On February 28, the United States and Israel launched coordinated military strikes against Iran. The operation hit nuclear facilities, missile production sites, and IRGC command infrastructure. Israel's Operation "Roar of the Lion" simultaneously executed what the Jerusalem Post described as "the largest cyberattack in history," crippling Iranian internet connectivity, state media, and military communications systems.
Iran's internet dropped to 4% connectivity. Its conventional military capability has been severely degraded. Its nuclear ambitions have been set back years.
And if you're running security for an American enterprise, none of that should make you feel safer. It should terrify you.
The Asymmetric Playbook
I spent eight years in Navy EOD watching a specific pattern repeat itself: when you deny an adversary their preferred weapons, they don't surrender. They adapt. Every time coalition forces defeated one IED design, bomb makers evolved. They shifted materials, changed triggers, found new delivery methods. The adversary who can't fight you conventionally will always find an asymmetric way to make you bleed.
Iran is now on what former NATO commander Admiral James Stavridis described as "death ground", invoking Sun Tzu's term for a position where survival demands action. Iran cannot project conventional military power against the U.S. homeland. Its missile arsenal has been degraded. Its air defenses have been dismantled. But it retains one instrument of force that geography cannot contain and military strikes cannot destroy: cyber operations.
SentinelOne issued an intelligence brief on February 28 assessing "with high confidence that organizations in Israel, the United States, and allied nations are likely to face direct or indirect targeting." Anomali's threat intelligence team assessed that wiper attacks against U.S. critical infrastructure are "the highest-probability retaliatory action" and warned that Iran's pre-positioned implants and foreign-based operators could function independently of Iranian domestic infrastructure.
That last detail matters. Even with Iran's own internet at 4%, its cyber operators abroad can still strike.
Your Government Can't Save You
Here's the part that should reframe your risk calculations.
The Cybersecurity and Infrastructure Security Agency, the federal body responsible for defending U.S. critical infrastructure from exactly this kind of threat, is operating at roughly 38% capacity. A Department of Homeland Security funding lapse that began on February 14 has furloughed most of CISA's workforce. Of approximately 2,341 personnel, only 888 are still working. The agency lacks a Senate-confirmed director. Acting director Madhu Gottumukkala warned Congress that "a shutdown would degrade our capacity to provide timely and actionable guidance to help partners defend their networks."
This isn't a hypothetical degradation. CISA's workforce had already fallen from about 3,400 in January 2025 to below 2,400 before the funding lapse cut it further. The timing is not coincidental from Iran's perspective; it's opportunistic. Tatyana Bolton, a cybersecurity principal at Monument Advocacy, put it bluntly to Defense One: "Geography provides no protection against a cyber-enabled adversary. Iran possesses some of the most creative and dangerous cyber operators in the world."
The FBI and NSA continue threat tracking at full capacity, but the organization specifically chartered to coordinate private-sector defense is running on fumes during the highest-threat period in years.
You are functionally on your own.
What Iranian Cyber Operations Look Like
This isn't a theoretical exercise. Iran has fifteen years of operational cyber history, and SentinelOne's brief outlines four categories of anticipated response:
Precision espionage. APT34 (OilRig) and APT42 (TA453) use spearphishing and credential harvesting to penetrate U.S. military, government, and defense contractor networks. They move laterally, establish persistence, and exfiltrate intelligence. Tools include PowerShell abuse, LSASS credential dumping, and tunneling through legitimate services like ngrok and Cloudflared.
Destructive operations. Wiper malware, DDoS attacks, and boot-tampering tools designed to render systems unrecoverable. Iran has deployed wipers against Israeli targets under fake hacktivist personas to obscure attribution. These aren't ransomware operations; the goal is destruction, not payment.
Disinformation campaigns. Fabricated claims, leaked documents (real or manipulated), and coordinated social media operations designed to amplify fear and undermine confidence in U.S. institutions. Expect Telegram channels and social platforms to be weaponized.
Infrastructure probing. In late 2023, IRGC-linked hackers breached Israeli-made Unitronics PLCs in U.S. water treatment facilities across multiple states. SentinelOne identifies this as a "shift toward ICS/OT targets" for psychological impact alongside kinetic operations. Water, energy, and transportation systems are primary targets.
The attack methods are well documented. The question is whether your defenses are designed for the threat or designed for the audit.
Perimeter Security Won't Save You
Most enterprise security architectures are built around keeping attackers out. Firewalls, VPNs, network segmentation, identity management. The assumption is that if you control the boundary, you control the risk.
Iranian APT groups specifically target that assumption. The Fortinet SAML SSO bypasses I wrote about in January are a case study: two 9.8 CVSS vulnerabilities that let unauthenticated attackers walk through fully patched firewalls. The perimeter device, the literal definition of boundary defense, became the entry point. Attackers created backdoor accounts named "helpdesk" and "secadmin" and exfiltrated configurations to external IPs.
Iran's playbook follows the same pattern. They target internet-facing systems with known vulnerabilities, especially industrial control systems running outdated firmware. They use legitimate tools already present in the environment, the same PowerShell scripts and remote access software your IT team uses daily, making detection nearly impossible through traditional signature-based approaches.
As I covered in the ransomware exfiltration pivot, modern attackers increasingly bypass encryption entirely in favor of data theft using tools that blend into normal network traffic. When the attack looks like legitimate system administration, your perimeter is irrelevant.
The fundamental problem is architectural. If your security model depends on keeping adversaries outside a boundary, it fails the moment they cross it. And fifteen years of Iranian cyber operations have demonstrated, repeatedly, that they will cross it.
Data-Level Security Is the Only Defense That Survives
When a state-backed adversary breaches your perimeter (not if, when), the question becomes: what do they find?
If your sensitive data sits in plaintext behind the firewall, accessible to any account with the right credentials, then a single compromised identity gives attackers everything. Customer records, financial data, intellectual property, personally identifiable information. All of it available for exfiltration or destruction.
Data-level security, specifically tokenization, changes the calculus entirely. When sensitive fields are replaced at the point of creation with tokens that are random values rather than derivations of the data, the data itself becomes worthless to an attacker. You can breach the network, compromise admin credentials, dump the entire database, and walk away with nothing usable. There is no key to steal and no ciphertext to attack; the only path back to the original value is the token vault, which operates in a separate security domain. Not the attacker, not a nation-state, not anyone without access to that vault can reverse a token.
This is the approach I work on at Capital One Software with Databolt, and it's the same principle that makes field-level tokenization the right architectural response to state-sponsored threats. The protection travels with the data. It doesn't depend on the perimeter holding. It doesn't depend on CISA being fully staffed. It doesn't depend on your SOC detecting lateral movement before exfiltration completes.
When Iranian operators use legitimate tools to blend into your environment, when they move laterally through credential harvesting, when they target your ICS systems or your databases, the only thing that consistently denies them value is data that was never stored in a usable format to begin with.
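The architecture described above, as an added example that is not code from this post, from Databolt, or from Capital One Software: the application database stores only tokens, and the vault that maps tokens back to values sits in its own security domain with its own key and its own authorization decision. Field names, the role list and the sample records are assumptions. It also stands for the "Protect the data itself" step in the checklist later in the post.

```python
"""Vault-backed field-level tokenization.

Added example, not code from the post, Databolt or Capital One Software. It
models the architecture the post argues for: the application database holds
only tokens, and the token vault that maps tokens back to values lives in a
separate security domain with its own key and its own authorization. All
names, the role list and the sample records are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

SENSITIVE_FIELDS = {"ssn", "card_number"}  # assumed field names


class TokenVault:
    """The only component able to map a token back to its value."""

    def __init__(self, lookup_key: bytes, detokenize_roles: set[str]):
        self._lookup_key = lookup_key        # never leaves the vault's domain
        self._allowed = detokenize_roles     # roles allowed to read plaintext back
        self._value_by_token: dict[str, str] = {}
        self._token_by_fp: dict[str, str] = {}

    def _fingerprint(self, value: str) -> str:
        # Keyed hash so the same value gets the same token (joins and dedup
        # still work on tokens). Without the vault key an attacker cannot
        # recompute it to test guesses against a dumped application table.
        return hmac.new(self._lookup_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        fp = self._fingerprint(value)
        token = self._token_by_fp.get(fp)
        if token is None:
            # 128 random bits: the token is not derived from the value, so a
            # dumped table carries no ciphertext to attack.
            token = "tok_" + secrets.token_hex(16)
            self._token_by_fp[fp] = token
            self._value_by_token[token] = value
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        # Authorization is enforced here, in the vault's domain. A database
        # credential or admin rights in the application domain grant nothing.
        if caller_role not in self._allowed:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._value_by_token[token]


def ingest_record(vault: TokenVault, record: dict) -> dict:
    """Tokenize sensitive fields at the point of creation.

    The returned row is what the application database stores; plaintext
    never reaches it.
    """
    row = dict(record)
    for field in SENSITIVE_FIELDS.intersection(record):
        row[field] = vault.tokenize(record[field])
    return row


def plaintext_exposed(rows: list[dict]) -> list[str]:
    """What an attacker who dumped the application table walks away with."""
    leaked = []
    for row in rows:
        for field in SENSITIVE_FIELDS:
            value = row.get(field)
            if value is not None and not value.startswith("tok_"):
                leaked.append(value)
    return leaked


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32), detokenize_roles={"payments-service"})
    # Constructed sample records, not real data.
    customers = [
        ingest_record(vault, {"id": 1, "name": "Ada", "ssn": "123-45-6789"}),
        ingest_record(vault, {"id": 2, "name": "Bob", "ssn": "123-45-6789"}),
    ]
    print(customers)
    print("leaked from dump:", plaintext_exposed(customers))
    print(vault.detokenize(customers[0]["ssn"], "payments-service"))
    try:
        vault.detokenize(customers[0]["ssn"], "dba")
    except PermissionError as err:
        print("denied:", err)
```

Two design points matter in practice. The vault now holds the crown jewels, so it needs its own network segment, its own credentials, rate-limited and audited detokenize calls, and no trust in the caller's database privileges. And real deployments usually issue format-preserving tokens (a token that still looks like a card number) so downstream systems that validate field formats keep working; the token is still a random vault-issued value, not a transformation of the data.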
What to Do Right Now
SentinelOne, Anomali, and CISA (to the extent it can still function) all converge on the same set of immediate priorities. Here's what matters this week:
- Audit your internet-facing systems. Identify every PLC, SCADA system, VPN appliance, and remote access tool exposed to the internet. If it's running default credentials or unpatched firmware, assume it's already compromised. Iranian operators specifically hunt for these; the 2023 Unitronics intrusions reached controllers that were exposed to the internet with the vendor's default password.
- Enforce MFA everywhere. Not just email. VPN access, administrative consoles, cloud platforms, collaboration tools. APT42's primary initial access method is credential harvesting through phishing, and MFA is the single highest-ROI defensive control against it. One-time codes typed into a phishing page can be relayed in real time, so for administrators and remote access prefer phishing-resistant methods such as FIDO2 security keys or passkeys.
- Hunt for pre-positioned access. Anomali's assessment that Iranian operators have pre-positioned implants means you can't just harden going forward. You need to look for signs of existing compromise: unusual outbound connections, unfamiliar scheduled tasks, unexpected service accounts, tunneling tools like ngrok or Cloudflared that your team didn't deploy. Baseline against what IT actually installed, not against what looks normal.
- Test your wiper response. Can you recover from a complete data destruction event? Not a ransomware scenario where encryption is the threat, but a scenario where the goal is to destroy your systems entirely. Test your backup restoration from air-gapped or immutable copies. Verify that your recovery process works under time pressure.
- Protect the data itself. This is the step most organizations skip because it requires architectural investment, not just tool deployment. Tokenize sensitive data at the field level. Encrypt data at rest and in transit with keys you control. Segment your token vault from your production environment. Make the data worthless even when the breach succeeds.
The targeting of small and mid-size businesses makes this even more urgent. Iranian operators don't only target Fortune 500 enterprises; they target supply chain partners, defense subcontractors, and regional infrastructure providers. If you're connected to a larger target, you're already in scope.
The Battlefield Has No Borders
In EOD, we had a saying: the bomb doesn't care about your rank, your experience, or your equipment. It only cares whether you solved the problem correctly before the timer ran out.
Cyber warfare operates on the same principle. Iran's operators don't care about your company's size, your industry, or your security budget. They care about whether your data is accessible when they get in. The timer started on February 28. CISA is running at 38%. Your perimeter was never designed for state-sponsored adversaries.
The only question left is whether your data is protected at the level that matters, or whether you're counting on a boundary that already has holes in it.