Countering Terrorist Operations in the Age of Hybrid Warfare
The battlefield has changed. It is no longer defined solely by physical borders or kinetic energy. Today, the most volatile frontlines exist in the “Grey Zone” a space where the boundaries between war and peace, civilian and combatant, and physical and digital are intentionally blurred.
I am honored to announce that I have been invited by the NATO Centre of Excellence Defence Against Terrorism (COE-DAT) to serve as a lecturer and advisor for the upcoming “Terrorist Use of Cyberspace” course. As we look toward the challenges of 2026, it is clear that the exploitation of the Surface and Hidden Web has evolved from a recruitment tool into a sophisticated engine for Cyber-Enabled Hybrid Warfare.
In this post, I want to explore the strategic context of this shift and provide a preview of the working group tabletop exercises I will be leading in Ankara.
Strategic Defiance: Mastering the 2026 Cyber-Terrorism Landscape at NATO COE-DAT
The digital domain is no longer a “theatre” of war; it is the stage itself. As I prepare to join the NATO Centre of Excellence Defence Against Terrorism (COE-DAT) in Ankara this May, the mission is clearer than ever: to bridge the gap between technical cyber-exploitation and strategic national defense.
Modern terrorism has moved far beyond simple radicalization. We are now witnessing the birth of Cyber-Enabled Hybrid Warfare, where autonomous agents, the dark web, and physical kinetic operations are synchronized with terrifying precision.
In my role as a lecturer and advisor for the “Terrorist Use of Cyberspace” course, I will be leading three distinct sessions designed to take participants from the “depths” of the web to the “heights” of strategic decision-making.
Session 1: Exploitation of the Surface and Hidden Web
From Visibility to the Void
Our first session dives into the mechanics of the “Shadow Infrastructure.” While most of the public focus remains on social media propaganda (the Surface Web), the true operational danger lies in the Hidden Web.
For terrorist organizations, the Darknet is not just a place to hide—it is a functional supply chain. During this session, we will explore:
- The Procurement Cycle: How encrypted marketplaces are used for the illicit acquisition of “Cyber-Crime-as-a-Service” (CCaaS). Why buy a zero-day when you can rent a botnet?
- Anonymity as a Weapon: The evolution of decentralized communication protocols that bypass traditional signals intelligence (SIGINT).
- The “Grey” Surface: How terrorists use the Surface Web—not just for messaging, but for Open-Source Intelligence (OSINT) to map the families, habits, and technical vulnerabilities of high-value NATO targets.
The goal here is to move participants past the “scary stories” of the Dark Web and into a tactical understanding of how to monitor, intercept, and disrupt these digital lifelines.
Session 2: Cyber-Enabled Hybrid Warfare in Terrorist Operations
The Convergence of Bits and Blood
If the first session is about the tools, the second is about the strategy. Hybrid Warfare is the art of using non-linear methods to achieve a political or military goal. For a terrorist group, this means using a digital attack to create a physical outcome.
In 2026, we are seeing the rise of Agentic AI in this space. We are no longer defending against a human at a keyboard; we are defending against autonomous agents that can scan a regional power grid’s “Hidden Web” command-and-control nodes and wait for the perfect physical moment to strike.
Key themes we will cover:
- The Multiplier Effect: How a well-timed ransomware attack on a hospital or transportation hub can turn a minor physical protest into a national security crisis.
- Social Engineering 2.0: Using Deepfakes and AI-generated personas to infiltrate the supply chains of critical infrastructure vendors.
- Strategic Disruption: Why the objective is often not “destruction,” but the total erosion of public trust in government institutions.
We will analyze how NATO’s core tasks—deterrence, defense, and crisis management—must adapt when the “enemy” is a decentralized algorithm operating across fifty different jurisdictions simultaneously.
Session 3: The Tabletop Exercise (TTX)
Real-Life Case Studies & The High-Stakes Tabletop
The final session is where theory meets reality. I will be leading a Working Group Tabletop Exercise based on actual case studies from my years in the field and the forecasted threats of 2026.
This is not a “click-through” simulation. Participants—ranging from senior military officers to intelligence analysts—will be placed in the “Hot Seat.”
The Scenario: “The Sovereign Breach”
We will simulate a multi-vector attack on a NATO partner nation.
- Phase 1 (Discovery): A critical infrastructure vendor is breached via a Surface Web OSINT vulnerability.
- Phase 2 (Infiltration): The attackers move laterally into the Hidden Web nodes of the nation’s energy sector.
- Phase 3 (The Ask): A hybrid demand is made—not for money, but for a strategic political concession—timed with a physical “Grey Zone” operation.
The Challenge: Participants must navigate the “15-Minute Rule” (as seen in my Ozkaya Board Briefing Framework). How do you brief a political leader or a military commander when the risk is evolving every second? What is the Metric that matters? What is the Decision they need to make now?
The Broader Strategic Context: Why Ankara? Why Now?
The NATO COE-DAT in Ankara is uniquely positioned as the global hub for counter-terrorism expertise. As we integrate Multi-Domain Operations (MDO) into our training, we must recognize that “Cyber” is not a separate silo—it is the connective tissue of every other domain.
Implications for NATO Members and Partners:
- Resilience over Prevention: We must build systems that can “fight through” an attack.
- Intelligence-Based Relevance: We need to move from “reacting to incidents” to “predicting intent” based on Hidden Web activity.
- Coordinated Response: The role of cyber resilience is not just technical; it is a diplomatic and military necessity.
The Responsibility of Leadership
As a CISO and a NATO advisor, I see the same patterns of failure in the boardroom and the situation room: Complexity is the enemy of security. When we talk about the “Terrorist Use of Cyberspace,” we are really talking about the exploitation of our own technical debt and our own slow decision-making processes. My goal for this course is to provide NATO’s leaders with the mental and technical frameworks to be faster, sharper, and more resilient than the adversaries we face.
I am looking forward to the intense collaboration in Ankara. To the participants: bring your hardest questions. To my followers: I will be sharing “post-action” insights (within the bounds of security) to help you strengthen your own digital perimeters.
The digital frontline is moving. Are you ready?
About Dr. Erdal Ozkaya: Dr. Erdal Ozkaya is the CISO of Morgan State University, a NATO Cybersecurity Advisor, and the author of 26 books on cybersecurity and leadership. A 17-time Microsoft MVP and Top 1% Google Local Guide, Erdal has briefed boards and military leaders in over 50 countries.
For more information on my work or to invite me for a session, visit erdalozkaya.com