[FORECAST] Beyond PLCs: Are Iran-Linked Operators More Likely to Chase New Targets, New Tooling, or New Impact? UPDATED 2026-04-08!

Everyone saw the PLC headline and immediately built their whole Iran take around exposed controllers. Cool. The nastier question is what happens when the next move comes through identity, admin planes, or some target class nobody staffed for.


This is the third installment in our "What's Iran gonna do next" series of forecasts.

TL;DR

Question

Will Iran-linked cyber operators (state units and aligned proxy/hacktivist ecosystem) conduct ≥1 novel, materially disruptive or data-compromising cyberattack against U.S. or Israeli organizations in the next 8 weeks, attributable with high confidence by credible authorities?

Executive Forecast

56% means a qualifying Iran-linked incident by May 20 is somewhat more likely than not, but only narrowly. The strongest new evidence is the April U.S. government advisory confirming real Iran-affiliated OT disruption. The main brake is resolution friction: the PLC path is no longer novel by itself, and public impact numbers remain sparse. The key watch items are hard impact numbers (endpoint counts, outage hours, customers or records affected) and any reporting of a new toolchain, a lower-frequency target class, or a downstream control-plane compromise.


AlphaHunt



Forecast Card

  • Question: Will Iran-linked cyber operators (state units and aligned proxy/hacktivist ecosystem) conduct ≥1 novel, materially disruptive or data-compromising cyberattack against U.S. or Israeli organizations in the current resolution window?

  • Resolution Criteria: Yes if, between 2026-03-25 00:00 and 2026-05-20 23:59 America/New_York, there is ≥1 incident against a U.S. or Israeli organization meeting all of the following:

    (1) Attribution quality

    • Public, credible Iran-nexus confirmation by any of: victim disclosure; U.S. or Israeli government statement/advisory; UK NCSC statement; or consensus top-tier vendor reporting with evidence.
    • Hacktivist/social claims alone do not count.

    (2) Material impact — incident meets ≥1 of:

    • IT disruption: ≥ 500 endpoints impacted OR ≥ 5% of endpoints in the org (whichever is smaller) rendered unusable/encrypted/wiped OR ≥ 50 servers affected; OR
    • Service outage: critical business/public service outage of ≥ 8 hours; for internal-only systems, ≥ 24 hours; OR
    • OT/ICS service effect: confirmed degradation/interrupt of a physical process impacting ≥ 10,000 customers/users OR any safety-critical operational shutdown attributable to cyber; OR
    • Data compromise: confirmed exfiltration of ≥ 10 GB of sensitive org data OR ≥ 100,000 individuals’ records OR any regulated sensitive class at scale, confirmed by victim/regulator/forensics.

    (3) Novelty — incident includes ≥1 new dimension beyond the documented baseline as of 2026-04-08:

    • New initial access class: e.g., helpdesk-targeted deepfake/voice vishing for MFA reset, mobile app-delivered spyware at scale, or a widely used SaaS/MSP compromise affecting downstream victims; OR
    • New impact mechanism: a disruptive/destructive method beyond already documented patterns; OR
    • New target class: material impact in a target category that is not recurrently highlighted in the baseline below; OR
    • New toolchain: a newly documented wiper/backdoor/mobile implant family or clearly novel variant acknowledged as new by authorities/vendors.

    Post-AA26-097A novelty clarifiers

    • Would count, for example:
      • a newly documented OT implant/toolchain used against engineering workstations or PLC logic;
      • a threshold-crossing Iran-linked campaign against municipal 911/public safety dispatch, emergency alerting, or Israel-adjacent diaspora institutions outside Israel;
      • a SaaS/MSP/IdP/UEM supply-chain or control-plane compromise causing downstream outage or exfiltration that meets thresholds.
    • Would not count, by itself:
      • direct exploitation of internet-exposed PLCs/HMIs/SCADA with project-file interaction or HMI/SCADA display/data manipulation of the type documented in AA26-097A;
      • reuse of already documented Iran tradecraft such as password spraying, MFA fatigue, valid-account abuse in M365/Azure/Okta, MFA device-registration persistence, Citrix/external remote services access, unless paired with another clearly new dimension.

    Baseline for “lower-frequency target class”

    • For this forecast, the comparison set is the recurrently highlighted Iran target mix in major public advisories/timelines cited here from Jan 2024–Apr 2026, especially AA24-290A, AA26-097A, and the CSIS significant incidents timeline: water/wastewater, energy, municipalities/government services, healthcare/public health, IT/engineering, and exposed PLC/ICS environments.
    • A target class counts as lower-frequency only if it is absent or isolated rather than recurrent across that baseline.

    No if no such incident occurs, or if incidents are limited to DDoS/defacement, recycled leaks, below-threshold disruptions, or lack high-confidence public attribution.

  • Horizon: Current window ends 2026-05-20 23:59 America/New_York (~6 weeks remaining from 2026-04-08)

  • Probability (Now): 56% | Log-odds: 0.24

  • Confidence in Inputs: Medium

  • Base Rate: 35% from reference class: elevated-tension 8-week windows where some significant incidents are publicly evidenced, but most activity remains nuisance-level, under-attributed, or under-quantified (CSIS timeline)
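The card's three gates (attribution, material impact, novelty) plus the window and country scope can be encoded so that "does this incident count?" is answered the same way every time, including the easily misread "≥ 500 endpoints OR ≥ 5% of the org, whichever is smaller" clause. The resolver below is an added example, not AlphaHunt's resolution tooling; the incident records at the bottom are constructed for illustration, and the reading that any technique outside the documented-tradecraft list is a "new initial access class" is this example's interpretation of the novelty clause.

```python
# Added example: resolver for the forecast card's criteria. Not AlphaHunt's own
# tooling; incident records are constructed, not real events.
from dataclasses import dataclass, field

WINDOW_START, WINDOW_END = "2026-03-25", "2026-05-20"   # inclusive, America/New_York

# (1) Attribution: any of these counts; a hacktivist/social claim alone does not.
CREDIBLE_SOURCES = {"victim", "us_gov", "il_gov", "uk_ncsc", "vendor_consensus"}

# (3) Novelty baseline: target classes recurrent in AA24-290A / AA26-097A / CSIS,
# and tradecraft the card already treats as documented.
BASELINE_TARGETS = {"water", "energy", "municipal_gov", "healthcare",
                    "it_engineering", "exposed_plc"}
DOCUMENTED_TRADECRAFT = {"exposed_plc_hmi_exploitation", "password_spraying",
                         "mfa_fatigue", "valid_account_abuse",
                         "mfa_device_registration", "external_remote_services"}


@dataclass
class Incident:
    name: str
    date: str                          # ISO date
    country: str                       # "US" or "IL"
    attribution: set
    target_class: str
    techniques: set = field(default_factory=set)
    org_endpoints: int = 0             # 0 = fleet size unknown
    endpoints_hit: int = 0
    servers_hit: int = 0
    outage_hours: float = 0.0
    outage_public_facing: bool = False
    ot_customers_affected: int = 0
    ot_safety_shutdown: bool = False
    exfil_gb: float = 0.0
    records_exfil: int = 0
    regulated_data_at_scale: bool = False
    new_toolchain: bool = False        # acknowledged as new by vendors/authorities
    new_impact_mechanism: bool = False


def endpoint_bar(org_endpoints):
    """'>= 500 endpoints OR >= 5% of the org (whichever is smaller)': the bar is the
    minimum of the two; with an unknown fleet size only the absolute count applies."""
    return min(500, 0.05 * org_endpoints) if org_endpoints > 0 else 500


def material_impact(inc):
    it = inc.endpoints_hit >= endpoint_bar(inc.org_endpoints) or inc.servers_hit >= 50
    outage = inc.outage_hours >= (8 if inc.outage_public_facing else 24)
    ot = inc.ot_customers_affected >= 10_000 or inc.ot_safety_shutdown
    data = (inc.exfil_gb >= 10 or inc.records_exfil >= 100_000
            or inc.regulated_data_at_scale)
    return it or outage or ot or data


def novel_dimensions(inc):
    """Interpretation (assumption): a technique outside DOCUMENTED_TRADECRAFT is a
    new initial-access class; documented tradecraft alone never satisfies novelty."""
    dims = []
    if inc.techniques - DOCUMENTED_TRADECRAFT:
        dims.append("new_access_class")
    if inc.target_class not in BASELINE_TARGETS:
        dims.append("new_target_class")
    if inc.new_toolchain:
        dims.append("new_toolchain")
    if inc.new_impact_mechanism:
        dims.append("new_impact_mechanism")
    return dims


def qualifies(inc):
    """(True, []) if the incident resolves the question Yes; otherwise
    (False, [gate, ...]) naming every gate it missed."""
    failed = []
    if not (WINDOW_START <= inc.date <= WINDOW_END and inc.country in {"US", "IL"}):
        failed.append("scope")
    if not inc.attribution & CREDIBLE_SOURCES:
        failed.append("attribution")
    if not material_impact(inc):
        failed.append("impact")
    if not novel_dimensions(inc):
        failed.append("novelty")
    return (not failed, failed)


def resolve_window(incidents):
    return "Yes" if any(qualifies(i)[0] for i in incidents) else "No"


# Constructed incidents (illustrative only).
PLC_ONLY = Incident("exposed PLC manipulation", "2026-04-02", "US", {"us_gov"},
                    "water", {"exposed_plc_hmi_exploitation"},
                    ot_customers_affected=12_000)
IDP_DOWNSTREAM = Incident("IdP compromise, downstream wipe", "2026-04-14", "IL",
                          {"victim", "vendor_consensus"}, "it_engineering",
                          {"idp_supply_chain_compromise", "valid_account_abuse"},
                          org_endpoints=3_000, endpoints_hit=200)
HACKTIVIST_LEAK = Incident("claimed leak", "2026-04-20", "US", {"hacktivist_claim"},
                           "media", records_exfil=200_000)

if __name__ == "__main__":
    for inc in (PLC_ONLY, IDP_DOWNSTREAM, HACKTIVIST_LEAK):
        print(f"{inc.name}: {qualifies(inc)}")
    print("Window resolves:", resolve_window([PLC_ONLY, IDP_DOWNSTREAM, HACKTIVIST_LEAK]))
```

The PLC case clears attribution and the OT impact bar but fails novelty, exactly the AA26-097A friction the executive forecast describes; the IdP case passes on 200 of 3,000 endpoints because the effective bar is min(500, 150) = 150; the hacktivist leak fails on attribution alone, whatever its claimed size.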



Top Drivers, Scenarios, Signals and Detection Opportunities