[FORECAST] Iran Cyber Is Active. The Evidence Bar Is Harder.
The forecast is stubborn.
Iran-linked PLC activity is real. The harder part is proof: numbers, attribution, novelty.
Noise is not qualification.
We’re revising the Akira hospital disruption forecast down to 2%. The risk is real, but the question is narrower than it looks.
“Secure by default” sounds great until it meets BYOD, VDI, federated SSO, and the help desk exception list from hell.
Device-bound sessions help.
Waiting for every SaaS vendor to flip the default is not a strategy.
Iran-linked cyber activity is not the part defenders should hand-wave.
The part to distrust is the scoreboard.
Every nuisance claim wants to dress up as “critical infrastructure impact.” The evidence bar still matters.
Everyone loves a “trusted app” until it turns into a long-lived permission slip with better branding.
The platform can stay technically unbroken and you still get cleaned out. That gap is the problem.
Everyone saw the PLC headline and immediately built their whole Iran take around exposed controllers. Cool. The nastier question is what happens when the next move comes through identity, admin planes, or some target class nobody staffed for.
Everyone’s hunting “AI attacks.” Meanwhile the ugly money is still in trusted pages, stolen sessions, and users politely pasting the command for them.