[FORECAST] Iran’s Cyber Window Stays Open—But the Novelty Bar Is Tougher Now (Updated: 2026-04-23)
The industry loves a neat PLC story because it keeps the threat in a box you can point at. The less fun version is when the same campaign walks through identity or an admin plane your org still treats like plumbing.
This is the fourth installment of our "What's Iran gonna do next?" series of forecasts:
- (2026-03-17) Forecast 1 - From Password Sprays to Tenant Sabotage: The 8-Week Iran Cyber Risk for U.S. and Israeli Orgs
- (2026-03-26) Forecast 2 - From Password Sprays to Tenant Sabotage: The 8-Week Iran Cyber Risk for U.S. and Israeli Orgs - UPDATED: 2026-03-26
- (2026-04-08) Forecast 3 - Beyond PLCs: Are Iran-Linked Operators More Likely to Chase New Targets, New Tooling, or New Impact?
AlphaHunt
TL;DR
Question
Will Iran-linked cyber operators conduct at least one novel, materially disruptive or data-compromising cyberattack against U.S. or Israeli organizations by 2026-05-20?
Strategic Forecast
Iran-linked operators are already conducting disruptive activity in the window, especially against exposed U.S. OT. That keeps the risk above even. The main hinge factor is not intent, but whether a case clears the stricter novelty and quantified-impact bar before the deadline. Watch for victim or government disclosures that add hard numbers, or for evidence of a new access path, toolchain, or target class.
Executive Take
If you defend a U.S. or Israeli organization, especially in OT-heavy sectors or with high-value Microsoft/IdP admin planes, assume elevated risk now. The highest-payoff actions are reducing internet-exposed OT, tightening privileged identity and endpoint-management controls, and preparing to validate or dismiss breach claims quickly. The forecast is not a call for panic; it is a call for targeted hardening where Iran-linked operators already have a workable path.
Forecast Card
- Question: Will Iran-linked cyber operators (state units and aligned proxy/hacktivist ecosystem) conduct at least one novel, materially disruptive or data-compromising cyberattack against U.S. or Israeli organizations during the current resolution window ending 2026-05-20, attributable with high confidence by credible authorities?
- Resolution Criteria: Yes if between 2026-03-25 and 2026-05-20 there is at least one credibly confirmed Iran-linked incident against a U.S. or Israeli organization with:
  - (a) attribution via victim disclosure, U.S./Israeli government statement, UK NCSC statement, or consensus top-tier vendor reporting with evidence;
  - (b) material impact meeting at least one threshold: >=500 endpoints impacted or >=5% of endpoints, whichever is smaller, rendered unusable/encrypted/wiped, or >=50 servers affected; or critical service outage >=8 hours (>=24 hours if internal-only); or OT/ICS degradation affecting >=10,000 customers/users, or any safety-critical shutdown attributable to cyber; or confirmed exfiltration of >=10 GB sensitive data, >=100,000 records, or regulated sensitive data at scale; and
  - (c) at least one novel dimension: new initial access class, new impact mechanism, new target class, or new toolchain.
  No if activity is limited to DDoS/defacement, recycled leaks, weakly evidenced claims, or below-threshold incidents. As of 2026-04-22, direct exploitation of exposed PLCs/HMIs/SCADA with project-file interaction or display/data manipulation of the type described in AA26-097A is not novel by itself.
- Horizon: 2026-05-20T23:59:00-04:00
- Probability (Now): 52% | Log-odds: 0.0800
- Confidence in Inputs: Medium
- Base Rate: 35% from elevated-tension 8-week windows in which public evidence of significant Iran-linked incidents is less common than nuisance-level or under-quantified activity (CSIS context)
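The Executive Take asks teams to validate or dismiss breach claims quickly, and the card's criterion (b) has a couple of details that are easy to misapply under pressure: the endpoint threshold is the smaller of 500 and 5% of the fleet, and an internal-only outage needs 24 hours rather than 8. The triage helper below encodes criteria (a), (b) and (c) as one decision function so a claim can be scored consistently. It is an example added to this page, not AlphaHunt's own tooling; the Incident field names, the fallback to the absolute 500 figure when the victim has not disclosed fleet size, and the sample incidents are assumptions constructed for illustration. The novelty flags must still be set by the analyst after applying the AA26-097A exclusion the card states; the code does not judge novelty itself.

```python
"""Apply the Forecast Card's resolution criteria to a candidate incident.

Added example for this page (not AlphaHunt's code). Field names, the
unknown-fleet fallback and the sample incidents are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from math import ceil
from typing import Optional

# Thresholds transcribed from criterion (b) of the card.
ENDPOINT_ABS = 500            # >=500 endpoints ...
ENDPOINT_FRAC = 0.05          # ... or >=5% of endpoints, whichever is smaller
SERVERS_MIN = 50
OUTAGE_HOURS = 8.0
OUTAGE_HOURS_INTERNAL = 24.0  # stricter bar when the outage is internal-only
OT_CUSTOMERS_MIN = 10_000
EXFIL_GB_MIN = 10.0
EXFIL_RECORDS_MIN = 100_000

# The four novelty dimensions named in criterion (c).
NOVEL_DIMENSIONS = frozenset(
    {"initial_access", "impact_mechanism", "target_class", "toolchain"}
)


@dataclass(frozen=True)
class Incident:
    """One candidate incident as the analyst recorded it (field names assumed)."""
    attributed: bool                      # (a): a listed source attributes it
    endpoints_unusable: int = 0           # rendered unusable/encrypted/wiped
    fleet_size: Optional[int] = None      # total endpoints, if disclosed
    servers_affected: int = 0
    outage_hours: float = 0.0
    outage_internal_only: bool = False
    ot_customers_affected: int = 0
    safety_critical_shutdown: bool = False
    exfil_gb: float = 0.0
    exfil_records: int = 0
    regulated_data_at_scale: bool = False
    novel: frozenset = frozenset()        # analyst-set subset of NOVEL_DIMENSIONS


def endpoint_threshold(fleet_size: Optional[int]) -> int:
    """'>=500 or >=5% of endpoints, whichever is smaller'.

    Assumption: with no disclosed fleet size the 5% figure cannot be computed,
    so the absolute 500 applies.
    """
    if fleet_size is None or fleet_size <= 0:
        return ENDPOINT_ABS
    return min(ENDPOINT_ABS, ceil(ENDPOINT_FRAC * fleet_size))


def impact_reasons(inc: Incident) -> list[str]:
    """Return every (b) threshold the incident clears; empty means below threshold."""
    reasons: list[str] = []
    if inc.endpoints_unusable >= endpoint_threshold(inc.fleet_size):
        reasons.append("endpoints")
    if inc.servers_affected >= SERVERS_MIN:
        reasons.append("servers")
    outage_min = OUTAGE_HOURS_INTERNAL if inc.outage_internal_only else OUTAGE_HOURS
    if inc.outage_hours >= outage_min:
        reasons.append("outage")
    if inc.ot_customers_affected >= OT_CUSTOMERS_MIN or inc.safety_critical_shutdown:
        reasons.append("ot_degradation")
    if (inc.exfil_gb >= EXFIL_GB_MIN or inc.exfil_records >= EXFIL_RECORDS_MIN
            or inc.regulated_data_at_scale):
        reasons.append("exfiltration")
    return reasons


def resolves_yes(inc: Incident) -> tuple[bool, list[str]]:
    """Apply (a), (b) and (c) together. The list explains a No; empty on Yes."""
    unknown = inc.novel - NOVEL_DIMENSIONS
    if unknown:
        raise ValueError(f"unknown novelty dimension(s): {sorted(unknown)}")
    problems: list[str] = []
    if not inc.attributed:
        problems.append("no high-confidence attribution")
    if not impact_reasons(inc):
        problems.append("below material-impact thresholds")
    if not inc.novel:
        problems.append("no novel dimension")
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed sample claims, not real incidents.
    samples = {
        "wiper, 2k fleet, new toolchain": Incident(
            attributed=True, endpoints_unusable=120, fleet_size=2000,
            novel=frozenset({"toolchain"})),
        "12h internal-only outage": Incident(
            attributed=True, outage_hours=12, outage_internal_only=True,
            novel=frozenset({"target_class"})),
        "600 endpoints, nothing new": Incident(
            attributed=True, endpoints_unusable=600, fleet_size=50_000),
        "unattributed DDoS claim": Incident(attributed=False),
    }
    for name, inc in samples.items():
        print(f"{name}: {resolves_yes(inc)}")
```

Note the second sample: a 12-hour outage clears the 8-hour bar only if customer-facing; flagged internal-only, it falls short of the 24-hour bar and the card resolves No. Likewise the third sample wipes 600 endpoints in a 50,000-seat fleet (threshold 500) but carries no novel dimension, which is exactly the case the "not novel by itself" caveat is meant to screen out.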
