Approach

How we work, and what makes the work different from generalist analysis of Iran. Four things distinguish what we do, and they compound on each other.

Why this page exists

Most analysis of Iran’s digital operations is produced by generalist firms covering many regions, often with limited Persian-language capability and no operational visibility into Iranian network conditions. The result is reporting that arrives in English already filtered, days or weeks behind events, and frequently missing the context that makes it intelligible.

We have been doing this work since 2018, and the capabilities described below were built across that period. This page describes them concretely, not as a statement of values, but as a description of what the work actually requires.

Four things distinguish our approach from generalist analysis: we work in Persian as a primary research language, we maintain operational visibility into Iranian network conditions, we build the technology we use, and we treat source protection and attribution as disciplines with documented methodology. Each of these informs the others.

01 Persian-Language Research

Iranian state operations are documented in Persian first.

Iranian state operations, the public reactions to them, and the internal disagreements that drive them are documented, discussed, and contested in Persian first. Reporting that arrives in English is already filtered: by what reached Western newsrooms, by what their sources chose to surface, by what translation work was prioritized. The English-language version of any Iran story is downstream of the Persian-language version, often by days or weeks.

We work in Persian as a primary research language, not as an output of translation tools. Our team maintains source relationships in Iranian-language closed channels that most Western firms cannot reach, and we monitor public Persian-language discourse at scale through internal infrastructure built for that purpose.

The single most important factor separating depth from surface in this domain is whether you can read the room in Persian.

This applies across all four of our focus areas. Cyber operations are debated in Persian-language Telegram channels before tooling reaches public threat reports. Information operations are coordinated in Persian and translated outward; observing the Persian-language version reveals patterns the translated version conceals. Sanctions evasion involves entities whose Persian-language disclosures contradict their English-language presentations. Network infrastructure changes generate Persian-language complaints that document what’s happening on the ground before any technical telemetry would pick it up.

Persian-language capability is not a feature. It is a precondition for serious analysis of this region.

02 Operational Visibility

We see what’s happening on Iranian networks because we are on them.

Most analysis of Iranian internet conditions relies on third-party measurement: routing data, public probes, anomaly detection feeds aggregated from outside Iran. These sources are useful and we use them. They are not sufficient.

We maintain operational visibility into Iranian network conditions through infrastructure that operates inside the country. This gives us in-country passive telemetry that external measurement cannot replicate. We see connection-level signal about what filtering is being applied, when it changes, what protocols and providers are affected, and which user populations are being targeted by specific decisions.

This visibility informs our cyber, information operations, and sanctions analysis as much as it informs our network infrastructure work. When the Iranian internet behaves abnormally, the structural conditions that allow specific operations to succeed or fail change with it. Threat actors whose tradecraft assumes a particular routing topology see their operations degrade. Information operations targeting specific platforms become visible or invisible depending on which protocols are reachable. Procurement networks that depend on specific transaction infrastructure see those channels open or close.

The condition of the Iranian internet is the floor under everything else we do. Watching it carefully changes what we see in every other domain.

We do not publish operational details of how this visibility is maintained, for source-protection reasons described later. The capability is real; the methods are deliberately not described.

03 Proprietary Technology

We build the technology we use.

The volume of Iran-related material relevant to our work now exceeds what any team can process by hand without losing signal. State media output, social media discourse, leaked documents, threat-actor infrastructure, financial filings, network telemetry: each of these streams produces more in a day than a small team could read in a week.

We build internal platforms that ingest these streams, classify and link findings to actor records we maintain, surface anomalies, and accelerate analysis. The technology is built for our use, not productized for resale. Our engineers and analysts work from the same platforms; there is no handoff between a tooling team and an analytical team because the people writing the queries are the people interpreting them.

AI-driven analysis is integrated throughout. We use it where it earns its keep: large-scale Persian-language classification, entity resolution across noisy datasets, anomaly detection in network-condition telemetry, and first-pass review of high-volume material that would otherwise go unread. Where AI does not earn its keep, on attribution decisions, source assessment, and the analytical judgments that determine what we publish, we do not use it.

AI is a force multiplier on the parts of the work that scale. The parts that don’t scale are still ours to do.

This is a deliberate position. Many threat-intelligence and analytical firms now describe their work as AI-driven in ways that obscure who is accountable for the output. AI assists in drafting our published work. Every piece is reviewed and signed off by an analyst who can defend each claim and source. The accountability for what appears under the Digital Impact Lab name sits with a person, not a model.

04 Source Protection & Attribution

Source protection and attribution are disciplines, not afterthoughts.

Working on Iran exposes specific people to specific risks. Sources who speak with us face professional, legal, and physical consequences if their identities or operational channels are revealed. Subjects of our research, even those documented from public material, can be exposed to coordinated harassment when our work amplifies them outside Iran.

We treat source protection as a methodological discipline. The operational details of how we maintain in-country visibility are not published. The provenance of specific findings is documented internally but not always externally. Closed-channel material that informs our analysis is reflected in published work without identifying the channel. We do not amplify Persian-language voices into English-language products without considering what amplification does to the specific person being amplified.

Attribution is a parallel discipline. We do not make attribution claims we cannot defend, and we document the methodology behind the claims we do make. Standards of evidence are explicit. Confidence levels are stated.

Claims are sourced. Methodology is documented. We treat the claims we publish as ones we will defend.

These commitments are visible in our published work. Our threat intelligence dossiers on CERTFA Radar cite specific evidence chains. Our analytical pieces on the Digital Impact Lab Substack distinguish between what we observe directly, what we infer, and what remains uncertain.

This is the part of the work that is least visible to readers but most consequential to the people who appear in it. Doing it correctly takes time and reduces the volume we can publish. We treat that trade-off as the right one.

In summary

Persian capability, in-country visibility, purpose-built technology, and source-protection discipline. None of these alone is rare. The combination is.

Each of these capabilities reinforces the others. Persian-language discourse becomes more useful when network conditions are observable, because we can see what users are reacting to. Network visibility becomes more useful when Persian-language complaints provide ground truth. Both become more useful when proprietary infrastructure can process them at scale. All three become trustworthy only when source-protection and attribution discipline preserve the standing required to do the work.

These capabilities took years to build. The combination described above is what produces the difference between surface analysis and depth on a country this difficult to read, and it is the difference our published work has been demonstrating since 2018.
