As the war in Iran intensifies, American officials and security practitioners must confront an uncomfortable reality: conflicts abroad rarely stay confined to the battlefield. The immediate focus has understandably been on the escalating military campaign in the Middle East. Yet history suggests that geopolitical shocks of this magnitude often reverberate far beyond the conflict zone, reshaping the security environment inside the United States itself.

That possibility is now confronting policymakers in Washington. Cyber retaliation, Iran-inspired lone-offender violence, or even operations directed by Iranian intelligence services could all emerge as downstream consequences of the war. The question facing homeland security officials is not simply whether Iran will retaliate, but how that retaliation might manifest on American soil.

Unlike earlier periods of tension with Tehran, including the brief 12-Day War last June, the current conflict carries a far higher potential for spillover effects. The scale of the U.S. operation in Iran and the extraordinary circumstances surrounding the death of Supreme Leader Ayatollah Ali Khamenei have fundamentally altered the strategic landscape. For Tehran’s leadership, the stakes now involve not merely prestige but survival. That reality increases the likelihood that Iran could pursue retaliation across multiple domains, potentially extending beyond the Middle East.

Washington’s crossing of what had long been viewed as Iran’s most inviolable red line—the killing of the supreme leader—will almost certainly provoke a whole-of-government response from Tehran. Iran’s capabilities, along with those of many of its proxy groups, have been weakened in recent years through military pressure and intelligence operations. At the same time, a regime fighting for its survival may feel fewer constraints about how or where it strikes back.

In testimony before Congress, the departing Secretary of Homeland Security, Kristi Noem, emphasized that migrants flagged as potential security risks would be re-screened amid the unfolding conflict. Measures like these are politically salient and may offer a sense of reassurance. But they also risk missing the more plausible sources of danger. The most credible threats to the U.S. homeland are unlikely to arrive through migration channels. Instead, they are more likely to emerge from cyberspace, online radicalization, or covert networks that have been cultivated over time.

In the near term, cyberattacks and violence carried out by inspired lone offenders represent the most immediate risks. Iranian cyber actors and affiliated hacktivist groups retain the technical ability to exploit vulnerabilities in American networks and digital infrastructure. In the aftermath of the 12-Day War last year, several federal agencies issued a joint fact sheet warning about potential Iranian cyber activity. That earlier confrontation did not produce a large-scale cyber campaign against the United States, but the current war presents a different strategic context.

Iranian cyber operations would likely fall below the threshold of catastrophic disruption. Instead, they might involve tactics that Tehran has used before: website defacements, distributed denial-of-service attacks designed to overwhelm servers, and the leaking of stolen information in an effort to embarrass institutions or sow confusion. These methods are relatively low-cost but can still generate significant psychological and political effects.

Disinformation campaigns represent another potential front. Iran has previously experimented with online influence operations aimed at shaping public discourse in Western countries. The regime could once again deploy this playbook, using coordinated social-media activity and fabricated narratives to undermine trust in American institutions or amplify divisions within U.S. society. Such efforts are notoriously difficult to detect in real time, and even harder to counter once they begin spreading across digital platforms.

For the Iranian government, launching massive cyber strikes against American critical infrastructure might offer little strategic payoff. But limited and opportunistic attacks designed to signal capability—or to retaliate symbolically—remain plausible. That possibility makes vigilance essential not only for federal agencies but also for private companies and operators of critical infrastructure. Ensuring that networks are patched, monitored, and defended against intrusion attempts will be a crucial line of defense in the weeks ahead.

Separate from cyber activity, there is also the possibility of violence carried out by individuals inspired by events in Iran. Preliminary reports suggest that such a scenario may already have unfolded. On March 1, a gunman wearing clothing bearing the flag of the Islamic Republic of Iran and a hoodie reading “Property of Allah” opened fire inside a bar in Austin, Texas, killing three people and injuring at least fourteen others. Authorities have not yet established a clear motive, but investigators are examining potential links to terrorism.

Texas Governor Greg Abbott issued a statement declaring that the state would respond forcefully to anyone attempting to exploit the U.S.–Iran conflict to threaten public safety. Whether or not the Austin attack ultimately proves connected to the war, the incident underscores a broader concern. Violent acts carried out by individuals who feel inspired or emboldened by geopolitical events can emerge quickly and with little warning.

Iranian officials themselves may contribute to this risk through inflammatory rhetoric. In the days following Khamenei’s death, Iranian leaders called for vengeance, language that could resonate with extremists already inclined toward violence. On March 2, the Islamic Revolutionary Guard Corps issued a statement warning that Americans “will no longer be safe” either in the United States or abroad. Even vague threats of this kind can have a catalytic effect, encouraging individuals to interpret global conflict as a personal call to action.

Should such attacks occur, they would most likely take place at so-called soft targets—houses of worship, entertainment venues, commercial centers, or other public locations where large crowds gather. Demonstrations and public celebrations related to the war could also become targets. Recognizing this possibility, several major American cities, including New York, Los Angeles, and Washington, D.C., have already increased their security posture since the conflict began. Maintaining heightened vigilance in the coming weeks will be critical as the threat environment evolves.

Looking further ahead, the long-term picture may prove even more consequential. If some form of the Iranian regime survives the war—whether under existing leadership structures or through a military takeover—Tehran could eventually pursue retaliation through directed operations rather than spontaneous violence. The Islamic Republic has historically shown remarkable patience when it comes to revenge.

The killing of Iranian military commander Qassem Soleimani in 2020 offers an instructive precedent. In the years that followed, U.S. law enforcement agencies disrupted several Iranian plots targeting American officials. Iranian leaders repeatedly framed Soleimani’s death as a grievance that demanded retribution, suggesting that revenge was not a matter of if but when. The same logic may now apply to Khamenei.

None of those earlier plots ultimately succeeded. But the timelines involved—sometimes stretching across several years—illustrate how Iranian intelligence services operate. They plan methodically, exploit intermediaries, and wait for opportunities that minimize risk while maximizing impact.

If Iran were to direct operations inside the United States, the likely targets would differ markedly from those associated with lone-offender attacks. Tehran has historically focused on specific individuals or symbolic communities rather than random violence against the general public. Potential targets could include U.S. government officials, prominent Iranian dissidents living in exile, or Israeli and Jewish organizations.

Indeed, previous investigations have revealed Iranian plots aimed at figures such as former National Security Advisor John Bolton, allegedly as retaliation for Soleimani’s death. Dissidents and critics of the Iranian regime have also been frequent targets of Tehran’s intelligence services. These patterns suggest that any future operations would likely follow a similarly selective approach.

Iran’s proxy networks represent another potential variable. Among these groups, Hezbollah stands out as the most capable actor with the theoretical ability to conduct operations outside the Middle East. Over the years, authorities have disrupted several Hezbollah-linked plots in the United States. Yet despite those efforts, the group has never successfully carried out an attack on American soil.

Current circumstances may make such an operation even less likely. Israel’s sustained campaign against Hezbollah has degraded the group’s capabilities, forcing it to concentrate on survival and rebuilding within the region. Launching an attack in the United States could invite overwhelming retaliation and further strain Hezbollah’s already diminished resources.

Other Iranian-aligned militias, such as Iraqi Shiite paramilitary groups or Yemen’s Houthis, pose a far lower threat to the U.S. homeland. These organizations generally lack both the logistical infrastructure and the strategic incentives required to carry out attacks inside the United States. Their focus remains squarely on conflicts within the Middle East.

Still, moments of geopolitical tension often generate their own mythology. In recent weeks, speculation about Iranian “sleeper cells” embedded across the United States has begun circulating in political discourse and media commentary. The phrase conjures images of clandestine operatives waiting patiently for the signal to strike.

Yet the historical record offers little evidence to support such fears. Iranian intelligence operations have typically relied on targeted recruitment, criminal intermediaries, or unwitting participants rather than pre-positioned sleeper agents. The popular narrative of dormant cells lurking across the country owes more to Hollywood thrillers than to documented patterns of Iranian behavior.

Ultimately, the trajectory of the war itself will shape the domestic threat environment. A short and contained conflict may produce little more than rhetorical threats and sporadic cyber activity. A prolonged war, particularly one that destabilizes the Iranian state or leaves deep grievances unresolved, could generate a far more complicated security landscape.

For now, American officials have offered relatively few public statements about the evolving threat picture. Both the Department of Homeland Security and the FBI have indicated that they are closely monitoring developments. If credible threats emerge, those agencies should communicate transparently with the public, as they have during previous periods of heightened tension.

Transparency is not merely a matter of reassurance. It allows citizens, businesses, and local institutions to remain alert and to report suspicious activity when necessary. In an era when distant conflicts can quickly ripple across borders and networks, preparedness depends on information as much as vigilance.

The United States has entered a period of profound uncertainty as the war in Iran unfolds. Whether the conflict ultimately reshapes the domestic security landscape will depend on decisions made thousands of miles away. But the lesson of recent history is clear: when wars escalate abroad, their consequences rarely remain confined to distant battlefields.