[FORECAST] Iran’s Cyber Window Stays Open—But the Novelty Bar Is Tougher Now (Updated: 2026-04-23)

The industry loves a neat PLC story because it keeps the threat in a box you can point at. The less fun version is when the same campaign walks through identity or an admin plane your org still treats like plumbing.

When your ‘novel campaign’ is just the same OT panic with a fresh haircut.

This is the 4th installment of our "What's Iran gonna do next" series of forecasts.


AlphaHunt



TL;DR

Question

Will Iran-linked cyber operators conduct at least one novel, materially disruptive or data-compromising cyberattack against U.S. or Israeli organizations by 2026-05-20?

Strategic Forecast

Iran-linked operators are already conducting disruptive activity in the window, especially against exposed U.S. OT. That keeps the risk above even. The main hinge factor is not intent, but whether a case clears the stricter novelty and quantified-impact bar before the deadline. Watch for victim or government disclosures that add hard numbers, or for evidence of a new access path, toolchain, or target class.

Executive Take

If you defend a U.S. or Israeli organization, especially in OT-heavy sectors or with high-value Microsoft/IdP admin planes, assume elevated risk now. The highest-payoff actions are reducing internet-exposed OT, tightening privileged identity and endpoint-management controls, and preparing to validate or dismiss breach claims quickly. The forecast is not a call for panic; it is a call for targeted hardening where Iran-linked operators already have a workable path.


Forecast Card

  • Question: Will Iran-linked cyber operators (state units and aligned proxy/hacktivist ecosystem) conduct at least one novel, materially disruptive or data-compromising cyberattack against U.S. or Israeli organizations during the current resolution window ending 2026-05-20, attributable with high confidence by credible authorities?

  • Resolution Criteria: Yes if between 2026-03-25 and 2026-05-20 there is at least one credibly confirmed Iran-linked incident against a U.S. or Israeli organization that meets all three of:
      • (a) Attribution via victim disclosure, U.S./Israeli government statement, UK NCSC statement, or consensus top-tier vendor reporting with evidence.
      • (b) Material impact meeting at least one threshold: >=500 endpoints impacted or >=5% of endpoints, whichever is smaller, rendered unusable/encrypted/wiped, or >=50 servers affected; or critical service outage >=8 hours (>=24 hours if internal-only); or OT/ICS degradation affecting >=10,000 customers/users or any safety-critical shutdown attributable to cyber; or confirmed exfiltration of >=10 GB sensitive data, >=100,000 records, or regulated sensitive data at scale.
      • (c) At least one novel dimension: new initial access class, new impact mechanism, new target class, or new toolchain.
    No if activity is limited to DDoS/defacement, recycled leaks, weakly evidenced claims, or below-threshold incidents. As of 2026-04-22, direct exploitation of exposed PLCs/HMIs/SCADA with project-file interaction or display/data manipulation of the type described in AA26-097A is not novel by itself.

  • Horizon: 2026-05-20T23:59:00-04:00

  • Probability (Now): 52% | Log-odds: 0.0800

  • Confidence in Inputs: Medium

  • Base Rate: 35% from elevated-tension 8-week windows in which public evidence of significant Iran-linked incidents is less common than nuisance-level or under-quantified activity (CSIS context)
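
The resolution criteria above have enough moving parts (an "whichever is smaller" endpoint rule, a longer outage bar for internal-only services, excluded nuisance categories, and three gates that must all hold) that an analyst tracking candidate incidents benefits from encoding them once. The following is an added example written for this page, not AlphaHunt's own tooling; the `Incident` field names, the attribution-source labels and the sample incidents are all constructed for illustration, and the only assumption beyond the card is that an unknown fleet size falls back to the absolute 500-endpoint figure.

```python
from dataclasses import dataclass, field
from typing import Optional

# Thresholds taken verbatim from the forecast card's resolution criteria.
ENDPOINT_ABS = 500          # >=500 endpoints ...
ENDPOINT_PCT = 0.05         # ... or >=5% of endpoints, whichever is smaller
SERVER_MIN = 50             # >=50 servers affected
OUTAGE_HOURS = 8            # critical service outage >=8 hours
OUTAGE_HOURS_INTERNAL = 24  # >=24 hours if internal-only
OT_CUSTOMERS = 10_000       # OT/ICS degradation affecting >=10,000 customers/users
EXFIL_GB = 10               # >=10 GB sensitive data
EXFIL_RECORDS = 100_000     # >=100,000 records

# Attribution sources gate (a) accepts (labels are constructed for this example).
CREDIBLE_ATTRIBUTION = {"victim", "us_gov", "il_gov", "uk_ncsc", "vendor_consensus"}
# The four novelty dimensions named in gate (c).
NOVEL_DIMENSIONS = {"initial_access_class", "impact_mechanism", "target_class", "toolchain"}
# Activity classes the criteria exclude outright.
NUISANCE = {"ddos", "defacement", "recycled_leak"}


@dataclass
class Incident:
    """Constructed record of one candidate incident; field names are this example's, not the page's."""
    attribution: Optional[str]
    category: str
    total_endpoints: int = 0        # 0 means fleet size unknown (assumption: use absolute figure)
    endpoints_unusable: int = 0     # rendered unusable / encrypted / wiped
    servers_affected: int = 0
    outage_hours: float = 0.0
    internal_only: bool = False
    ot_customers_affected: int = 0
    safety_shutdown: bool = False
    exfil_gb: float = 0.0
    exfil_records: int = 0
    regulated_data_at_scale: bool = False
    novel: set = field(default_factory=set)


def endpoint_threshold(total_endpoints: int) -> float:
    """'>=500 endpoints or >=5% of endpoints, whichever is smaller'."""
    if total_endpoints <= 0:
        return ENDPOINT_ABS  # fleet size unknown: only the absolute figure can be applied
    return min(ENDPOINT_ABS, total_endpoints * ENDPOINT_PCT)


def impact_reasons(inc: Incident) -> list:
    """Gate (b): every impact threshold the incident clears (empty list = below threshold)."""
    reasons = []
    if inc.endpoints_unusable > 0 and inc.endpoints_unusable >= endpoint_threshold(inc.total_endpoints):
        reasons.append("endpoints")
    if inc.servers_affected >= SERVER_MIN:
        reasons.append("servers")
    outage_min = OUTAGE_HOURS_INTERNAL if inc.internal_only else OUTAGE_HOURS
    if inc.outage_hours >= outage_min:
        reasons.append("outage")
    if inc.ot_customers_affected >= OT_CUSTOMERS or inc.safety_shutdown:
        reasons.append("ot_ics")
    if inc.exfil_gb >= EXFIL_GB or inc.exfil_records >= EXFIL_RECORDS or inc.regulated_data_at_scale:
        reasons.append("exfiltration")
    return reasons


def evaluate(inc: Incident) -> dict:
    """Apply gates (a) attribution, (b) impact and (c) novelty; all three must hold for YES."""
    result = {"resolution": "NO", "attributed": False, "impact": [],
              "novel": sorted(inc.novel & NOVEL_DIMENSIONS), "note": ""}
    if inc.category in NUISANCE:
        result["note"] = "nuisance-level activity never resolves YES"
        return result
    result["attributed"] = inc.attribution in CREDIBLE_ATTRIBUTION
    result["impact"] = impact_reasons(inc)
    if result["attributed"] and result["impact"] and result["novel"]:
        result["resolution"] = "YES"
    elif not result["attributed"]:
        result["note"] = "attribution not from an accepted source"
    elif not result["impact"]:
        result["note"] = "below every impact threshold"
    else:
        result["note"] = "no novel dimension (e.g. AA26-097A-style PLC/HMI activity alone)"
    return result


# Constructed sample incidents (not real events) covering the edge cases in the criteria.
SAMPLES = {
    "small_fleet_wiper": Incident("victim", "wiper", total_endpoints=2000, endpoints_unusable=150,
                                  novel={"toolchain"}),
    "plc_manipulation_only": Incident("us_gov", "ot_manipulation", ot_customers_affected=12_000),
    "internal_outage_10h": Incident("vendor_consensus", "outage", outage_hours=10, internal_only=True,
                                    novel={"initial_access_class"}),
    "big_ddos": Incident("us_gov", "ddos", outage_hours=30, novel={"toolchain"}),
    "unverified_leak_claim": Incident(None, "exfil", exfil_records=250_000, novel={"target_class"}),
}

if __name__ == "__main__":
    for name, inc in SAMPLES.items():
        r = evaluate(inc)
        print(f"{name:24s} {r['resolution']:3s} impact={r['impact']} novel={r['novel']} {r['note']}")
```

Two of the samples show why the card's wording matters: a 2,000-endpoint shop loses only 150 machines yet clears the bar, because 5% of its fleet (100) is the smaller figure, while a 10-hour outage of an internal-only service falls short of the 24-hour internal threshold even though it would clear the 8-hour external one. The PLC sample resolves NO on novelty alone, which is exactly the post-2026-04-22 carve-out in the criteria.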


Top Drivers, Scenarios, Signals and Detection Opportunities