[FORECAST] Iran-Linked Cyber Risk Is Real. The Evidence Bar Is Harder (Updated: 2026-05-14)

This is the 6th installment of our What's Iran gonna do next series of forecasts:

• (2026-03-17) Forecast 1 - From Password Sprays to Tenant Sabotage: The 8-Week Iran Cyber Risk for U.S. and Israeli Orgs
• (2026-03-26) Forecast 2 - From Password Sprays to Tenant Sabotage: The 8-Week Iran Cyber Risk for U.S. and Israeli Orgs - UPDATED: 2026-03-26
• (2026-04-08) Forecast 3 - Beyond PLCs: Are Iran-Linked Operators More Likely to Chase New Targets, New Tooling, or New Impact?
• (2026-04-23) Forecast 4 - Iran’s Cyber Window Stays Open—But the Novelty Bar Is Tougher Now
• (2026-05-05) Forecast 5 - Iran’s Cyber Window Is Still Open—But the Qualification Clock Is Now the Hardest Adversary (Updated 2026-05-05!)

Forecast in one line

Our current call is 29% that Iran-linked cyber operators clear the full novel + material + attributed threshold against a U.S. or Israeli organization by May 20, 2026.

That does not mean the threat is quiet.

It means the public evidence bar is strict.

For this forecast to resolve “yes,” we need more than Iran-linked activity, more than disruption, and more than a noisy claim. We need one qualifying incident with three things at once:

• credible attribution
• material impact
• a genuinely new dimension

That is a hard bar to clear in the final week.

And that is the point.

The call..