![[FORECAST] The next secret-stealing campaign may start with a tool you trusted](https://storage.ghost.io/c/06/e5/06e5730b-7d78-4713-9cec-6cba31d297f5/content/images/size/w600/2026/05/z-10.png)
forecasts
[FORECAST] The next secret-stealing campaign may start with a tool you trusted
AI coding tools are becoming trusted middlemen. That gives defenders a new attack path to understand before it gets ugly.
forecasts
![[FORECAST] The Threat Was Real. The Public Proof Probably Falls Short (Final: 2026-05-21)](https://storage.ghost.io/c/06/e5/06e5730b-7d78-4713-9cec-6cba31d297f5/content/images/size/w600/2026/05/z-7.png)
forecasts
[FORECAST] The Threat Was Real. The Public Proof Probably Falls Short (Final: 2026-05-21)
The forecast likely resolves No, but the useful lesson is where Iran-linked operators still depend on access defenders can pressure.
![[FORECAST] Iran-Linked Cyber Risk Is Real. The Evidence Bar Is Harder (Updated: 2026-05-14)](https://storage.ghost.io/c/06/e5/06e5730b-7d78-4713-9cec-6cba31d297f5/content/images/size/w600/2026/05/zz.png)
forecasts
[FORECAST] Iran-Linked Cyber Risk Is Real. The Evidence Bar Is Harder (Updated: 2026-05-14)
The forecast is 29%, but the operational risk is still worth preparing for this week.
![[FORECAST] Will Akira trigger a week-long hospital disruption by end of 2026? (Updated 2026-05-11)](https://storage.ghost.io/c/06/e5/06e5730b-7d78-4713-9cec-6cba31d297f5/content/images/size/w600/2026/05/z-3.png)
forecasts
[FORECAST] Will Akira trigger a week-long hospital disruption by end of 2026? (Updated 2026-05-11)
We’re revising the Akira hospital disruption forecast down to 2%. The risk is real, but the question is narrower than it looks.
![[FORECAST] Device-Bound Sessions Are Coming. Defaults Are the Hard Part.](https://storage.ghost.io/c/06/e5/06e5730b-7d78-4713-9cec-6cba31d297f5/content/images/size/w600/2026/05/z-2.png)
forecasts
[FORECAST] Device-Bound Sessions Are Coming. Defaults Are the Hard Part.
“Secure by default” sounds great until it meets BYOD, VDI, federated SSO, and the help desk exception list from hell. Device-bound sessions help. Waiting for every SaaS vendor to flip the default is not a strategy.
![[FORECAST ] Iran’s Cyber Window Is Still Open—But the Qualification Clock Is Now the Hardest Adversary (Updated 2026-05-05!)](https://storage.ghost.io/c/06/e5/06e5730b-7d78-4713-9cec-6cba31d297f5/content/images/size/w600/2026/05/z.png)
forecasts
[FORECAST ] Iran’s Cyber Window Is Still Open—But the Qualification Clock Is Now the Hardest Adversary (Updated 2026-05-05!)
Iran cyber isn’t quiet. The problem is the scoreboard. Every recycled leak and nuisance outage wants to become “critical infrastructure impact” before the evidence has its pants on.
![[FORECAST] Iran’s Cyber Window Stays Open—But the Novelty Bar Is Tougher Now (Updated: 2026-04-23)](https://storage.ghost.io/c/06/e5/06e5730b-7d78-4713-9cec-6cba31d297f5/content/images/size/w600/2026/04/z-9.png)
forecasts
[FORECAST] Iran’s Cyber Window Stays Open—But the Novelty Bar Is Tougher Now (Updated: 2026-04-23)
The industry loves a neat PLC story because it keeps the threat in a box you can point at. The less fun version is when the same campaign walks through identity or an admin plane your org still treats like plumbing.
![[FORECAST] Two New App-Layer Campaigns by Year-End? Watch the Attribution Line](https://storage.ghost.io/c/06/e5/06e5730b-7d78-4713-9cec-6cba31d297f5/content/images/size/w600/2026/04/z-6.png)
forecasts
[FORECAST] Two New App-Layer Campaigns by Year-End? Watch the Attribution Line
Teams keep hardening the front door while the “trusted integration” gets waved through reception with a box truck. No core-platform exploit required. Just approval fatigue with API access.
![[FORECAST] Beyond PLCs: Are Iran-Linked Operators More Likely to Chase New Targets, New Tooling, or New Impact? UPDATED 2026-04-08!](https://storage.ghost.io/c/06/e5/06e5730b-7d78-4713-9cec-6cba31d297f5/content/images/size/w600/2026/04/z-3.png)
forecasts
[FORECAST] Beyond PLCs: Are Iran-Linked Operators More Likely to Chase New Targets, New Tooling, or New Impact? UPDATED 2026-04-08!
Everyone saw the PLC headline and immediately built their whole Iran take around exposed controllers. Cool. The nastier question is what happens when the next move comes through identity, admin planes, or some target class nobody staffed for.
ai
The Next 3–6 Months: Where Threat Actors Will Move Faster Than Defenders
Everyone’s hunting “AI attacks.” Meanwhile the ugly money is still in trusted pages, stolen sessions, and users politely pasting the command for them.
![[FORECASTS] From Password Sprays to Tenant Sabotage: The 8-Week Iran Cyber Risk for U.S. and Israeli Orgs - UPDATED: 2026-03-26](https://storage.ghost.io/c/06/e5/06e5730b-7d78-4713-9cec-6cba31d297f5/content/images/size/w600/2026/03/z-6.png)
forecasts
[FORECASTS] From Password Sprays to Tenant Sabotage: The 8-Week Iran Cyber Risk for U.S. and Israeli Orgs - UPDATED: 2026-03-26
Iran cyber risk is not about whether they’ll be active. They will. The real question is whether the next 8 weeks produce a publicly attributed, materially disruptive hit with a new twist beyond the usual password-spray sludge. Tenant sabotage is the part to watch. 👀🔥
![[FORECAST] Will RedNovember be publicly reported to exploit at least one zero-day vulnerability in 2026? Updated 2026-03-24](https://storage.ghost.io/c/06/e5/06e5730b-7d78-4713-9cec-6cba31d297f5/content/images/size/w600/2026/03/z-4.png)
forecasts
[FORECAST] Will RedNovember be publicly reported to exploit at least one zero-day vulnerability in 2026? Updated 2026-03-24
RedNovember is the kind of crew that turns “it was only an N-day” into a post-incident coping mechanism. We’re at 25% odds they get publicly tied to a true 0-day in 2026. With edge exploitation surging, that’s not exactly comforting. 👀🔥