Following the unprecedented joint U.S.-Israeli military strikes on Iran on February 28, 2026 — an operation that killed Supreme Leader Ali Khamenei and decimated Iran’s senior leadership — homeland security experts are now warning that Iranian retaliation on American soil is not just possible but likely. FBI Director Kash Patel immediately placed the bureau’s counterterrorism and counterintelligence teams on high alert, while DHS Secretary Kristi Noem confirmed coordination with federal intelligence and law enforcement partners to monitor emerging threats. The concern is not abstract: U.S. counterterrorism agencies are actively monitoring suspected sleeper cells domestically, and adversarial actors including Hezbollah, Hamas’s external networks, and IRGC proxies have historically demonstrated both the intent and capability to strike back after American military actions.
What makes this moment particularly dangerous is the combination of a decapitated Iranian command structure and the asymmetric tools still available to Tehran’s proxies. Colin Clarke, executive director of the Soufan Center, warned that Iran could resort to extreme measures including terrorism. A former NATO commander described Iran as being on “death ground” — facing an existential threat that could push the regime to “go big” in retaliation. Yet as of March 1, 2026, the Department of Homeland Security has not issued a National Terrorism Advisory System alert, a gap that has drawn sharp criticism from security professionals. This article examines the specific threat landscape, the cyber vulnerabilities facing American infrastructure, the domestic sleeper cell concerns, and what Congress and the White House are doing — or failing to do — in response.
Table of Contents
- Why Are Homeland Security Experts Warning of Iranian Retaliation on American Soil?
- The Sleeper Cell Threat Inside the United States
- The Cyber Retaliation Threat to American Infrastructure
- What the Federal Government Is and Isn’t Doing
- Congressional Politics and the DHS Funding Fight
- The Executive Order and Pre-Existing Iran Policy
- What Comes Next in the Threat Landscape
- Conclusion
- Frequently Asked Questions
Why Are Homeland Security Experts Warning of Iranian Retaliation on American Soil?
The warnings stem from a straightforward calculation: Iran’s conventional military options have been effectively destroyed by Operation Epic Fury (the U.S. codename) and Operation Roaring Lion (Israel’s codename), leaving asymmetric warfare — terrorism, cyberattacks, and proxy operations — as the regime’s only remaining instruments of retaliation. A threat intelligence report from cybersecurity firm Anomali stated plainly that the strikes have “destroyed Iran’s conventional military options, making cyber operations the regime’s sole remaining instrument of asymmetric retaliation.” When a nation-state loses its ability to fight conventionally, the historical pattern is a pivot toward unconventional attacks against softer targets, including civilian infrastructure on the adversary’s home turf. Thomas Warrick, a former deputy assistant secretary for counterterrorism policy at DHS, issued one of the more specific warnings: “Iran will try every cyber trick it can mount, testing the Department of Homeland Security, the private sector, and U.S. cyber defenses.” This is not speculation from the margins.
Warrick spent years inside the department specifically focused on these scenarios. The distinction between this moment and previous U.S.-Iran tensions — such as the 2020 killing of Qasem Soleimani — is scale. The 2026 strikes didn’t remove a single commander; they effectively dismantled Iran’s senior leadership structure, which raises both the motivation and the chaos factor behind any retaliatory response. For comparison, after the Soleimani strike in January 2020, Iran responded with a ballistic missile attack on U.S. forces at Al Asad airbase in Iraq — a relatively contained, state-directed response. With the command structure now largely gone, experts fear the retaliation will be less predictable and harder to intercept because it may come from decentralized proxy networks rather than a centralized military apparatus.
The Sleeper Cell Threat Inside the United States
Federal and local law enforcement have boosted on-the-ground security in major U.S. cities since the strikes began, though no specific, credible threats have been publicly identified as of this writing. Behind the scenes, however, U.S. counterterrorism agencies are quietly monitoring suspected sleeper cells on American soil, stepping up surveillance amid heightened fears of retaliation from Iran-linked operatives or sympathizers. The operative word is “quietly” — the government’s public posture has been notably restrained compared to the apparent intensity of its behind-the-scenes activity. The groups under surveillance include networks tied to Hezbollah, Hamas’s external operations wing, and IRGC proxy organizations.
These are not hypothetical threats. Hezbollah has maintained a presence in the United States for decades, primarily through fundraising and logistical networks, though U.S. law enforcement has disrupted several plots over the years that had operational components. The concern now is that the destruction of Iran’s centralized command structure could paradoxically make these cells more dangerous — without clear orders from Tehran, local operatives may act independently, on shorter timelines, and with less regard for strategic consequences. However, it is important to note a significant limitation in public understanding of this threat: much of the intelligence on sleeper cell activity is classified, and government officials have a mixed track record on accurately conveying the severity of domestic terrorism threats to the public. The absence of a specific, credible threat does not mean the threat is low — it may simply mean that intelligence agencies have not yet connected enough dots. Conversely, elevated rhetoric from officials can sometimes reflect political calculations as much as genuine threat assessments. Citizens should take the warnings seriously while maintaining appropriate skepticism about claims that cannot be independently verified.
The Cyber Retaliation Threat to American Infrastructure
The cyber dimension of potential Iranian retaliation may actually pose a greater immediate risk to ordinary americans than a physical attack. With Iranian leadership effectively decimated, the command structure overseeing Tehran’s cyber operations is largely gone, which paradoxically creates a more dangerous situation: more unpredictable, decentralized proxy attacks launched by actors who may not be constrained by the strategic calculations that previously governed state-sponsored cyber operations. A former NSA operative captured the essence of the threat when warning that cyber retaliation is now “in the hands of a 19-year-old hacker in a Telegram room.” The potential targets are alarming in their breadth. According to reporting from Nextgov and Defense One, Iran could target critical infrastructure including power grids, water treatment facilities, and financial institutions.
These are not theoretical vulnerabilities — Iranian-linked hackers have previously been caught probing American water treatment systems and have conducted attacks on financial institutions. The difference now is motivation. A regime fighting for its survival, or the remnants of its cyber apparatus operating without central oversight, may abandon the restraint that previously kept Iranian cyber operations below the threshold of significant physical damage. Security analysts flagged the 48 hours following March 1 as a period of “extreme volatility,” with hacktivists and proxies expected to lead escalation using Telegram and Reddit as coordination hubs. For American businesses and municipal governments that operate critical infrastructure, this is not a Washington problem — it is a local one. A cyberattack on a regional water treatment facility or power grid would be felt most acutely by the communities that depend on those systems, not by policymakers in the capital.
What the Federal Government Is and Isn’t Doing
The gap between the severity of expert warnings and the visible federal response has become a flashpoint for criticism. On one hand, the FBI and DHS have clearly mobilized: Patel’s decision to place counterterrorism teams on high alert was immediate, and Noem’s public statements about coordination with intelligence partners suggest the interagency machinery is engaged. Federal and local law enforcement have increased security presence in major cities. These are standard — and appropriate — responses to a dramatically elevated threat environment. On the other hand, the absence of a National Terrorism Advisory System alert is difficult to explain.
The NTAS is specifically designed for moments like this — to communicate threat information to the public and to state and local law enforcement agencies that may not have access to classified intelligence briefings. As of March 1, 2026, the NTAS website itself notes it has not been updated since February 17, 2026, due to a lapse in federal funding. This is a remarkable admission: the primary public-facing tool for communicating terrorism threats to the American people is effectively offline because of a budget dispute in Congress, at precisely the moment when the threat environment has escalated dramatically. The tradeoff here is a familiar one in homeland security: issuing a public alert can cause panic and economic disruption, while failing to issue one leaves the public uninformed and potentially vulnerable. But the current situation — where experts are loudly warning of retaliation while the government’s official alert system sits dormant due to a funding lapse — represents the worst of both worlds. The public gets the fear without the actionable guidance.
Congressional Politics and the DHS Funding Fight
The timing of the Iran strikes has collided with an ongoing fight over DHS funding in a way that perfectly illustrates how domestic politics and national security intersect — often badly. Republicans in Congress are now citing potential Iran attacks in calls for immediate DHS funding approval, arguing the department needs full resources to counter homeland threats. The argument has obvious merit: it is difficult to defend the homeland when the department responsible for doing so is operating under a funding lapse that has literally taken its terrorism alert system offline. However, the cynicism of the moment should not be overlooked. DHS funding has been a political football for years, frequently held hostage to immigration policy disputes and partisan brinkmanship.
The fact that it takes a major military operation against Iran to generate urgency around funding the department responsible for homeland security reveals a structural problem that predates this crisis. If DHS requires full funding to counter Iranian retaliation — and it does — then it also required full funding last month, and the month before that, when the threats were less dramatic but still real. The limitation worth flagging is this: even with full funding restored immediately, there are capabilities that cannot be spun up overnight. Cyber defense postures, intelligence collection networks, and coordination protocols with state and local agencies require sustained investment and institutional stability. A last-minute funding surge in response to a crisis is better than nothing, but it is not a substitute for the consistent, unglamorous work of maintaining homeland security infrastructure during peacetime.
The Executive Order and Pre-Existing Iran Policy
Before the strikes, the Trump administration had already been escalating pressure on Iran through economic channels. On February 6, 2026, President Trump signed an Executive Order reaffirming the national emergency with respect to Iran, establishing tariffs on countries acquiring goods or services from Iran under IEEPA authority. This executive action was part of a broader “maximum pressure” strategy that preceded the military operation by several weeks, suggesting that the administration was building toward a more confrontational posture well before the February 28 strikes.
The relevance of this earlier action is that it demonstrates the strikes did not occur in a vacuum — they were the culmination of an escalating pressure campaign. For Americans trying to understand the threat environment, this context matters. Iranian leadership, even before the strikes, was already operating under severe economic pressure and perceived existential threat. The military operation dramatically accelerated a confrontation that was already building, which means the retaliatory infrastructure — cyber capabilities, proxy networks, sleeper cells — may have been activated or placed on standby well before February 28.
What Comes Next in the Threat Landscape
The coming weeks will test whether the United States’ homeland security apparatus is capable of defending against the kind of decentralized, multi-vector retaliation that experts are warning about. The conventional wisdom in counterterrorism circles is that the greatest danger period following a major provocation is the first 30 to 90 days, when the desire for retaliation is at its peak and the operational planning that was already underway can be activated quickly. The 48-hour extreme volatility window flagged by analysts may produce the first visible cyber incidents, but the physical threat — from sleeper cells, lone actors, or proxy operatives — could materialize on a longer timeline.
The honest assessment is that nobody knows exactly what form Iranian retaliation will take, and anyone who claims certainty is selling something. What is clear is that the threat is real, the government’s public-facing alert infrastructure is compromised by its own funding disputes, and the decentralized nature of the likely response makes it inherently harder to predict and prevent than a conventional military strike. Americans should pay attention to guidance from local law enforcement, take basic cybersecurity precautions seriously, and hold their elected representatives accountable for ensuring that the agencies responsible for their safety have the resources to do the job.
Conclusion
The joint U.S.-Israeli strikes on Iran have created the most volatile homeland security environment in the United States since the aftermath of September 11, 2001. Expert warnings about potential Iranian retaliation — through terrorism, cyberattacks, proxy operations, and sleeper cell activation — are grounded in a clear strategic logic: with conventional military options destroyed, asymmetric retaliation against American targets at home and abroad is the most likely response from what remains of Iran’s security apparatus. The FBI and DHS have mobilized, but the absence of a formal NTAS alert and the ongoing funding lapse at DHS raise serious questions about whether the government’s response matches the severity of the threat.
What Americans deserve right now is clear communication, fully funded security agencies, and honest assessments of what is known and what is not. The politicization of DHS funding, the dormant terrorism alert system, and the gap between classified intelligence activity and public transparency all undermine the nation’s ability to respond effectively. Whether Iranian retaliation materializes in the coming days or weeks, the structural vulnerabilities exposed by this crisis will persist long after the immediate threat subsides — and addressing them should be a priority that transcends partisan politics.
Frequently Asked Questions
Has Iran directly threatened to attack the United States on American soil?
As of March 2, 2026, no specific, credible threats against the U.S. homeland have been publicly identified by federal law enforcement. However, FBI Director Kash Patel placed counterterrorism teams on high alert immediately after the strikes, and agencies are actively monitoring suspected sleeper cells and proxy networks with ties to Iran.
What is the National Terrorism Advisory System and why hasn’t an alert been issued?
The NTAS is DHS’s primary tool for communicating terrorism threat information to the public and state and local law enforcement. Despite the dramatically elevated threat environment following Operation Epic Fury, no NTAS alert has been issued. The NTAS website itself notes it has not been updated since February 17, 2026, due to a lapse in federal funding — a fact that has drawn sharp criticism from security professionals.
What kind of cyberattacks could Iran launch against the United States?
Experts warn that potential targets include critical infrastructure such as power grids, water treatment facilities, and financial institutions. With Iran’s centralized cyber command structure largely destroyed, the concern is that attacks may come from decentralized proxy hackers and hacktivists coordinating through platforms like Telegram and Reddit, making them harder to predict and attribute.
What should ordinary Americans do to protect themselves?
Follow guidance from local law enforcement, take basic cybersecurity precautions (update passwords, enable two-factor authentication, be wary of phishing attempts), and stay informed through official government channels. There is no need for panic, but heightened awareness is appropriate given the current threat environment.
What are sleeper cells and how real is the threat?
Sleeper cells are operatives placed in a country who live normal lives until activated for a specific mission. U.S. counterterrorism agencies have long tracked networks tied to Hezbollah, Hamas, and IRGC proxies within the United States. The current concern is that the destruction of Iran’s leadership could trigger activation of these networks, potentially without the strategic restraint that centralized command previously imposed.