[FORECAST] The Threat Was Real. The Public Proof Probably Falls Short (Final: 2026-05-21)

The forecast likely resolves No, but the useful lesson is where Iran-linked operators still depend on access defenders can pressure.

Bad news: the threat was real. Worse news: the paperwork showed up wearing a fake mustache.

This is the 7th and FINAL installment of our "What's Iran gonna do next" series of forecasts:


The Threat Was Real. The Public Proof Probably Falls Short.

Forecast in one line

Our current call is 7% that Iran-linked cyber operators publicly clear this forecast’s strict threshold by 2026-05-20 23:59 America/New_York.

The most likely outcome is No — not because the threat disappeared, but because the public evidence still likely falls short.

The call

This is the annoying kind of forecast: the threat was real, the activity was real, and defenders still had work to do — but the public evidence probably does not clear the bar before midnight.

That is exactly why this one matters.

A No resolution can still leave defenders with a very real exposure problem: internet-facing OT, weak ownership, identity abuse, and remote-management paths that attackers do not need to reinvent.

The forecast asked a narrow question:

Will Iran-linked cyber operators conduct at least one novel, materially disruptive or data-compromising, credibly attributed cyberattack against U.S. or Israeli organizations before the deadline?

Our answer is now: probably not publicly proven in time.

That distinction matters.

This question required three things to be visible before midnight:

  • credible attribution
  • threshold-level materiality
  • novelty beyond the documented baseline

As of this update, the public record still appears to miss at least one gate in every major candidate case.

A forecast can resolve No and still point to a real defender problem.

That is not a contradiction. That is the job.


Why we think this

The strongest public case is still the CISA AA26-097A U.S. PLC campaign.

That advisory matters. It points to Iranian-affiliated actors exploiting internet-facing PLCs across U.S. critical infrastructure sectors, with some victims experiencing operational disruption and financial loss.

That is not noise. That is the part defenders should care about.

But for this forecast, the case still has two problems:

  • the public text does not provide enough detail on materiality to clear this forecast's threshold
  • similar Iran-linked PLC/HMI disruption was already documented in prior public reporting, which narrows the novelty argument

In plain English: the campaign is serious, but the public proof still does not cleanly satisfy this forecast’s scoring rules.

The strongest enterprise-side case is the Rapid7 Chaos / MuddyWater reporting.

That case has meaningful technical evidence and a plausible Iran-linked angle. It also has the kind of tradecraft defenders should not shrug off: social engineering, remote-management abuse, payload retrieval, staging, and leaked data.

But it still appears short on three things this question needs:

  • consensus-grade attribution
  • quantified impact
  • public recognition of novelty beyond the known Iran-linked baseline

So the enterprise case raises concern.

It does not yet resolve the forecast.

The gas-station / ATG thread is useful context, but not resolution-grade evidence. The attribution remains too tentative, and the reported effects do not appear to cross the materiality threshold.