Siting Risk in the Incursion Zone
A Blackgrove Global Risk analytical essay for REITs, developers, data-center operators, and lenders. Posture: null-first and tiered. The location risk is a function of aerial incursion and airspace-security gaps, not of any object's origin. The exotic-origin question is held below the line. Most incursions are prosaic, which is exactly why the siting exposure is real.
TL;DR
Fixed physical assets now carry a location risk from aerial incursion that most siting, valuation, and underwriting models do not price. The risk has two forms: proximity to incursion-prone installations, which imports airspace-security and operational-disruption exposure, and being a high-value fixed target in one's own right, which is no longer hypothetical.
The proof-of-concept loss event is on the record. In early March 2026, drone strikes damaged Amazon Web Services data centers in Bahrain and the UAE, the first documented deliberate targeting of commercial data centers in a military operation, and the disruption cascaded into banks and payment platforms that depended on them. Fixed digital infrastructure took a physical aerial hit and propagated the loss downstream.
The exposure bleeds straight into insurability, valuation, and lending. War and hostile-act exclusions can leave an incursion-driven loss uncovered, security has become a material line item running as high as five percent of construction cost, and the location risk belongs in the underwriting and the capital stack rather than as an afterthought.
Key Findings
Fixed assets carry a new, largely unpriced location risk. Aerial incursion has moved from a military-base concern to a critical-infrastructure and commercial-asset concern, and the exposure attaches to the site: a fixed asset cannot relocate away from an incursion pattern or an interdiction gap.
The loss event is documented. The March 2026 drone strikes on AWS data centers in Bahrain and the UAE were the first documented deliberate targeting of commercial data centers in a military operation, and they disrupted downstream banking and payment services. Fixed digital infrastructure is now on the frontline of aerial risk.
Two forms of siting risk apply. Assets sited near incursion-prone installations inherit airspace-security and temporary-flight-restriction exposure, and assets that are themselves concentrated high-value targets, hyperscale data centers above all, face direct incursion and strike risk. The megacampus model concentrates enormous value into single fixed sites.
The insurability bleed is the sharp edge. War and hostile-act exclusions can leave an incursion-driven loss uncovered, mirroring the silent-exposure problem across property and business-interruption books, and security capital has become material, running as high as five percent of construction cost and increasingly baked into insurance pricing.
The interdiction gap favors the intruder and cannot be sited around. US law restricts bringing down drones over domestic sites absent an immediate threat, and airspace restrictions exist over defined federal facilities but not over most private assets. A commercial operator can watch an incursion it cannot lawfully counter, and no siting choice changes that legal envelope.
Details
The thesis: risk that attaches to the ground
We assess that fixed physical assets carry a location risk from aerial incursion that most siting, valuation, and lending models do not currently price, and that the defining feature of the risk is its attachment to the site. A portfolio can rebalance out of a stressed sector; a fixed asset cannot fly away from an incursion pattern, an interdiction gap, or a hostile-act exclusion in its policy. The risk has two forms, and a serious siting analysis has to price both. The first is proximity: an asset located near an incursion-prone installation inherits the airspace-security exposure of its neighbor, including the temporary-flight-restriction and operational-disruption events that incursions trigger. The second is intrinsic: an asset that is itself a concentrated, high-value, fixed target carries direct incursion and, as the record now shows, strike risk. Both forms are location-specific, both are largely unpriced, and both are the province of the developer, the operator, the lender, and the insurer rather than of a security consultant alone.
The proof-of-concept: a fixed asset took the hit
The event that moves this from projection to documented exposure occurred in early March 2026, when drone strikes damaged Amazon Web Services data centers in Bahrain and the UAE. It was the first documented deliberate targeting of commercial data centers in a military operation, and the loss did not stop at the operator. The disruption cascaded into banks, payment platforms, and other services that depended on the affected compute, which is the compounding property that makes concentrated digital infrastructure distinctive: a single physical hit on one fixed site degrades every entity that relies on it. The strike was a wartime targeting event rather than an unattributed incursion, but for a siting analysis the distinction is secondary. It established that a fixed commercial asset can take a physical aerial hit and propagate the loss downstream, and it did so against the same class of low-cost aerial system responsible for the unattributed incursions over US installations.
The demand response confirms how the market is reading it. Data-center security appetite has moved sharply toward hardened, counter-drone-capable protection, and industry participants describe a mindset shift from operational efficiency to risk management and defense. Security has become a material cost line, running as high as five percent of construction cost on some estimates. When a category of asset re-rates its security spend by that magnitude in response to an aerial threat, the location risk has been priced by the market even where it has not yet been priced by the models.
Two forms of siting risk
The proximity form is the more familiar and the more widely distributed. Airspace restrictions exist over defined federal facilities, and the FAA and Department of Energy have restricted drone flights over specified DOE sites, with similar restrictions over military bases and certain Department of the Interior facilities including large dams. An asset sited near one of these installations sits inside the incursion pattern that draws to them, and inherits the disruption when an incursion triggers a response, a temporary flight restriction, or a security mobilization in the surrounding area. The documented incursions over Langley and the surrounding Hampton Roads area, which included the airspace over the world's largest naval port, illustrate how an incursion at an installation propagates disruption across the adjacent civilian and commercial footprint. A developer siting a logistics hub, a data center, or a residential project near such an installation is acquiring a share of that exposure with the land.
The intrinsic form is newer and it concentrates in hyperscale infrastructure. The megacampus model, single sites drawing multiple gigawatts and billions in capital, concentrates enormous economic and strategic value into fixed locations that appear from the outside as nondescript warehouses and depend on local power, water, and data transmission that are themselves exposed. That concentration is the vulnerability. A drone operator seeking to impose cost or disruption finds in a hyperscale campus a large, fixed, high-value, hard-to-relocate target whose degradation harms not only the operator but every downstream dependent. The AWS strikes demonstrated the intrinsic form directly, and the security literature is explicit that the counter-UAS problem for such sites has to be addressed at the planning and siting stage rather than retrofitted, because the perimeter that matters extends well beyond the fence line into the stand-off locations from which a drone operates.
The insurability bleed
The location risk connects to insurability through the same mechanism that governs silent exposure across property and business-interruption books. War and hostile-act exclusions can leave an incursion-driven loss uncovered, and industry participants have been blunt that an active-war loss on a data center is typically excluded. This is the silent-exposure problem localized to a fixed asset: the peril was never contemplated in the wording, and whether a given incursion loss attaches or is excluded turns on the policy language and on the attribution of the actor, not on the origin of the object. An unattributed incursion sits in the hardest place for coverage, because attribution to a state actor may trigger a war exclusion while non-attribution may leave the loss in a contested gap. For a fixed asset, this is not an abstraction; it is the difference between a covered loss and an uncovered one on a multibillion-dollar site.
The consequence for the capital stack is direct. Security capital at the levels the market is now paying is a material component of project cost and of ongoing operating expense, and it belongs in the pro forma. The insurability question belongs in the underwriting: a lender or an insurer evaluating a fixed asset in an incursion-exposed location has to price both the security capex and the coverage gap, and to distinguish an asset with a planned, layered counter-UAS posture from one that assumed the threat away. An asset that took the exposure seriously at the siting and design stage is a materially different credit from one that did not.
The interdiction gap cannot be sited around
The feature that makes the location risk durable is that the legal-interdiction envelope favors the intruder and no siting choice changes it. US law restricts bringing down drones over domestic sites absent an immediate threat, and the counter-drone tools that can defeat an incursion, principally radio-frequency jamming, also disrupt the surrounding communications and navigation environment, which constrains their use over populated and commercial areas. Airspace restrictions cover defined federal facilities, but a private commercial asset generally does not enjoy them. The practical result is that a commercial operator can detect an incursion, can report it, and in most circumstances cannot lawfully stop it. A developer cannot site away from this, because it is a feature of the legal environment rather than of any location. The only levers available are detection, hardening, obscuration, extended perimeters, and the coverage and continuity planning that assume an incursion the site cannot counter.
Null-first: the location risk is origin-independent
The discipline throughout is that this exposure holds on the prosaic reading and does not require the exotic hypothesis. The overwhelming majority of incursions over infrastructure are conventional drones, whether adversary probes, criminal tools, hobbyists, or misidentified traffic, and the AWS strikes were a wartime targeting event. The location risk is a function of the incursion, the target concentration, the interdiction gap, and the coverage wording, none of which depend on any object being exotic. A developer, an operator, or a lender pricing this exposure is pricing airspace-security and continuity risk against a fixed asset, and the analysis is complete within the conventional reading. The exotic question is held below the line, and the siting decision does not need it.
Recommendations
For developers and REITs (immediate). Incorporate incursion-adjacency and target-concentration into the siting analysis and the pro forma. Price proximity to incursion-prone installations as an inherited airspace-security and disruption exposure, and price hyperscale concentration as an intrinsic target risk, with layered counter-UAS designed in at the siting and design stage rather than retrofitted.
For data-center and critical-asset operators (immediate). Build detection and hardening from the planning stage, and design the perimeter to extend beyond the fence into the stand-off zones an operator uses. Plan operations and communications around an incursion the site can detect and report but not lawfully counter.
For lenders and insurers (immediate). Price both the security capital and the coverage gap into the underwriting of fixed assets in incursion-exposed locations, and distinguish assets with a planned, layered counter-UAS posture from those that assumed the threat away. Treat the war and hostile-act exclusion as a live determinant of whether an incursion loss attaches. Benchmark to reassess: expanded counter-UAS authorities for critical-infrastructure operators, or clarified coverage treatment of unattributed incursion, would materially change the risk and the pricing.
For all (monitoring triggers). Watch the interdiction-authority record and the insurance-wording record. A change in either, expanded interdiction rights or a settled affirm-or-exclude standard for incursion losses, is the development most likely to shift the siting calculus.
Caveats
Tiering. The AWS data-center strikes, the FAA and DOE airspace restrictions, the incursion record, and the security-cost figures are DOCUMENTED or DOCUMENTED-AS-REPORTED with locators. The exotic-origin question is held below the line and is not asserted here.
The AWS event was a wartime strike, not an unattributed incursion. It is used to establish that fixed commercial assets can take an aerial hit and propagate loss downstream, not to conflate targeted strikes with unattributed incursions. Both bear on siting risk; they are distinct events.
The exposure is origin-independent. This analysis prices airspace-security and continuity risk against fixed assets on the conventional reading and takes no position on the nature of any unresolved incursion.
Not investment or insurance advice. Siting, underwriting, and coverage decisions are the reader's own, taken with their own counsel.
