State of Security | March 2026
MustardTree Partners Monthly Cybersecurity Report
By Samuel Odekunle, Managing Partner
The cybersecurity landscape of March 2026 has been irrevocably shaped by kinetic conflict. On 28 February, the United States and Israel launched coordinated strikes against Iran—Operation Epic Fury and Operation Roaring Lion—and cyberspace became the parallel theatre of war. What has unfolded since represents the most intensive period of state-linked cyber warfare since the Russia-Ukraine conflict, with operations spanning critical infrastructure, financial systems, communications networks, and the cognitive domain itself.
For organisations operating in this environment, the implications extend far beyond geopolitics. The targeting patterns are broad and opportunistic. Sectors with no direct connection to the conflict are being hit simply because they present opportunity. The rules of engagement have shifted, and every security leader needs to understand what that means for their organisation.
The Four-Hour Cyber War
Before a single missile struck Iranian soil, cyber operations had already begun. General Dan Caine, Chairman of the Joint Chiefs of Staff, confirmed that US Cyber Command was among the “first movers” in Operation Epic Fury. Coordinated space and cyber operations disrupted Iranian communications and sensor networks, leaving the adversary “without the ability to see, coordinate, or respond effectively.”
The sophistication of the pre-kinetic cyber campaign was extraordinary. Israeli intelligence had spent years building what sources describe as a comprehensive intelligence architecture focused on Tehran. Real-time feeds from compromised traffic cameras provided pattern-of-life analysis. Mobile phone networks had been “deeply penetrated,” allowing targeting intelligence that pinpointed where senior officials’ protection details parked their vehicles. When the moment came, a cyber operation disrupted mobile communications near the Supreme Leader’s compound, preventing warnings from reaching his security team.
Perhaps most striking was the compromise of BadeSaba, a popular Iranian prayer app with over five million downloads. Users received push notifications reading “Help has arrived” and messages urging military personnel to defect. The app had been targeted not merely for psychological warfare, but for its intelligence value—the application requests location access for accurate prayer times, making its user data extraordinarily valuable for targeting.
Within four hours of strikes beginning, Iran imposed a near-total internet blackout. Connectivity dropped to between one and four percent, remaining degraded for over sixty hours. This was a combination of physical strikes on data centres and what Israeli sources described as “the largest cyberattack in history.”
Asymmetry in Cyberspace
The opening days revealed a stark disparity in cyber capabilities. Iran lacks symmetric conventional response options against the United States and Israel—which is precisely why the regime has historically relied on cyber operations and proxy actors as instruments of response.
The internet blackout, while limiting information flow out of Iran, also severely constrained Iranian state actors’ ability to coordinate sophisticated cyberattacks. Unit 42 at Palo Alto Networks initially assessed that threat activity from nation-state groups within Iran would be mitigated in the near term due to limited connectivity and degraded command structures.
That assessment proved optimistic. By early March, security researchers were tracking over sixty active threat groups aligned with this conflict—fifty-three operating on the pro-Iranian side. Activity accelerated sharply, and contrary to initial assessments that Iranian cyber capabilities had been degraded by kinetic strikes, adversary operations intensified rather than diminished.
The explanation lies in geography. Pro-Iranian groups operate from Southeast Asia, Pakistan, Iraq, and elsewhere in the Middle East. The Cyber Islamic Resistance claimed responsibility for over six hundred distinct attacks in the first two weeks, operating across more than one hundred Telegram channels. NoName057(16), a pro-Russian hacktivist group that previously targeted Ukraine, has teamed up with Iranian hacktivists to target Israeli defence and municipal organisations.
Stryker: The Canary in the Coal Mine
On 11 March, American medical technology company Stryker confirmed a cyberattack had disrupted its global network. Employees across the company’s offices found the logo of Handala, an Iran-linked hacking group, displayed on their login pages. The attack targeted Stryker’s Microsoft environment, and Handala claimed to have exploited Microsoft Intune to remotely wipe more than 200,000 devices across seventy-nine countries.
The group stated the operation was retaliation for a missile strike on a school in Minab, Iran. Stryker filed an 8-K with the SEC on 23 March confirming the incident was contained, but the implications are profound. This was not espionage. This was destructive retaliation against civilian infrastructure—a medical device company—executed through compromised enterprise management systems.
CISA has since flagged rising threats to endpoint management systems, urging organisations to recognise that the tools designed to defend networks are often their weakest link. Edge devices, routers, firewalls, VPN gateways—critical yet frequently neglected—have become prime targets.
The targeting patterns in this conflict are instructive for every organisation. Sectors facing elevated exposure include energy and utilities, financial services (particularly institutions with Middle Eastern operations), aerospace and defence, healthcare, cloud and telecommunications infrastructure, and critical national infrastructure broadly—including water utilities, where pro-Iranian groups have claimed access to operational control systems.
The Institutional Response
On 23 March, the State Department formally launched the Bureau of Emerging Threats, a unit designed to combat cyberattacks, AI weaponisation, space threats, and other advanced challenges from adversaries including Iran, China, Russia, and North Korea. The bureau comprises five divisions: the Office of Cybersecurity, the Office of Critical Infrastructure Security, the Office of Disruptive Technology, the Office of Space Security, and the Office of Threat Assessment.
The timing is significant. This represents a shift toward anticipatory rather than reactive diplomacy—recognition that emerging technologies are now central to the modern arms race. The bureau reports to the Under Secretary for Arms Control and International Security, signalling that bits, bytes, and orbital assets are now viewed as equivalent to conventional weapons in strategic importance.
However, the domestic cyber defence posture presents challenges. CISA has lost staffers focused on regional outreach, infrastructure security, and strategic planning. The Critical Infrastructure Partnership Advisory Council has been shuttered. Funding for the Multi-State Information Sharing and Analysis Center has been eliminated. Schools, hospitals, and state governments report a stark difference in the availability of CISA services.
The irony is acute: at the precise moment when state-aligned cyber threats are escalating, the mechanisms needed to support critical infrastructure partners have been hollowed out. The essential question for 2026 is whether institutional capacity can be rebuilt faster than threat actors can exploit the gaps.
Agentic AI: The Threat Multiplier Arrives
While the Iran conflict dominates headlines, a parallel transformation is reshaping the threat landscape at a structural level. Agentic AI—autonomous systems capable of planning, deciding, and executing multi-step actions toward specific goals—has moved from research prototype to operational deployment on both sides of the adversarial divide.
Unlike generative AI, which requires human prompting, agentic AI can orchestrate autonomous attack chains. It automates reconnaissance, phishing generation, credential testing, and infrastructure rotation without direct human control. This dramatically lowers the cost of experimentation and increases the speed of exploitation.
Barracuda Networks documented an agentic-style AI attack targeting FortiGate firewalls in February, where autonomous agents gained access and conducted reconnaissance on victim networks. Flashpoint’s 2026 Global Threat Intelligence Report identifies agentic AI operationalisation as one of four converging forces reshaping the global threat landscape, alongside identity as the primary exploit vector, compression of the exploitation window, and the continued blurring between cybercrime and nation-state operations.
For defenders, agentic AI represents both threat and opportunity. EY’s Cybersecurity Roadmap Study found that 96% of senior security leaders view AI-enabled attacks as a significant threat, with 48% estimating that AI-powered attacks were behind incidents their organisation experienced in the past year. Yet 97% also agree their competitive advantage will be directly tied to the maturity of their agentic AI cybersecurity defences.
The number of security leaders expecting agentic AI to largely run key functions is set to double within two years: APT detection rising from 30% to 62%, real-time fraud detection from 32% to 58%, and identity and access management from 23% to 51%. The AI arms race has moved from prediction to operational reality.
The Ransomware Ecosystem Adapts
Ransomware groups made less money in 2025 despite a 47% increase in publicly reported attacks. This declining profitability is driving tactical evolution that organisations should prepare for in 2026.
First, ransomware-as-a-service operations are bundling DDoS capabilities to increase pressure on victims. The newly formed Chaos ransomware group exemplifies this trend, providing DDoS capabilities to all affiliates. When encryption alone doesn’t yield payment, sustained service disruption becomes an additional lever.
Second, insider recruitment is accelerating. There has been a notable increase in ransomware groups working with native English speakers to recruit corporate insiders. If workforce reductions at major companies persist, this trend will intensify. The most public example came when a ransomware group attempted to recruit a BBC reporter, but this represents only the visible tip of a much larger phenomenon.
Third, the ransomware ecosystem is globalising. Recorded Future predicts 2026 will mark the first year that new ransomware actors operating outside Russia outnumber those within it. This doesn’t indicate a decline in Russian-based operations—it reflects how dramatically the global ecosystem has expanded.
March’s most active groups include DragonForce and World_Leaks, each responsible for multiple daily compromises, followed by Akira and Qilin. The primary targets remain the professional services and manufacturing sectors, with the United States experiencing the majority of reported compromises.
Critical Vulnerabilities: March 2026
The exploitation window continues to compress, with mass exploitation of zero-day vulnerabilities occurring in as little as twenty-four hours after disclosure. Key vulnerabilities demanding immediate attention this month include:
BeyondTrust Remote Support (CVE-2026-1731): A pre-authentication remote code execution flaw actively exploited in ransomware campaigns. The speed at which this vulnerability moved from disclosure to active exploitation—less than two weeks—demonstrates that patch windows are continuing to shrink. Organisations running self-hosted BeyondTrust deployments that didn’t act within days should treat this as a potential compromise scenario.
VMware Aria Operations (CVE-2026-22719): A command injection vulnerability rated CVSS 8.1, allowing unauthenticated attackers to execute arbitrary commands. CISA added this to the Known Exploited Vulnerabilities catalog and set a federal remediation deadline of 24 March.
Cisco Secure Firewall Management Center (CVE-2026-20131): A critical remote code execution flaw being actively exploited by the Interlock ransomware group since January. Amazon confirmed active exploitation on 18 March. This flaw allows unauthenticated attackers to execute arbitrary Java code with root privileges.
Microsoft SharePoint (CVE-2026-20963): A deserialization vulnerability allowing authorised attackers to execute code over a network. CISA set a remediation deadline of 21 March.
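To turn the CISA Known Exploited Vulnerabilities deadlines above into a repeatable daily check, here is an added example (not code from this report, from CISA, or from any vendor) that reads a KEV-style JSON feed, matches entries against a simple asset inventory, and ranks what is overdue against an internal "days, not weeks" SLA. The feed records, the inventory, the dateAdded values, the BeyondTrust due date and the seven-day SLA are all constructed assumptions; only the CVE IDs and the two CISA due dates (21 and 24 March) come from the report.

```python
import json
from datetime import date, timedelta

# Constructed sample in the layout of CISA's KEV JSON feed. Only the CVE IDs and
# the 21/24 March due dates come from the report; dateAdded values, the
# BeyondTrust due date and the ransomware flags are placeholders for the example.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-22719", "vendorProject": "VMware", "product": "Aria Operations",
     "dateAdded": "2026-03-10", "dueDate": "2026-03-24", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-20963", "vendorProject": "Microsoft", "product": "SharePoint",
     "dateAdded": "2026-03-07", "dueDate": "2026-03-21", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-1731", "vendorProject": "BeyondTrust", "product": "Remote Support",
     "dateAdded": "2026-02-20", "dueDate": "2026-03-06", "knownRansomwareCampaignUse": "Known"},
]})

# Constructed inventory: (vendor, product) -> hosts this organisation actually runs.
INVENTORY = {
    ("VMware", "Aria Operations"): ["aria-ops-01"],
    ("BeyondTrust", "Remote Support"): ["brs-gw-01", "brs-gw-02"],
}

# Assumed internal SLA measured from the KEV dateAdded; deliberately tighter
# than the federal due date, in line with the report's "days, not weeks" point.
INTERNAL_SLA_DAYS = 7


def triage(kev_json: str, inventory: dict, today: date, sla_days: int = INTERNAL_SLA_DAYS) -> list:
    """Return one finding per KEV entry present in the inventory, most urgent first."""
    findings = []
    for v in json.loads(kev_json)["vulnerabilities"]:
        hosts = inventory.get((v["vendorProject"], v["product"]))
        if not hosts:
            continue  # not deployed here, nothing to patch
        added = date.fromisoformat(v["dateAdded"])
        cisa_due = date.fromisoformat(v["dueDate"])
        internal_overdue = today > added + timedelta(days=sla_days)
        ransomware = v.get("knownRansomwareCampaignUse") == "Known"
        findings.append({
            "cve": v["cveID"],
            "hosts": hosts,
            "days_to_cisa_due": (cisa_due - today).days,   # negative means past the federal deadline
            "internal_overdue": internal_overdue,
            "ransomware": ransomware,
            # Late on a flaw already used by ransomware crews: investigate for compromise, not just patch.
            "action": "assume-compromise" if ransomware and internal_overdue else "patch",
        })
    # Ransomware-linked entries first, then by how close the federal deadline is.
    findings.sort(key=lambda f: (not f["ransomware"], f["days_to_cisa_due"]))
    return findings
```

Run against a real KEV download by replacing KEV_SAMPLE with the feed contents and INVENTORY with your CMDB export.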
The Tycoon 2FA takedown in early March—a coordinated disruption involving Proofpoint, Microsoft, Europol, and international law enforcement that seized 330 control panel domains—represents positive momentum. However, adversary-in-the-middle phishing-as-a-service platforms remain prolific, and organisations should not assume the ecosystem has been permanently degraded.
Strategic Imperatives for Q2 2026
The convergence of kinetic conflict, agentic AI operationalisation, and persistent ransomware activity creates a threat environment that demands immediate executive attention:
Assume targeting is opportunistic, not strategic. Organisations with no direct connection to the Iran conflict are being hit simply because they present opportunity. Sector, geography, and political alignment matter less than vulnerability. If you’re accessible, you’re a target.
Audit endpoint management and edge infrastructure immediately. The Stryker incident demonstrates that enterprise management systems are now prime targets. Intune, SCCM, VPN concentrators, firewalls—these tools carry elevated privileges and wide network access. A single vulnerability hands attackers a skeleton key.
Compress patch cycles to days, not weeks. The exploitation window for critical vulnerabilities has collapsed to under two weeks in many cases. If your vulnerability management programme operates on monthly cycles, you are already behind adversary timelines.
Prepare for agentic threats. Traditional security tools were built to detect anomalies in human behaviour. An agent that executes perfectly ten thousand times in sequence looks normal to these systems—but that agent might be executing an attacker’s will. Behaviour-based detection and strong identity controls remain effective, but must be applied consistently.
Treat supply chain risk as operational risk. The more robust technical perimeters become, the more attractive human targets and third-party relationships become. Your security posture is ultimately defined by the weakest link in your supply chain.
Looking Ahead
March 2026 will be remembered as the month cyber warfare became inseparable from kinetic conflict at scale. The Iran campaign demonstrated capabilities that should concern every organisation: real-time intelligence from compromised civilian infrastructure, weaponised consumer applications, and destructive attacks against healthcare companies executed as retaliation for military strikes.
The State Department’s Bureau of Emerging Threats signals institutional recognition that emerging technologies are now weapons of statecraft. Whether that recognition translates to operational capability fast enough to counter accelerating threats remains an open question.
For security leaders, the imperative is clear: the threat environment has changed. Geopolitical conflict now directly affects organisations that considered themselves outside the blast radius. The defenders who thrive in 2026 will be those who recognise that assumption and act accordingly.
The parallel wars—kinetic and digital—are now one.
Samuel Odekunle is Managing Partner at MustardTree Partners, specialising in cybersecurity strategy, identity and access management, and digital transformation.
State of Security is published monthly. Subscribe for the latest analysis on the evolving threat landscape.