Why Digital Resilience Remains Out of Reach for Civil Society in the Global South

Written by: Anthony Sule

Date: June 16, 2025

Ten years ago, “digital resilience” wasn’t a phrase you’d hear in conversations about digital security, especially within civil society. At the time, the field was still maturing. “Online safety” and “digital safety” were the dominant paradigms, reflecting the foundational nature of the work: helping activists, journalists, and nonprofits stay safe online as they navigated threats from hostile actors, oppressive governments, and commercial surveillance.

Back then, safety meant encryption guides, password tips, threat modeling workshops, VPN recommendations, and the like. It was a necessary era, but a simpler one. The threat actors were fewer, the attacks less frequent, and the adversaries less resourced.

That era is over.

Today’s threat landscape is wildly different. The cost of launching sophisticated digital attacks has plummeted, while the capabilities of those attacks have grown exponentially. From commodity spyware to automated malware kits (costing as little as $15), civil society organizations now face adversaries that are faster, stealthier, more persistent, and more scalable than ever before.

This shift marked the rise of a new imperative: Digital Resilience.

Where digital safety was about avoiding threats, digital resilience is about surviving them. It’s the capacity of an organization not just to defend against attacks, but to withstand them, recover from them, and continue operating despite them.

So, How Are We Doing?

To answer that, we need to revisit what research has shown to be the five pillars that define digital resilience: Measure, Attack, Capacity, Withstand, and Recover. These pillars offer a practical litmus test for whether organizations are truly resilient, or are still stuck in the outdated mindset of digital safety.

1. Measure

You cannot improve what you cannot measure. Digital resilience begins with the ability to assess the state of preparedness of any entity against a clear, shared standard.

And here lies one of the biggest gaps in our ecosystem: what do we measure against?

In enterprise environments, standards like PCI DSS offer benchmarks against which card processors are evaluated, and companies either pass this evaluation or they do not. In the internet freedom space, what we do have are frameworks such as Internews’s SAFETAG, which is very useful for assessing organizational security posture; but at best these frameworks are suggestive, and they don’t measure resilience.

We encountered this firsthand at Resilience Technologies in 2023, during a regional assessment across sub-Saharan Africa. We were looking to benchmark resilience across dozens of organizations, and realized no tool existed to do so. That insight led us to start building what we have now called “The Resilience Model”.

Now in its third iteration, the Resilience Model is a maturity framework designed specifically for civil society. It sets measurable criteria for assessing an organization’s ability to resist, respond to, and recover from digital threats. (We discussed the latest iteration at RightsCon 2025, and a breakdown is available in our 2023 report.)

Until we have a way to measure resilience, we cannot claim to build it or understand how organizations are faring in their quest for it.

2. Attack

Understanding resilience also means understanding the nature of modern attacks.

Modern threats and attacks are defined by many attributes, and the key ones are: Automation, Stealth, Sophistication, and Persistence.

Attackers now deploy highly automated systems that can scan, exploit, and pivot at speeds impossible for manual defenders to match. This is the world we now operate in, and any resilience strategy that doesn’t account for this evolution cannot be truly effective in defending organizations against the various types of attacks powered by the rapid advancement in technology.

3. Capacity

Capacity refers to an organization’s internal security capabilities plus the external expertise it relies on. In civil society, capacity is often entirely outsourced to digital security operators, consultants, and donor-funded emergency response teams.

But as attack speeds accelerate, our traditional service models are breaking down. Most operators still rely on manual workflows for triage, detection, and response. That’s no longer sustainable.

When we built Zeroth Cloud in 2024, this was the core problem we aimed to solve. Zeroth automates the full lifecycle of incident response: prevention, detection, containment, and reporting, powered by real-time behavior and pattern analysis. The result is a 700+% increase in detection and response speed compared to traditional incident response workflows and methodologies. Zeroth can detect, contain, and alert on an incident before organizations even realize they are under attack.

Solutions like Zeroth Cloud are essential for scaling the limited technical security capacity within the internet freedom space, and for achieving organizational resilience, directly for civil society organizations, and crucially, for the security operators and incident response teams that provide services to them.

The more automated, scalable, rapid and resourced our technical security teams are in handling threats, the closer we can get to achieving resilience as a community, and right now, we are still some way from getting there.

4. Withstand

True resilience lies in the stability of systems against stress and pressure-testing.

Stress-testing (or penetration testing) is still a very touchy topic within civil society discussions (even among security operators). Many organizations view the tactics as unnecessary, invasive, or too aggressive. But here’s the truth: if the first time your systems are tested is during an attack by a well-resourced threat actor or an adversary, the chance of survival is close to zero.

The argument against this would be, “oh, but we conduct security assessments and implement recommendations.” That is good, but not enough. Seven years ago, this would have been perfect in defending your organization against institutional threats, but not today, and the reason is simple: you have to be right all of the time in your defense strategy; a threat actor only needs to be right once. The challenge before us as security operators is making sure they don’t have that one chance, and the only way that is possible is by simulating the various ways a threat actor might attack a system and closing those gaps. In layman’s terms, that is pen-testing.

Periodic, controlled stress tests are essential to determine whether an organization can truly withstand an attack. Without them, we’re simply guessing, and that is fatal in our ecosystem.

We must normalize the use of adversarial simulations, not just for tech teams, but for entire organizations.

5. Recover

The final, and often overlooked, pillar is recovery.

When a breach happens, how quickly can the organization bounce back? Are backup systems in place? Are redundancies operational? Can they restore service without catastrophic delays?

If it takes days (or even weeks) longer than intended to restore a compromised website, server, or email system, then resilience was never in place to begin with. The speed and fluidity of recovery determine how deeply an attack affects your mission, and whether it sidelines your work entirely. This is a very important resilience test for any organization.

As with pen-testing, discussed above, recovery drills must be a necessary part of incident response workflows for organizations and security operators. It is often easy to assume that the redundant systems we have put in place will kick in in the event of an attack, but unless they are tested, that is a potentially costly assumption to make.

So, Where Do We Stand?

The hard truth is that digital resilience is still largely aspirational for civil society in the Global South.

We are still largely operating with tools, models, and mentalities from an era that no longer exists. Our adversaries have evolved. Our attack surface has grown. But the field’s response has not kept pace.

Critically, we need to collaboratively:

  • Establish standards to measure resilience;
  • Map and anticipate modern attacks;
  • Build and scale capacity through automation;
  • Embrace stress testing to understand and withstand threats; and
  • Recover rapidly through institutionalized systems.

For security operators, this is an invitation to reflect deeply on the systems we build and the gaps they leave behind. These pillars offer a useful framework, not as a checklist, but as a mindset for shaping more responsive, resilient, and context-aware security interventions.

For civil society organizations, especially those operating under heightened threat conditions, I encourage you to use this framework to engage more meaningfully with your security partners. Understanding what to ask for, and what good looks like, can significantly shift the outcomes of your digital resilience strategies.

For funders, the opportunity is to align support with solutions that are not just innovative in language, but grounded in the realities of the field. A forward-looking funding approach will consider not only current risks but also the infrastructure and capacity needed to anticipate what comes next.

Together, we can start a collaborative effort and push for collective digital resilience in the Global South by being intentional about what we build, support, and sustain, because right now, that is not the case.
