What’s Causing Mike’s Indigestion Now? When the Cloud Goes Boom (March 12, 2026)
There’s something quietly therapeutic about watching Harrison Ford stumble through grief, bad decisions, and genuine human connection on Shrinking. It’s a show about people doing the hard work of not running from their problems, and in 2026 that feels both aspirational and instructional. Because looking at the news this week, I’m watching a lot of institutions that have been running from (or ignoring) their problems for a long time. The bill is coming due, and they are expecting us to float them some money.
The Middle East Was Always a Cyber War. We Just Made It Louder.
Here’s what I think most of us in security already sensed was coming, even if we didn’t know the specific shape of it: the slow-burn cyber conflict with Iran was always going to get louder when the kinetic fighting started. And it did.
On February 28, U.S. and Israeli forces launched coordinated strikes on Iranian targets. In the days that followed, drone strikes physically hit AWS data centers in the UAE, with a third facility in Bahrain damaged by debris from a nearby strike. The IRGC claimed responsibility, saying the attacks were aimed at identifying the role of those centers in supporting enemy military and intelligence activities. (Euronews) As of this writing, several Amazon services remain unavailable or disrupted for customers in the UAE and Bahrain. (Euronews)
I don’t think any of us had “cloud data centers as kinetic military targets” at the top of our 2026 bingo cards. But in hindsight, it shouldn’t be shocking. Data centers power AI capabilities, they support military logistics, and they’re physical buildings. They can burn.
The bigger question this raises for most of us isn’t “what happened in the Middle East” - it’s “what did I assume about cloud resilience that this just proved wrong?” Most business continuity plans were designed around power outages, natural disasters, maybe a ransomware incident. I don’t think many of them were stress-tested against the scenario where a meaningful chunk of a region’s cloud infrastructure goes dark because of military action. If a single weekend of conflict can physically destroy cloud infrastructure, trigger hundreds of cyberattacks, and sever an entire country from the internet, the assumptions underneath your organization’s data retention policies and business continuity plans deserve a hard look. (ComplexDiscovery) I would say I am shocked that the aggressors didn’t account for this, but I would be lying. Consequences and the impact to the US’s reputation, the global economy, energy prices, exacerbated humanitarian plights & loss of life, or world order seem to be complete afterthoughts to the current decision makers.
What about the cyber side?
Here’s what the picture looks like right now, with the caveat that things are still moving fast and anyone who sounds totally certain is probably oversimplifying.
CrowdStrike has not observed large-scale state-sponsored cyber campaigns yet, but is seeing a surge in claimed activity from both pro-West and Iran-aligned hacktivist groups, including assertions of denial-of-service operations, defacements, and alleged interference across targets in the Middle East, the U.S., and parts of Asia. (Security Weekly) A lot of that activity is loud and claim-driven. Take it with a bucket of salt. Iran has historically had mixed results with disruptive cyberattacks and frequently exaggerates their effects for psychological impact. (Nextgov.com)
That said, the degradation of Iranian internet connectivity to 1-4% has likely hindered state-aligned actors in the short term, but may also push tactical autonomy to cells operating outside of Iran. (Cisco Talos) That’s the thing I keep thinking about: when the central command structure gets disrupted, you get less coordination but potentially more unpredictability from independent operators. The first few weeks of a conflict like this tend to be loud and noisy. The moves that actually hurt usually come later.
What can defenders actually do?
Check your cloud geography. Pull the list of workloads you have pinned to Middle East regions and understand which ones could be migrated versus which ones are stuck due to data sovereignty rules. Don’t just know the answer in theory -- actually test the migration for something non-critical.
Watch for what comes after the noise. The current DDoS and defacement wave is largely opportunistic. The more concerning pattern to watch for is credential harvesting, identity infrastructure targeting, or any probing of operational technology environments.
MFA everywhere that matters. Iran-linked actors have a long history of leading with credential theft - password spraying, targeted phishing, supply chain access. If you haven’t enforced phishing-resistant MFA on remote access and privileged accounts, that’s the highest-return move available right now.
Check on your people in affected regions. If you have employees, contractors, or managed service providers in the UAE, Bahrain, or Jordan, verify they can actually function. Your incident response plan may assume key people can reach their workplaces. That assumption deserves a check.
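As an added example (not part of the original post): one way to run the cloud-geography check above offline, over an exported resource inventory. The `data-residency` and `criticality` tag keys, the account ID and the resource names are assumptions; `me-south-1` and `me-central-1` are the AWS region codes for Bahrain and the UAE.

```python
from collections import defaultdict

# AWS region codes for the two locations the post names.
MIDDLE_EAST_REGIONS = {"me-south-1": "Bahrain", "me-central-1": "UAE"}
ACCT = "111122223333"  # placeholder account ID

# Constructed inventory of (ARN, tags) pairs, as you might export from a tagging
# or asset-inventory tool. Tag keys and resource names are assumptions.
SAMPLE_INVENTORY = [
    (f"arn:aws:ec2:me-central-1:{ACCT}:instance/i-0aaa",
     {"data-residency": "AE", "criticality": "high"}),
    (f"arn:aws:rds:me-south-1:{ACCT}:db:reports",
     {"data-residency": "none", "criticality": "low"}),
    (f"arn:aws:lambda:me-south-1:{ACCT}:function:thumbs",
     {"data-residency": "none", "criticality": "high"}),
    (f"arn:aws:ec2:me-central-1:{ACCT}:instance/i-0bbb", {}),  # untagged
    (f"arn:aws:ec2:eu-west-1:{ACCT}:instance/i-0ccc", {"criticality": "low"}),
    ("arn:aws:s3:::example-archive", {"data-residency": "BH"}),  # no region in ARN
]

def region_of(arn):
    """Region field of an ARN, or None when it is empty or the ARN is malformed."""
    parts = arn.split(":", 5)
    return (parts[3] or None) if len(parts) == 6 and parts[0] == "arn" else None

def classify(inventory):
    """Bucket Middle East workloads as pinned, movable or unknown."""
    report = defaultdict(list)
    for arn, tags in inventory:
        if region_of(arn) not in MIDDLE_EAST_REGIONS:
            continue  # S3 bucket ARNs carry no region: check those separately
        residency = tags.get("data-residency")
        if residency is None:
            bucket = "unknown"   # untagged: an owner has to decide
        elif residency.lower() == "none":
            bucket = "movable"
        else:
            bucket = "pinned"    # sovereignty rule keeps it in-country
        report[bucket].append(arn)
    return dict(report)

def drill_candidates(inventory):
    """Movable, low-criticality workloads: targets for a test migration."""
    movable = set(classify(inventory).get("movable", []))
    return [arn for arn, tags in inventory
            if arn in movable and tags.get("criticality") == "low"]

if __name__ == "__main__":
    print(classify(SAMPLE_INVENTORY), drill_candidates(SAMPLE_INVENTORY))
```

The "unknown" bucket is the one to chase first: an untagged workload in an affected region has no migration answer at all, not even a theoretical one.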
Learn more: Sophos Cyber Advisory on U.S.-Israel-Iran Escalation | ZeroDayClock (live exploit timeline tracker) | Cisco Talos advisory on developing situation in the Middle East.
Things I’m Keeping an Eye On
The White House dropped a new Cyber Strategy last Friday, and offense is front and center. The seven-page document places offensive cyber operations at the center of U.S. policy, with a push to deregulate industry and use AI to accelerate defense - a significant shift from past approaches. (National Today) I find myself genuinely uncertain how to read the deregulatory piece alongside the “go on offense” piece. Those two things can coexist, but they require real discipline to not let one undermine the other. (Dark Reading)
APT36 is now vibe-coding their malware, and it’s both less scary and more interesting than it sounds. Bitdefender’s research on the Pakistan-based group Transparent Tribe shows them using AI to churn out disposable malware in niche languages like Nim and Zig. The code quality is often embarrassing -- one sample shipped with a placeholder where the C2 URL should have been, meaning it could never actually steal anything. But the point isn’t sophistication. The strategy is to overwhelm defenders through volume rather than bypass security through technical brilliance - a kind of distributed denial of detection. (Bitdefender) As someone who’s been experimenting with vibe-coding myself to prototype ideas, I find this one personally thought-provoking. (Bitdefender)
Talos has a good read on agentic AI and the threat models that come with it. The piece walks through what it looks like when AI agents get deployed offensively -- and the scenario that stuck with me is a fully autonomous agent given a specific objective that uses local inference and only contacts the backend when the task is done, minimizing the network traffic defenders would normally use to detect it. (Talos Intelligence) We’re early here, but it’s worth starting to think about. (Talos Intel)
ZeroDayClock is worth a bookmark. It’s a live dashboard tracking how fast the window between a vulnerability being published and it being actively exploited is shrinking. The data has caveats they’re upfront about, but the direction of the trend is not reassuring. Worth keeping an eye on as a gut-check for your patching timelines. (zerodayclock.com)
What I’m Learning This Week
Finishing up FOR578, and I’ll just say: Robert Lee and Rebekah Brown built something that genuinely surprised me. I thought I knew CTI. Turns out I knew about CTI the way someone knows about surgery because they’ve watched a lot of medical dramas. The nuance in what it actually means to produce finished intelligence - with real confidence levels and analytic rigor -- is something I’m already reworking into how I approach everything. More on this soon.
Closing
Shrinking works because the characters eventually stop pretending the hard thing isn’t the hard thing. They sit with what’s actually in front of them. Looking at this week - missiles hitting cloud infrastructure, a conflict whose shape was visible for a long time, AI tools getting used offensively before we’ve figured out how to defend against them -- I think that’s the right posture for all of us right now. Not panic. Just honesty about what we’re looking at.
Stay vigilant, folks.



