Intelligence Advisory
zerotolerance.me

Jordan NCSC 2024: 6,758 Cyber Incidents Mark 175% Annual Surge

2024 · 175% increase

Publication Date: 2024-01-01
Category: Nation-State & Espionage
Author: K. Ellabban
Organization: Zero|Tolerance Security Research

Jordan’s National Cybersecurity Centre (NCSC) reported handling 6,758 cybersecurity incidents in 2024, a 175% increase over the 2023 total, alongside 6,922 cybersecurity alerts (more than double the 2,609 issued in 2023). The NCSC achieved a 97% detection rate against known threat indicators, though the severity profile of incidents was dominated by medium-severity events (88%), with serious incidents accounting for 2% and critical incidents for 0% of the total.

Executive Summary

Key Facts

  • What: Jordan NCSC reported 6,758 cyber incidents in 2024, up 175% from 2023.
  • Who: Jordanian government agencies and public sector infrastructure.
  • Data Exposed: 7,846 vulnerabilities found across government websites and servers.
  • Outcome: National Cybersecurity Strategy 2024-2028 launched; no data protection law yet.

Impact Assessment

What Was Exposed

  • 7,846 vulnerabilities discovered in government websites and servers during 2024, representing active attack surface available to threat actors targeting Jordan’s public sector digital infrastructure
  • Government systems affected by espionage campaigns, data theft operations, and malware deployments across the 6,758 incidents handled by the NCSC during the year
  • Potentially sensitive government data in the 2% of incidents classified as serious severity, which at 6,758 total incidents represents approximately 135 events warranting elevated concern
  • The operating picture of Jordan’s government cybersecurity posture, as revealed by the concentration of vulnerabilities across websites and servers that are publicly accessible
  • Incidents categorized under espionage and intelligence collection - implying that state-sponsored threat actors successfully achieved access to Jordanian government information systems during the reporting period

The 175% incident surge between 2023 and 2024 is a striking statistic that warrants careful interpretation. Year-on-year incident count increases in national CERT reports can reflect three distinct dynamics: a genuine increase in the volume of attacks, an improvement in detection and classification capabilities that surfaces incidents previously undetected or unreported, or a combination of both. The simultaneous doubling of cybersecurity alerts (from 2,609 to 6,922) suggests significant growth in NCSC monitoring capacity, which would increase detection rates even at constant attack volumes.

However, the broader regional and global context - which saw heightened cyberthreat activity against Middle Eastern targets throughout 2024, driven partly by the geopolitical pressures associated with the Gaza conflict and its regional spillover - supports a genuine increase in attack volume as a contributing factor.

The 97% detection rate claimed by the NCSC requires contextual understanding.

A detection rate metric in this context typically measures the proportion of incidents matching known threat indicators that were identified and classified as incidents, rather than representing the proportion of all attacks (including unknown-unknown threats) that were detected. A 97% detection rate against known indicators is a strong operational performance, but it does not address the category of sophisticated attacks using novel techniques, zero-day exploits, or living-off-the-land tradecraft that specifically avoid signature-based detection.

The 0% critical incident rate is particularly interesting: it may reflect genuine absence of critical-severity events, or it may reflect a classification methodology in which the NCSC’s incident severity taxonomy assigns fewer events to the critical category than international comparators would.

The 7,846 vulnerabilities found in government websites and servers is the most operationally concerning figure in the NCSC’s annual report. This number implies a systematic vulnerability scanning program across Jordanian government digital infrastructure - a positive indicator of proactive security assessment - but also a government attack surface that is both extensive and insufficiently patched. Vulnerability counts of this magnitude across government web infrastructure are characteristic of organizations where application security and patch management have not kept pace with the rate at which new systems and services are deployed.

Each unpatched vulnerability represents a potential entry point for the espionage campaigns, data theft operations, and malware deployments that feature prominently in the NCSC’s incident taxonomy.

The NCSC’s identification of espionage and intelligence collection among the attack categories it handled in 2024 is significant. Espionage campaigns against Jordan typically originate from state-sponsored threat actors with interests in Jordanian government policy, military affairs, intelligence sharing arrangements, or Jordan’s role as a hub for regional diplomacy on Palestinian affairs.

Iran-nexus groups (including those associated with the IRGC), groups linked to Palestinian militant organizations, and groups with possible connections to regional powers have all been documented conducting operations against Jordanian targets in prior years. Jordan’s position as a country with official diplomatic relationships with Israel, an active role in regional mediation, and close security cooperation with both Western powers and Gulf states makes it a high-value intelligence target for multiple adversarial actors simultaneously.

JOCERT’s independent handling of 3% of incidents and its release of 75 technical advisories during 2024 indicate a developing operational capacity at the sectoral incident response level. JOCERT serves as the national CERT for the broader Jordanian constituency, handling incidents from entities outside the government sector that are not within the NCSC’s direct mandate.

The 75 technical advisories released during the year represent a significant contribution to the national security community’s situational awareness, translating threat intelligence into actionable guidance for organizations across the Jordanian economy. The quality and timeliness of these advisories, relative to the evolving threat landscape, determine their practical defensive value.

The National Cybersecurity Strategy 2024-2028, launched in conjunction with the NCSC’s annual report, represents Jordan’s most comprehensive policy commitment to cybersecurity to date. The strategy identifies five pillars: cybersecurity governance, critical infrastructure protection, incident response and resilience, human capital development, and international cooperation.

The governance pillar is particularly relevant to the data protection legislative gap: the strategy acknowledges the need for a comprehensive legal and regulatory framework and identifies the development of personal data protection legislation as a policy objective. Whether this objective produces enacted legislation within the 2024-2028 strategy horizon will determine whether Jordan’s cybersecurity posture development outpaces or merely tracks the growth in the threat it faces.

Compliance Impact

Regulatory Analysis

The NCSC’s 2024 annual statistics provide both a performance baseline and a policy challenge for Jordan’s regulatory framework. The Cybercrime Law No. 17/2023 gives the NCSC and JOCERT their primary operational mandate - the 2023 law formally recognizes their roles in national cyber incident response and provides the legal basis for their engagement with incidents affecting government systems and critical infrastructure.

However, the 2023 law’s criminal focus - on prosecution of offenders - does not translate directly into the regulatory framework needed to improve security standards across the broader economy, including the government agencies whose 7,846 vulnerabilities represent the most immediately addressable attack surface.

Jordan’s existing legislative framework does not include a government security baseline comparable to the U.S. Federal Information Security Management Act (FISMA) or the EU’s NIS2 Directive. FISMA mandates minimum security standards for all U.S. federal agency IT systems, requires annual independent security assessments, and establishes a continuous monitoring program that the National Institute of Standards and Technology (NIST) supports with detailed security control frameworks.

NIS2 requires member states to impose minimum security measures and incident reporting obligations on entities in critical sectors, with independent oversight and enforcement.

Jordan’s government has no equivalent mandatory baseline - agencies improve their security in response to NCSC guidance and incident experience rather than regulatory compulsion, creating uneven security investment across the government estate that is reflected in the 7,846 vulnerability count.

The Cybercrime Law No. 17/2023’s expanded prosecutorial powers create a mechanism for addressing incidents with criminal dimensions, but the 97% detection rate and 175% incident surge suggest that detection and response capacity is outpacing prosecution capacity.

The Jordan Cybercrime Unit, which operates under the Public Security Directorate, is responsible for cybercrime investigation and prosecution, but the technical complexity of espionage campaigns, ransomware operations, and initial access broker activity (as demonstrated by the r1z case) requires specialist capabilities that are still being developed.

The NCSC’s 2024 report implicitly acknowledges this gap by noting the international cooperation dimension of its incident response work - indicating that some incidents require engagement with foreign law enforcement or intelligence partners to achieve attribution and prosecution outcomes.

The National Cybersecurity Strategy 2024-2028’s identification of personal data protection legislation as a policy objective creates a legislative roadmap commitment that should be held to account by civil society, the business community, and international partners. Jordan’s candidacy for OECD membership - which has been a stated government aspiration - has data protection adequacy requirements associated with it, as OECD members are expected to provide data protection frameworks that meet the organization’s privacy guidelines.

This external accession pressure, combined with Jordan’s trade relationships with the EU (which requires adequacy determinations for cross-border data transfers), creates practical incentives for legislative progress that purely domestic policy dynamics might not generate.

Assessment

What Should Have Been Done

The NCSC’s 2024 statistics provide a clear operational roadmap for priority investment. The 7,846 vulnerabilities in government websites and servers represent a concrete, addressable risk that should be the NCSC’s primary remediation target for 2025 and beyond. The 2% serious incident rate, applied to 6,758 total incidents, represents approximately 135 events that warranted elevated response - an operational load that tests the NCSC’s capacity and the incident response integration between the NCSC, JOCERT, and individual agency security teams.

The vulnerability remediation challenge requires a structured vulnerability management program across all Jordanian government agencies, coordinated by the NCSC. Each government ministry and agency should be required to maintain a prioritized vulnerability remediation register, tracked against defined timelines based on vulnerability severity.

Critical vulnerabilities should be remediated within 15 days of discovery; high-severity vulnerabilities within 30 days; and medium-severity vulnerabilities within 90 days.

The NCSC should publish quarterly aggregate statistics on government vulnerability remediation progress, creating public accountability for the pace at which identified weaknesses are addressed. The current 7,846-vulnerability baseline - while alarming in absolute terms - represents a known, quantifiable risk that systematic remediation can reduce over time, provided adequate resources and management accountability are applied.
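
One way to keep the remediation register described above and derive the per-agency aggregate figures from it, as an added example that is not part of the original advisory or any NCSC tooling. Only the 15/30/90-day windows come from the text; the agency and asset names, the sample findings, the status labels and the compliance definition are assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SLA_DAYS = {"critical": 15, "high": 30, "medium": 90}  # advisory's windows, days from discovery

@dataclass
class Finding:
    agency: str                       # hypothetical agency label
    asset: str                        # hypothetical asset name
    severity: str
    discovered: date
    remediated: Optional[date] = None

    def __post_init__(self):
        if self.severity not in SLA_DAYS:
            raise ValueError(f"no remediation window defined for {self.severity!r}")

    @property
    def due(self) -> date:
        return self.discovered + timedelta(days=SLA_DAYS[self.severity])

    def status(self, as_of: date) -> str:
        if self.remediated is not None and self.remediated <= as_of:
            return "closed_in_sla" if self.remediated <= self.due else "closed_late"
        return "open_overdue" if as_of > self.due else "open_in_sla"

def aggregate(register, as_of):
    """Per-agency status counts and SLA compliance; open in-window findings are not judged (assumption)."""
    per_agency = defaultdict(Counter)
    for f in register:
        per_agency[f.agency][f.status(as_of)] += 1
    report = {}
    for agency, c in per_agency.items():
        judged = c["closed_in_sla"] + c["closed_late"] + c["open_overdue"]
        report[agency] = {"counts": dict(c),
                          "sla_compliance": c["closed_in_sla"] / judged if judged else None}
    return report

# Constructed sample register (not real data).
REGISTER = [
    Finding("ministry-a", "portal.example", "critical", date(2025, 1, 2), date(2025, 1, 10)),
    Finding("ministry-a", "mail.example", "high", date(2025, 1, 5), date(2025, 2, 20)),
    Finding("ministry-a", "vpn.example", "critical", date(2025, 3, 1)),
    Finding("agency-b", "cms.example", "medium", date(2025, 2, 1)),
    Finding("agency-b", "api.example", "high", date(2025, 3, 1), date(2025, 3, 15)),
]
REPORT = aggregate(REGISTER, as_of=date(2025, 3, 31))
```

Severities without a stated window are rejected rather than silently given a deadline, since the text defines windows only for critical, high and medium findings.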

Jordan’s government security program should be formalized in a Government Security Baseline standard, analogous to NIST SP 800-53 or the UK’s Cyber Essentials Plus, that defines the minimum security controls required of all government agencies.

This baseline should include mandatory multi-factor authentication for all government employee accounts, endpoint detection and response deployment on all government endpoints, network monitoring with minimum alert coverage requirements, patch management obligations with compliance reporting, and annual penetration testing for all internet-facing government systems. The NCSC should have the authority to conduct compliance assessments against this baseline and to require agencies that fail assessments to implement remediation plans within defined timeframes.

The doubling of alerts and the 175% incident surge indicate that detection capacity is growing faster than response capacity. The NCSC should invest in automated incident triage and response playbooks that reduce the analyst time required to handle medium-severity incidents - which at 88% of the total represent the bulk of the operational load - freeing senior analyst capacity for the serious and critical incidents that require expert judgment. Security orchestration, automation, and response (SOAR) platforms can automate the most common response actions for known incident types, including isolation of compromised endpoints, blocking of identified malicious IP addresses, and notification of affected agencies. This automation would allow the NCSC’s analyst capacity to scale to meet growing incident volumes without a proportional increase in headcount.

Jordan’s NCSC has demonstrated measurable progress in national cybersecurity incident detection and response, but the 7,846 vulnerabilities in government infrastructure and the 175% incident surge are indicators of a threat environment that is growing faster than the defenses being built to contain it - a gap that only a comprehensive mandatory security baseline for government agencies, backed by the accountability mechanisms a personal data protection law would introduce, can systematically close.