Sci-Tech Lessons and New Revelations for a Datafied Battlespace
A forensic examination of AI-enabled targeting, integrated air and missile defence, fibre-optic drone warfare, offensive cyber operations — and the structural vulnerabilities every engineer and infrastructure planner must now reckon with.
The joint US–Israeli campaign against Iran that opened on 28 February 2026, and the ongoing Iranian missile-and-drone retaliation that has followed, have transformed the conflict into the most consequential live laboratory for advanced military technology since the Falklands War redefined maritime air defence in 1982. For the science and technology community, and for engineers working across defence, telecom, digital infrastructure and industrial control systems, the developments of the past six weeks contain lessons of immediate operational relevance.
This report synthesises and, in one significant respect, corrects the earlier NSH coverage of this conflict. The most important developments since NSH’s initial Datafied Battlespace package are: a forensically important correction to the attribution of Iran’s internet blackout; hard quantitative data on missile-defence performance and interceptor depletion from the Jewish Institute for National Security of America (JINSA); the rapid emergence of fibre-optic first-person-view (FPV) drones in Iran-aligned proxy arsenals; an escalated offensive cyber campaign coordinated across more than sixty state-linked and hacktivist groups; and the accelerated development of AI-assisted interceptors and directed-energy systems in response to the mounting cost-exchange crisis in air defence.
Each of these developments exposes structural weaknesses — in smart-city surveillance, regional air-defence economics, centralised internet architectures, and industrial and financial cyber-security — that Indian planners, engineers and infrastructure operators must urgently study.
Background · Conflict Overview
1. The 2026 Phase of the Conflict
The immediate trigger for the 2026 war was a large-scale US–Israeli strike package that began on 28 February 2026, targeting Iranian leadership compounds, air-defence networks, missile and drone production infrastructure, and command-and-control nodes under US codenames including Operation Epic Fury. Open-source battle-damage assessments indicate that these strikes severely degraded Iranian long-range air defences and portions of its missile and drone infrastructure within the opening seventy-two hours, temporarily granting allied air superiority over key strategic regions.
Iran’s response has been sustained and multi-directional. Waves of ballistic missiles and Shahed-series loitering munitions have been launched not only against Israel but across the Gulf, with Bahrain, Kuwait, Qatar, Saudi Arabia and the UAE all reporting engagement of inbound threats across multiple days in mid-March. The regional integrated air and missile defence (IAMD) network — combining Israeli Arrow, David’s Sling and Iron Dome with US Patriot and Aegis assets and Gulf interceptor batteries — has intercepted the majority of these projectiles, but not all. Confirmed impacts in southern Israel and isolated hits in Gulf states demonstrate that at the scale of Iranian salvo launches, even high interception rates produce significant consequences.
The character of this conflict has been defined not by a single decisive engagement but by the sustained interaction of competing technology stacks: AI-enabled targeting and battle management against air-defence saturation tactics; offensive cyber operations against resilient communications; precision standoff weapons against layered interception. What follows is a section-by-section examination of each domain.
Digital Infrastructure · Attribution Correction
2. Iran’s Internet Blackout: A Kill Switch, Not a Cyberattack
The record must be corrected here, plainly and without equivocation.
NSH’s earlier Datafied Battlespace report framed Iran’s near-total internet connectivity collapse on 28 February 2026 — when national traffic fell to approximately one to four percent of ordinary operational levels — as a paradigmatic demonstration of coordinated offensive cyber operations executed in synchronisation with kinetic strikes. That framing was a reasonable inference from the data available at the time of publication. It is not supported by the measurement data that has accumulated since.
2.1 What the Measurement Data Now Shows
Subsequent analysis by Cloudflare Radar, NetBlocks and independent BGP monitoring organisations, conducted over the days and weeks following the initial collapse, now indicates with high confidence that the 28 February blackout was overwhelmingly government-enforced rather than the result of foreign cyberattacks on Iran’s routing infrastructure.
The forensic signature of the event is decisive. BGP-visible reachability, HTTP traffic volumes and DNS resolution across all major Iranian regions fell simultaneously, sharply and in a geographically uniform pattern beginning around 07:00 UTC on 28 February. That pattern — orderly, simultaneous, complete — does not match the cascading, region-variable, partially recoverable signature of an external infrastructure attack. It matches, with high fidelity, the pattern of Iran’s own prior government-imposed shutdowns: the November 2019 fuel-price protest blackout and the September 2022 Mahsa Amini-era restrictions both produced comparable BGP withdrawal signatures, at lower depth, from the same state-owned backbone infrastructure.
The blackout was not done to Iran. It was done by Iran. The distinction is forensically precise and operationally important for every engineer assessing critical infrastructure risk.
As of mid-to-late March, connectivity remained at roughly one to two percent of normal levels — making this the longest and most severe state-imposed national internet shutdown on record. The record belongs to Tehran, not to Washington or Jerusalem.
TECHNICAL NOTE
The asymmetry between external attack and government-ordered shutdown is directly readable in BGP data. External attacks produce partial, region-variable withdrawal patterns as route updates propagate imperfectly through a distributed network topology. Government-ordered shutdowns, executed directly on state-owned backbone autonomous system infrastructure — Iran’s Telecommunication Infrastructure Company (TCI, AS12880) dominates national routing — produce near-instantaneous, geographically uniform withdrawal sequences. When Cloudflare Radar recorded the 07:00 UTC collapse on 28 February, the shape of the withdrawal curve was the attribution: controlled, simultaneous, complete.
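The shape test described in this note can be expressed as a small classifier over per-region traffic curves. The following is an added example, not code from NSH or from any measurement project; the thresholds, region names and sample series are assumptions constructed for illustration, and the labels describe curve shape only.

```python
"""Classify a connectivity collapse by the shape of its per-region traffic curves."""
from dataclasses import dataclass
from typing import Optional

# Assumed thresholds for illustration; not taken from any measurement project.
DROP_LEVEL = 0.5         # region is "down" once traffic falls below 50% of baseline
MAX_ONSET_SPREAD = 2     # samples between the first and last region going down
MAX_FLOOR_SPREAD = 0.05  # allowed difference between regional floor levels
REBOUND_MARGIN = 0.10    # rise above the floor that counts as partial recovery


@dataclass
class RegionProfile:
    region: str
    onset: Optional[int]  # index of the first sample below DROP_LEVEL
    floor: float          # lowest level reached from onset onward
    rebounded: bool       # traffic later climbed back above floor + margin


def profile_region(region, series):
    """Reduce one region's baseline-normalised series to onset, floor, rebound."""
    onset = next((i for i, v in enumerate(series) if v < DROP_LEVEL), None)
    if onset is None:
        return RegionProfile(region, None, min(series), False)
    after = series[onset:]
    floor = min(after)
    tail = after[after.index(floor):]
    return RegionProfile(region, onset, floor,
                         any(v > floor + REBOUND_MARGIN for v in tail))


def classify(traffic):
    """Return (label, profiles) for a {region: [fraction of baseline, ...]} map."""
    profiles = [profile_region(r, s) for r, s in sorted(traffic.items())]
    down = [p for p in profiles if p.onset is not None]
    if not down:
        return "no-collapse", profiles
    onset_spread = max(p.onset for p in down) - min(p.onset for p in down)
    floor_spread = max(p.floor for p in down) - min(p.floor for p in down)
    # Uniform withdrawal: every region drops, almost together, to the same
    # floor, and none of them recovers on its own.
    uniform = (len(down) == len(profiles)
               and onset_spread <= MAX_ONSET_SPREAD
               and floor_spread <= MAX_FLOOR_SPREAD
               and not any(p.rebounded for p in down))
    return ("uniform-withdrawal" if uniform else "region-variable"), profiles


# Constructed sample data: 5-minute samples, traffic as a fraction of baseline.
UNIFORM = {
    "region-a": [1.00, 0.98, 1.01, 0.03, 0.02, 0.02, 0.02, 0.02],
    "region-b": [0.99, 1.00, 0.97, 0.04, 0.02, 0.02, 0.03, 0.02],
    "region-c": [1.00, 1.02, 0.99, 0.60, 0.03, 0.02, 0.02, 0.02],
}
CASCADING = {
    "region-a": [1.00, 0.99, 0.45, 0.30, 0.20, 0.35, 0.55, 0.60],
    "region-b": [1.00, 1.00, 0.98, 0.97, 0.70, 0.40, 0.38, 0.36],
    "region-c": [1.00, 0.99, 1.00, 0.98, 0.97, 0.95, 0.96, 0.94],
}

if __name__ == "__main__":
    for name, data in (("UNIFORM", UNIFORM), ("CASCADING", CASCADING)):
        label, profiles = classify(data)
        print(name, "->", label)
        for p in profiles:
            print("   ", p)
```

In practice the input series would come from an independent measurement feed, and the thresholds would be tuned against known past events before the labels are trusted.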
2.2 What This Correction Does Not Change
The correction to the blackout’s attribution does not diminish the significance of the offensive cyber operations that undeniably accompanied the kinetic campaign. Foreign actors did compromise Iranian military networks, aviation systems, port-management infrastructure and banking platforms during the operational period. SCADA-level disruptions at power substations attributed to the Predatory Sparrow group, wiper-malware attacks on banking institutions including Sepah Bank, and the selective degradation of mobile base stations near the Pasteur Street compound described in NSH’s earlier technical reporting — these are separately documented, separately attributed, and remain accurate and analytically significant.
What changes is the attribution of national-scale internet unavailability. That responsibility returns to Tehran’s deliberate use of its own tightly centralised telecom architecture — the National Information Network design, with its limited international gateways, state-controlled backbone autonomous systems and small number of internet exchange points, was built precisely to enable this kind of kill-switch capability. It was also, as NSH’s earlier report correctly noted, an architecture that created a concentrated attack surface for foreign cyber operators. Both things are simultaneously true. The kill switch was Tehran’s. The attack surface it created is a gift to adversaries.
2.3 Design Imperatives for Indian Digital Infrastructure
For Indian engineers building out UPI, Aadhaar, the National Knowledge Network and state-level fibre backbones, the corrected Iranian case delivers a more specific and more demanding lesson than the original framing.
The risk model is not only that a foreign adversary might engineer a national blackout. It is that any highly centralised architecture with concentrated backbone ownership and limited international gateway diversity replicates the structural conditions that made Tehran’s kill switch so effective — against its own population under military pressure, and against foreign exploitation in less extreme circumstances. An architecture that can be shut down by its own government is, from a resilience engineering standpoint, an architecture that has failed its primary design requirement.
Three imperatives follow directly. First, multi-path diversity: connectivity across independent carriers with physically separate international gateway relationships is a national security requirement, not a cost optimisation decision. Second, independent measurement: regulatory and technical capacity to distinguish technical failures from deliberate policy interventions must be built before a crisis, not improvised during one. Third, satellite and LEO redundancy: Iran’s sustained GPS and Starlink jamming campaign since January 2026 demonstrates how quickly a government under military pressure can sever even external connectivity lifelines; legal enablement and technical protection of satellite-based backup connectivity for hospitals, banks and critical infrastructure is an urgent policy gap.
NSH PERSPECTIVE | The correction to our earlier blackout attribution sharpens rather than softens the case for infrastructure hardening. India’s digital infrastructure programmes — UPI, Aadhaar, the National Knowledge Network — deserve the same forensic scrutiny that the Iranian case has now provided at considerable cost. The engineering questions are not politically contentious; they are a specification for resilient architecture that NSH is well placed to convene.
Aerospace & Defence Technology · Air and Missile Defence
3. Missiles, Interceptors and the Eroding Shield: Hard Data from the 2025–26 Engagements
The qualitative picture of IAMD stress that NSH described in its earlier package can now be grounded in quantitative data from two sets of post-conflict analyses by the Jewish Institute for National Security of America (JINSA), released in February and March 2026.
3.1 Quantified Performance Data from the June 2025 Twelve-Day War
JINSA’s analysis of the June 13–24, 2025 conflict between Iran and the US–Israeli coalition provides the first fully documented, publicly available quantitative record of a long-range integrated air and missile defence engagement between non-contiguous states at operational scale.
Iran launched approximately 574 ballistic missiles toward Israel during the twelve-day engagement. Of these, 322 were assessed as threatening populated areas, military installations or critical infrastructure. Defenders intercepted 273 of the threatening missiles — an interception rate of approximately 85 percent against the threatening subset, and a much higher rate against the total salvo. The 49 missiles that were not intercepted produced confirmed impacts on Israeli territory. In parallel, Iran launched approximately 1,084 Shahed-series loitering munitions; defending systems reportedly engaged and neutralised approximately 99 percent of the drones they tracked.
Even a small leakage fraction at the scale of Iranian salvo launches produces significant consequences. JINSA documents at least 31 deaths and more than 3,000 injuries in Israel from medium-range ballistic missile hits in the June 2025 engagement alone.
These numbers, while representing a tactically impressive defensive performance, carry a structural warning: the 15 percent leakage rate against threatening ballistic missiles — representing 49 successful impacts — produced 31 deaths and over 3,000 injuries in what is one of the most densely defended territories on earth. The absolute performance is high; the residual risk at the scale of Iran’s salvo capacity is not negligible.
3.2 Interceptor Depletion and The Eroding Shield
JINSA’s March 2026 paper, The Eroding Shield, synthesises the June 2025 engagement data with the ongoing 2026 campaign to make an argument that should command serious attention from every nation operating or acquiring missile defence systems: regional air-defence stockpiles are being depleted faster than industrial bases can replenish them.
Israel reportedly informed the United States in March 2026 that it was running critically low on long-range ballistic missile interceptors. Washington officials indicated they had anticipated the shortage for months. Israel publicly denied the report, but within days approved approximately NIS 2.6 billion in emergency defence procurement — a sequence that, whatever the official denials, is more consistent with a real shortfall than with routine programme management.
The economic arithmetic underlying the depletion problem is straightforward and, for defenders, unfavourable. Kinetic interceptors for ballistic missile threats — Arrow-3, Patriot PAC-3 MSE — cost in the range of one to five million US dollars per round. The Iranian ballistic missiles they counter cost a fraction of that. Iran’s mass-produced Shahed-series drones cost an estimated twenty thousand dollars per unit or less. In any sustained exchange, the attacker benefits from a persistent cost-exchange asymmetry: each defensive round costs an order of magnitude more than the offensive round it destroys. Iran can adapt by adding decoys, cluster munitions and varying salvo compositions to increase the shot-doctrine burden on defenders and accelerate inventory burn.
TECHNICAL NOTE
The interceptor depletion problem is not simply a procurement or budgeting failure. It reflects a fundamental structural tension in kinetic missile defence: the unit cost of defence is constrained by the physics and engineering of exo-atmospheric interception — propulsion, seeker, kill-vehicle complexity — in ways that the unit cost of attack is not. A ballistic missile warhead does not need to discriminate, manoeuvre in terminal phase, or achieve sub-metre accuracy. An interceptor must do all three, under electronic countermeasures, in real time, against a target that may be manoeuvring or deploying decoys. This asymmetry is not correctable through greater production efficiency alone.
3.3 Technological Responses: Arrow-4, Iron Beam and the Low-Cost Intercept Imperative
The pressure on interceptor stockpiles is accelerating investment in two categories of lower-cost defensive technology.
The first is high-energy laser systems. Iron Beam, Israel’s directed-energy platform developed by Rafael Advanced Defense Systems, is designed to engage short-range rockets, mortar rounds and small drones at a marginal per-shot cost measured in a few dollars of electricity, compared with tens of thousands for a kinetic intercept. The 2026 campaign is widely described in Israeli defence commentary as an inflection point for Iron Beam deployment: a system that was previously a developmental programme is acquiring urgent operational status as the cost-exchange crisis in kinetic defence becomes impossible to ignore.
The second is Arrow-4, the next-generation exo-atmospheric interceptor under joint development by Israel Aerospace Industries and the US Missile Defense Agency. Public statements from the programme describe AI-assisted trajectory optimisation capable of evaluating thousands of potential evasive flight paths per second, and enhanced discrimination algorithms for separating genuine warheads from decoys and debris — precisely the two failure modes that Iran has been systematically exploiting by varying salvo composition and introducing manoeuvring re-entry vehicles.
For India’s DRDO and the Integrated Guided Missile Development Programme, these developments validate the trajectory toward indigenous laser-based short-range defence and high-precision ballistic interceptors. The engineering case for investing in both the high-tier precision of a system analogous to Arrow-4 and the high-volume, low-marginal-cost coverage of directed-energy point defence is now supported by operational evidence, not theory.
NSH PERSPECTIVE | The interceptor depletion data from JINSA’s March 2026 analysis is the most operationally grounded argument yet produced for India’s indigenous air-defence development programmes. The lesson is not that missile defence does not work — the June 2025 data shows it works remarkably well. The lesson is that kinetic-only architectures are economically unsustainable against adversaries with large, cheap offensive inventories. Diversification into directed energy is not a long-term aspiration; it is a near-term operational requirement.
Drone Systems Engineering · Counter-UAS Technology
4. Drone Innovation: From Shahed Swarms to Fibre-Optic FPV
Iran’s drone force has evolved from a supplementary harassment capability into what multiple 2026 assessments describe as a central pillar of its regional strike strategy. The architectural logic is straightforward: large, coordinated waves of loitering munitions, mixed with cruise missiles and ballistic missiles, are designed to saturate regional air defences simultaneously across multiple threat axes. The June 2025 engagement demonstrated the concept at operational scale; the 2026 campaign is refining it under live conditions.
4.1 Iran’s Drone Arsenal in the 2026 Campaign
In the seventy-two hours following the 28 February strikes, Iran launched hundreds of missiles and drones across the Gulf, compelling Bahrain, Jordan, Kuwait, Qatar, Saudi Arabia and the UAE to activate layered air-defence networks. The Shahed-131 and Shahed-136 loitering munitions that form the backbone of this capability are well-characterised: one-way attack platforms with ranges of 900 to 2,500 kilometres depending on variant, powered by small piston engines, with pre-programmed or semi-autonomous inertial and satellite navigation.
Post-strike assessments from the 2026 campaign suggest that AI plays a larger role in route optimisation and swarm management than in autonomous target selection — the systems appear to rely on pre-planned mission parameters updated before launch, with the swarm coordination achieved through timing and launch sequencing rather than real-time inter-drone communication. The distinction matters for counter-UAS design: these are not fully adaptive autonomous systems, but they do not need to be. At the scale Iran can deploy them, pre-programmed saturation is an effective strategy.
4.2 The Wire That Jams Cannot Cut: Fibre-Optic FPV Drones
Every electronic countermeasure system deployed against drone threats in the current conflict — from Israel’s layered IAMD architecture to the RF-jamming units operated by Gulf state forces and US installations across the region — rests on a foundational assumption: that the drone maintains a radio-frequency link to its operator. Jam that link, and the drone loses guidance. Detect that link, and the drone reveals its operator’s position.
A class of first-person-view (FPV) drone that has now been confirmed in Iran-aligned militia arsenals discards that assumption entirely.
Jamming assumes a signal. Fibre-optic FPV drones have no control-link signal to jam. The entire electronic countermeasure layer of most deployed counter-UAS systems is architecturally irrelevant against them.
Fibre-optic FPV drones route their control uplink and video downlink not through radio frequencies but through a thin fibre-optic cable spooled behind the platform during flight. There is no RF emission from the control link. There is no signal to jam, no frequency to track, and no emission to use for direction-finding. From the perspective of every electronic countermeasure system currently deployed in the region, the platform is electromagnetically silent.
The Critical Threats Project and Institute for the Study of War (CTP-ISW) documented footage released in March 2026 by Saraya Awliya al Dam, an Iraqi militia aligned with Iran, showing what expert observers identified as a fibre-optic FPV drone operating within the perimeter of the United States Embassy compound in Baghdad — one of the most heavily defended and electronically monitored installations in the region. The footage was released as propaganda, but its technical significance extends well beyond the intended political message: if a fibre-optic FPV system can operate inside the electronic countermeasure envelope of a tier-one protected installation, the RF-based counter-drone architectures that underpin most existing physical security programmes require fundamental re-examination.
4.3 Engineering Characteristics and Operating Principles
The fibre-optic FPV architecture is, in engineering terms, elegant in its simplicity — which is both the source of its effectiveness and the reason it has proliferated so rapidly from an experimental battlefield technique to a deployable militia capability in under two years.
A standard radio-controlled FPV drone transmits video from an onboard camera to the operator’s goggles via a dedicated video transmitter, typically at 5.8 GHz, and receives control inputs via a separate RF uplink. Both links are detectable, both are jammable, and both impose a line-of-sight or near-line-of-sight range constraint. In the fibre-optic variant, both links are replaced by a single fibre-optic cable wound onto a lightweight spool — carried by the drone or integrated into its airframe — which the platform pays out as it flies. Control signals from the operator travel to the drone through the fibre at the speed of light with negligible latency. High-definition video — 1080p resolution or better — returns from the drone through the same cable with bandwidth that is entirely adequate for precision terminal guidance. The maximum range is determined by spool capacity; operational examples from the Russia-Ukraine war, where these systems were first developed at scale under combat conditions, document effective ranges of twenty to thirty kilometres with appropriately designed spools.
TECHNICAL NOTE
Fibre-optic cable suitable for drone payload deployment is a standard commercial telecommunications component. Dispersion-shifted single-mode fibre in wound-bobbin format is widely available. The primary engineering challenge in a deployable fibre-optic FPV system is not the fibre but the cable management mechanism: the spool must pay out smoothly at the speeds and accelerations typical of a manoeuvring FPV drone — peak angular accelerations can exceed 10g in aggressive flight — without tangling, kinking, or generating back-tension sufficient to affect flight dynamics. Solving this problem with commercially available winding and tensioning components represents exactly the kind of low-cost, high-leverage adaptation that Iran-aligned non-state actors, with state-level engineering support, have demonstrated consistent competence in executing.
Thermal and acoustic detection remain theoretically possible: the drone’s motor and airframe produce heat and noise signatures. However, the small cross-section and low thermal output of a typical FPV platform — commonly under one kilogram, battery-powered — make reliable detection at operationally relevant ranges extremely demanding against the background clutter of urban or semi-urban environments. The platform is fast-moving, visually small, and produces no detectable electromagnetic emissions during normal operation.
4.4 Proliferation Pathway and Strategic Implications
The Russia-Ukraine war served as the development and refinement environment for fibre-optic FPV systems. Russian units including the Plamya assault group documented operational use for precision strikes against fortified positions and armoured vehicles under heavy electronic warfare on both sides of the front. The technical solution was validated at scale before it reached the Middle Eastern theatre.
Iran’s pattern of technology transfer to proxy militias — documented across Shahed-series drone designs, anti-armour missiles, and precision rocket artillery — provides the proliferation pathway from the Ukraine battlefield to Iraqi, Syrian, Yemeni and Lebanese militia arsenals. The Saraya Awliya al Dam footage in Baghdad is best understood not as an isolated incident but as an early operational demonstration of a capability that will spread, as component supply chains, manufacturing knowledge and trained operators diffuse through the Iran-aligned network.
The propaganda dimension also warrants specific attention. Fibre-optic FPV systems can record and transmit high-definition video of their terminal flight path — inside a protected perimeter, up to and including the final approach to a target — with a quality and continuity that produces compelling strike footage. The ability to generate and distribute that footage in near-real-time has been a consistent feature of Iran-aligned information operations, and fibre-optic systems make that footage possible even inside the electronic countermeasure envelopes of hardened targets. The information-operations consequence is as significant as the kinetic one.
4.5 Counter-UAS Design Priorities
The emergence of fibre-optic FPV systems in Iran-aligned arsenals demands specific responses from counter-UAS architects, physical security planners and defence procurement officials.
RF-independent detection must become a baseline layer of any serious counter-UAS architecture. Acoustic detection arrays, calibrated for the rotor frequency signatures of small multirotor platforms, provide detection capability that is independent of the drone’s electromagnetic emissions. AI-assisted electro-optical and infrared sensor networks with wide-area coverage and sufficient resolution to track small fast-moving objects address both fibre-optic and conventional threats with a single sensor layer — the same computer-vision and anomaly-detection analytics that NSH described in the context of the Tehran targeting operation apply directly to counter-drone detection. A drone approaching a perimeter follows a trajectory that deviates from the authorised air-traffic baseline regardless of whether it carries an RF transmitter.
The fibre-optic cable itself, paradoxically, represents a potential detection and interdiction surface. A drone paying out cable over twenty or thirty kilometres leaves a physical trace in the environment. In open terrain, aerial observation or post-incident forensics can trace the cable back to the operator’s position. In urban environments, the cable may interact with buildings, vegetation and infrastructure in ways that constrain the drone’s flight envelope. Understanding and exploiting the operational constraints the cable imposes is a counter-UAS research priority that has received limited attention relative to the RF-jamming paradigm it must now supplement.
NSH PERSPECTIVE | India’s DRDO has active counter-UAS programmes, and the Indian Army has deployed RF-based counter-drone systems at sensitive installations following repeated UAS incidents at Jammu and elsewhere. The fibre-optic FPV development is a direct architectural challenge to those RF-centric programmes. NSH will continue to track this technology’s proliferation — and the corresponding development of acoustic, optical and tethered-cable detection techniques — for India’s defence engineering community.
Cyber Warfare Technology · Critical Infrastructure Security
5. Cyber Operations: From the Integrated Kill Chain to the Hacktivist Swarm
5.1 Offensive Cyber in the Integrated Kill Chain
US officials and think-tank analyses increasingly frame the US–Israeli campaign as an integrated operation in which cyber effects were synchronised with kinetic strikes to suppress Iranian air defences, missile launch networks and command-and-control infrastructure from the first moments of the operation. US Cyber Command is described in official statements as playing a front-line role alongside traditional combatant commands — not in a supporting capacity but as a co-equal operational element responsible for degrading Iran’s ability to coordinate a defensive response in the critical opening hours.
The pre-positioned access that enabled this role was, by multiple accounts, established over months and years before the operational date. Tehran’s traffic-camera network was reportedly compromised well in advance, with AI-assisted pattern-of-life analysis supporting the targeting of senior Iranian leadership — a technical chain described in detail in NSH’s earlier Datafied Battlespace report. What the 2026 campaign confirms is that this pre-positioning extended across Iran’s air-defence system: the software infrastructure of Iran’s Integrated Air Defence System (IADS), its data-fusion nodes, radar-to-fire-control communication links, and the management interfaces of Russian-origin systems including the S-300PMU-2, were compromised before a single kinetic round was fired.
This confirms the ‘datafied battlespace’ framing: cameras, mobile networks, radar management systems and social graphs form the sensing and control substrate of an automated kill chain, with human confirmation retained at the decisive final node. The technology does not replace human intelligence; it makes human sources more productive and collapses the cognitive load on analysts processing vast data volumes.
5.2 Iranian and Pro-Iran Cyber Campaigns: The Hacktivist Swarm
On the opposing side, a dense ecosystem of Iranian state-linked advanced persistent threat groups and loosely aligned hacktivist organisations has escalated operations against US, Israeli and allied targets since the war began. Groups including CyberAv3ngers, APT33, APT34, MuddyWater, APT55 and Handala have been documented targeting energy firms, industrial control systems, cloud services and medical-technology companies with destructive wiper malware and data-destruction attacks.
The most operationally significant incident in this period involves the Handala group, which claimed to have exploited Microsoft’s Intune cloud-management platform to remotely wipe more than 200,000 devices across dozens of countries — with the US medical-device firm Stryker reported among those most severely affected. Full forensic confirmation is still emerging, but the incident illustrates a strategic evolution: cloud-management planes, which provide centralised control over endpoint devices across entire enterprises, have become an attack surface of national-security significance. A single compromised management console can achieve the device-destruction effects that previously required individual endpoint compromise at scale.
More than sixty pro-Iran hacktivist groups have meanwhile organised themselves into a coalition operating under the designation ‘Cyber Islamic Resistance,’ coordinating via a dedicated Telegram channel described as an electronic operations room. In the first two weeks following Operation Epic Fury, this coalition claimed over 600 attacks against targets including Israeli defence contractor Rafael, a drone-detection service provider, hotel utilities infrastructure in Tel Aviv, and airports in Bahrain, Saudi Arabia and the UAE. The sophistication of individual attacks varies widely — from script-kiddie defacements to genuine ICS intrusions — but the aggregate effect is a persistent pressure that forces defenders to maintain broad-spectrum monitoring across all perimeter surfaces simultaneously.
5.3 US and Allied Counter-Cyber Measures
On 20 March 2026, the US Department of Justice and FBI seized the four primary internet domains used by the Handala group — one of the first high-profile law-enforcement takedowns of a major Iranian cyber-proxy infrastructure during the active conflict period. Court filings identify Handala as an operation run by Iran’s Ministry of Intelligence and Security (MOIS), providing an unusually strong chain of legal attribution for direct Iranian state responsibility.
At the policy level, the Trump administration’s 6 March 2026 National Cybersecurity Strategy explicitly embraces what commentators have termed an ‘offensive turn,’ citing the Iran war and Operation Epic Fury as proof points for integrated offensive cyber as a standard instrument of US national power rather than a niche or escalatory capability. The strategic implications of this posture for India’s own cyber doctrine — which has historically emphasised defensive resilience over offensive capacity — deserve serious attention in NCSC and CERT-In planning forums.
BFSI-sector advisories issued by security firms including SISA InfoSec in the fourth week of the conflict document new attack vectors specific to the Iran-linked cyber campaign: denial-of-service attacks against Microsoft 365 and Copilot, attributed to the 313 Team and Anti-Zionist Cyber Group, which briefly disrupted cloud-productivity platforms used by banks and insurers globally. The targeting of cloud-productivity infrastructure — not merely data centres or operational technology — marks a further expansion of the attack surface that financial-sector security operations must monitor.
NSH PERSPECTIVE | India’s BFSI sector, healthcare institutions and critical infrastructure operators face the same class of threats documented in the Iran conflict: hacktivist swarms exploiting cloud-management planes, industrial control system interfaces with default credentials, and M365 tenants without hardened conditional-access policies. The engineering responses — cloud-management-plane security, ICS network segmentation, anomaly detection on management interfaces — are known and available. The Iran conflict provides the most current available evidence of their urgency.
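The "anomaly detection on management interfaces" response named above, sketched as an added example that is not part of the original report: a sliding-window detector that flags any admin identity issuing destructive device actions against many distinct devices in a short interval. The event schema, identities, action names, thresholds and sample log lines are constructed assumptions, not a vendor's audit format.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed audit events in a hypothetical schema (not a vendor log format):
# (ISO timestamp, acting admin identity, action, target device id).
SAMPLE_EVENTS = [
    ("2026-03-10T09:00:00", "helpdesk-1", "wipe", "dev-001"),
    ("2026-03-10T09:02:00", "helpdesk-1", "sync", "dev-002"),
    ("2026-03-10T10:05:00", "helpdesk-1", "wipe", "dev-003"),
] + [
    # One identity wiping six different devices within 50 seconds.
    ("2026-03-10T11:00:%02d" % (i * 10), "svc-admin", "wipe", "dev-1%02d" % i)
    for i in range(6)
]

DESTRUCTIVE = {"wipe", "retire", "delete"}  # assumed action names


def detect_wipe_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Alert when one identity hits `threshold` distinct devices with
    destructive actions inside a sliding `window`."""
    recent = {}     # actor -> deque of (timestamp, device) still in window
    active = set()  # actors currently above threshold (suppresses repeats)
    alerts = []
    for ts_raw, actor, action, device in sorted(events):
        if action not in DESTRUCTIVE:
            continue
        ts = datetime.fromisoformat(ts_raw)
        q = recent.setdefault(actor, deque())
        q.append((ts, device))
        while ts - q[0][0] > window:  # expire events older than the window
            q.popleft()
        distinct = {d for _, d in q}  # retries on one device count once
        if len(distinct) < threshold:
            active.discard(actor)     # re-arm once the burst subsides
        elif actor not in active:
            active.add(actor)
            alerts.append({"actor": actor, "at": ts_raw, "devices": len(distinct)})
    return alerts


if __name__ == "__main__":
    for alert in detect_wipe_bursts(SAMPLE_EVENTS):
        print(alert)
```

In practice the window and threshold would be tuned against the tenant's normal helpdesk volume, and the alert would feed a control that pauses the identity's bulk actions pending review.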
Emerging Defence Technology · AI and Space Systems
6. AI, Directed Energy and Space: The Emerging Technology Stack of the 2026 War
6.1 AI as Enabler, Not Autonomous Decision-Maker
Across all domains of the 2026 conflict, AI appears consistently as an operational enabler rather than an autonomous decision-maker. Both the US and Israel deploy AI for sensor fusion, pattern-of-life modelling, route optimisation for strike packages and semi-autonomous drone mission management — while retaining human judgement at the lethal decision node. This architecture is not a concession to doctrine; it reflects a genuine technical and operational judgement that the last mile of targeting, in an environment where misidentification carries severe political and strategic consequences, is irreducibly human.
In the information and cyber domains, AI-driven tools are used for automated intrusion detection, malware classification, bot-based amplification in psychological operations, and — notably — by hacktivist coalitions with limited traditional tradecraft who are explicitly reported to be using AI tools to compensate for skill gaps: automating phishing campaigns, generating elementary exploit scripts, and drafting influence-operation content at volume. The democratisation of AI-assisted attack tooling is a significant and underappreciated development in the lower tier of the hacktivist ecosystem.
6.2 Commercial Space and Satellite ISR
The 2026 campaign consolidates commercial satellite constellations as core operational infrastructure. Commercial imaging satellites are providing rapid battle-damage assessment, monitoring missile launch sites and tracking IAMD salvo effectiveness with turnaround times measured in hours — a capability that was the exclusive domain of national technical means a decade ago and is now routinely integrated into open-source analytical frameworks accessible to think tanks, journalists and hostile intelligence services simultaneously.
Communications satellites, including commercial LEO broadband systems, have maintained partial connectivity for certain actors inside Iran despite blackout conditions — though Iran’s sustained GPS and Starlink jamming campaign, active since January 2026, has significantly degraded those links. The ability of a state to deny space-enabled services within its own territory, while not absolute, is now a demonstrated operational capability that must be factored into resilience planning for any critical system that depends on satellite connectivity as a backup communication path.
6.3 Directed Energy and the Cost-Exchange Rebalance
Beyond Iron Beam, the defence technology reporting on the 2026 conflict points toward a broader programme of directed-energy and low-cost intercept development across multiple nations. Experimental systems include high-energy laser platforms mounted on ground vehicles and naval vessels, microwave-based area-denial weapons designed for drone swarm suppression, and low-cost unmanned interceptor designs — ‘meeting cheap with cheap’ — that sacrifice the exquisite performance of a Patriot or Arrow interceptor for a unit cost that allows mass deployment against saturating threats.
For India, where cost constraints in defence procurement are structurally significant, the logic of combining a small number of high-tier precision interceptors with mass-produced, affordable short-range kinetic counters and non-kinetic directed-energy options is particularly compelling — especially for defending the dense urban areas and critical industrial corridors that represent both the highest-value targets and the most demanding engagement geometries.
Systems Analysis · Engineering Lessons
7. Structural Weaknesses Exposed and Questions for Indian Engineers
7.1 Four Recurring Technical Failure Modes
Across the 2024–26 Iran conflict arc, four structural technical weaknesses appear with sufficient consistency to constitute a taxonomy of vulnerabilities that any nation with analogous characteristics should urgently address.
The economic unsustainability of kinetic-only IAMD. High-end interceptors are depleting faster than industrial bases can replenish them, while Iran and its proxies continue producing relatively cheap missiles and drones at volume. The June 2025 JINSA data quantifies this dynamic precisely; the March 2026 interceptor-shortage reports confirm it is not hypothetical.
The fragility of centralised internet and telecom architectures. Iran’s National Information Network enabled both rapid offensive disruption of specific targets and — as the corrected attribution now confirms — equally rapid state-imposed shutdown of the national internet. Excessive centralisation without independent oversight or path diversity is a strategic liability regardless of whether the threat is external attack or domestic misuse.
The persistence of basic cyber-hygiene failures as the decisive attack surface. Multiple high-impact Iranian and pro-Iran attacks in the 2026 campaign exploited default passwords, misconfigured cloud-management consoles and unpatched industrial-control systems — not zero-day exploits. Boring security engineering remains the decisive factor in whether critical systems survive contact with a determined adversary.
The expanding hardware supply-chain attack surface. The 2024 Hezbollah pager operation and the 2026 emergence of fibre-optic FPV drones assembled from commercial off-the-shelf components demonstrate that hardware-level compromise — expensive and slow, but offering permanent dwell and imperviousness to software patching — is now an operational reality for non-state actors with state-level backing.
7.2 Design Questions for Indian Stakeholders
For Indian stakeholders across defence R&D, telecom, cloud infrastructure and industrial control, the US–Israel–Iran conflict raises several questions that are not rhetorical but design-specification-level:
— How should India architect a multi-layered air and missile defence grid that accounts for massed, mixed-salvo attacks combining drones, cruise missiles, ballistic missiles and decoys — without incurring the interceptor-depletion dynamic that is now degrading Israeli and US stockpiles?
— What level of decentralisation, path diversity and independent monitoring is appropriate for critical national networks like UPI, Aadhaar, national power grids and defence intranets — given Iran’s demonstration of both foreign exploitation and domestic shutdown of a highly centralised architecture?
— How can Indian BFSI and healthcare sectors harden their cloud-management planes, Microsoft 365 tenants and industrial-control interfaces against the classes of MOIS-linked and hacktivist attacks now documented in the Iran conflict?
— What changes in procurement, certification and destructive testing are required to ensure that imported and domestically assembled hardware for defence, telecom and industrial use is resistant to long-dwell supply-chain compromise on the Hezbollah model?
— What RF-independent counter-UAS detection and interdiction capabilities must be added to existing physical security architectures to close the fibre-optic FPV gap that the Baghdad Embassy footage has exposed?
Addressing these questions will determine whether India experiences the US–Israel–Iran conflict as a distant geopolitical spectacle — or as an accurately documented preview of vulnerabilities already present in its own rapidly datafying battlespace.
– NSH Research Desk


