Cleartext – March 05, 2026
Thursday, March 5, 2026·5:59
Show Notes
Daily cybersecurity briefing for CISOs and security leaders.
Episode Summary
Today's episode covers 9 stories across 6 topic areas, including: Srsly Risky Biz: The four hour cyber war on Iran; 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict; Zurich Acquires Beazley in $11 Billion Deal to Lead Cyberinsurance.
Stories Covered
🌍 Geopolitical
Srsly Risky Biz: The four hour cyber war on Iran
Risky Business News · Mar 05 · Relevance: █████████░ 9/10
Why it matters to CISOs: The use of cyber operations in the opening hours of the US-Israeli attack on Iran — and Iran's rapid internet blackout response — sets new precedents for how cyber fits into kinetic conflict, with direct implications for threat modeling and geopolitical risk assessments.
- Cyber operations were instrumental in the attack on Iranian Supreme Leader Khamenei
- Iran implemented a nationwide internet blackout within four hours of the first bombs
- Discussion of how threat actors are using AI to shift the attack-defense balance
149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict
The Hacker News · Mar 04 · Relevance: ████████░░ 8/10
Why it matters to CISOs: Retaliatory hacktivist DDoS campaigns spanning 16 countries after the US-Israel strikes on Iran mean CISOs at global enterprises need to reassess DDoS resilience and monitor geopolitical triggers that could make their organizations targets.
- 149 DDoS attacks hit 110 organizations in 16 countries following US-Israeli military operations against Iran
- Two groups (Keymous+ and DieNet) drove nearly 70% of all attack activity
- Attacks occurred within days of the conflict (Feb 28 - Mar 2)
📡 Macro Trends
Zurich Acquires Beazley in $11 Billion Deal to Lead Cyberinsurance
SecurityWeek · Mar 04 · Relevance: █████████░ 9/10
Why it matters to CISOs: An $11B acquisition reshaping the cyber insurance market will affect policy pricing, coverage terms, and underwriting standards — CISOs who rely on cyber insurance as a risk transfer mechanism should monitor how this consolidation changes their renewal dynamics.
- Zurich acquiring Beazley for $11 billion
- Deal positions combined entity as dominant cyberinsurance provider
- Expected to close in second half of 2026, pending regulatory and shareholder approval
Google says 90 zero-days exploited in 2025 as commercial vendor activity grows
The Record (Recorded Future) · Mar 05 · Relevance: ████████░░ 8/10
Why it matters to CISOs: Google's annual zero-day report showing 90 exploited vulnerabilities in 2025 — with nearly half targeting enterprise infrastructure, and commercial spyware vendors and China-linked actors leading attribution — provides critical data for board-level risk discussions and defensive investment prioritization.
- 90 zero-days actively exploited in 2025, up from 78 in 2024
- Nearly half targeted enterprise software and appliances
- Commercial spyware vendors and China-linked actors were the top attributed exploiters
🔓 Data Breach
Europol-Led Operation Takes Down Tycoon 2FA Phishing-as-a-Service Linked to 64,000 Attacks
The Hacker News · Mar 05 · Relevance: ████████░░ 8/10
Why it matters to CISOs: The Tycoon 2FA takedown disrupts a major adversary-in-the-middle phishing platform that targeted MFA-protected accounts at scale — CISOs should use this window to audit phishing-resistant authentication (FIDO2/passkeys) adoption and review incident logs for past Tycoon 2FA indicators.
- Tycoon 2FA was one of the largest phishing-as-a-service platforms, active since August 2023
- Microsoft seized 330 domains powering the kit's infrastructure
- Platform sent fraudulent emails to over 500,000 organizations monthly
New LexisNexis Data Breach Confirmed After Hackers Leak Files
SecurityWeek · Mar 04 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: LexisNexis is a major data aggregator embedded in legal, compliance, and due-diligence workflows across enterprises — a breach exposing 400,000 personal records raises immediate third-party risk concerns for CISOs whose organizations consume LexisNexis services.
- Hackers claim to have stolen 2GB of files including 400,000 personal information records
- LexisNexis has confirmed the breach
- Data has already been leaked by the attackers
⚖️ Governance & Policy
Pentagon vendor cutoff exposes the AI dependency map most enterprises never built
VentureBeat Security · Mar 04 · Relevance: ████████░░ 8/10
Why it matters to CISOs: The federal directive to cease Anthropic usage revealed that most organizations have no inventory of where AI models sit in their workflows — CISOs must urgently build AI supply chain maps before a similar vendor disruption hits the private sector.
- US government agencies ordered to phase out Anthropic technology within six months
- Only 15% of CISOs surveyed said they could map their AI vendor dependencies
- AI dependencies cascade through vendors, sub-vendors, and shadow SaaS platforms
🚀 Startup Ecosystem
Fig Security Raises $30M to Modernize SOC Infrastructure
BankInfoSecurity · Mar 05 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: Fig Security's $30M Series A addresses a real pain point for CISOs — lack of visibility into complex SecOps pipelines where silent failures in SIEMs, data lakes, and automation tools undermine detection capabilities.
- $30 million Series A funding round
- Focuses on giving CISOs visibility into SecOps pipeline health across SIEMs, data lakes, and automation tools
- Targets 'silent failures' that undermine threat detection
🚨 Critical Vulnerability
Nation-State iOS Exploit Kit 'Coruna' Found Powering Global Attacks
SecurityWeek · Mar 05 · Relevance: █████████░ 9/10
Why it matters to CISOs: A 23-exploit iOS kit originally wielded by Russian state actors is now proliferating into criminal campaigns including crypto theft — this represents a significant escalation in mobile threat risk for enterprises with executive and high-value targets carrying iOS devices.
- 23 previously undocumented iOS exploits bundled in the 'Coruna' kit
- Originally attributed to Russian state actors, now spreading to criminal groups
- Google and iVerify jointly analyzed the exploit kit's capabilities
Further Reading
- 🌍 Srsly Risky Biz: The four hour cyber war on Iran — Risky Business News
- 🌍 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict — The Hacker News
- 📡 Zurich Acquires Beazley in $11 Billion Deal to Lead Cyberinsurance — SecurityWeek
- 📡 Google says 90 zero-days exploited in 2025 as commercial vendor activity grows — The Record (Recorded Future)
- 🔓 Europol-Led Operation Takes Down Tycoon 2FA Phishing-as-a-Service Linked to 64,000 Attacks — The Hacker News
- 🔓 New LexisNexis Data Breach Confirmed After Hackers Leak Files — SecurityWeek
- ⚖️ Pentagon vendor cutoff exposes the AI dependency map most enterprises never built — VentureBeat Security
- 🚀 Fig Security Raises $30M to Modernize SOC Infrastructure — BankInfoSecurity
- 🚨 Nation-State iOS Exploit Kit 'Coruna' Found Powering Global Attacks — SecurityWeek
Full Transcript
Alex: It's Thursday, March 5th, 2026. This is Cleartext. I'm Alex Chen.
Jordan: And I'm Jordan Reeves. Let's get into it.
Alex: We have a packed show today. The cyber dimension of the Iran strikes is coming into sharper focus, and it's rewriting assumptions about how offensive cyber integrates into kinetic operations. We'll talk about the hacktivist wave that followed, an eleven billion dollar deal that's about to reshape cyber insurance, Google's annual zero-day report, a major phishing platform takedown, an iOS exploit kit that's jumped from Russian intelligence to criminal markets, and why the Pentagon's Anthropic cutoff should be a wake-up call for every CISO listening. Let's start where the stakes are highest.
Jordan: So Risky Business put out their analysis this morning on what they're calling the four-hour cyber war on Iran. And the framing is exactly right. Cyber operations were integral to the opening salvo of the US-Israeli strikes. They weren't a sideshow. They weren't a "nice to have." They were instrumental in the operation targeting Supreme Leader Khamenei directly. This is the clearest example we've ever seen of cyber as a first-strike enabler in a major military operation.
Alex: And what's equally significant is the Iranian response. A nationwide internet blackout within four hours. That's a defensive playbook we've theorized about but rarely seen executed at national scale under actual combat conditions.
Jordan: Right. Iran essentially pulled the plug on its own internet to limit further cyber penetration and to control the information environment. It's a blunt instrument, but it tells you something about how seriously they assessed the cyber threat in those opening hours. They were willing to accept massive economic and communications disruption to stop the bleeding.
Alex: For CISOs, the takeaway isn't about Iran specifically. It's about what this means for threat modeling. If you're operating in any sector adjacent to geopolitical friction, energy, defense, financial services, critical infrastructure, you need to update your assumptions. Cyber is now a confirmed component of opening-day military operations, not a theoretical one. Your threat models should reflect that.
Jordan: And the speed matters. Four hours from first strike to internet blackout. The decision cycles in this domain are compressing dramatically. If you're waiting for a threat intelligence briefing to tell you things have escalated, you're already behind.
Alex: Which brings us directly to story two. Within days of the strikes, 149 hacktivist DDoS attacks hit 110 organizations across 16 countries. Two groups, Keymous+ and DieNet, drove nearly 70 percent of that activity. This is the retaliatory wave that follows every major geopolitical event now. It's become predictable.
Jordan: Predictable in pattern, unpredictable in targeting. That's the problem. These groups don't follow a rational target selection process. You might be a mid-size logistics company in the Netherlands and suddenly you're on someone's hit list because of a perceived alliance. The 16-country spread tells you everything. This isn't surgical. It's scattershot.
Alex: If you're a CISO and you haven't stress-tested your DDoS resilience in the last 90 days, this is your prompt. And you should be setting up geopolitical trigger alerts with your threat intel team. When kinetic operations happen, assume the hacktivist wave is 48 to 72 hours behind.
Jordan: Shifting gears to something that's going to affect every CISO's budget conversation. Zurich acquiring Beazley for eleven billion dollars. That is a massive consolidation in cyber insurance.
Alex: This is a big deal. Beazley has been one of the most sophisticated cyber insurance underwriters in the market. They've driven a lot of the innovation in how policies are structured, how risk is assessed, how incident response is embedded into coverage. Zurich is enormous but hasn't been the cyber leader. This acquisition changes that overnight.
Jordan: So what does it mean practically?
Alex: Three things. First, market concentration. When your dominant cyber insurer gets bigger, your negotiating leverage as a policyholder potentially shrinks. Second, underwriting standards. Beazley has been aggressive about requiring specific security controls for coverage. Expect those standards to propagate across Zurich's broader book. Third, and this is the one I'd watch most closely, pricing dynamics. In the near term, consolidation usually means upward pressure on premiums as the combined entity rationalizes its portfolio.
Jordan: CISOs who've been using cyber insurance as a meaningful risk transfer mechanism need to be gaming this out now, not when their renewal comes up in Q3.
Alex: Exactly. Talk to your broker. Understand what the combined entity's appetite looks like for your sector. And if you've been deferring investments in controls that insurers care about, this is the moment where that deferred investment starts costing you real money.
Jordan: Let's talk about Google's annual zero-day report, because the numbers are sobering. Ninety zero-days actively exploited in 2025, up from 78 the year before. Nearly half targeted enterprise software and appliances. And the top attributed exploiters were commercial spyware vendors and China-linked actors.
Alex: That enterprise targeting number is the one I'd bring to the board. We've been watching zero-day exploitation shift from consumer endpoints toward enterprise infrastructure for several years now, and this data confirms the trend is accelerating. Firewalls, VPN appliances, collaboration platforms. These are the things attackers are burning zero-days on.
Jordan: And the spyware vendor angle connects directly to our next story. Google and iVerify jointly published analysis on an iOS exploit kit called Coruna. Twenty-three previously undocumented iOS exploits, originally attributed to Russian state actors, now proliferating into criminal campaigns including crypto theft.
Alex: Twenty-three undocumented exploits in a single kit. That's an extraordinary arsenal. And the proliferation pattern is what should concern every CISO. State-developed tools leaking into criminal ecosystems is not new, but the velocity is increasing and the target surface is mobile, where most enterprises have less visibility.
Jordan: If you have executives, board members, or anyone with access to sensitive data carrying iOS devices, and of course you do, this changes your mobile threat calculus. The assumption that iOS is inherently more secure than alternatives has always been relative. This kit makes it a lot less relative.
Alex: Action items here are concrete. Ensure mobile device management is enforced on every device with access to corporate resources. Push iOS updates aggressively. And if you're in a high-risk sector, look at mobile threat detection solutions. iVerify's involvement in the analysis is not coincidental. They have a product in this space.
Jordan: Now, a genuinely good news story. Europol led a coalition takedown of Tycoon 2FA, one of the largest phishing-as-a-service platforms operating. This thing was sending fraudulent emails to over 500,000 organizations monthly. Microsoft seized 330 domains. It's been active since August 2023.
Alex: Tycoon 2FA was particularly nasty because it was purpose-built for adversary-in-the-middle attacks against MFA-protected accounts. It didn't just phish credentials. It phished sessions, which means your standard MFA was not a defense.
Jordan: The takedown creates a window. Operators who relied on Tycoon 2FA are temporarily disrupted. Use this window. Audit your logs for known Tycoon 2FA indicators. And more importantly, use it as internal ammunition to accelerate your move to phishing-resistant authentication. FIDO2, passkeys. If your MFA can be proxied, it's not enough.
Alex: Agreed. This takedown is a reprieve, not a solution. The next PhaaS platform is already out there.
Jordan: Quick hit on the LexisNexis breach. Hackers leaked 2GB of files including 400,000 personal records. LexisNexis confirmed it. If your organization uses LexisNexis for due diligence, legal research, compliance workflows, this is a third-party risk event. Assess your exposure, notify your privacy team, and check whether any of your data or your customers' data could be in that dataset.
Alex: Moving to the governance story that honestly might be the most important operational lesson of the week. The Pentagon ordered all agencies to phase out Anthropic technology within six months. And it exposed something uncomfortable. Only 15 percent of CISOs surveyed said they could map their AI vendor dependencies.
Jordan: Fifteen percent. That number should embarrass this industry.
Alex: It should. And here's the thing. This isn't hypothetical risk. The government just told agencies to rip out a specific AI vendor. If that happened to your organization tomorrow, with any AI provider, could you even identify everywhere it's embedded? Not just what you procured directly, but what's running inside your vendors, your sub-vendors, your shadow SaaS platforms?
Jordan: The AI supply chain is the new shadow IT problem, except it's deeper and harder to see. These models are embedded in tools your employees adopted without a procurement process. They're in APIs your vendors call without disclosing it. The dependency graph is invisible to most organizations.
Alex: My advice: treat this as an urgent inventory exercise. Start building your AI dependency map now. Don't wait for your own Anthropic moment.
Jordan: Brief mention of Fig Security raising 30 million in Series A to address SecOps pipeline visibility. The thesis is that CISOs can't see when their SIEMs, data lakes, and automation tools are silently failing. It's a real problem. If your detection pipeline has a gap and nobody notices, you're flying blind and confident about it. Worth watching.
Alex: Let's bring it together. Jordan, what's the thread you see running through today's stories?
Jordan: The thread is dependency exposure. Whether it's dependency on internet connectivity in a warzone, dependency on a single cyber insurer, dependency on the assumption that iOS is secure, dependency on MFA that can be proxied, or dependency on AI vendors you can't even enumerate. Every one of these stories is about an organization or a nation discovering that something they relied on was more fragile than they thought.
Alex: And the CISO's job is to find those dependencies before they're tested. Map them. Stress-test them. Have a plan for when they fail. The Iran strikes showed us that at national scale. The Anthropic cutoff showed it at the vendor level. The zero-day report showed it at the technology level. The pattern is the same.
Jordan: If you do one thing this week, pick the dependency you understand the least and go pull the thread. You'll be surprised what you find.
Alex: That's our show for Thursday, March 5th. Thanks for spending your morning with us. We'll be back tomorrow with more. This is Cleartext.
Jordan: Stay sharp.
Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-03-05.
Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.