From Drones to Data: Private Contractors and Cyber Mercenaries
Private military and security companies are recasting conflict as a marketplace. The centre of gravity has shifted from security services to capability and data control. Ukraine provides the clearest illustration of how that shift plays out in practice.
The commercialisation of conflict is no longer a subtext – it is the text. Since the 1990s, private military and security companies (PMSCs) have evolved from manpower providers to system integrators and data brokers, expanding alongside a decade of rising global military expenditure that reached a record $2.718 trillion in 2024. But this is not only about drones, boots and battlefield hardware. Increasingly, the privatisation of conflict extends to the digital sphere, where software, surveillance and cyber intrusion are becoming tradable assets. As with drones, the key question is no longer who fires the shot, but who owns the system that makes it possible.
The commercial logic is clear and unsettling: protracted, lukewarm conflicts create time and space for iteration and scale, making them attractive laboratories for investment and innovation when oversight is thin.
Cyber Mercenaries: The Invisible Layer of Ukraine’s Battlespace
Conflict is no longer waged solely with boots, bullets or drones. It is now engineered in code, outsourced through contracts, and monetised by private actors offering digital force as a service. Ukraine has become the most advanced laboratory for this shift. Private Sector Offensive Actors (PSOAs) or cyber mercenaries are commercial entities that develop and sell intrusion tools, spyware and offensive cyber capabilities to governments and clients, who then select targets and operate the tools independently.
The ‘cyber mercenary’ concept itself remains contested. In the Ukrainian context, this ambiguity is not incidental; it is strategic. Some actors operate as state-aligned proxies, others are ideologically motivated or simply commercially driven. Yet most operate outside formal military command chains, making lines of responsibility blurry. Many of these operations take place under, or with the tacit approval of, state contracts or sponsorship, while others act with greater autonomy, a spectrum that complicates efforts to assign accountability.
Ukraine’s digital battlespace has been particularly shaped by Distributed Denial of Service (DDoS) attacks, phishing campaigns, malware deployment and information operations, many attributed to Russian-aligned groups like Killnet, NoName057(16), and Sandworm, which operate in coordination with, but often outside, formal state infrastructures. On the defensive front, Ukraine’s IT Army, a volunteer cyber force, has also conducted attacks on Russian digital infrastructure, raising questions about legal status, accountability, and escalation thresholds.
These dynamics mirror what has already been observed in the kinetic sphere. The commercialisation of cyber intrusion follows the same logic: those who control platforms and datasets shape the terms of access, as well as the boundaries of accountability.
Ukraine: The Laboratory of the Industry of Conflict
Other tech and security contractors are also boosting this venture-backed autonomy within the Ukrainian battlespace. Former Google CEO Eric Schmidt has been quietly financing White Stork, an AI-drone venture conceived to operate in GPS-denied, electronic warfare (EW)-saturated environments, a design brief written by Ukraine’s electronic-warfare reality. Among these advancements is the normalisation of kamikaze drones as core components of modern warfare.
This surge is far bigger than any single investor or demonstration. Building on Ukraine’s role as both a geostrategic flashpoint and marketplace, a wider wave of actors – particularly veteran-founded start-ups and other investors across Europe – has converged at speed, driving an investment surge of 500% to $5.2 billion in 2024, with more than 80 start-ups now active.
Funders are explicit: Ukraine is the world’s biggest defence live lab.
It is also treated as a battlefield certification regime: Skyeton’s Raybird, a UK–Ukraine joint venture that aims to produce drones for Western forces, has logged 350,000 flight hours. In other examples, Darkstar bootcamps pair founders with Ukrainian units to compress the cycle from prototype to purchase order, and Auterion will supply 33,000 AI ‘strike kits’ to Ukraine under a Pentagon contract. Most of these programmes remain tied to state funding or procurement channels, even as start-ups gain unusual freedom to test and iterate on the battlefield. This mix of public sponsorship and commercial agility is what allows Ukraine to function as both a strategic theatre and a venture laboratory.
Ukraine’s drone industry has expanded from a handful of firms to over 500 mostly private manufacturers, yet export is constrained as wartime needs take priority, revealing how state and market co-evolve under fire.
One thing is clear: states move at the pace of committees, and start-ups pivot at the pace of spreadsheets. The longer a conflict endures, the richer the datasets and the stronger the commercial case for advanced iterative autonomy and EW. Ukraine’s live lab is therefore not a by-product but is becoming a structural feature of the modern market for conflict.
This same live-lab logic is reshaping the contractors themselves. PMSCs are no longer just guards and trainers; they are also becoming systems integrators that bundle drones, electronic warfare and data services into fully functional products and services that are ready for immediate use by the client, moving faster, and backed by far more capital, than today's oversight framework.
PMSCs 2.0: Data Ownership, Accountability and Leverage
Behind the hardware sits the decisive asset: data. Ukraine now treats wartime telemetry as strategic capital, considered the most valuable digital battlefield trove, which shapes its negotiations with Western allies.
Across multiple theatres, PMSCs are vertically integrating capabilities once reserved for states: from UAV fleets and EW support to ISR collection and analytics.
But technology stacks inside PMSCs are modernising as well. Companies now embed sensors, AI-enabled video analytics, and drones into routine operations, pushing contractors into roles that sit between defence tech vendors and state security agencies. Legal scholars and the UN note that this ‘digital-age PMSC’ increasingly performs tasks from crowd and border control to intelligence gathering and strike enablement – blurring the line between service provider and capability owner.
Vectus Global, Erik Prince’s latest venture, exemplifies how modern private military companies are evolving from workforce providers into platformed conflict brokers. No longer focused solely on tactical and physical security, firms like Vectus are a good example of adaptation to market demands. It currently bundles drones, ISR capabilities, and logistics into adaptable services designed for both wartime deployment and post-conflict influence.
In Ukraine, Prince reportedly sought to partner with domestic drone manufacturers, aiming to offer vertically integrated solutions that go beyond security. This includes owning and operating surveillance drones, controlling telemetry pipelines and embedding into financial governance functions such as tax collection and resource extraction oversight.
Vectus does not simply adapt to the market; it is reshaping it. Coupling drone technology with public finance functions, it pursues a way to insert private actors into the heart of both battlefield operations and state-building processes.
Legal Framework and Accountability on Cyber Mercenaryism: Quo Vadis?
The Vectus model is a clear example of the two defining features of PMSCs 2.0: asset ownership and functional ambiguity.
This all raises questions of accountability connected to the vagueness within the normative space, which allows cross-border flows of combat telemetry to sit within the export-control and data-protection regulatory framework. This is reflected, for example, in the EU’s Dual-Use Regulation (2021/821) and in controls stemming from the Wassenaar Arrangement and related U.S. Bureau of Industry and Security rules on cybersecurity items/intrusion software.
This matters because in conflicts like Ukraine, contractor-owned platforms and data pipes can lock in private actors as key enablers of operations, blurring command responsibility and escalation management.
Regulation is nonetheless lagging the business model.
It is important to note that there is no single, universally agreed definition of PMSCs, but the term is widely used in international policy to describe firms that provide, on a commercial basis, military and security services to states, corporations, or international organisations. Private Military Companies (PMCs) differ from Private Security Companies (PSCs); in practice, however, the boundary is porous: many firms shift along a spectrum between ‘military’ and ‘security’ functions depending on contracts and regulation, while some of them offer ‘full-service holistic security’ packages.
To be clear, many PMSCs operate lawfully under state contract, but even officially sanctioned engagements have ended in serious abuses with accountability diluted over time. The current international normative framework continues to lack robustness.
The Montreux Document codifies good practice for states that hire, host or home-base PMSCs, while ICoCA provides an industry accountability framework. However, both were built around physical security and do not squarely address offensive cyber, telemetry brokering, model-training on battlefield data, or the AI-assisted targeting that PMSCs now operationalise. European governments have also opened a dedicated track, the Pall Mall Process, to deal with the commercial trade in intrusion capabilities, stressing how governance is playing catch-up with the market.
These structural shifts are not anomalies. On the contrary, they represent repeatable patterns. Ukraine shows five distinct dynamics that are quickly becoming standard across modern theatres of conflict.
Five Dynamics Worth Underlining (and Acting On)
1. Endurance as opportunity
Conflicts that neither escalate into total war nor collapse into peace become lucrative laboratories. Ukraine has catalysed a 500% surge in venture capital and massive growth, to over 500 firms, in the drone sector. Export bottlenecks and co-production schemes reveal how wartime economies adapt rapidly under pressure, reinforcing the appeal of prolonged, low-resolution conflict.
2. Technology firms at the forefront
Venture-backed platforms, from European AI defence start-ups to ventures like White Stork, are now core to the battlespace. Furthermore, AI-enabled decision tools and software-defined effects are competing for procurement at scale.
3. From intermediaries to unaccountable enablers
As PMSCs transition from workforce providers to full-spectrum capability owners, bundling drones, AI, ISR, and cyber, their role in conflict increasingly blurs the lines between contractor and combatant. This evolution outpaces existing oversight frameworks, exposing a persistent accountability vacuum.
4. Cyber mercenaries as parallel force multipliers
PSOAs or cyber mercenaries have emerged as a parallel force layer. Operating outside formal chains of command, they provide intrusion tools, surveillance platforms, and disinformation capabilities that mirror kinetic outsourcing. Their ambiguity is strategic and their accountability minimal. As in the kinetic realm, control over platforms and data becomes a source of leverage, not liability.
5. Self-reinforcing loops
The longer a conflict lasts, the greater the demand for innovation. The greater the innovation, the more investable and commercially viable the conflict becomes. This feedback loop not only sustains war, it also begins to shape its logic.
Conclusion: The Commercial Capture of Conflict
Taken together, the five dynamics reveal a single uncomfortable reality: conflict is becoming commercially captured. Tech firms are underwriting autonomy, PMSCs are bundling force with data, and battlefield telemetry is morphing into a tradable asset. In this environment, endurance becomes a business model: the longer a war simmers, the more valuable it becomes for testing, investing and scaling.
Ukraine does not just illustrate how warfare evolves; it illustrates how war is being reframed as an investable asset class. Private actors now own capabilities once reserved for states, while ambiguity and escalation become monetisable features, not bugs.
The core challenge is not innovation, but governance. If PMSCs are to play a role in future settlements, especially in Ukraine, they must be tied to clear legal mandates, transparent oversight and accountable chains of command.
Strategy, not the spreadsheet, must decide how wars are fought and ended. Otherwise, endurance will be engineered, not incidental.
© RUSI, 2025.
The views expressed in this Commentary are the author's, and do not represent those of RUSI or any other institution.
WRITTEN BY
Dr Joana de Deus Pereira
Senior Research Fellow
RUSI Europe