Network Infrastructure
We monitor Iranian internet architecture, censorship and surveillance systems, and connectivity patterns. Our work draws on in-country passive telemetry that external measurement cannot replicate, combined with AI-driven analysis at scale.
We document the technical and operational conditions on Iranian networks: the routing decisions, the filtering systems, the connectivity events, the surveillance infrastructure, and the structural changes that shape what Iranian users can do online. The aperture spans the long-running architecture of the Iranian internet and the daily operational decisions that affect specific users at specific moments.
Network infrastructure sits underneath every other thing we cover. Cyber actors whose tradecraft assumes a particular routing topology see their operations degrade when conditions shift. Information operations targeting specific platforms become visible or invisible depending on which protocols are reachable. Procurement networks that depend on specific transaction infrastructure see those channels open or close. We treat the network pillar as the floor under everything else, and watching it carefully changes what we see in every other domain.
Our published research and analysis in this area have informed coverage at major international media outlets and supported government investigations. Where our work has documented specific filtering decisions, connectivity events, or surveillance deployments, it has contributed to public understanding of conditions inside Iran and to policy responses.
Five sub-areas inside the network pillar.
Routing and BGP
Iranian autonomous systems, their peering relationships, and the routing decisions that shape connectivity. AS-level analysis of TCI, Irancell, MCI, and the smaller providers. Observable changes in routing behavior connected to specific government decisions.
Filtering and Censorship
The technical systems used to filter traffic into and out of Iran. Protocol-level filtering, DPI deployments, and the operational signatures of specific filtering decisions. What is being filtered, when, and for whom.
Connectivity Events
Internet shutdowns, regional disruptions, and the structural breaks that interrupt service for specific user populations. Documented timing, scope, affected ASNs, and the political or operational context that explains why an event happened when it did.
Surveillance Infrastructure
The technical infrastructure used to monitor Iranian users and traffic. Lawful intercept deployments, monitoring relationships with foreign vendors, and the surveillance practices that operate alongside formal filtering.
In-Country Telemetry
Passive signal from within Iran that external measurement cannot replicate. Connection-level data about what filtering is being applied, when it changes, what protocols and providers are affected, and which user populations are being targeted by specific decisions.
Our work in network infrastructure draws on in-country passive telemetry, third-party measurement, Persian-language source networks providing ground truth on user-facing conditions, and AI-driven analysis at scale.
Most analysis of Iranian internet conditions relies entirely on third-party measurement aggregated from outside Iran. These sources are useful but not sufficient. We maintain operational visibility through infrastructure that operates inside the country, and that visibility informs our work across every other focus area. The condition of the Iranian internet is the floor under everything else we do.
Read our full approach →Selected research and analysis on network infrastructure.
Traffic Laundering: Iran's Azerbaijani Proxy and the Architecture of Controlled Access
Following Iran's May 26, 2026 internet restoration after a three-month blackout, Cloudflare data revealed Iranian traffic masquerading as Azerbaijani through AS29049 (Delta Telecom Ltd.), enabling both sanctions bypass and granular filtering of Cloudflare-hosted content. MTN Irancell routes connections through two paths: DNS spoofing directing traffic through Hetzner servers in Germany, and SNI proxying through Delta Telecom's Azerbaijani network for users with custom DNS. A formal April 2025 agreement between Iran's state backbone operator TIC and Delta Telecom provides government-level structure for this proxy architecture, which grants whitelisted access to sanctioned platforms like OpenAI while enabling connection-level detection of circumvention tools.
Read on Digital Impact Lab Substack →Iran Digital Pulse: Intranet to Filternet
After 88 days of near-total internet blackout, Iranian officials announced partial restoration on May 26, 2026, with Cloudflare Radar showing traffic reaching only 40% of pre-shutdown levels and 91.6% of restored HTTP requests originating from Tehran. The regime abandoned its failed Internet Pro monetization scheme but maintained the underlying filtering infrastructure blocking Telegram, YouTube, Instagram, and WhatsApp for the general population, while most data centers remained isolated from international peers. Iranian voices rejected official framing of the restoration as a concession, identifying it instead as a tactical shift from intranet to filternet that reset public expectations so heavily filtered connectivity now registers as relief rather than ongoing control.
Read on Digital Impact Lab Substack →Iran Digital Pulse: Code Against the Blackout
Iranian developers inside the country built dozens of circumvention tools between February 28 and May 25, 2026, exploiting the government's exemption of Google services from its nationwide internet blackout. Tools disguise traffic as Google requests, tunnel through Google Apps Script and Drive, or use DNS queries as data channels, distributed freely on GitHub with no commercial backing. One project bypasses the internet entirely, broadcasting VPN configs and news via satellite as QR codes readable by any Android phone, funded by direct donations and accessible to tens of millions with existing satellite dishes.
Read on Digital Impact Lab Substack →The network pillar sits alongside three other domains of Iranian state activity online.
Cyber Operations
Iranian state-aligned threat actors, their infrastructure, and their operations against targets inside and outside the country.
Information Operations
State media ecosystems, IRGC-linked information networks, coordinated inauthentic behavior, and the narratives Tehran promotes online.
Sanctions & Procurement
Front companies, financial evasion, beneficial ownership structures, and the procurement networks that sustain sanctioned activity.