Hacked Cameras Killed Khamenei: What That Means for Your Building

I want to talk about the most consequential and least-discussed cyber security story of 2026 so far, which is that Israel maintained access to what the Financial Times reported as “nearly all” of Tehran’s traffic camera network, used what Haaretz cybersecurity reporter Omer Benjakob described as “very cutting-edge data processing or big data fusion techniques — what from a layman’s perspective you would call AI” to construct a comprehensive pattern-of-life model for Iran’s Supreme Leader, and then used that model to identify the location and timing for the precision airstrike that killed Ali Khamenei on February 28. A nation-state used compromised civilian surveillance infrastructure and AI-powered analysis of the resulting video feed to plan and execute the assassination of a foreign head of state. That is not a cybersecurity headline. It is the headline. And the reason it matters for every enterprise security practitioner reading this is that the cameras Israel spent years quietly accessing in Tehran are architecturally identical to the cameras hanging over the entrance of your office building, your data centre, and your manufacturing floor.

What’s Actually Happening

The Financial Times broke the surveillance element of the Khamenei assassination on March 11: Israeli intelligence maintained access to “nearly all” of Tehran’s traffic camera networks. In partnership with the CIA, Israel used those camera feeds to conduct sustained pattern-of-life analysis on senior Iranian leaders including Khamenei himself — mapping his routes, his timing, his vehicle convoy configuration, the predictable rhythms of his movement through the capital. That intelligence fed directly into the targeting decision for the airstrike that killed him on February 28.

Omer Benjakob, Haaretz’s cybersecurity correspondent, expanded on the technical dimension in his NPR interview on March 11: “Israel used, or very likely used, very cutting-edge kind of data processing or big data fusion techniques that from a kind of layman or citizen perspective you would call AI.” Benjakob added that “Israel is likely much further along than the US is in developing its own AI systems for military use” — a significant statement given the US capability baseline.

The CyberSec Guru’s comprehensive timeline of the war’s cyber operations fills in additional context: “Years of hacking Tehran’s traffic cameras allowed Israel to map the ‘pattern of life’ of the Supreme Leader, leading to his elimination.” The Wikipedia cyberwarfare article on the 2026 Iran war confirms: “Israeli intelligence reportedly maintained long-term access to Tehran traffic-camera networks and mobile-phone infrastructure, using the feeds to support targeting of senior Iranian leaders, including the strike that killed Khamenei.”

This is the operational timeline: years of access — established covertly, maintained quietly, generating continuous surveillance data — combined with AI-powered pattern analysis of that data, producing targeting intelligence specific enough to support a precision strike against a protected target in a hostile capital city. The cyber operation and the kinetic operation were not sequential. The cyber operation was the intelligence prerequisite that made the kinetic operation possible at all.

The scale of the camera network access is worth pausing on. Tehran’s traffic camera infrastructure is a government-operated urban surveillance system — the same class of infrastructure that exists in every major city in the world. These are IP-connected cameras, managed through networked video management systems, accessible remotely by the infrastructure operators, and therefore accessible by anyone who can compromise those management systems. The Israeli intelligence operation apparently compromised not one camera, not one district, but “nearly all” of Tehran’s network. That is a systematic, sustained, city-wide surveillance capability achieved entirely through cyber means.

The mobile phone infrastructure access is the second dimension the Wikipedia article documents. Combined with camera access, mobile network data provides triangulation of location, communication patterns, and associations — the full pattern-of-life intelligence picture. This combination — compromised camera networks plus mobile infrastructure plus AI-powered fusion analysis — is what the FT’s sources describe as the operational intelligence base for the Khamenei targeting.

As I noted in my original analysis of the Iran cyber-kinetic war’s opening phase, the February 28 operation represented a point of convergence where cyber operations were not supporting kinetic action — they were constitutive of it. The camera intelligence was not background context for the targeting decision. It was the targeting decision. Without years of sustained camera network access and AI-powered analysis of the resulting data, the precision of the strike that killed Khamenei in his own compound was not achievable.

The Cyber Layer Nobody Is Writing About

The mainstream coverage of the Khamenei assassination has focused on the geopolitical consequence — the succession crisis, Mojtaba Khamenei’s ascension, the leadership vacuum in the IRGC command structure. The cybersecurity coverage has focused on the initial network disruption and the hacktivist response. Neither has spent serious time on the most consequential technical revelation: urban surveillance infrastructure is a primary intelligence collection surface for nation-state cyber operations, and it has been for long enough that it produced the intelligence needed to kill a head of state.

Every city in the world operates traffic cameras, CCTV networks, and video surveillance infrastructure. Every large commercial building operates IP-connected camera systems. Every data centre, hospital, airport, and manufacturing facility runs network video management systems accessible from administrator terminals. And the security posture of that infrastructure — the firmware update cadence, the default credential discipline, the network segmentation between camera management systems and IT infrastructure, the logging and access monitoring — is, in the overwhelming majority of cases, significantly worse than the security posture of the IT infrastructure in the same building.

The reasons for this are structural and depressingly familiar. Physical security cameras were historically managed by physical security teams, not IT security teams. IP-connected cameras were adopted for operational convenience — remote viewing, centralised management, digital archiving — without the security architecture that adoption warranted. The camera management systems that run video surveillance infrastructure are frequently running vendor-provided software with default credentials, infrequently patched firmware, and network connectivity that bridges the camera segment to the enterprise IT network without meaningful segmentation. The camera that monitors your server room entrance is, in many enterprise deployments, on the same network segment as your file servers.

Recorded Future and Shodan both maintain data on internet-exposed camera management systems. Shodan’s persistent scan data has consistently found tens of thousands of IP cameras and network video recorders directly accessible from the public internet, many running factory default credentials or known-vulnerable firmware versions. The specific firmware vulnerabilities in Hikvision, Dahua, and Axis network cameras have been documented in CVEs going back years. Hikvision cameras specifically were cited in a 2021 CISA advisory, an NCSC advisory, and multiple subsequent vulnerability disclosures for critical authentication bypass and remote code execution vulnerabilities. Many of those devices remain unpatched in production deployments globally.

My research on protecting submarine cable and satellite infrastructure through AI surveillance addresses the dual nature of surveillance infrastructure: the same AI-powered analysis capability that enables protective surveillance of critical infrastructure also enables offensive pattern-of-life collection against the people and operations inside that infrastructure. The Khamenei case is the first publicly confirmed example of that capability producing kinetic effects. It will not be the last.

The quantum and AI threat dimensions I’ve written about previously include exactly this convergence: AI-powered analysis of surveillance data, applied at scale, produces intelligence that was previously achievable only through human surveillance at orders of magnitude greater cost and risk. An intelligence operation that would have required fifty human agents maintaining physical surveillance of a target for years was replicated by compromised camera infrastructure and AI-powered video analysis. That capability does not exist only in Israeli military intelligence. It exists in every sophisticated state actor’s toolkit, and its application is not limited to foreign heads of state.

Why It Matters Beyond the Conflict Zone

The enterprise translation is specific and uncomfortable.

Your physical security camera infrastructure is an IT security problem that most IT security teams have not fully owned. The cameras that record your executive suites, your server rooms, your manufacturing floors, your sensitive document handling areas, your boardrooms — they are IP-connected devices running software, connected to your network, accessible via management interfaces that may or may not be adequately secured.

An adversary with access to your camera management system has access to continuous video surveillance of the people and operations inside your building. In an enterprise context, that means: executive meetings where strategy is discussed, data centre operations where privileged access patterns are visible, manufacturing processes where proprietary procedures are observable, and physical security procedures where vulnerabilities can be identified. This is not a hypothetical intelligence value. It is the same intelligence value that Israeli intelligence extracted from Tehran’s traffic cameras — the only difference is the target.

The pattern-of-life dimension is equally applicable to corporate targets. An adversary running AI-powered analysis of your camera feeds over weeks or months can identify: which executives are in which meetings, when they arrive and leave, who they meet with off-calendar, the predictable security patterns of your sensitive facilities, and the physical procedures your security staff follow for access to restricted areas. This intelligence has direct value for social engineering, targeted physical access, and competitive intelligence operations.

The secondary risk is lateral movement from camera infrastructure to IT networks. A compromised network video recorder on a segment that connects to your enterprise network is a pivot point into that network. The camera itself is the initial access. The network segment is the attack surface. This is not a theoretical attack path — it is documented in multiple incident response cases where camera infrastructure has been used as the initial foothold for subsequent IT network compromise.

For executives specifically: personal security awareness needs to include the camera infrastructure of the venues you use. The conference room you use for sensitive meetings — what cameras are in it, who manages them, how are they secured? The building you visit for sensitive negotiations — what is its camera infrastructure posture? The hotel business centre where you take calls when travelling — what are the cameras recording? These are physical security questions that now have explicit cyber threat dimensions confirmed by the highest-profile case of 2026.

What Went Wrong

Tehran’s camera infrastructure was, apparently, compromised systematically and maintained for years without detection. The failure modes are the ones consistent with any large-scale IP camera deployment: default or weak credentials on camera management systems, infrequent firmware updates, inadequate monitoring of access to camera management interfaces, and network architecture that did not isolate camera management systems from the broader government network infrastructure.

The enterprise parallel is the same failure mode applied to commercial building infrastructure. Physical security cameras were never designed to be intelligence collection surfaces because when they were installed, they were not IP-connected devices. The transition to IP-connected network cameras happened in the 2000s and 2010s, driven by cost and convenience. The security architecture never caught up because physical security and IT security remained organisationally separate, and the camera infrastructure fell into the gap between them.

The Fix — Fixer’s Advice

The camera infrastructure audit is the immediate operational action. Here is what it actually requires.

Complete inventory of IP-connected camera infrastructure:

Enumerate every IP-connected camera, network video recorder, and video management system in your organisation. This sounds obvious. Most organisations do not have an accurate, current inventory of their physical security camera infrastructure in their IT asset management system — because cameras were historically managed by facilities or physical security teams whose asset records are separate from IT asset records. Fix this. The inventory is the prerequisite for everything else.

Credential audit and default credential elimination:

Every camera management system, network video recorder, and camera device in your inventory should be audited for default credentials. Factory defaults on IP cameras are widely documented — Hikvision’s default admin/12345, Dahua’s admin/admin, and equivalent combinations for dozens of other vendors are in every script kiddie’s playbook and every nation-state operator’s reconnaissance toolkit. Change them. All of them. Document the changed credentials in a privileged credential management system, not in the spreadsheet on the physical security manager’s desktop.

Firmware update programme:

Establish a firmware update cadence for camera infrastructure consistent with your enterprise endpoint patching cadence. IP cameras receive firmware updates that address security vulnerabilities. Those updates are not applied by default. The Hikvision and Dahua CVEs documented in CISA advisories over the past three years include remote code execution vulnerabilities exploitable without authentication. If your camera firmware has not been updated in the past twelve months, treat those devices as unpatched endpoints — because they are.
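The inventory and firmware steps above can be checked together. This is an added sketch, not part of the original post: it reconciles a facilities camera list against an IT asset export and flags firmware older than the twelve-month threshold. The CSV column names, MAC addresses and dates are constructed assumptions.

```python
import csv, io
from datetime import date

# Constructed exports; column names are assumptions, not a vendor format.
FACILITIES_CSV = """\
mac,model,location,firmware_date
00:11:22:aa:bb:01,cam-dome,lobby,2025-11-03
00:11:22:aa:bb:02,cam-bullet,loading-dock,2023-06-18
00:11:22:aa:bb:03,nvr-16ch,security-office,2024-01-09
"""
IT_ASSETS_CSV = """\
mac,hostname,owner
00:11:22:AA:BB:01,cam-lobby-01,it-secops
00:11:22:AA:BB:09,cam-unknown,it-secops
"""

MAX_FIRMWARE_AGE_DAYS = 365  # the twelve-month threshold from the text

def _load(text):
    # Normalise MACs so case differences between systems do not hide matches.
    rows = csv.DictReader(io.StringIO(text))
    return {r["mac"].strip().lower(): r for r in rows}

def reconcile(facilities_csv, it_csv, today):
    """Compare the two inventories and flag devices with stale firmware."""
    fac, it = _load(facilities_csv), _load(it_csv)
    stale = sorted(
        mac for mac, r in fac.items()
        if (today - date.fromisoformat(r["firmware_date"])).days
        > MAX_FIRMWARE_AGE_DAYS
    )
    return {
        # Known to facilities but invisible to IT asset management.
        "missing_from_it_inventory": sorted(fac.keys() - it.keys()),
        # On the network per IT, but facilities has no record of it.
        "unknown_to_facilities": sorted(it.keys() - fac.keys()),
        # Treat as unpatched endpoints.
        "stale_firmware": stale,
    }

if __name__ == "__main__":
    report = reconcile(FACILITIES_CSV, IT_ASSETS_CSV, date.today())
    for category, macs in report.items():
        print(category, macs)
```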

Network segmentation:

Camera management traffic should be on a network segment isolated from enterprise IT infrastructure, with no lateral connectivity between the camera segment and the corporate network. The camera management workstations that require access to both should be hardened endpoints with application whitelisting, not general-purpose workstations with enterprise network access. The video archiving storage that camera management systems write to should be on dedicated infrastructure with access controls that prevent the camera segment from reaching enterprise file systems.

Access monitoring for camera management systems:

Camera management system access should generate audit logs. Those logs should be monitored for: access from unexpected IP addresses, access outside normal operational hours, bulk export of video archive data, configuration changes to camera settings or recording parameters, and administrative account creation. Most camera management systems generate these logs. Most organisations are not monitoring them. An adversary maintaining sustained access to camera infrastructure for intelligence collection will use the camera management system’s own access controls to avoid detection — which means access logging is the primary detection mechanism.
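The monitoring conditions listed above can be expressed as detection rules. This is an added example, not part of the original post: the log format, addresses, accounts and thresholds are constructed assumptions, since each video management system exports audit logs in its own format.

```python
import csv, io, ipaddress
from datetime import datetime

# Constructed sample audit log (ts,user,source_ip,action,detail).
# Real video management systems use their own formats; adapt the parser.
SAMPLE_LOG = """\
2026-03-02T09:14:05,operator1,10.20.30.15,login,
2026-03-02T09:20:41,operator1,10.20.30.15,export,clips=2
2026-03-03T02:47:12,admin,10.20.30.15,login,
2026-03-03T02:49:30,admin,10.20.30.15,export,clips=340
2026-03-03T02:55:02,admin,10.20.30.15,config_change,camera=lobby-01 recording=off
2026-03-04T11:05:19,admin,192.0.2.44,login,
2026-03-04T11:06:03,admin,192.0.2.44,account_create,user=svc_backup role=admin
"""

# Hypothetical site policy values; set these from your own baseline.
ALLOWED_NETS = [ipaddress.ip_network("10.20.30.0/24")]  # management VLAN
WORK_HOURS = range(7, 19)   # 07:00 to 18:59 local time
BULK_EXPORT_CLIPS = 50      # clips in one export event

def detect(log_text):
    """Return (timestamp, user, rule) for every monitoring rule a row trips."""
    findings = []
    fields = ["ts", "user", "ip", "action", "detail"]
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=fields):
        rules = []
        # detail is a space-separated list of key=value pairs, possibly empty.
        detail = dict(p.split("=", 1) for p in (row["detail"] or "").split())
        ip = ipaddress.ip_address(row["ip"])
        if not any(ip in net for net in ALLOWED_NETS):
            rules.append("unexpected_source_ip")
        if datetime.fromisoformat(row["ts"]).hour not in WORK_HOURS:
            rules.append("outside_hours")
        if (row["action"] == "export"
                and int(detail.get("clips", 0)) >= BULK_EXPORT_CLIPS):
            rules.append("bulk_export")
        if row["action"] == "config_change":
            rules.append("config_change")
        if row["action"] == "account_create" and detail.get("role") == "admin":
            rules.append("admin_account_created")
        findings += [(row["ts"], row["user"], r) for r in rules]
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding)
```

In production these rules belong in the SIEM that already receives your IT logs, so camera management access is reviewed by the same team and on the same schedule.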

Executive and sensitive meeting location assessment:

For executives handling sensitive strategy, M&A, legal, or regulatory matters: conduct a physical security assessment of the venues used for those discussions, specifically addressing camera infrastructure. This is not about avoiding cameras — it is about understanding whether the camera infrastructure in those venues is administered and secured to a standard consistent with the sensitivity of what is being discussed inside the space. Conference rooms, boardrooms, and executive meeting areas that are served by camera management systems with inadequate security posture are intelligence collection surfaces for adversaries who can access those management systems.

Final Call-Out

Israel used years of access to Tehran’s camera network, plus AI-powered pattern-of-life analysis, to kill a head of state. That capability did not appear from nowhere and it will not disappear now that it has been used. Every sophisticated state actor has observed the operational template. The cameras in your enterprise facilities are not functionally different from the cameras in Tehran’s intersections — they are IP-connected devices running patchable firmware, accessible via management interfaces, and generating continuous surveillance data that is valuable intelligence if an adversary can reach it. The difference between Tehran’s cameras and yours is that Tehran’s cameras were already interesting to a nation-state intelligence operation. Yours may become interesting. The time to audit and harden that infrastructure is before it is accessed, not after the video appears somewhere it shouldn’t.
