the harder the customer conversation becomes afterward.

Alex Rose, Global Head of Government Partnerships and Director of CTU Threat Research at Sophos, adds a layer that catches many teams off guard: "Those noisy actions - DDoS attacks, website defacements - can distract teams and sometimes hide more serious activity underneath."

High-volume, visible attacks consume analyst attention. What's moving quietly underneath is often the actual threat. Providers whose detection isn't correlated across systems are working with a partial picture during exactly the period when a complete one matters most.

Your DR plan has not been tested for this!

AWS data center disruption in the UAE exposed something providers need to take seriously: resilience that works on paper doesn't always work under pressure. Regional disruption - whether from kinetic attacks, power loss, or compounding failures - creates conditions most environments weren't designed for.

Pascal Geenens, VP of Cyber Threat Intelligence at Radware, explains the core problem: "When physical infrastructure is destroyed, failovers within the same region can be rendered useless." His team's 2026 Global Threat Analysis Report tracked a 168% surge in DDoS attacks and a 120% increase in application-layer attacks over the past year, largely driven by regional conflicts. For providers managing SLAs tied to uptime, that volume has direct contract implications.

Jonathan Knepher, VP of Site Reliability Engineering at Forcepoint, says  that many providers are still operating with an architectural gap they haven’t fully addressed: "Even N+1 resiliency at the physical datacenter block is insufficient to maintain availability." If a provider's cloud infrastructure, backup systems, and disaster recovery site all share regional dependencies - same power grid, same subsea cables - failover isn't a recovery option. It's another single point of failure.

For MSPs, the question is real. If customer workloads can’t move during a regional outage, what happens to SLAs, contracts, and the conversations with customers that follow?

Disaster recovery as a business capability, not a document

Most MSPs have disaster recovery documentation. Fewer have tested whether it actually works under realistic conditions. That gap shows up fast when something breaks.

Brian Harmison, CEO of Corsica Technologies, is direct about what the current environment demands: "Resilience planning can't be theoretical. MSPs should be stress-testing cloud architectures for multi-region failover, making sure DR runbooks are actually practiced, and ensuring security monitoring is tuned to catch anomalies early. This isn't about reacting to any particular conflict. It's about building the kind of operational foundation that holds up no matter what causes the disruption."

The same Jonathan Knepher puts it simply, "Disaster recovery plans are only valid if they have been tested. Abstract plans aren't enough."

The business difference is measurable. Providers who have rehearsed recovery steps know who owns what, how long each step takes, and where the friction points are. Providers who haven't found out during an incident do it in front of customers, under pressure, with the clock running.

Customer communication is the only thing you can control when things go wrong

When disruptions hit, and even in general, customers don't want general assurances. They want to know what's affected, what's protected, and what happens next. It all comes down to how a provider handles such conversations - during and after an event -  this is what actually separates retained customers from lost ones.

David Byrnes, VP of Global Channels at Kiteworks, connects this to a broader positioning opportunity: "The MSPs that bring geopolitical risk, AI-driven risk, and data governance together under one unified approach will be the ones their clients trust when the next disruption hits."

But this kind of trust is not built during an incident. The foundation starts with conversations that happen before anything goes wrong - explaining the resilience model, clarifying what recovery looks like, and setting realistic expectations for how communication will work or not when operations change or are affected.

Where MSPs should focus now

John Nellen's framing is worth sitting with: "Don't wait for a visible event to act. Quiet periods do not mean a safer environment. In many cases, they mean the opposite."

The priorities aren’t new. The cost of delaying them is.

MSPs need to tighten detection across the full environment, as isolated alerts won’t surface coordinated campaign activity. Providers need correlated and unified visibility across identity, endpoint, and cloud - and escalation paths that hold up when alert volume spikes.

Geenens highlights that modern DDoS attacks can last under 60 seconds, faster than a manual response can engage. Automated detection and mitigation are the baseline, not an upgrade. So MSPs need to audit and harden access across customer environments.

Iranian-linked campaigns and aligned hacktivist groups have consistently exploited credential theft, VPN vulnerabilities, and privileged account abuse as entry points. Benny Lakunishok, CEO of Zero Networks, recommends enforcing MFA across all systems, segmenting environments by user identity and role, and defaulting administrative ports to deny. The goal is to limit blast radius – making sure that a compromised account in one part of an environment doesn't become a pathway through all of it.

If you’re not secure, neither are your customers.

Mike Kosak, Director of Threat Intelligence at LastPass, says that first and foremost, MSPs need to protect themselves and their customers against the known primary tactics, techniques, and procedures (TTPs) used by hacktivists or threat actors. TTPs include wiper attacks (as demonstrated with the recent Stryker incident), DDoS operations, and website defacements.

Given this, Kosak recommends a few actions: “First, education campaigns to inform employees and customers of the heightened threat environment and the increased risk of phishing attempts, along with the guidance to notify Security when there is any suspicion of malicious activity. Second, checking for potential exposed credentials. These will frequently be posted on, and purchased or taken from, dark web forums and/or Telegram channels where infostealer bots will post their data. And third, checking all software and operating systems are updated with the most recent versions to avoid vulnerability exploitation.

Potential exploitation of zero-days must be considered as well, though by definition, proactive patching in these instances is impossible. As such, MSPs should focus on detection signatures for anomalous behaviors within their and their customers’ environments. This allows for a broader net to be cast when defending against attacks, Kosak emphasizes.

To summarize, MSPs should:

Validate cloud failover, don't assume it. Cross-region resilience needs to be tested under realistic conditions, not verified on paper. Map workload dependencies, identify where manual intervention is still required, and close those gaps. The 3-2-1 backup rule - three copies, two modalities, one off-site and offline - remains the practical standard. What matters now is whether those copies are actually tested and recoverable.

Treat disaster recovery as an operational practice. Frequent drills, documented ownership, and measured recovery times are what make DR a real capability rather than a compliance artifact. Bensinger makes a specific point that providers often skip: testing restores to confirm actual recovery point and recovery time objectives. If those tests haven't run recently, that's the gap to close first. For high-impact customer environments, air-gapped backups are worth evaluating seriously.

Run combined disruption scenarios. Exercises that only model cyberattacks miss what the current environment is actually presenting. Simulating coordinated cyber activity alongside infrastructure disruption - simultaneously, not sequentially - is where providers find out where processes break and where ownership is unclear. Those findings are far less costly to address in a drill than in an active incident.

Build the customer communication model before it's needed. Providers that handle disruptions well aren't improvising. They've already defined what they'll communicate, how quickly, and through what channel. Alex Rose puts the underlying principle clearly: "Strong fundamentals and steady, disciplined execution are what keep customers resilient when the pressure is high." That applies to communication as much as it does to technical response.

Trust, access, and scale are what the managed services model is built on. When geopolitical events trigger both cyberattacks and infrastructure disruption at the same time, those same factors determine how much risk a provider is carrying and how ready they are when customers need them most. For most MSPs, the deeper issue is planning. MSPs typically build continuity planning around security incidents, which assumes the underlying infrastructure stays stable. That assumption is harder to defend now. When a conflict zone takes out a data center or disrupts a major transit network, the fallout isn't just a security event. It's an availability problem, a contractual problem, and a customer confidence problem hitting all at once.

Suparna Chawla Bhasin

Suparna is the Senior Managing Editor for CyberRisk Alliance’s Channel Brands, including MSSP Alert and ChannelE2E. She manages content development, sharpens editorial workflows, and ensures storytelling is tightly aligned with audience needs. With a background in technology, media, and education, she combines strategic insight with creative execution.

You can skip this ad in 5 seconds