Published: 11 February 2026 | Category: Cybersecurity, AI Infrastructure, Singapore Policy
EXECUTIVE SUMMARY
On 11 February 2026, Bastille Networks announced a collaboration with Oracle to deploy its radio-frequency (RF) wireless monitoring technology across Oracle’s global network of AI data centers. The partnership enables 24×7 real-time identification, detection, and monitoring of wireless activity in facilities hosting the world’s most advanced AI workloads.
For Singapore — which hosts two Oracle Cloud regions, an Oracle AI Customer Excellence Center, and a rapidly expanding constellation of hyperscale digital infrastructure — this development carries immediate regulatory, strategic, and commercial significance. As Singapore’s Cybersecurity (Amendment) Act 2024 extends regulatory oversight to Foundational Digital Infrastructure (FDI) including data centers, the Bastille-Oracle model may represent both a compliance blueprint and a competitive benchmark for all operators in the city-state.
This report analyses the technical architecture of the Bastille platform, the strategic context of Oracle’s AI infrastructure expansion, the specific implications for Singapore’s regulatory landscape, and the broader questions this raises for the ASEAN data center market.
- Introduction: The Expanding Attack Surface of AI Data Centers
The conventional cybersecurity perimeter — firewalls, endpoint detection, network intrusion prevention — was designed for a wired world. As AI data centers have evolved into facilities of extraordinary strategic and economic value, housing proprietary model weights, training datasets, and inference pipelines worth billions of dollars, the attack surface has expanded into the electromagnetic spectrum itself.
Radio frequency (RF) signals permeate every modern data center. Wi-Fi, Bluetooth, Bluetooth Low Energy (BLE), cellular (4G/5G), Zigbee, and a constellation of proprietary IoT protocols all coexist within a single facility. A technician’s smartwatch, a contractor’s personal hotspot, an improperly configured IoT environmental sensor, or a purpose-built data exfiltration device costing less than a hundred dollars can all transmit data across physical walls and bypass every logical security control in place.
This is not a theoretical threat. Demonstrated attacks have included KeySweeper devices embedded in USB wall chargers that silently intercept wireless keyboard signals; MouseJack exploits that allow remote code execution via wireless mice; Flipper Zero-based replay attacks against RFID access systems; and BLE-based side-channel attacks against cryptographic hardware. In the context of AI infrastructure — where a single exfiltrated model checkpoint could represent years of compute investment — the stakes of an unmonitored RF environment are qualitatively different from those in a conventional enterprise setting.
The Bastille Networks collaboration with Oracle represents the first publicly announced deployment of enterprise-grade wireless airspace monitoring at hyperscale AI data center scope, and it arrives at a moment of particular significance for Singapore. - The Bastille Platform: Technical Architecture and Capabilities
2.1 Software-Defined Radio as a Security Primitive
Bastille’s core technology is built on software-defined radio (SDR), a paradigm in which radio frequency processing is performed in software rather than dedicated hardware. SDR allows a single sensor array to monitor a wide frequency range — from 100 MHz to 7.125 GHz in Bastille’s implementation — covering effectively the full range of commercially deployed wireless protocols used in and around modern facilities.
The system deploys passive RF sensors throughout a facility. Critically, the sensors do not transmit, inject, or interfere with any communications — they are purely observational. This passive posture is significant for two reasons: it eliminates the risk of the monitoring system itself becoming an attack vector or disrupting sensitive operations, and it sidesteps the legal complexities of active RF interference in most jurisdictions, including Singapore.
2.2 AI-Driven Classification and Anomaly Detection
Raw RF data is processed by Bastille’s Fusion Center software, which uses machine learning to perform several layers of analysis:
Device identification and classification: Every wireless emitter within range is identified by protocol type, device fingerprint, and inferred device category (smartphone, IoT sensor, wearable, industrial controller, etc.)
Authorization validation: Each detected device is checked against a maintained inventory of devices authorized to be present in the facility, or in specific zones within it.
Behavioral anomaly detection: The system continuously monitors for transmission patterns inconsistent with the facility’s baseline — unexpected protocol activity, unusual transmission times or frequencies, or devices moving into restricted physical zones.
Geolocation: Bastille uses patented techniques to locate detected transmitters on a facility floor plan, enabling security teams to physically respond to wireless threats.
Importantly, Bastille explicitly does not examine transmission payloads. The system operates at the metadata layer — who is transmitting, at what frequency, from where, and whether that activity is consistent with policy — rather than performing content inspection. This architectural choice has legal, privacy, and operational implications that are particularly relevant to Singapore’s data protection framework under the Personal Data Protection Act (PDPA).
2.3 Integration and Deployment Model for AI Data Centers
In the Oracle deployment context, Bastille RF sensors are deployed around and throughout AI data centers. The system is designed to integrate with existing Security Operations Center (SOC) infrastructure via APIs, feeding RF-derived data into CAASM (Cyber Asset Attack Surface Management), XDR (Extended Detection and Response), and SOAR (Security Orchestration, Automation and Response) platforms.
“Bastille’s experience in protecting information for the Intelligence Community and Department of Defense has prepared us for this new AI era. As AI data centers become critical infrastructure, the risk of attacks continues to grow. By working with Bastille, Oracle adds an extra layer of protection beyond traditional perimeter security.” — Chris Risley, CEO, Bastille Networks
The threat model for AI facilities is distinct from conventional enterprise environments. As Bastille’s own technical documentation notes, AI data centers cannot simply operate in complete electromagnetic isolation — they rely on hardware and infrastructure that often contain wireless radios by design or by inadvertent inclusion. Environmental sensors, building automation systems, private 5G networks, and contractor devices all contribute to a complex, dynamic RF environment that is effectively invisible to traditional security tooling.
- Oracle’s AI Data Center Strategy and Singapore’s Position
3.1 Oracle’s Global AI Infrastructure Investment
To understand the strategic weight of the Bastille collaboration, it is necessary to situate it within Oracle’s extraordinary capital commitment to AI infrastructure. Oracle’s capital expenditures surged from approximately US$6.9 billion in fiscal year 2024 to approximately US$21.2 billion in fiscal year 2025, with projections of approximately US$35-50 billion for fiscal year 2026. The company’s Remaining Performance Obligations — contracted but unfulfilled services — grew by approximately 359% year-on-year to US$455 billion, driven by cloud compute contracts with hyperscale AI customers including OpenAI, xAI, Meta, and Nvidia.
Oracle’s differentiated position in the hyperscale AI market rests substantially on its security and sovereign cloud narrative. Unlike competitors with legacy public cloud architectures, Oracle Cloud Infrastructure (OCI) was engineered from the ground up with enterprise security requirements as a first principle — customer isolation, hardware-level security, and dedicated tenancy are architectural defaults rather than premium add-ons. The Bastille partnership extends this security-first positioning into the physical RF domain.
3.2 Oracle’s Established and Deepening Singapore Footprint
Singapore is a strategic node in Oracle’s Asia-Pacific infrastructure. Oracle currently operates two Cloud regions in Singapore, a configuration that enables genuine business continuity and disaster recovery for enterprise customers while meeting Singapore’s in-country data residency requirements — a compliance necessity for customers in regulated sectors including banking, healthcare, and government.
In March 2025, Oracle launched its AI Centre of Excellence (CoE) in Singapore — the first in Southeast Asia — positioned as a regional hub for AI innovation and workforce development. The Centre operates in partnership with Digital Realty, NCS, NTUC LearningHub, and PwC, and is designed to support Oracle’s commitment to train 10,000 professionals in Singapore with cloud and AI skills by 2027.
In January 2026, Oracle deepened its Singapore commitment further through the Enterprise Compute Initiative in collaboration with Digital Industry Singapore (DISG). Under this programme, Oracle committed up to S$250,000 per company to empower 300 Singapore-based enterprises — including those in the 11 Critical Information Infrastructure (CII) sectors — with Oracle Cloud Infrastructure, training, and certifications. For enterprises requiring private cloud infrastructure, Oracle additionally sponsored up to S$1.9 million to enable access to Oracle Private Cloud Appliance and Oracle Exadata.
KEY FIGURE S$250,000 committed per company under the Oracle-DISG Enterprise Compute Initiative, supporting 300 Singapore enterprises including those operating in all 11 Critical Information Infrastructure sectors.
An Oracle AI World Tour is scheduled for Singapore on 14 April 2026, signalling continued executive-level engagement with the Singapore market as the Bastille partnership becomes operational globally.
3.3 The Sovereign Cloud Imperative
Oracle’s sovereign cloud strategy — physically ring-fencing data within national jurisdictions and applying strict security protocols — is directly relevant to Singapore’s regulatory posture. The TikTok data security arrangement, in which Oracle serves as the trusted technology partner for one of the world’s most scrutinized data assets under US national security requirements, has positioned Oracle as a de facto validator of sovereign cloud credibility. For Singapore government agencies and regulated enterprises evaluating cloud providers, this provenance matters.
The Bastille deployment can be read as an extension of this sovereign cloud narrative: Oracle is now applying intelligence-community-grade physical RF security posture to the same data center facilities that host the data and workloads of Singapore’s financial institutions, healthcare systems, and public sector agencies.
- Singapore’s Regulatory Context: A Pivotal Moment
4.1 The Cybersecurity (Amendment) Act 2024 and Foundational Digital Infrastructure
The Bastille-Oracle announcement arrives at a decisive moment in Singapore’s regulatory evolution. The Cybersecurity (Amendment) Act 2024, passed in Parliament on 7 May 2024, fundamentally expands Singapore’s cybersecurity regulatory perimeter. Key provisions came into force on 31 October 2025, and the remaining provisions — including those directly regulating Foundational Digital Infrastructure (FDI) — are pending commencement by future notification from the Cyber Security Agency of Singapore (CSA).
The FDI provisions are of particular relevance here. Under the amended Act, companies providing ‘digital infrastructure services that are foundational to our economy or way of life — such as cloud service providers and data centres’ will be designated as FDI providers and will be required to adhere to cybersecurity codes and standards of practice, as well as to report prescribed cybersecurity incidents. This is an explicit regulatory reach into the physical and operational security of data centers in Singapore — a domain that had previously been governed primarily by the Infocomm Media Development Authority (IMDA) advisory guidelines and industry standards.
The IMDA advisory guidelines for Cloud Services and Data Centres, issued in February 2025, already set out measures to address cybersecurity risks in data centers as part of the broader inter-agency Taskforce on the Resilience and Security of Digital Infrastructure and Services. These guidelines recommend, inter alia, cybersecurity risk assessment, business continuity planning, and measures specifically addressing the security of physical and environmental infrastructure.
4.2 The Digital Infrastructure Act
Singapore’s Ministry of Digital Development and Information has announced the pending introduction of a Digital Infrastructure Act (DIA), which will go beyond the cybersecurity-specific scope of the amended Cybersecurity Act to address a broader set of resilience risks faced by digital infrastructure and service providers. The DIA is modelled on comparable legislation in the European Union, Australia, and Germany, and is expected to include baseline resilience and security standards and mandatory incident reporting requirements.
Critically, the DIA’s drafters have cited the October 2023 data center outage that caused a four-hour disruption to banking services as a catalysing event — demonstrating that the concern is not only cyberattack-driven compromise but also the operational resilience of the physical layer. RF-based physical security monitoring, as deployed by Bastille, sits at precisely this intersection between cyber and physical security.
4.3 Implications for Data Centers in Singapore’s CII Framework
Singapore’s Cybersecurity Act designates Critical Information Infrastructure across eleven sectors: Energy, Water, Banking and Finance, Healthcare, Transport (Land, Maritime, and Aviation), Infocomm, Media, Security and Emergency Services, and Government. Data centers that host systems constituting or supporting CII — which includes an increasingly large proportion of Singapore’s financial, healthcare, and government workloads running on cloud infrastructure — now exist within an expanding web of direct and indirect regulatory obligation.
The amended Act’s provisions on third-party-owned CIIs, which came into force in October 2025, directly address this dynamic: cloud providers and data center operators are now subject to regulatory oversight not only as infrastructure providers but as owners or operators of systems that are themselves designated as CII. The cybersecurity posture of a data center operator in Singapore is, therefore, no longer solely a commercial or reputational matter — it carries statutory obligations with the potential for civil penalties.
SINGAPORE REGULATORY TIMELINE: KEY DATA POINTS FOR DATA CENTER OPERATORS
Feb 2025 — IMDA issues Advisory Guidelines for Cloud Services and Data Centres, setting cybersecurity and business continuity standards
May 2024 — Cybersecurity (Amendment) Act 2024 passed in Parliament
Oct 2025 — Key provisions of the Amended Cybersecurity Act come into force, including third-party-owned CII regulation and STCC designation powers
2025 (pending) — Digital Infrastructure Act to be tabled in Parliament, extending regulatory reach beyond cyber to broader resilience
Pending — FDI and ESCI provisions of Amended Cybersecurity Act to commence by future notification
Feb 2026 — Bastille-Oracle collaboration announced, deploying RF monitoring across Oracle’s global AI data centers including Singapore - Why Wireless Security Is Now Mission-Critical in Singapore
5.1 The RF Threat Landscape in High-Density Environments
Singapore’s data center market is characterised by extreme density. The city-state hosts a disproportionately large share of Southeast Asia’s digital infrastructure in a compact geography with high human traffic, proximity to commercial and residential zones, and a sophisticated threat actor environment reflecting its status as a global financial centre and regional technology hub.
This density creates specific RF security challenges that are absent in, say, a rural hyperscale campus in the continental United States. In Singapore, a data center may be physically adjacent to commercial offices, retail spaces, or transportation infrastructure — all of which generate legitimate RF activity that can be used as cover for malicious transmissions. The geolocation and behavioural anomaly detection capabilities of Bastille are particularly valuable in this context: the question is not simply ‘is there a Bluetooth signal?’ but ‘is this Bluetooth signal behaving in a way consistent with its ostensible source, and is it in a location where it should not exist?’
5.2 Supply Chain Risk and the Hardware Threat
Singapore’s position as a global logistics and supply chain hub, while economically advantageous, creates a specific vulnerability in the data center context. Data center hardware — servers, GPUs, network switching equipment, power management systems — transits through multiple jurisdictions and supply chain stages before installation. The possibility of hardware implants with embedded wireless transmission capability, while characterised as a nation-state threat vector, has been documented sufficiently in open-source reporting to constitute a credible risk model for hyperscale operators.
Bastille’s capability to detect and geolocate wireless transmissions from devices that are not connected to any managed network — and that may not be visible to any endpoint detection agent — is precisely the countermeasure relevant to this threat class. An implanted transmitter that never touches the wired network remains invisible to every conventional security tool; it is visible only to a system that monitors the RF spectrum.
5.3 The Insider and Contractor Threat
Singapore’s data center sector employs a large and internationally diverse workforce, with significant numbers of contractors, maintenance personnel, and vendor engineers from multiple jurisdictions entering facilities regularly. The PDPA and related employment regulations create a complex environment for monitoring employee devices and behaviour.
Bastille’s metadata-only, non-payload-inspecting architecture is significant in this regulatory context. The system does not intercept or analyse the content of any wireless communication — it detects the presence of transmitters, their protocol characteristics, and their location and movement. This is analogous to a physical access control system that records badge swipes without reading the contents of the cardholder’s bag. This architectural boundary is likely to be relevant to the legality of deployment under Singapore’s PDPA and the Personal Communications Act, and it positions Bastille as a compliance-compatible monitoring solution in a way that a payload-intercepting system would not be. - Strategic and Commercial Implications for Singapore’s Data Center Market
6.1 A New Security Benchmark for Hyperscale Operators
The Bastille-Oracle deployment effectively establishes a new security baseline expectation for hyperscale AI data center operators globally. As Oracle’s facilities are among the most security-conscious in the industry — serving financial institutions, government agencies, defence contractors, and AI research organisations — the public announcement of RF monitoring deployment will likely be noted by competing operators and their enterprise customers.
For Singapore-based data center operators including CapitaLand, Digital Realty, Equinix, Keppel, and STT GDC, the Bastille-Oracle model creates a reference point against which enterprise customers — particularly those in regulated sectors — may begin to evaluate their providers’ security posture. In procurement processes for financial services or government cloud workloads, the question ‘do your facilities have continuous RF monitoring?’ may become a standard due diligence enquiry in the near term.
6.2 Implications for Singapore’s Aspiration as a Global AI Hub
Singapore has made explicit and consistent policy investments in positioning itself as Southeast Asia’s AI hub, through initiatives including the National AI Strategy 2.0, the Digital Industry Singapore programmes, and the Oracle AI Customer Excellence Center launch. The ability to attract and retain the most sensitive AI workloads — those involving classified research, proprietary foundation models, or regulated financial data — depends critically on Singapore’s data centers being able to credibly assert security standards that match or exceed those demanded by the most security-conscious clients.
The Bastille-Oracle deployment provides Singapore’s Oracle facilities with a defensible claim to intelligence-community-grade physical RF security — a standard that, until this announcement, has largely been the domain of purpose-built government SCIFs (Sensitive Compartmented Information Facilities) rather than commercial cloud infrastructure. This is a meaningful differentiator for Oracle’s Singapore regions in the competition for the most valuable AI workloads.
6.3 Workforce and Skills Implications
The deployment of RF-based wireless airspace monitoring systems at scale creates a new skills requirement in Singapore’s already tight cybersecurity talent market. Traditional SOC analysts are trained to interpret network logs, endpoint alerts, and threat intelligence feeds. RF-based security monitoring requires a different analytical skill set — familiarity with the RF spectrum, wireless protocol characteristics, signal analysis, and the spatial reasoning required to interpret geolocation data.
Oracle’s commitment to train 10,000 Singapore professionals in cloud and AI technologies by 2027, and the Enterprise Compute Initiative’s focus on 11 CII sectors, creates a pipeline context within which RF security skills development could be systematically addressed. The CSA, IMDA, and tertiary education institutions including NTU, NUS, and Singapore Polytechnic may find the Bastille-Oracle model a useful reference case for curriculum development in data center and physical cybersecurity.
6.4 The ASEAN Multiplier Effect
Oracle’s Singapore regions serve not only Singapore-domiciled customers but function as regional hubs for Southeast Asian enterprises and multinational organisations with ASEAN operations. As the Bastille monitoring system becomes operational in Oracle’s global network — which includes the Singapore facilities — enterprises in Indonesia, Malaysia, Thailand, Vietnam, and the Philippines that rely on Oracle’s Singapore regions for their most sensitive workloads are also, effectively, beneficiaries of the RF security posture described in this announcement.
This creates a potential demonstration effect: Singapore’s own regulatory environment, combined with Oracle’s globally consistent security standards, may serve as a benchmark for data center security regulation in other ASEAN jurisdictions currently developing their own critical information infrastructure frameworks. - Critical Assessment: What the Announcement Does and Does Not Tell Us
7.1 What Is Credible and Well-Founded
The core technical proposition of the Bastille deployment is soundly grounded. RF-based data exfiltration and surveillance threats are documented, the vulnerabilities of conventionally secured data centers to wireless attack vectors are well-established in academic and practitioner literature, and the passive SDR monitoring approach is technically mature. The NIST Cybersecurity Framework 2.0’s explicit attention to wireless technologies as part of governance, visibility, monitoring, and response requirements provides an internationally recognised compliance rationale for this class of solution.
Oracle’s security-first positioning in the cloud market is likewise substantively credible. OCI’s architectural choices — bare-metal instances, hardware-level isolation, network architecture designed to prevent cross-tenant traffic leakage — represent genuine technical differentiators rather than marketing language.
7.2 What Remains Unverified
The press release, consistent with standard commercial announcement practice, does not provide independent efficacy data, third-party audit results, or specific threat incident data that would contextualise the deployment’s necessity. It does not specify deployment scope, sensor density, integration depth with Oracle’s existing SOC infrastructure, or the timeline for full global deployment including Singapore-specific facilities.
The claim that Bastille’s experience in protecting Intelligence Community and Department of Defense environments directly prepares the company for commercial AI data center deployments is plausible but not independently verifiable. The threat models in classified government environments and commercial cloud infrastructure overlap significantly but are not identical; the former typically involves more stringent physical access controls and higher baseline security posture, while the latter involves greater operational complexity, contractor access, and regulatory diversity.
7.3 Questions for Further Scrutiny
What is the contractual and operational relationship between Oracle’s global security standards — including the Bastille deployment — and the specific obligations of Oracle’s Singapore entities under the Cybersecurity Act and anticipated FDI regulations? Does global standard deployment satisfy Singapore-specific compliance requirements, or do Singapore regulations require locally administered security controls?
How does the Bastille monitoring architecture interact with Singapore’s Personal Data Protection Act in the context of detecting and logging the presence of personal devices (smartphones, wearables) carried by employees and visitors in or near data center facilities?
What incident response protocols govern the detection of anomalous RF activity in Oracle’s Singapore facilities, and how do these articulate with Singapore’s mandatory incident reporting obligations under the Cybersecurity Act?
Will Oracle make the existence of RF monitoring visible to its Singapore customers through contractual disclosure, and how will this interact with data center customers’ own regulatory obligations and PDPA policies? - Conclusion: A Signal Worth Reading
The Bastille Networks-Oracle collaboration is, in immediate commercial terms, a vendor partnership announcement. In the longer analytical frame relevant to Singapore’s digital infrastructure policy and competitive positioning, it is something more significant: evidence that the security standard expected of AI data center operators is converging toward a definition that includes continuous, intelligence-grade monitoring of the electromagnetic environment.
For Singapore, this convergence arrives at a moment of regulatory transition and strategic ambition. The Cybersecurity (Amendment) Act’s FDI provisions, the forthcoming Digital Infrastructure Act, and IMDA’s advisory guidelines are all moving in the same direction — toward treating data centers not as passive real estate assets but as active components of national critical infrastructure subject to proactive, continuous, and auditable security obligations. The Bastille-Oracle model provides a concrete technical reference for what meeting those obligations might look like at the frontier of the industry.
Singapore’s data center operators, cloud service providers, cybersecurity practitioners, and regulators would be well-served to treat this announcement not as a competitor’s marketing exercise but as a leading indicator of where the industry’s security expectations are heading — and to ask, with appropriate urgency, whether Singapore’s facilities and regulatory frameworks are positioned to lead, follow, or fall behind that trajectory.
Sources and References
Bastille Networks, Inc. Press Release (February 11, 2026). Bastille Networks Collaborates with Oracle to Set Standard for AI Data Center Security.
Cyber Security Agency of Singapore (October 2025). Provisions in the Cybersecurity (Amendment) Act to Come Into Force on 31 October 2025.
IMDA, Singapore (February 2025). Advisory Guidelines for Cloud Services and Data Centres.
Oracle ASEAN (January 2026). Oracle and Digital Industry Singapore Advance Enterprise Compute Initiative to Accelerate AI Transformation.
Oracle ASEAN (March 2025). Oracle Launches AI Centre of Excellence to Drive Innovation Across Southeast Asia.
Hogan Lovells (December 2025). Provisions in Singapore’s Cybersecurity (Amendment) Act came into force on 31 October 2025.
Data Centre Magazine (October 2025). Oracle’s Data Centre Strategy: Cloud, AI and More Capacity.
Bastille Networks (November 2025). The Air Gap Is an Illusion: Securing AI Data Centers.
Bastille Networks (December 2025). How NIST CSF 2.0 Improves Wireless Security in Data Centers.
iCLG.com (2026). Cybersecurity Laws and Regulations Report 2026: Singapore.
OrionW LLC (2025). Digital Infrastructure Act to be Introduced in 2025.
Data Center Knowledge (February 2026). Oracle Eyes $50B for AI Infrastructure in 2026.