When the Middle East Exploded, Were GSOCs Ready?
The conflict involving Iran, the United States and Israel didn't just escalate quickly. For most enterprise Global Security Operations Centers, it escalated without warning. Or at least, that's how it felt. According to Stefano Ritondale, co-founder and Chief Intelligence Officer of Artorias, the warning signs were there as early as January, and the organizations best positioned to act on them were the ones with the right combination of AI-driven intelligence tools and deep regional human expertise.
Ritondale joined SecurityDNA host and Editorial Director Steve Lasky to unpack the failures, the lessons and what the current geopolitical environment demands of GSOCs going forward.
The January Red Flags Nobody Flagged
Ritondale points to a specific moment, the weekend of January 10th, when Iran made two decisions on the same day that his team's AI system, Nemesis, flagged immediately: a full internet blackout and the deployment of IRGC ground forces into Iranian cities to suppress protests. Normally, those measures are rolled out sequentially. Doing them simultaneously signaled panic at the highest levels of the Islamic Republic.
"You can look at it as almost a month-plus of leeway and warning that something significant was gonna happen in the region," Ritondale said. Most GSOCs, he argues, were too focused on the 50-yard target (the immediate, the obvious) to see it coming.
Perception Bias and the Midnight Hammer Problem
The deeper intelligence failure, Ritondale says, was one of assumption. Most analysts and enterprise security teams operating in the region defaulted to what he calls the "Midnight Hammer" model: the historical pattern of Iran conducting calibrated, contained retaliatory strikes (like the Al-Asad Air Base bombing following the Suleimani assassination) that made noise but didn't fundamentally change the regional equation.
When regime change became a declared U.S. objective and the Supreme Leader was killed on day one, that historical playbook was out the window. Few GSOCs had built contingency plans around the worst-case scenario. "All bets are off," Ritondale said.
From Alerting to Action
Ritondale's critique of the broader GSOC intelligence model extends beyond this specific conflict. Most enterprise security teams, he argues, are still in the business of alerting, telling clients their house is on fire, without providing the operational guidance needed to actually respond.
Artorias's approach with Nemesis goes further: each alert is paired with a tailored analysis explaining why the event matters to that specific client and, where decision thresholds are triggered, a set of prioritized courses of action drawn directly from the client's own security plans. "A low-level GSOC analyst could just read the system," Ritondale said. "Step one, step two, step three. And then you just make a decision and execute."
He also highlighted a problem most intelligence consumers overlook: circular reporting. When a single event generates alerts from 5–10 different sources simultaneously, a GSOC can receive a cascade of redundant notifications that appear to be distinct events. Artorias's system is built to deduplicate and consolidate, providing a single authoritative alert with real-time updates as the picture clarifies.
OSINT, AI, and the Human You Can't Replace
The explosion of OSINT over the past two decades, driven by internet access and social media, has fundamentally changed the intelligence landscape for private-sector organizations. But volume is the enemy of clarity. Ritondale argues that large language models are now essential tools for collecting and synthesizing the scale of information required to operate in today's threat environment, but only when they're guided by domain experts who understand the source landscape.
"I know where the cartels talk on messaging groups," Ritondale said, describing his own area of specialization. "I know where they post information. I know where to collect." That on-the-ground expertise, applied to tuning and contextualizing LLM outputs, is what separates actionable intelligence from noise. Engineers can't provide that. More compute can't provide that.
The New Normal
The Middle East conflict, Ritondale says, isn't an aberration; it's a preview. Russia-Ukraine, China-Taiwan, cartel violence in Mexico, instability across sub-Saharan Africa: the simultaneous geopolitical pressures bearing down on global enterprises are only going to multiply.
His closing message to GSOCs is direct: plan for black swan events, not just the most probable outcomes. Cross-departmental integration matters: operations, logistics, PR and legal all have stakes in a crisis response. Keep your SOPs current. And don't be afraid to raise red flags to leadership when the indicators warrant it.
"Don't fall within this premise of, because something always happened like this, this is how it's always going to be," Ritondale said. "Analyze black swan events, build plans and make sure you're integrated in the planning process with every department your business touches."
Stefano Ritondale is co-founder and Chief Intelligence Officer of Artorias. Learn more at artorias.com. For more SecurityDNA episodes, visit SecurityInfoWatch's YouTube channel.
