Cleartext Week in Review – March 14, 2026
Saturday, March 14, 2026·10:17
Show Notes
Cleartext – March 14, 2026
Daily cybersecurity briefing for CISOs and security leaders.
Episode Summary
Today's episode covers 18 stories across 6 topic areas, including: Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker; US entities face heightened cyber risk related to Iran war; Iran MOIS Colludes With Criminals to Boost Cyberattacks.
Stories Covered
🌍 Geopolitical
Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker
Krebs on Security · Mar 11 · Relevance: 10/10
Why it matters to CISOs: A destructive wiper attack attributed to Iranian state-linked actors against a major U.S. medical device manufacturer demonstrates that healthcare supply chains are now direct targets in geopolitical conflicts. CISOs in healthcare and manufacturing must urgently reassess their resilience against wiper-style attacks.
- Pro-Iran Handala group claims responsibility for data-wiping attack on Stryker
- Over 5,000 workers sent home from Stryker's Ireland hub; U.S. headquarters reported a building emergency
- Attack claimed as retaliation for U.S. military strike on Tehran
US entities face heightened cyber risk related to Iran war
Cybersecurity Dive · Mar 10 · Relevance: 9/10
Why it matters to CISOs: The broader Iran conflict is elevating cyber risk across U.S. critical infrastructure, local government, and major enterprises — CISOs need to operationalize threat intelligence around Iranian TTPs and ensure heightened monitoring postures.
- Military campaign against Iran is putting U.S. critical infrastructure at heightened risk
- Local governments and major companies face increased threat of disruptive attacks
- Iran-linked groups using DDoS, phishing, and retaliatory techniques against U.S. targets
Iran MOIS Colludes With Criminals to Boost Cyberattacks
Dark Reading · Mar 12 · Relevance: 8/10
Why it matters to CISOs: Iran's intelligence service is now actively collaborating with cybercriminal groups, blurring the line between state-sponsored and criminal activity and complicating attribution and response for security teams.
- Iranian APTs historically pretended to be cybercriminal groups; now they partner with actual criminal groups
- MOIS collaboration expands operational capabilities of Iranian cyber campaigns
- Complicates threat attribution for defenders
Risky Bulletin: Gen. Joshua Rudd confirmed as next CyberCom and NSA head
Risky Business News · Mar 10 · Relevance: 7/10
Why it matters to CISOs: New leadership at NSA/CyberCom will shape the U.S. government's offensive and defensive cyber posture, including public-private partnerships that directly affect enterprise security strategies.
- Senate confirmed Gen. Joshua Rudd as new CyberCom and NSA chief
- U.S. will establish an inter-agency cyber unit
- Coruna iOS hacking kit traced to L3Harris defense contractor
Officials worry Salt Typhoon apathy is killing momentum for tougher telecom security rules
CyberScoop · Mar 12 · Relevance: 7/10
Why it matters to CISOs: Waning public attention on Salt Typhoon threatens to stall critical telecom security regulation. CISOs at telcos and enterprises dependent on telecom infrastructure should advocate for stronger baseline security requirements.
- Cyber officials say it's challenging to make the public appreciate the gravity of Salt Typhoon
- Momentum for tougher telecom security rules is fading
- China-linked group previously compromised major U.S. telecom networks
📡 Macro Trends
Interpol's 'Operation Synergia III' Nets 94 Arrests in Major Cybercrime Sweep
Infosecurity Magazine · Mar 13 · Relevance: 7/10
Why it matters to CISOs: Major international law enforcement action disrupts phishing and ransomware infrastructure at scale, demonstrating increased global coordination that may temporarily reduce certain threat actor activity.
- 94 arrests across 72 countries and territories
- 45,000 malicious IP addresses taken down
- Targeted phishing, malware, and ransomware operations
Authorities dismantle SocksEscort proxy network behind millions in fraud
Help Net Security · Mar 13 · Relevance: 7/10
Why it matters to CISOs: Takedown of a 369,000-device residential proxy botnet removes infrastructure that enabled cybercriminals to mask attacks. CISOs should check for compromised edge devices in their environments.
- SocksEscort exploited compromised home routers in 163 countries
- 34 domains and 23 servers seized; $3.5M in crypto frozen
- Network claimed about 369,000 victims
AI coding agents keep repeating decade-old security mistakes
Help Net Security · Mar 13 · Relevance: 7/10
Why it matters to CISOs: As AI coding agents enter production workflows, they're introducing known vulnerability classes at high rates. CISOs must mandate security review gates for AI-generated code before it reaches production.
- DryRun Security report shows AI coding agents introduce vulnerabilities at high rates
- Agents miss adding security components across nearly every application type
- Claude Code, OpenAI Codex, and Google Gemini agents all affected
🔓 Data Breach
Ransomware incident responder gave info to BlackCat cybercriminals during negotiations, DOJ alleges
The Record (Recorded Future) · Mar 13 · Relevance: 8/10
Why it matters to CISOs: An incident responder allegedly played both sides — conducting attacks and negotiating for victims simultaneously. CISOs must vet IR providers rigorously and implement controls to verify integrity of third-party responders during active incidents.
- DOJ accused an incident responder of conducting cyberattacks and helping ransomware gangs
- Responder allegedly helped negotiate higher payouts from victims he was working for
- Tied to BlackCat/ALPHV ransomware operations
DOGE employee stole Social Security data and put it on a thumb drive, report says
TechCrunch Security · Mar 10 · Relevance: 8/10
Why it matters to CISOs: Insider threat from a government efficiency initiative highlights the persistent risk of privileged access abuse and inadequate data loss prevention controls, especially during organizational transitions.
- Whistleblower accuses former DOGE member of stealing Americans' personal data from Social Security Administration
- Data reportedly copied to a thumb drive
- Intended for use at a new job
AI-generated Slopoly malware used in Interlock ransomware attack
BleepingComputer · Mar 12 · Relevance: 7/10
Why it matters to CISOs: AI-generated malware is now being used in real ransomware attacks, lowering the barrier for threat actors and complicating detection. Security teams should update detection models to account for AI-written code patterns.
- Slopoly malware likely created using generative AI tools
- Used in Interlock ransomware attack for over a week of persistent access
- IBM researchers described it as unsophisticated but operationally effective
Salesforce issues new security alert tied to third customer attack spree in six months
CyberScoop · Mar 11 · Relevance: 7/10
Why it matters to CISOs: Third wave of attacks exploiting Salesforce Experience Cloud misconfigurations in six months signals a systemic issue. CISOs must audit their Salesforce configurations and guest user permissions immediately.
- Third attack spree targeting Salesforce customers in six months
- Threat group associated with ShinyHunters
- Exploits overly permissive Experience Cloud guest user configurations
⚖️ Governance & Policy
Trump's Cyber Strategy Puts Private Sector on the Offensive
BankInfoSecurity · Mar 15 · Relevance: 9/10
Why it matters to CISOs: The new national cyber strategy envisions private-sector participation in offensive operations, raising profound liability, oversight, and legal questions that CISOs and general counsels must begin planning for now.
- Strategy calls for stronger federal-private partnership including offensive cyber operations
- Raises hard questions about execution, liability, and oversight
- Heralds a shift in how private enterprise could participate against nation-state adversaries and ransomware gangs
When Liability Turns the CISO Into the Fall Guy
BankInfoSecurity · Mar 15 · Relevance: 8/10
Why it matters to CISOs: Directly addresses the growing personal liability risk for CISOs post-breach, which is changing how security leaders report risk and making the role less attractive — a board-level conversation topic.
- Regulators are increasingly pursuing personal accountability after major breaches
- Growing liability risk is weakening security culture
- Experienced practitioners are becoming reluctant to take CISO roles
🚀 Startup Ecosystem
Google completes $32B acquisition of Wiz
Cybersecurity Dive · Mar 11 · Relevance: 9/10
Why it matters to CISOs: The largest cybersecurity acquisition in history reshapes the cloud security market. CISOs using Wiz or competing products should assess how Google Cloud integration will affect multi-cloud strategy and vendor lock-in risk.
- Google closed $32 billion all-cash acquisition of Wiz
- Wiz will continue to operate under its own brand across multiple platforms
- Largest acquisition in Google's history
Mandiant’s founder just raised $190M for his autonomous AI agent security startup
TechCrunch Security · Mar 10 · Relevance: 7/10
Why it matters to CISOs: Kevin Mandia's new $190M-funded startup Armadin signals major VC confidence in autonomous AI-driven security operations, which could reshape how SOCs operate within the next 2-3 years.
- Kevin Mandia founded Armadin to create autonomous cybersecurity agents
- Raised $190M in funding
- Software designed to learn and respond to threats without human intervention
🚨 Critical Vulnerability
CISA Issues Emergency Directive Over Exploited Cisco SD-WAN Flaws
Infosecurity Magazine · Mar 12 · Relevance: 8/10
Why it matters to CISOs: CISA emergency directives signal the highest urgency — organizations running Cisco SD-WAN must treat this as a top-priority patching event given confirmed active exploitation granting admin-level network access.
- CISA issued emergency directive for actively exploited Cisco SD-WAN vulnerabilities
- Exploitation grants attackers admin access to networks
- CISA requesting device logs from affected organizations
Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8
The Hacker News · Mar 13 · Relevance: 7/10
Why it matters to CISOs: Two actively exploited Chrome zero-days require immediate patching across the enterprise. Browser-based exploitation remains a top initial access vector.
- CVE-2026-3909 (CVSS 8.8): out-of-bounds write in Skia graphics library
- Both vulnerabilities confirmed exploited in the wild
- Emergency security updates released by Google
Further Reading
- 🌍 Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker — Krebs on Security
- 🌍 US entities face heightened cyber risk related to Iran war — Cybersecurity Dive
- 🌍 Iran MOIS Colludes With Criminals to Boost Cyberattacks — Dark Reading
- 🌍 Risky Bulletin: Gen. Joshua Rudd confirmed as next CyberCom and NSA head — Risky Business News
- 🌍 Officials worry Salt Typhoon apathy is killing momentum for tougher telecom security rules — CyberScoop
- 📡 Interpol's 'Operation Synergia III' Nets 94 Arrests in Major Cybercrime Sweep — Infosecurity Magazine
- 📡 Authorities dismantle SocksEscort proxy network behind millions in fraud — Help Net Security
- 📡 AI coding agents keep repeating decade-old security mistakes — Help Net Security
- 🔓 Ransomware incident responder gave info to BlackCat cybercriminals during negotiations, DOJ alleges — The Record (Recorded Future)
- 🔓 DOGE employee stole Social Security data and put it on a thumb drive, report says — TechCrunch Security
- 🔓 AI-generated Slopoly malware used in Interlock ransomware attack — BleepingComputer
- 🔓 Salesforce issues new security alert tied to third customer attack spree in six months — CyberScoop
- ⚖️ Trump's Cyber Strategy Puts Private Sector on the Offensive — BankInfoSecurity
- ⚖️ When Liability Turns the CISO Into the Fall Guy — BankInfoSecurity
- 🚀 Google completes $32B acquisition of Wiz — Cybersecurity Dive
- 🚀 Mandiant’s founder just raised $190M for his autonomous AI agent security startup — TechCrunch Security
- 🚨 CISA Issues Emergency Directive Over Exploited Cisco SD-WAN Flaws — Infosecurity Magazine
- 🚨 Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8 — The Hacker News
Full Transcript
Jordan: This week, a wiper attack hit Stryker. A medical device company. Thousands of workers sent home. And the group claiming credit said it was retaliation for a U.S. military strike on Tehran. If you needed a single moment that crystallized where we are in 2026, that was it. Geopolitics is no longer background noise for security teams. It is the job.
Alex: Welcome to Cleartext. I'm Alex Chen. It's Saturday, March 14th, and this is your week in review. If the daily episodes got away from you this week, no judgment — it was a lot. Here's what mattered and what it means going into next week. We're going to cover four major themes: the Iran threat elevation and what it means for your posture right now; a governance story that should be sitting on every CISO's desk — and every general counsel's; a market-moving acquisition that reshapes cloud security; and a set of breach and vulnerability stories that collectively tell you something important about where your defenses may be soft. Jordan, let's start with Iran.
Jordan: So the Stryker story broke Tuesday via Krebs, and it's the kind of story that gets your attention fast. The pro-Iran Handala group is claiming a wiper attack against one of the largest medical device manufacturers in the world. More than five thousand workers sent home from Stryker's Ireland hub. Their U.S. headquarters reportedly had a building emergency. And the framing from Handala was explicit — this is retaliation for U.S. military action against Tehran.
Alex: And this didn't happen in a vacuum. The day before, Cybersecurity Dive had a piece laying out the broader threat elevation picture — critical infrastructure, local governments, major enterprises all flagged as being at heightened risk from Iranian cyber actors. CISA had been making noise about this, and then Stryker happens and suddenly the threat briefings feel very concrete.
Jordan: What makes this week different from prior Iran threat cycles is the Stryker attack itself, but also a third story that came out of Dark Reading on Wednesday. Iran's Ministry of Intelligence is now actively partnering with actual criminal groups. Not impersonating them — partnering with them. That is a meaningful operational shift. Historically Iranian APTs dressed up as criminals for plausible deniability. Now they're getting real criminal infrastructure, real criminal tradecraft. Attribution becomes harder, response becomes more complicated, and the attack surface just got wider.
Alex: So what do you do with this as a CISO? Because I've seen some organizations this week who are treating this as a background threat advisory. I don't think that's the right posture.
Jordan: It's not. The practical playbook here is pretty clear. Review your Iranian TTP coverage — CISA has updated guidance, there are fresh indicators from the Stryker incident that are circulating. Make sure you have visibility into your OT and critical systems because that's where wiper attacks do maximum damage. And honestly, if you're in healthcare, manufacturing, defense industrial base, or critical infrastructure — your board needs to hear from you about this before they read about it in the Wall Street Journal.
Alex: The Stryker attack is also a healthcare supply chain story. Medical device manufacturers sit at the intersection of operational technology, patient safety, and manufacturing. A wiper attack doesn't just disrupt IT — it can halt production of devices that are in clinical use. That is a material safety issue, not just a cyber issue. And that distinction matters enormously when you're talking to your board and your legal team.
Jordan: One more thread here — Salt Typhoon. CyberScoop ran a piece midweek about officials worried that momentum for tougher telecom security rules is fading because the public has moved on. And I find that maddening. Salt Typhoon was one of the most significant espionage operations ever conducted against U.S. telecom infrastructure. The fact that news cycles don't care about it anymore doesn't mean the risk went away. CISOs at telcos, and frankly anyone deeply dependent on telecom infrastructure, should be actively advocating for stronger baseline requirements, not waiting for regulation to force it.
Alex: Let's move to governance, because there were two stories this week that I think deserve to be read together. The first is the new national cyber strategy out of the Trump administration. BankInfoSecurity had solid coverage on it — the headline is that the strategy envisions private-sector participation in offensive cyber operations. Stronger federal-private partnership, potentially including going on offense against nation-state adversaries and ransomware gangs.
Jordan: Which sounds great until you think about it for thirty seconds. Who authorizes the operation? Who's liable when it goes wrong? What happens when a private company conducts an offensive action and it's misattributed? These are not hypotheticals — these are the hard questions that general counsels are going to be asking, and right now there are no good answers in the public record.
Alex: The second governance story is more personal and frankly more urgent for people in this audience. The CISO liability piece. Regulators are increasingly pursuing personal accountability after major breaches. And the consequence that the piece in BankInfoSecurity laid out is something I hear in private conversations all the time — experienced practitioners are becoming reluctant to take CISO roles. When the downside scenario of doing your job is a federal prosecution, you have to think hard about whether you want to sit in that chair.
Jordan: And the chilling effect on risk reporting is real. If CISOs are afraid that accurate, honest risk documentation becomes evidence in a prosecution, they start hedging. They write for the lawyers, not for the board. Which means boards get worse information. Which means worse decisions. It's a negative feedback loop that ultimately makes everyone less secure.
Alex: The legal and liability exposure question and the offensive operations question are actually connected. Both are about the expanding scope of what CISOs are responsible for without a corresponding expansion of authority or protection. If you don't have a current conversation happening with your board, your general counsel, and your D&O insurer about personal liability, that is the call to schedule Monday morning.
Jordan: Let's talk about the market. Google closed the Wiz acquisition this week. Thirty-two billion dollars, all cash. Largest acquisition in Google's history. Largest cybersecurity acquisition ever. Full stop.
Alex: Here's what I'd tell any CISO using Wiz right now: Google has explicitly said Wiz will continue operating under its own brand across multiple cloud platforms. They're not pulling it behind a Google Cloud wall — at least not yet. But the vendor relationship just changed materially. Your Wiz rep now works for Google. Your renewal conversations happen in a different context. Multi-cloud neutrality is the stated promise; vendor lock-in risk is the real question to press on in your next QBR.
Jordan: And for CISOs not using Wiz — competitive displacement is coming. When a thirty-two billion dollar acquisition closes, the category consolidates around it. Whatever your current CSPM or cloud security stack looks like, expect a more aggressive competitive environment in the next twelve months.
Alex: Kevin Mandia also raised a hundred and ninety million for Armadin this week — autonomous AI security agents for the SOC. Mandiant's founder putting that kind of capital behind fully autonomous threat response is a signal worth watching. We're not there yet, but this is what your SOC looks like in three years if the technology delivers.
Jordan: Now let's run through the breach and vulnerability picture quickly because there's a lot here. The Cisco SD-WAN emergency directive from CISA is a top-priority patching event — admin-level access via confirmed active exploitation. If you haven't pushed that through your change management process already, that's the first thing Monday morning. And two Chrome zero-days were patched Thursday, both confirmed exploited in the wild. Browser-based initial access is never going away. Make sure your patch deployment isn't lagging on endpoints.
Alex: The Salesforce story is one I want to linger on for ten seconds because this is now the third wave of attacks exploiting Experience Cloud misconfigurations in six months. Three waves. Same vector. Same ShinyHunters-linked group. At some point this is no longer a Salesforce problem — it's a configuration governance problem. If you haven't audited your guest user permissions and your Experience Cloud settings, that's overdue.
Jordan: The incident responder story out of The Record is disturbing and important. DOJ alleging that an IR firm employee was conducting attacks and then negotiating higher ransomware payouts from the same victims he was supposedly helping. This is a supply chain trust problem wearing a different suit. How do you vet the people you call when everything is on fire? The answer can't just be reputation. You need contractual controls, independent verification of responder actions during active incidents, and honestly a pre-established relationship with law enforcement so you have a second channel that's not going through your IR provider.
Alex: And the AI-generated malware story from BleepingComputer deserves a mention. Slopoly — a piece of malware used in an Interlock ransomware attack, almost certainly written with generative AI, described by IBM researchers as unsophisticated but operationally effective. That last part is what matters. You don't need sophisticated malware to maintain persistent access for a week and exfiltrate data. The barrier to entry for building functional malware just got lower in a way that's permanent and irreversible.
Jordan: Which connects to the AI coding agents story — DryRun Security's report showing that Claude Code, OpenAI Codex, Gemini agents — all of them introduce known vulnerability classes at high rates into production code. Both stories point in the same direction: AI is accelerating both the attack side and the development side, and security is not keeping pace in either direction.
Alex: So let's step back. What was this week?
Jordan: This week was the moment the geopolitical threat became undeniable and operational. Stryker is a Fortune 500 company. They make surgical robots and orthopedic implants. They got wiped. When that's your threat landscape, the conversation about whether geopolitical cyber risk is a "them problem" is over.
Alex: The through-line I keep coming back to is accountability without authority. CISOs are being asked to defend against nation-state wiper attacks, prepare for a national strategy that might involve offensive operations, manage personal legal liability, vet their own incident responders for corruption — all while patching emergency Cisco vulnerabilities and cleaning up Salesforce misconfigurations. The scope is expanding. The personal risk is expanding. And in most organizations, the authority and the resources are not expanding at the same rate.
Jordan: If you take one thing into your week: the Iran threat is not a news story to monitor. It is an active operational threat requiring an active operational response. Review your wiper resilience. Review your backup architecture. Review your OT segmentation. And brief your board before they ask you.
Alex: The daily show is back Monday. We'll be watching what Stryker discloses over the weekend, whether any other organizations surface as Iran-linked wiper targets, and what the first real implementation questions around the new national cyber strategy look like when they hit the Hill next week. Until then, thanks for spending part of your Saturday with us. Stay sharp.
Jordan: Stay sharp.
Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-03-14.
Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.