
How Geopolitical
Tension Can Spotlight
Latent Cyber Risks

Scott Walsh, March 13, 2026
As tensions escalate in the Middle East, many organizations are asking: What does this mean for our cyber risk?

Geopolitical conflict can act like a spotlight on existing cybersecurity gaps. In quieter times, a minor misconfiguration might go unnoticed in the background noise of the internet. But in times of heightened tension, those same gaps can become the primary filter attackers use to decide whom to target next.

Simple, exposed technologies can create outsized risk, potentially moving the organizations that host them to the front of a cyber attacker’s queue.

As Coalition continues to monitor the evolving threat environment, we’re sharing our observations on the actual reconnaissance patterns that threat actors are using to target organizations around the world.

Key insights

  • Quantifiable risk: Coalition observed a one-day, 392,000-event surge in cyber attacker activity on February 18, 2026, signaling a heightened risk environment.

  • Geographic attack pressure: US honeypots were attacked over 2.5 times more than Canadian honeypots and roughly 5 times more than Australian honeypots during the week of February 16-22, 2026.

  • Targeted technologies: Remote Desktop Protocol (RDP) was the favored target of Iranian-origin scans after basic port discovery, which puts exposed RDP and other remote-access gateways such as VPNs at the front of the queue.

Below, we examine recent data from our global security scanning and honeypot infrastructure. You can also read our recent post on how infostealers may have opened the door to the recent cyber attack on the medical technology giant Stryker Corporation.

What our threat intelligence reveals

As the United States and allied forces deployed additional carrier groups and fighter aircraft to the Middle East in early 2026, Coalition recorded distinct changes in cyber scanning behavior originating from Iranian IP addresses.

Broad market guidance emphasizes an elevated likelihood of malicious cyber activity tied to nation-state objectives, including the potential targeting of financial institutions, water and energy providers, and other critical infrastructure. There’s also the risk of global spillover, where organizations with no physical footprint in the Middle East can still be impacted via shared cloud services, SaaS platforms, and international supply chains.

While we acknowledge and remain aligned with this guidance, our live telemetry allows us to layer in granularity and prioritization. Based on our observations of which geographies are under disproportionate scanning pressure and which technologies are actively being probed, we can translate our findings into targeted, data-driven recommendations for our policyholders and weigh them appropriately in our underwriting and alerting models.

Figure: Daily outbound scans from Iranian IP space, observed by Coalition honeypots, between February 1 and March 3, 2026.

A surge in outbound scanning

On February 18, we observed a clear spike in outbound scanning when our honeypots recorded roughly 392,000 events from Iranian IP space in a single day.

This pattern closely resembles previous reconnaissance waves, such as the initial BlueKeep (CVE-2019-0708) scanning surge. It indicates a broad data-gathering phase in which attackers enumerate as many internet-facing assets as possible to build a target list for later exploitation. Because raw honeypot counts depend on how many sensors are deployed and where, the meaningful signal is the change relative to the preceding baseline rather than the absolute number.

Figure: Aggregate outbound Iranian-origin scans by target country between February 1 and March 3, 2026.

Comparing scans by target country

Early in the observation window, Canada and the US saw similar volumes of Iranian‑origin scans. Given the two countries’ vastly different digital footprints, this warranted deeper investigation.

Figure: Iranian-origin scan volume by week between February 1 and March 3, 2026.

Examining Iranian-origin scanning on a weekly basis showed a more concentrated version of the data. The spike in the week of February 16-22, 2026, coincided with the military build-up of a second carrier group and fighter jets being staged in the Middle East.

During that week, the distribution of scans by country was much more skewed.

Figure: Iranian-origin scan volume by country during the week of February 16-22, 2026.

During the peak week of February 16-22, 2026, US honeypots experienced substantially more Iranian-origin scans than other countries. US honeypots were under more than 2.5 times the attack pressure of Canadian honeypots and roughly 5 times that of Australian honeypots.

For organizations with infrastructure concentrated in these regions, this doesn’t just change the volume of noise they see; it changes the probability that a latent misconfiguration becomes the focal point of a real cyber attack campaign.

Targeted technologies

Coalition’s honeypots do more than just count the “pings.” They capture the specific payloads and intent behind the scanning traffic. One caveat applies throughout this post: “Iranian-origin” means traffic whose source addresses geolocate to Iranian IP space. Source IP geolocation tells you where traffic enters the internet, not who is behind it, since proxies, VPN exits, and compromised hosts can all sit in that address space. With that in mind, when we analyzed the technologies under reconnaissance from Iranian IP space, a clear tactical hierarchy emerged.

Figure: Technologies under reconnaissance from Iranian IP space during the week of February 16-22, 2026.

Our data suggests three clear trends:

  1. Mass discovery (TCP_SYN): The overwhelming majority of the scanning activity was basic port discovery. By sending bare SYN packets, attackers are “knocking on doors” across the entire internet to see which ones answer. This is the widest part of the funnel: it identifies any system that is reachable from the public internet, before any service is identified or exploited.

  2. Access probing (RDP_SCANNER): Remote Desktop Protocol (RDP) was the clear second-place scan priority and the primary focus for potential intrusion. Once a host answered on an open port, scanners followed up with RDP connection attempts to find workstations or servers that could be reached directly, the precursor to credential brute forcing or exploitation of the RDP service itself.

  3. Application probing (HTTP_SCANNER): Web services were a distant third. While web vulnerabilities are common, the data suggests that the actors behind this scanning prioritized direct system access over the more complex process of finding exploitable web applications.
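The surge detection described in the scanning section above and the three-way classification just listed, as an added example (this is not Coalition's honeypot code). The event fields, the surge threshold, the RDP and HTTP payload signatures used to classify hits, and every sample event are assumptions or constructed data; the only external facts used are that an RDP connection opens with a TPKT header (version byte 0x03) carrying an X.224 Connection Request (TPDU code 0xE0), and that HTTP requests start with a method token.

```python
"""Classify honeypot hits and flag reconnaissance surges.

Added example, not Coalition's honeypot code. Event fields, the spike
threshold, and every sample event below are assumptions or constructed data.
"""
from collections import Counter
from datetime import date, timedelta
from statistics import median

SURGE_DAY = date(2026, 2, 18)                       # constructed surge day
PEAK_WEEK = (date(2026, 2, 16), date(2026, 2, 22))  # week examined in the post

# Minimal RDP handshake opener: TPKT (03 00 00 13) + X.224 CR (0e e0 ...)
RDP_CR = bytes([0x03, 0x00, 0x00, 0x13, 0x0E, 0xE0]) + b"\x00" * 13


def classify(dst_port: int, tcp_flags: str, payload: bytes) -> str:
    """Map one honeypot hit to the coarse categories used in the post.

    TCP_SYN: a bare SYN with no payload (port discovery).
    RDP_SCANNER: a hit on 3389 whose first bytes are a TPKT header (version 3)
      carrying an X.224 Connection Request (TPDU code 0xE0).
    HTTP_SCANNER: a payload that begins with an HTTP request method.
    """
    if tcp_flags == "S" and not payload:
        return "TCP_SYN"
    if dst_port == 3389 and len(payload) >= 6 and payload[0] == 0x03 and payload[5] == 0xE0:
        return "RDP_SCANNER"
    if payload.split(b" ", 1)[0] in {b"GET", b"POST", b"HEAD", b"OPTIONS"}:
        return "HTTP_SCANNER"
    return "OTHER"


def build_sample_events() -> list[dict]:
    """Constructed telemetry for Feb 1 - Mar 3, 2026: quiet baseline, one surge day."""
    events = []
    start = date(2026, 2, 1)
    for offset in range(31):
        day = start + timedelta(days=offset)
        per_country = {"US": 4, "CA": 3, "AU": 2}
        if day == SURGE_DAY:
            per_country = {"US": 60, "CA": 20, "AU": 10}
        for country, n in per_country.items():
            for i in range(n):
                if i % 10 == 9:       # occasional web probe
                    hit = dict(port=80, flags="PA", payload=b"GET / HTTP/1.1\r\n")
                elif i % 4 == 3:      # RDP handshake against a port found open
                    hit = dict(port=3389, flags="PA", payload=RDP_CR)
                else:                 # bare SYN discovery
                    hit = dict(port=3389 if i % 2 else 22, flags="S", payload=b"")
                events.append(dict(day=day, country=country, **hit))
    return events


def daily_counts(events) -> Counter:
    return Counter(e["day"] for e in events)


def surge_days(counts: Counter, factor: float = 5.0) -> list:
    """Days whose volume exceeds `factor` times the median of every other day.

    Comparing each day against the median of the rest keeps one huge day from
    inflating its own baseline, which a plain mean would do.
    """
    flagged = []
    for day, n in counts.items():
        others = [v for d, v in counts.items() if d != day]
        if others and n > factor * median(others):
            flagged.append(day)
    return sorted(flagged)


def in_window(events, start: date, end: date) -> list:
    return [e for e in events if start <= e["day"] <= end]


def pressure_by_country(events) -> Counter:
    return Counter(e["country"] for e in events)


def pressure_ratio(counts: Counter, country: str, reference: str) -> float:
    """How many times more hits `country` saw than `reference`."""
    return round(counts[country] / counts[reference], 2)


def category_counts(events) -> Counter:
    return Counter(classify(e["port"], e["flags"], e["payload"]) for e in events)


if __name__ == "__main__":
    evs = build_sample_events()
    print("surge days:", surge_days(daily_counts(evs)))
    week = in_window(evs, *PEAK_WEEK)
    by_country = pressure_by_country(week)
    print("US vs CA:", pressure_ratio(by_country, "US", "CA"),
          "US vs AU:", pressure_ratio(by_country, "US", "AU"))
    print("categories:", category_counts(week).most_common())
```

The factor-times-median rule is deliberately crude; on real telemetry you would normalize by the number of active sensors per day and per country before comparing, otherwise adding honeypots looks like a surge.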

For cyber defenders, this reinforces a familiar reality: Simple, exposed technologies create outsized risk during periods of geopolitical tension. Organizations with publicly accessible RDP, poorly configured VPNs, or legacy remote access solutions are far more likely to move to the front of a cyber attacker’s attack queue.

Practical steps to take right now

As conflict continues to unfold, organizations should prioritize the following:

1. Harden remote access and internet‑facing systems

  • Enforce mandatory multi‑factor authentication (MFA) for remote access, email, admin accounts, and cloud services.

  • Eliminate exposed RDP wherever possible. Where it must exist, restrict it behind VPNs or zero‑trust access and monitor it closely.

  • Prioritize patching and configuration reviews for VPNs, web applications, and email gateways.

  • If possible, transition away from SSL VPNs and toward zero trust network access (ZTNA), which enforces least privilege per application rather than granting network-level reachability. Users and devices get access only to the applications they’re authorized for, nothing more. That means that even if an attacker steals or brute-forces a credential or bypasses MFA, the impact of that compromise can be sharply constrained because the attacker gains a single application rather than a network segment to pivot through.
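The "eliminate exposed RDP, and where it must exist restrict it" step above, as an added example that is not Coalition's or any cloud provider's tooling: it audits a security group for remote-access ports reachable from the whole internet and emits a copy of the group in which those sources are swapped for a trusted VPN range. The rule layout mirrors the `IpPermissions` structure returned by the EC2 `describe-security-groups` call; the group ID, the CIDRs, the trusted VPN range, and the inclusion of SSH and VNC alongside RDP are all assumptions.

```python
"""Find remote-access ports open to the world in a security group and emit a
restricted replacement.

Added example, not Coalition's or any cloud provider's tooling. The rule
layout mirrors the IpPermissions structure returned by EC2
describe-security-groups; the group ID, CIDRs and trusted range are hypothetical.
"""
import ipaddress
from copy import deepcopy

# RDP is the port the post singles out; SSH and VNC are added as the same
# class of "direct system access" (assumption).
REMOTE_ACCESS_PORTS = {3389: "RDP", 22: "SSH", 5900: "VNC"}

# Hypothetical VPN / ZTNA egress range that is allowed to reach RDP.
TRUSTED_CIDRS = ["10.8.0.0/24"]

SAMPLE_GROUP = {  # constructed
    "GroupId": "sg-0123456789abcdef0",  # hypothetical
    "IpPermissions": [
        # Public HTTPS: world-open on purpose, must be left alone.
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # RDP from anywhere (v4 and v6) plus one office range: the finding.
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "203.0.113.0/24"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        # A port range that covers 3389 but only from a fixed partner range.
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []},
    ],
}


def is_world_open(cidr: str) -> bool:
    """0.0.0.0/0 and ::/0 (prefix length 0) mean 'the whole internet'."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def remote_access_ports(perm: dict) -> dict:
    """Remote-access ports a single permission entry reaches."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                        # all traffic, every port
        return dict(REMOTE_ACCESS_PORTS)
    if proto != "tcp":
        return {}
    lo, hi = perm["FromPort"], perm["ToPort"]
    return {p: n for p, n in REMOTE_ACCESS_PORTS.items() if lo <= p <= hi}


def _sources(perm: dict) -> list:
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def audit(group: dict) -> list:
    """(group id, port, service, source) for every world-open remote-access rule."""
    findings = []
    for perm in group["IpPermissions"]:
        ports = remote_access_ports(perm)
        if not ports:
            continue
        for cidr in _sources(perm):
            if is_world_open(cidr):
                for port, name in sorted(ports.items()):
                    findings.append((group["GroupId"], port, name, cidr))
    return findings


def restrict(group: dict, trusted: list) -> dict:
    """Copy of `group` where world-open sources on remote-access rules are
    replaced by the trusted ranges. Rules that do not reach a remote-access
    port are left untouched, so the public HTTPS rule survives.
    """
    fixed = deepcopy(group)
    v4 = [c for c in trusted if ipaddress.ip_network(c).version == 4]
    v6 = [c for c in trusted if ipaddress.ip_network(c).version == 6]
    for perm in fixed["IpPermissions"]:
        if not remote_access_ports(perm):
            continue
        for key, field, allowed in (("IpRanges", "CidrIp", v4),
                                    ("Ipv6Ranges", "CidrIpv6", v6)):
            ranges = perm.get(key, [])
            kept = [r for r in ranges if not is_world_open(r[field])]
            if len(kept) != len(ranges):          # something world-open was dropped
                present = {r[field] for r in kept}
                kept += [{field: c} for c in allowed if c not in present]
            perm[key] = kept                      # no v6 trusted range -> v6 closed
    return fixed


if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUP):
        print("EXPOSED", finding)
    hardened = restrict(SAMPLE_GROUP, TRUSTED_CIDRS)
    print("after:", audit(hardened) or "no world-open remote access")
```

In practice the input would come from `ec2.describe_security_groups()` in boto3 and the change would be applied with `revoke_security_group_ingress` followed by `authorize_security_group_ingress`; a rule with protocol `-1` from `0.0.0.0/0` is restricted wholesale here, which is the safe default but may need a manual split if that rule was also carrying public traffic.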

2. Elevate monitoring and threat awareness

  • Increase monitoring of logs and alerts on internet‑facing systems, including spikes in failed logins, unusual geolocations, and anomalous traffic.

  • Provide targeted awareness to employees about phishing, vishing, and social engineering attempts that may leverage the conflict as a lure.

  • Use cyber risk management platforms, like Coalition Control®, to highlight which specific assets to fix first based on live data.

3. Test incident response and business continuity plans

  • Run tabletop exercises focused on destructive malware, distributed denial-of-service (DDoS), and operational disruption, including impacts on key vendors and supply-chain partners.

  • Confirm 24/7 contact details for IT, security, legal, communications, critical vendors, and cyber insurance providers. Keep offline copies of those details and asset inventories.

4. Map and stress‑test dependencies

  • Review third‑party and supply-chain exposures, particularly vendors with operations or key infrastructure dependencies in the Middle East.

  • Validate contractual security requirements and incident notification obligations with critical suppliers.

Looking ahead

The conflict in the Middle East is a stark reminder that geopolitics and cyber risk are deeply intertwined. Nation‑state adversaries will continue to use cyber operations to advance strategic goals, and the impact will not be limited to organizations with a physical presence in the region.

Coalition was built on the premise that managing cyber risk requires a fundamentally different model than insurance alone. By combining data and risk insights, security, and insurance, we help organizations see how their exposure is changing in near real-time and act quickly to help policyholders harden what matters most, especially as global cyber risk becomes more volatile.

As the conflict evolves, we’ll continue to monitor our data, update our risk models, and share practical guidance with brokers and policyholders so they can stay resilient in a world where conflict increasingly plays out across networks, as well as borders.


Copyright © 2026. All rights reserved. Coalition, Coalition Control and the Coalition logo are trademarks of Coalition, Inc.

Tags: Active Insurance, Cyber Threats, Data & Insights
