[FORECAST ] Iran’s Cyber Window Is Still Open—But the Qualification Clock Is Now the Hardest Adversary (Updated 2026-05-05!)

Iran cyber isn’t quiet. The problem is the scoreboard. Every recycled leak and nuisance outage wants to become “critical infrastructure impact” before the evidence has its pants on.

When the campaign claim is loud, but the impact evidence is still buffering.

This is the 5th installment of our "What's Iran gonna do next" series of forecasts.


TL;DR

  • Current forecast: 43% that a qualifying Iran-linked incident is publicly evidenced by 2026-05-20.

  • Read that as: low-40s, not a precise point estimate. The threat is real, but the evidence bar is still unmet.

  • Why not higher: the best current public candidate still lacks hard numbers on outage duration, customer impact, or affected asset counts.

  • Why not lower: CISA already confirmed Iran-affiliated, in-window PLC disruption across multiple U.S. sectors, including operational disruption and financial loss.

  • Main thing to watch: a victim, regulator, or agency adding quantified impact or naming a clearly new access path or toolchain.


AlphaHunt



Forecast Card

  • Question: Will Iran-linked cyber operators (state units and aligned proxy/hacktivist ecosystem) conduct at least one novel, materially disruptive or data-compromising cyberattack against U.S. or Israeli organizations during the current resolution window ending 2026-05-20, attributable with high confidence by credible authorities?

  • Resolution Criteria: Yes if a credibly confirmed Iran-linked incident against a U.S. or Israeli organization by 2026-05-20 clears all three gates: high-confidence attribution, material impact above threshold, and at least one novel dimension. No if activity is only DDoS/defacement, recycled leaks, weakly evidenced claims, or below-threshold impact. Full threshold language is in the audit JSON.

  • Horizon: 2026-05-20T23:59:00-04:00

  • Probability (Now): 43% | Log-odds: -0.2819

  • Confidence in Inputs: Medium

  • Base Rate: 30% from a roughly one-in-three analog reference class, not an exact same-gate historical rate.


Base-Rate Construction

| Window | Evidence reviewed | Strict “Yes” under today’s gate? | Why included |
|---|---|---|---|
| 2023-11-22 to 2024-01-17 | AA23-335A | No — analog only | Strongest historical analog: at least 75 devices compromised, disruptive ladder-logic replacement, operator lockout, and HMI disruption. But the public record reviewed here does not specify >=10,000 affected users/customers, safety-critical shutdown, or another clean match to today’s OT materiality threshold. |
| 2024-10-16 to 2024-12-10 | AA24-290A | No | Clear Iran-linked access and persistence activity, but no public threshold-clearing disruptive or large-scale exfiltration event in-window. |
| 2025-06-30 to 2025-08-24 | 2025 CISA fact sheet | No | Elevated warning window; CISA explicitly said it had not seen indications of a coordinated campaign in the U.S. |

  • Reference-class note: exact same-gate historical positives are too sparse in public reporting to anchor a stable numeric base rate.

  • How I use it: I treat this as an analog floor of roughly one-in-three, then update from there.

  • Why the posterior is above the base rate: the current window is stronger than most analogs because CISA has already confirmed in-window, Iran-affiliated, multi-sector U.S. disruption with operational impact and financial loss.
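
The arithmetic linking the 30% base rate to the 43% posterior and its -0.2819 log-odds, as an added example (not the forecaster's own model or code). The function names and the 50% and 30% targets in the sensitivity loop are assumptions chosen for illustration.

```python
import math

# Figures taken from the Forecast Card above.
BASE_RATE = 0.30      # analog reference class, roughly one-in-three
POSTERIOR = 0.43      # "Probability (Now)"


def logit(p: float) -> float:
    """Probability -> log-odds (natural log)."""
    if not 0.0 < p < 1.0:
        raise ValueError("probability must be strictly between 0 and 1")
    return math.log(p / (1.0 - p))


def inv_logit(x: float) -> float:
    """Log-odds -> probability."""
    return 1.0 / (1.0 + math.exp(-x))


def implied_bayes_factor(prior: float, posterior: float) -> float:
    """Net likelihood ratio that moves `prior` to `posterior`."""
    return math.exp(logit(posterior) - logit(prior))


def update(prior: float, likelihood_ratio: float) -> float:
    """Apply one piece of evidence, expressed as a likelihood ratio, to a prior."""
    if likelihood_ratio <= 0:
        raise ValueError("likelihood ratio must be positive")
    return inv_logit(logit(prior) + math.log(likelihood_ratio))


def ratio_needed(current: float, target: float) -> float:
    """Likelihood ratio a new signal must carry to move `current` to `target`."""
    return math.exp(logit(target) - logit(current))


if __name__ == "__main__":
    print(f"log-odds now:        {logit(POSTERIOR):+.4f}")
    print(f"log-odds base rate:  {logit(BASE_RATE):+.4f}")
    print(f"implied net LR:      {implied_bayes_factor(BASE_RATE, POSTERIOR):.2f}")
    # Hypothetical targets (constructed, not from the page): how strong would a
    # new disclosure have to be to reach even odds, or to fall back to the base rate?
    for target in (0.50, 0.30):
        print(f"LR to reach {target:.0%}:    {ratio_needed(POSTERIOR, target):.2f}")
```

Read this way, the in-window CISA confirmation is being weighted as net evidence of roughly 1.8 to 1 in favor of a qualifying incident, and a further signal of about 1.3 to 1 would bring the forecast to even odds.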


Top Drivers, Scenarios, Signals and Detection Opportunities