PRE-EMPTIVE SYSTEM
Azerbaijan consistently moving from a reactive to proactive model of cybersecurity
Author: Ilaha MAMMADLI
For Azerbaijan, the development of a resilient cybersecurity architecture must be considered as part of a broader strategic course – the accelerated digital transformation of the state.
In this context, the decisions taken on 11 February 2026, under the chairmanship of Ilham Aliyev, have effectively set a new institutional and technological framework for the country's entire digital agenda. The establishment of the Digital Development Council, under the leadership of First Vice-President Mehriban Aliyeva, was a strategic response to the increasing complexity of the state's challenges. The focus has shifted from the piecemeal introduction of IT solutions to the formation of a holistic digital state ecosystem, where e-government, artificial intelligence, innovation and cybersecurity are integrated into a single strategic construct.
Fewer attacks does not mean safer
Of particular importance in this system is the 'Action Plan for Accelerating Digital Development for 2026-2028'. Its implementation is aimed not only at improving the efficiency of public administration and strengthening the country's position in international rankings, but also at expanding the digital sector's contribution to GDP formation.
By assigning personal responsibility for the areas of digitalisation, innovation, artificial intelligence and cybersecurity to deputy heads of government bodies, a clear management vertical is created. The logical next step in this model is to introduce a mechanism for centralised approval of spending on digital projects. This involves transitioning from a fragmented IT budget allocation process to a unified investment strategy, where each project is evaluated for its alignment with the overarching digital architecture of the state. This approach enhances transparency and manageability of expenditure, while facilitating the coordinated development of the country's digital ecosystem.
In the context of the rapid expansion of the digital environment, cybersecurity is no longer a technical issue; it has become a key element of state sovereignty. In accordance with this logic, the adopted action plan includes the creation of specialised structures, such as monitoring, response and digital investigation centres. These structures effectively enhance the protection system to a new institutional level.
Concurrently, the transition of state information systems to the 'government cloud' is underway, with their comprehensive integration into the e-government architecture. This solution enhances the manageability of the digital infrastructure and improves its security, especially in conditions where cyber threats are becoming more complex.
The State Service for Special Communications and Information Security of Azerbaijan has published data for the first quarter of 2026 that clearly confirms this transformation. It is no longer possible to consider this a simple increase or decrease in attacks; we are now faced with a qualitative change in their nature.
A preliminary analysis of the statistics indicates a positive outlook. In the AzStateNet network, over 41 million malicious links were blocked in January-March, 70% fewer than in the same period last year. A reduction has also been recorded in other indicators. The number of malicious objects detected by the centralised anti-virus system on end-user devices fell to 1,049,000 (a 50% decrease), and the number of infected electronic documents discovered by the Sandbox system fell to 31,962 (a 20% decrease).
However, behind this positive dynamic lies a more complex picture. It is not so much about a decrease in the activity of attackers, but rather an increase in the effectiveness of the protection mechanisms themselves. Centralised anti-virus solutions, Sandbox systems and traffic analysis tools enable the early identification of threats, allowing us to intercept them before they escalate into large-scale incidents. In summary, the system is operating in a pre-emptive manner to a greater extent than before.
For comparison, at the end of 2025, over 449 million malicious links were blocked in the AzStateNet network, along with more than 6.2 million malicious objects on user devices and almost 97,000 documents with malicious content. These figures underscore the necessity for constant technological renewal of the protective infrastructure, rather than the volatility of threats.
DDoS attacks require particular attention, as they continue to be one of the key tools for exerting pressure on the state's digital resources. In Q1 of 2026 alone, there were over 7 million such attacks, with around 12.5 billion malicious packets blocked. The volume of prevented traffic exceeded 10.2 million Mbit.
This high level of intensity indicates that DDoS is used not only to disable individual services, but also as a tool for stress-testing the country's entire digital infrastructure. In essence, it serves as a gauge of technological and institutional capabilities.
The effectiveness of the multi-layered protection system is further confirmed by data on end users: centralised anti-virus solutions made it possible to detect and neutralise more than 1.04 million threats. This demonstrates that the established cybersecurity model covers not only the level of state systems, but also the end points – users, who are increasingly becoming the main target of attacks.
Taken together, these trends point to the main conclusion: cyber threats are not decreasing—they are evolving. This necessitates the accelerated development of the protection system to become an integral component of the country's digital sovereignty strategy.
A warning signal
In the context of notable successes in the field of cyber threat prevention, another, far more sensitive indicator is becoming increasingly apparent: the rise in vulnerabilities. In the first three months of the year, vulnerabilities were identified in 228 government information resources, marking a 44% increase compared to the same period last year. The month of March is particularly noteworthy: vulnerabilities were identified in 59 resources, and the growth rate effectively doubled.
This trend is indicative of the objective reality of rapid digitalisation. The government is expanding the range of services it provides, and the number of platforms and entry points is increasing. Each new digital solution, along with convenience, carries a potential risk. In effect, the 'attack surface' is growing, and even with a reduction in the number of incidents, the overall vulnerability of the system may increase.
The figures for 2025 only serve to confirm this trend: vulnerabilities were identified in 1,264 information resources belonging to state institutions — representing a 47.5% increase compared to the previous year. This is a signal not only of the need to build up protective mechanisms, but also to rethink the very logic of digital development.
The dynamics in the field of domain administration also reflect a shift towards a more systemic and manageable model. In the first quarter, 17 new domains (an 89% increase) and 123 subdomains (a 2.4-fold increase) were registered, but at the same time more domain names were eliminated than created. This policy indicates a targeted optimisation of the gov.az space, where the emphasis is on improving quality and security rather than on quantitative expansion.
In March, government bodies were allocated 6 new domains and 39 subdomains, which is respectively 2 and 2.1 times more than a year earlier. Concurrently, efforts to combat phishing and fraudulent resources are being strengthened. In the last three months, six websites mimicking government services were identified, and 60 phishing pages were blocked. The discovery of compromised credentials of 105 employees once again underlines that the human factor remains one of the key vulnerable elements of the system.
The main vector of attacks
It is noteworthy that email communication remains a primary means through which cyber threats are propagated. Of the nearly 4.7 million emails processed (a 9.7% increase), more than 1.4 million were blocked due to malicious content. It is important to note that the number of blocked messages has doubled compared to last year.
This dynamic indicates an increase in targeted attacks via email, including phishing, the spread of malicious attachments and attempts to compromise accounts. In 2025, the state institutions' email system received approximately 17.7 million emails, of which more than 5 million were blocked as potentially dangerous. This underscores the ongoing significance of this trend and the necessity for additional reinforcement of filtering mechanisms and enhancing user awareness.
In the context of contemporary security architecture, cyber intelligence is a pivotal component. The identification of 274 indicators of compromise, the majority (213) of which were discovered during internal investigations, indicates a shift towards a more mature protection model. In this model, threats are not only repelled but also analysed, predicted and prevented at an early stage, ensuring maximum protection for our clients.
The primary conclusion from the initial quarter is that Azerbaijan is progressively shifting from a reactive to a proactive cybersecurity model. Centralisation of protection, the introduction of intelligent analysis systems, the development of cyber intelligence and regular infrastructure testing are forming a new paradigm: proactive risk management.
At the same time, the main challenges remain as follows: the growth of vulnerabilities against the backdrop of digitalisation, the high intensity of DDoS attacks, the importance of the human factor and the increasing complexity of the threat architecture itself. In these conditions, cybersecurity is evolving beyond a technical function to become an integral component of national resilience, alongside energy, transport and financial security.
The current results should not be viewed as a final outcome. Instead, they should be regarded as an intermediate stage in the process of establishing a resilient, adaptive and deeply integrated digital state protection system.
In line with the logic of these transformations, the forthcoming institutional reforms are also of particular importance. The plan is to abandon fragmented digital solutions by 2029, replacing them with a single platform model. All state services will be concentrated on the mygov and mygov Biznes platforms. This solution is not only technologically advanced, but also economically viable. Centralisation will reduce development and maintenance costs, increase cyber resilience, introduce uniform user experience standards and simplify access to services for citizens and businesses.
The integration of multiple portals into a unified ecosystem solves the issue of 'digital islands', where users are required to interact with numerous unrelated services. The outcome of this process is not merely a digital infrastructure, but rather a cohesive, manageable and resilient digital environment.
Until recently, the primary perception of cybersecurity was as a protective measure. However, it is now increasingly recognised as a crucial component of a comprehensive strategy, encompassing resilience, competitiveness and digital sovereignty for the nation.