The Department of Homeland Security, under Secretary Kristi Noem, issued a National Terrorism Advisory System Bulletin warning of a heightened threat environment across the United States following the launch of Operation Epic Fury on February 28, 2026. The joint U.S.-Israeli military strikes targeted key elements of Iran’s internal security apparatus, and Iranian state media confirmed the death of Ayatollah Ali Khamenei during or shortly after the operation. DHS assessed that while a large-scale physical attack on the homeland remains unlikely, Iran and its proxies pose a persistent threat of targeted attacks, lone-wolf violence, and cyberattacks against American networks and institutions.
The FBI simultaneously raised its terrorism alert level, with Director Kash Patel reportedly involved in coordinating the federal response. Secretary Noem stated she is “in direct coordination with our federal intelligence and law enforcement partners as we continue to closely monitor and thwart any potential threats to the homeland.” But the gravity of these warnings is undercut by an awkward reality: a partial government shutdown has left DHS employees missing paychecks, and the NTAS website itself displayed a notice that it had not been updated since February 17, 2026, due to a lapse in federal funding. This article breaks down the specific threats DHS identified, the cyber dimension of Iranian retaliation, how the government shutdown is complicating homeland security readiness, and what precedent exists from earlier strikes on Iran in 2025.
Table of Contents
- What Exactly Did DHS Warn About After the Iran Strikes?
- How Operation Epic Fury Escalated Beyond Previous Strikes
- The Cyber Retaliation Threat Is Not Hypothetical
- What the Government Shutdown Means for Homeland Security Readiness
- The Lone-Wolf Problem and Domestic Extremism Risk
- FBI’s Elevated Alert and Federal Coordination
- What Comes Next in the Threat Landscape
- Conclusion
- Frequently Asked Questions
What Exactly Did DHS Warn About After the Iran Strikes?
DHS’s bulletin identified several distinct threat categories. In the near term, the department flagged Iran-aligned hacktivists as the most immediate concern, warning of low-level cyberattacks including website defacements and distributed denial-of-service attacks against U.S. networks. These types of attacks are disruptive rather than destructive, but they can rattle public confidence and strain resources at a time when agencies are already stretched thin. Beyond cyber threats, DHS warned that the existential threat now facing the Iranian regime could motivate U.S.-based violent extremists or hate crime perpetrators to attack targets perceived to be Jewish, pro-Israel, or linked to the U.S.
government and military. This is a critical distinction: the threat is not limited to Iranian operatives on American soil. It extends to domestic actors who may be radicalized or emboldened by the geopolitical crisis. The bulletin also raised the specter of lone-wolf attacks, which are notoriously difficult to detect and prevent because they often involve individuals with no formal ties to terrorist organizations. The overall assessment stopped short of predicting a catastrophic event. DHS explicitly stated that a large-scale physical attack on the homeland is unlikely, but emphasized that Iran’s capacity for targeted, asymmetric retaliation should not be underestimated, particularly if the reports of Khamenei’s death are fully confirmed.
How Operation Epic Fury Escalated Beyond Previous Strikes
This is not the first time DHS has issued an NTAS bulletin in response to U.S. military action against Iran. In June 2025, following Operation Midnight Hammer — a series of U.S. and Israeli strikes targeting Iranian nuclear facilities — DHS warned of a heightened threat environment driven by expected Iranian retaliation. That earlier advisory set the template for the current one, but the scale of Operation Epic Fury represents a significant escalation.
Operation Midnight Hammer targeted infrastructure. Operation Epic Fury targeted the regime’s internal security apparatus, and the confirmed death of Iran’s supreme leader fundamentally changes the calculus. DHS assessed that Iran is expected to escalate retaliatory actions if reports of Khamenei’s death hold, which means the threat window is not a brief spike but a sustained period of elevated risk. The comparison matters because it suggests a pattern: each round of strikes raises the baseline threat level, and the return to normalcy takes longer each time. However, if the Iranian regime fractures internally in the wake of Khamenei’s death, the threat picture could shift in unpredictable ways. A weakened central government may lose control over proxy networks, which could either reduce coordinated attacks or result in more chaotic, freelance violence from groups no longer tethered to a coherent command structure.
The Cyber Retaliation Threat Is Not Hypothetical
Defense and cybersecurity experts have warned that the Iran strikes will test U.S. cyber strategy both abroad and at home. Iran has a well-documented history of cyber operations against American targets. During previous periods of tension, Iranian-linked groups have targeted U.S. financial institutions, government agencies, and critical infrastructure. The expectation now is that these capabilities will be deployed more aggressively. DHS specifically identified Iran-aligned hacktivists as the most immediate short-term threat.
The distinction between hacktivists and state-sponsored operators matters. Hacktivists tend to favor visible, disruptive attacks — defacing government websites, launching DDoS campaigns, leaking data — rather than the stealthier, more destructive operations that state intelligence services conduct. But the two categories are not mutually exclusive. Iran has a history of using hacktivist fronts as cover for more sophisticated operations, and the chaos following regime destabilization could blur these lines further. For U.S. businesses and local government agencies, the practical concern is that they may become targets of opportunity. A mid-sized municipality’s water treatment system or a regional hospital’s network may not be a strategic military target, but hitting soft civilian infrastructure sends a political message and strains an already overtaxed federal response apparatus.
What the Government Shutdown Means for Homeland Security Readiness
The timing of the Iran strikes could not be worse from a domestic preparedness standpoint. A partial government shutdown has left DHS employees working without pay, and the agency’s own NTAS website carried a disclaimer that it had not been actively managed since February 17, 2026 — eleven days before Operation Epic Fury began. The contradiction is stark: DHS is issuing warnings about heightened threats while simultaneously unable to keep its primary public-facing threat communication tool updated. Republicans in Congress have seized on the situation, citing the Iran strikes to pressure Democrats into approving DHS funding. The political dynamics are a familiar tradeoff: national security urgency becomes leverage in a budget fight, and the people caught in the middle are the DHS employees and the public they are supposed to protect.
Whether the funding impasse accelerates a resolution or becomes another chapter in Washington’s dysfunction remains to be seen, but the operational impact is real. Analysts have raised legitimate concerns about homeland security readiness when the workforce responsible for monitoring and responding to threats is demoralized and financially stressed. The comparison to previous government shutdowns is instructive. During the 2018-2019 shutdown, TSA agents called in sick at elevated rates, and Coast Guard members went without pay while conducting operations. The current situation adds an active military campaign against a state adversary to that mix, which raises the stakes considerably.
The Lone-Wolf Problem and Domestic Extremism Risk
DHS’s warning about domestic violent extremists and hate crime perpetrators deserves particular attention because it represents a threat category that is largely outside the reach of traditional counterterrorism tools. A coordinated attack by an Iranian proxy can, in theory, be detected through intelligence channels. A lone individual who self-radicalizes in response to news coverage and decides to attack a synagogue, a military recruiting station, or a government building is far harder to anticipate. The bulletin’s language was specific: DHS warned that targets perceived to be Jewish, pro-Israel, or linked to the U.S. government and military face elevated risk.
This tracks with historical patterns. After previous escalations in the Middle East, hate crimes against Jewish and Muslim Americans have spiked, often perpetrated by individuals with no connection to foreign actors. The risk runs in multiple directions — anti-Semitic violence from those sympathetic to Iran, and anti-Muslim violence from those who conflate the Iranian regime with Muslim Americans broadly. The limitation here is that local law enforcement is the primary line of defense against lone-wolf attacks, and many local departments lack the intelligence resources and training to identify pre-attack indicators. Federal-local information sharing has improved since 9/11, but it remains uneven, and a government shutdown further degrades those channels.
FBI’s Elevated Alert and Federal Coordination
The FBI’s decision to raise its terrorism alert, with Director Kash Patel reportedly involved in the response, signals that the federal law enforcement apparatus is treating the post-strike period as a genuine operational crisis rather than a routine advisory update. The FBI’s role complements DHS’s: while DHS sets the threat advisory framework, the FBI conducts the investigations, runs informants, and coordinates with the Joint Terrorism Task Forces that operate in cities across the country.
The practical effect of an elevated FBI alert is increased surveillance of known subjects, more aggressive monitoring of online extremist chatter, and closer coordination with state and local partners. For the public, it means a period where federal agents are operating at heightened tempo, but it also means that the same workforce affected by the shutdown is being asked to do more with less.
What Comes Next in the Threat Landscape
The trajectory of the domestic threat environment depends heavily on what happens in Iran over the coming weeks. If the regime collapses or fragments, the proxy networks that Iran has built across the Middle East — Hezbollah, various Iraqi militias, the Houthis — may act independently, and some may seek to demonstrate relevance through attacks on Western targets. If the regime reconstitutes under new leadership, a more calculated, sustained retaliatory campaign becomes the greater concern.
For Americans, the most important takeaway is that this is not a threat that resolves quickly. DHS’s June 2025 bulletin after Operation Midnight Hammer remained in effect for months. The current threat environment is more severe, and the domestic complications — the shutdown, the political polarization, the strain on federal resources — mean that the gap between the threat and the government’s capacity to address it is wider than it should be. Resolving the DHS funding crisis is not just a budget question; it is a national security imperative.
Conclusion
The DHS National Terrorism Advisory System Bulletin issued after Operation Epic Fury reflects a genuine and multi-layered threat to the homeland. Iranian cyber retaliation, lone-wolf attacks, hate crimes against perceived Jewish or pro-Israel targets, and targeted operations by Iranian proxies all represent distinct risk categories that require different defensive responses. The FBI’s elevated alert and Secretary Noem’s public statements indicate that federal agencies are taking these threats seriously, but the partial government shutdown undermines confidence in the government’s ability to execute.
The immediate priorities are clear: resolve the DHS funding lapse so the workforce can focus on its mission, maintain aggressive intelligence sharing between federal and local law enforcement, and prepare for a sustained period of elevated risk rather than a short-term spike. The death of Khamenei, if fully confirmed, does not end the threat — it transforms it, potentially making it less predictable and harder to deter. Americans should stay informed through official DHS and FBI channels and report suspicious activity, while recognizing that the threat landscape after these strikes will take months, not days, to stabilize.
Frequently Asked Questions
What is the current DHS threat level after the Iran strikes?
DHS issued a National Terrorism Advisory System Bulletin warning of a heightened threat environment. The bulletin assesses that a large-scale physical attack is unlikely but that Iran and its proxies pose a persistent threat of targeted attacks, lone-wolf violence, and cyberattacks.
Is the DHS threat advisory website up to date?
As of the strikes on February 28, 2026, the DHS NTAS website displayed a notice that it had not been actively managed since February 17, 2026, due to a lapse in federal funding caused by a partial government shutdown.
What types of cyberattacks is DHS most concerned about?
In the short term, DHS is most concerned about Iran-aligned hacktivists conducting low-level cyberattacks such as website defacements and DDoS attacks against U.S. networks. More sophisticated state-sponsored cyber operations remain a longer-term concern.
Has DHS issued similar warnings before regarding Iran?
Yes. In June 2025, after Operation Midnight Hammer targeted Iranian nuclear facilities, DHS issued an NTAS bulletin warning of a heightened threat environment. The current warning follows the same pattern but reflects a more severe escalation.
Who is most at risk from domestic attacks related to the Iran strikes?
DHS specifically warned that targets perceived to be Jewish, pro-Israel, or linked to the U.S. government and military face elevated risk from U.S.-based violent extremists or hate crime perpetrators motivated by the conflict.