Shutting Down the Internet
Iran built Dezhfa as a national cyber defense suite that supports internet isolation under the National Information Network (NIN). Dezhfa blends incident response, threat collection, and network enforcement under CERT.IR and links civilian cyber teams with IRGC-aligned defense bodies. Dezhfa strengthens resilience against malware and service disruption, while expanding state visibility into domestic network activity through national DNS filtering, scanning, and large-scale telemetry. Iranian officials publish large attack-prevention numbers, yet the public data lacks independent audit and mixes nuisance scanning with high-end intrusions. Dezhfa increases the cost of foreign access into Iranian networks and improves Tehran's messaging on attribution and deterrence, while also enlarging domestic control capacity during unrest.
Principal actors and roles
- Ministry of ICT — announced Dezhfa in May 2019 under Minister Mohammad Javad Azari Jahromi and funded development and operations
- CERT.IR MAHER — runs day-to-day monitoring, warning, coordination, and incident response workflows tied to Dezhfa
- Supreme Council of Cyberspace — sets policy directions for NIN and cyber sovereignty concepts
- Passive Defense Organization — links cyber defense to infrastructure protection and civil-military escalation paths
- IRGC cyber units — consume Dezhfa telemetry for defense readiness, training, and intelligence support
- Basij cyber groups — expand training throughput and provincial participation via simulation platforms and exercises
- Iranian ISPs and major service providers — implement DDoS mitigation, DNS filtering, and network controls under national guidance
- Iranian universities and knowledge-based firms — build and adapt tools, often on open-source foundations
- Iranian public and private sector — supply samples, receive warnings, and absorb enforcement side effects
Dezhfa includes ten connected sub-projects that cover malware trapping, file scanning, DDoS mitigation, botnet mapping, endpoint and router hygiene checks, training ranges, national-scale scanning, penetration testing as a service, industrial intrusion detection, and DNS filtering. Iranian reporting describes funding near two hundred billion rials for development and near three hundred billion rials for ongoing operations.
Comparative component map — actions, data, defense value, control value
| Dezhfa component | Primary action | Signals gathered | Defense value | Control value |
|---|---|---|---|---|
| National Telephony system Honey Net | Lures and traps malware via nationwide honeypots | Malware samples, exploit patterns, source IP telemetry | Early warning and sample capture for rapid triage | Broadens visibility into inbound probing and domestic infection trends |
| Native Explorer multi-engine scanner | Scans uploaded files with multiple AV engines | Submitted files, detection hits, hash clusters | Speeds malware ID and signature creation | Centralizes sample flow inside Iran and normalizes domestic reporting |
| Samat DDoS defense | Detects and mitigates traffic floods | Netflow, volumetric anomalies, attack fingerprints | Improves service availability during flooding campaigns | Encourages ISP-level traffic shaping and centralized enforcement |
| Bina botnet and vulnerability mapping | Tracks infected hosts and botnet structures | Infected host lists, C2 patterns, exposed services | Supports takedown coordination and patch prioritization | Creates a national inventory of weak systems tied to owners and sectors |
| Checkup SSL DNS modem tests | Tests common user security gaps | TLS config results, DNS resolver health, router exposure | Raises baseline hygiene and reduces easy compromise | Expands state touchpoints into consumer networking and DNS behavior |
| Syman training platform | Trains web exploitation and defense skills | Training activity telemetry and skill pipelines | Improves domestic defender and red team competence | Expands talent pipelines for IRGC-aligned cyber formations |
| Dana national IP scanner | Scans Iranian IP space for exposures | Open ports, service banners, vulnerable versions | Speeds discovery of exposed systems and weak configs | Enables centralized awareness of domestic infrastructure posture |
| Sina PTaaS | Offers centralized remote testing tools | Authorized scan results, vuln reports | Lowers barrier for routine security testing under sanctions | Concentrates sensitive assessment data inside state-visible platforms |
| Sadid ICS IDS | Detects suspicious ICS traffic, Siemens-focused | ICS protocol events, PLC command anomalies | Adds intrusion alerting for industrial networks | Links cyber alerts to infrastructure security governance and escalation |
| Secure Umbrella DNS filter | Blocks malicious domains and sinkholes botnet C2 | DNS queries, blocked domain lists, infection beacon attempts | Cuts malware command traffic and reduces drive-by compromise | Routes DNS through national resolvers and expands content control options |
Implications for cyber defense, domestic control, and external attribution
- Iran gains a tighter cyber defense loop — Dezhfa collects samples, scans artifacts, maps exposures, and pushes mitigations through national coordination.
- State visibility expands as traffic shifts toward national services — DNS filtering, scanning portals, and national telemetry reduce blind spots inside Iran.
- Internet shutdown resilience improves — NIN continuity tests and Dezhfa integration support service stability during disconnection events.
- Foreign operators face shorter dwell time — honeypots, scanners, and national scanning increase detection probability and speed sample capture.
- Attribution narratives strengthen — Iran uses Dezhfa telemetry to name adversaries and frame cyber conflict as foreign aggression, regardless of independent verification limits.
- Domestic repression capacity grows — national DNS, anomaly detection, and infrastructure-level monitoring strengthen the state toolkit during protest cycles.
Drivers behind Dezhfa rollout and sustained investment
- Sanctions pressure blocks routine access to commercial cyber tools and paid services, pushing domestic toolchains and local hosting.
- Stuxnet legacy shapes Iranian planning — industrial intrusion detection and infrastructure defense received sustained attention after sabotage precedent.
- WannaCry exposure signaled gaps — earlier honeynet efforts reportedly missed the outbreak, incentivizing improved sensor coverage and response workflows.
- Unrest cycles demand isolation readiness — authorities seek a network posture that sustains banks and services during external cuts while preserving monitoring reach.
- Cyber conflict messaging supports deterrence — public claims of foiled attacks strengthen domestic morale and signal readiness to foreign adversaries.
Context timeline — milestone sequence tied to Dezhfa logic
| Year | Event | Relevance to Dezhfa |
|---|---|---|
| 2010 | Stuxnet impact on Iranian industrial targets | Drives ICS detection focus and infrastructure defense emphasis |
| 2017 | WannaCry spread pressure | Exposes response and visibility gaps in prior sensor projects |
| May 2019 | Iran announces Dezhfa under ICT Ministry | Formalizes a national cyber defense suite tied to NIN |
| 2019 onward | Recurrent cyber incident claims and deterrence messaging | Expands public narrative of resilience and attribution capability |
Reported performance and observable effects
Iranian officials claim dramatic detection improvement and large attack counts blocked, including figures near nineteen million attacks from twenty-four countries soon after launch and thirty-three million attacks in a year. Reporting also describes early volume metrics such as thousands of scanned files and hundreds of warnings.
Claim audit table — what Iran reports versus analytic confidence
| Reported claim | What the claim likely measures | Analytic confidence |
|---|---|---|
| 200 percent detection improvement | Expanded sensor coverage, more alerts, more telemetry | Medium — sensor expansion raises counts even without threat growth |
| Nineteen million attacks from twenty-four countries | Internet-wide scanning, botnet probing, commodity exploit attempts | Medium — counts often include noise and low-skill probing |
| Thirty-three million attacks blocked in one year | Aggregated alerts across ISPs, honeypots, DNS, scanning | Medium to low — public reporting lacks audit and standardized taxonomy |
| No successful breaches | Public-facing narrative control | Low — breach disclosure incentives run against transparency |
| NIN continued function in 142 disconnection tests | Service continuity inside domestic routing | Medium — continuity fits NIN design goals, independent validation remains limited |
Simple volume reality check chart — attack counts often mix noise with high-end intrusions
Attack intensity bands — relative, not numeric
- Commodity scanning and bot probing — ██████████ very high
- DDoS attempts against services — ██████ high
- Targeted intrusion campaigns — ███ moderate
- ICS sabotage-grade activity — █ low
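The claim audit table and the intensity bands above make one analytic point: a raw "attacks blocked" figure grows with sensor coverage and with commodity scanning, not only with real threat growth. The following Python is an added example, not code from the report or from CERT.IR, that shows how an analyst would normalise honeynet-style telemetry before reading a headline number. All sensor events, IP addresses and payload tags are constructed; the spray threshold and the projection formula are the example's own assumptions.

```python
"""Added example (not from the report): normalising honeynet-style alert
volumes so sensor growth and commodity scanning are not read as threat growth.
Every event below is constructed sample data."""
from collections import defaultdict

# Constructed sensor events: (sensor_id, source_ip, dst_port, payload_tag).
# 198.51.100.7 sprays SSH brute-force at every sensor (commodity noise),
# 203.0.113.9 probes SMB/RDP broadly (commodity noise), and 192.0.2.44
# keeps returning to one sensor on TCP/102 with an S7comm payload (targeted).
EVENTS = [
    ("s1", "198.51.100.7", 22, "ssh-bruteforce"),
    ("s2", "198.51.100.7", 22, "ssh-bruteforce"),
    ("s3", "198.51.100.7", 22, "ssh-bruteforce"),
    ("s4", "198.51.100.7", 22, "ssh-bruteforce"),
    ("s1", "203.0.113.9", 445, "smb-probe"),
    ("s2", "203.0.113.9", 445, "smb-probe"),
    ("s3", "203.0.113.9", 3389, "rdp-probe"),
    ("s4", "203.0.113.9", 445, "smb-probe"),
    ("s1", "192.0.2.44", 102, "s7comm-plc-control"),
    ("s1", "192.0.2.44", 102, "s7comm-plc-control"),
    ("s1", "192.0.2.44", 102, "s7comm-plc-control"),
]


def volume_metrics(events):
    """The headline 'attacks blocked' number next to the figures that actually
    describe the attacking population."""
    sensors = {e[0] for e in events}
    sources = {e[1] for e in events}
    return {
        "raw_alerts": len(events),            # what press releases usually quote
        "unique_sources": len(sources),       # size of the attacking population
        "sensor_count": len(sensors),
        "alerts_per_sensor": len(events) / len(sensors),
    }


def classify_sources(events, spray_threshold=3):
    """A source that touches at least `spray_threshold` distinct sensors is
    spraying the address space (commodity scanning or bot probing); one that
    keeps returning to a single sensor behaves like a targeted actor.
    The threshold is an assumption for this example."""
    sensors_hit = defaultdict(set)
    for sensor, src, _port, _tag in events:
        sensors_hit[src].add(sensor)
    return {src: ("commodity" if len(hit) >= spray_threshold else "targeted")
            for src, hit in sensors_hit.items()}


def projected_raw_alerts(events, new_sensor_count):
    """Raw alerts expected if the SAME attacking population were observed by
    `new_sensor_count` sensors: spraying sources hit every new sensor too, so
    their share scales with coverage, while targeted activity does not."""
    kinds = classify_sources(events)
    commodity = sum(1 for e in events if kinds[e[1]] == "commodity")
    targeted = len(events) - commodity
    return targeted + commodity * new_sensor_count / volume_metrics(events)["sensor_count"]


def reality_check(events, new_sensor_count):
    """One dict an analyst can put beside an official claim."""
    m = volume_metrics(events)
    kinds = classify_sources(events)
    m["commodity_sources"] = sum(1 for k in kinds.values() if k == "commodity")
    m["targeted_sources"] = sum(1 for k in kinds.values() if k == "targeted")
    m["projected_raw_alerts"] = projected_raw_alerts(events, new_sensor_count)
    return m


if __name__ == "__main__":
    for key, value in reality_check(EVENTS, new_sensor_count=10).items():
        print(f"{key:22s} {value}")
```

With four sensors the constructed data yields 11 raw alerts from only 3 sources, and the projection shows that adding six sensors would raise the headline figure to 23 without a single new attacker. The one targeted source is invisible in the raw count and only appears once sources are classified by how many sensors they touch.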
Strategic foresight analysis for 2026 to 2029
Iran likely expands Dezhfa integration across ISPs and high-value sectors, especially energy, telecom, finance, and government services. Dezhfa also likely tightens the link between cyber defense telemetry and internal security workflows during protest risk periods. Foreign operators likely shift toward stealthier tooling, supply-chain access, and identity-based intrusion paths that reduce exposure to honeypots and malware trapping.
Strategic drivers and signposts
| Driver | Direction | Signposts to watch | Expected effect |
|---|---|---|---|
| Sanctions and procurement constraints | Continuation and tightening cycles | Growth in domestic PTaaS, domestic AV engines, local cloud scanning | More Iran-hosted security tooling and data concentration |
| Protest and stability concerns | Recurrent | Expansion of national DNS mandates, aggressive VPN disruption, rapid isolation drills | Stronger monitoring and enforcement inside NIN |
| Infrastructure sabotage risk | Persistent | Wider ICS vendor coverage beyond Siemens, more sector drills, mandatory ICS sensors | Better detection in plants and pipelines |
| Regional cyber escalation | Episodic spikes | Public attribution statements, retaliatory hack claims, joint exercises | More public deterrence messaging and faster response cycles |
| Talent pipeline and training | Growth | Expansion of training ranges and competitions linked to Basij networks | Larger pool of operators and defenders |
Scenario set: three plausible futures
Scenario A — Fortress deepening and routine isolation drills. Iran expands mandatory DNS filtering and national scanning for most service providers. NIN isolation exercises grow more frequent and more seamless for banking and government services. Domestic control rises and incident response speed improves, while foreign collection operations shift to identity compromise and insider vectors.
Scenario B — Defense growth with uneven execution. Iran expands tooling, yet tool quality and operator discipline vary across provinces and sectors. Commodity threat handling improves, while advanced intrusions persist through weak points in supply chains, credentials, and legacy industrial networks. Tehran continues high-volume success claims, while quiet breach recovery continues behind public messaging.
Scenario C — Counter-pressure and adaptation race. Foreign actors feed deception traffic, poison telemetry, and exploit blind spots in domestic toolchains. Iran responds with stricter network controls, heavier monitoring, and faster escalation links to security services. Domestic friction rises as enforcement side effects hit business operations and citizen access patterns.
Planning implications for analysts and defenders outside Iran
- Collection priorities shift toward NIN enforcement nodes — DNS resolvers, national scanning outputs, ISP-level mitigation partners, and CERT messaging patterns
- Attribution assessment needs stronger sourcing discipline — Iranian public claims require independent corroboration and careful taxonomy separation between scanning noise and targeted intrusion
- Tradecraft for access into Iran trends toward low-sample, low-noise methods — identity compromise, trusted relationships, and supply-chain footholds reduce exposure to honeypots and malware trapping
- Human security risks rise for domestic technologists — state visibility and centralized security portals increase traceability for activity tied to dissent or unauthorized tools
Early warning indicators — operational signals that forecast a tighter fortress
- Mandatory resolver policies expand and enforce compliance
- National-scale scanning advisories escalate from technical teams to senior officials more often
- ICS sensor mandates widen beyond Siemens environments
- Public messaging shifts from defense success claims toward explicit retaliation signaling
- Domestic PTaaS and training platforms gain formal links to IRGC-aligned recruiting pipelines
Analysis
Iran has pursued an “internet isolation” strategy centered on its National Information Network (NIN) – a domestic intranet that can operate independently of the global Internet. A key pillar of this strategy is Dezhfa (Persian for “Digital Fortress”), a comprehensive cyber defense program unveiled in May 2019 by Iran’s ICT Minister, Mohammad Javad Azari Jahromi. Developed with about 200 billion rials (~$1.4 million) in funding, Dezhfa consists of ten interconnected security sub-projects, with ongoing operational costs around 300 billion rials (~$2.1 million). Iranian officials describe it as a “strong fortress” that guards the country against cyberattacks. Dezhfa’s launch was promoted as a significant step to protect national infrastructure, online services, and citizens’ data by detecting malware, deterring attacks, and stopping their spread. It is tightly integrated with Iran’s national CERT (CERT.IR) and coordinates cyber incident response across the country. Iranian authorities claim Dezhfa has dramatically improved threat detection (by 200% according to one official) and thwarted millions of attacks – including “33 million cyber-attacks in one year,” with no successful breaches reported. This report provides a structured analysis of Dezhfa’s components and their functions, its role within Iran’s NIN architecture, the political context of its development, its integration with the IRGC’s cyber doctrine, and implications for domestic control, malware response, and external attribution.
Components of the Dezhfa “Digital Fortress”
Dezhfa comprises a suite of indigenous (“native”) cybersecurity systems, each addressing a specific threat area. Together, these components monitor for threats across Iran’s networks, improve response capabilities, and neutralize attacks across the national intranet and beyond. The main Dezhfa components include:
National Telephony System (Honey Net Malware Trap): A nationwide honeypot network serving as a “national malware trap”. Over 5,000 sensor nodes are deployed across Iran to lure, detect, and collect malware that is infiltrating various parts of the country’s infrastructure. This system – also called “Honeycomb Net” – monitors network traffic for malicious code and maps infections with high accuracy. It builds on Iran’s earlier honeynet projects; for instance, a predecessor, the Honeynet Initiative (HNI), with ~2,000 sensors ran for years but infamously failed to catch the WannaCry ransomware outbreak in Iranian networks. Learning from that, the new Telephony/Honeynet system uses modern honeypot technology (based on open-source tools such as Dionaea) to actively lure malware. By deploying customized honeypots nationwide, Iran’s CERT can observe global hacking attempts (e.g., botnets scanning for victims) and capture incoming malware samples, which support early warning and threat analysis. This honeynet data not only helps neutralize malware before it spreads but also provides intelligence on attack sources (over nineteen million attacks from twenty-four countries were recorded by this system within months of launch).
“Native Explorer” System (Multi-Engine Malware Scanning): An online malware scanning and analysis platform – essentially Iran’s version of VirusTotal. Referred to as the “Native Browser/Raider” or “Virus KAV” system, it allows users and organizations to upload suspicious files for scanning by multiple antivirus engines. This service is offered free to the public and private sector as part of Dezhfa’s “Shield of Defiance” infrastructure. The platform originally ran on a CERTCC scanner portal (under Iran’s CERT) and leverages four integrated anti-malware engines (with plans to expand to 30) to detect viruses in uploaded files. In concept, it works much like VirusTotal – scanning files against numerous AV signatures and reporting results – but using locally hosted engines to ensure sovereignty. This “virus mining” system (KAV) helps identify malware types and infections across Iranian networks. Notably, it is built on existing antivirus technologies rather than wholly new code: the system serves as a wrapper that feeds files to known AV engines and aggregates the detections. By offering a domestic malware sandbox, Iran reduces reliance on foreign services and can encourage entities to report malware samples internally. The Native Explorer system had scanned over 3,000 files and 140 applications in its first few months, issuing hundreds of security warnings and reports to fix vulnerabilities.
Native Samat System (DDoS Defense): A platform dedicated to detecting and mitigating distributed denial-of-service (DDoS) attacks. Samat is a DDoS mitigation system under development at an Iranian university research center, initially tested in lab environments. It is being tuned to handle large-scale traffic floods and is intended for deployment by Iran’s Internet providers (FCPs) and online businesses to absorb or block DDoS attacks. As a “native” solution, Samat has no domestic competitors in Iran (previously, companies had to rely on foreign DDoS protection services). Iranian engineers are essentially trying to build an in-country equivalent to commercial DDoS mitigation networks. Once fully operational, Samat will help keep the National Information Network online during DDoS attacks and reduce reliance on external mitigation services.
Bina System (Botnet and Vulnerability Mapping): A centralized system for tracking botnets and mapping vulnerabilities across the country’s IP space. Bina continuously collects data on infected “zombie” machines and known vulnerabilities in Iranian networks. It helps map out botnet command-and-control (C2) structures and compromised hosts inside Iran. The system differentiates between types of botnet attacks – for example, direct attacks launched from hacker-controlled “zombie” PCs versus indirect attacks routed through C2 servers. By cataloging these threats, Bina can notify network owners of infections and coordinate takedowns. However, its current focus is primarily on simpler attack types; officials note that the system “can only clean up” basic botnet incidents so far, implying that more complex peer-to-peer or hybrid botnets remain a challenge. Still, Bina’s country-wide view of vulnerabilities is valuable – within months, it reportedly identified 20,000 vulnerable systems in Iran that could be exploited. This data feeds into warning alerts to fix weak points before adversaries leverage them.
“Checkup” System (SSL/DNS/Modem Security Assessment): An online diagnostic service that checks standard user-facing security settings. The Checkup system offers three free security tests for the public: (1) It evaluates the configuration and validity of a website’s SSL/TLS certificate to ensure web services are appropriately encrypted. (2) It inspects the DNS settings of users (or domains) to detect if they are using unsafe or hijacked DNS resolvers that could redirect them to malicious sites. (3) It scans the user’s internet modem/router for open ports or known vulnerabilities, warning owners if their home/office routers are insecure. By focusing on these “five points of vulnerability” (as Iranian experts phrase it) for everyday users, the Checkup system aims to raise baseline security awareness. For example, if a user’s DNS queries are being redirected to a hacker’s server, or if their Wi-Fi router has a default password, Checkup will flag it. This service is implemented by Iran’s “Skilled Center” hub (CERT) and helps sanitize the domestic network by empowering users to fix fundamental security issues.
Syman System (Penetration Testing Training Platform): A training and simulation environment for web penetration testing. The Syman system provides a sandbox with intentionally vulnerable web applications where Iranian cybersecurity students and professionals can practice hacking techniques safely. It is built on open-source training tools – specifically the Damn Vulnerable Web Application (DVWA), a deliberately insecure web app used globally to teach web vulnerabilities. Through Syman, users can learn and simulate common attack types such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and brute-force attacks. The platform guides trainees on exploiting these flaws and defending against them. By hosting DVWA and similar labs internally, Iran encourages development of home-grown cybersecurity talent (including IRGC and Basij cyber units) without relying on foreign labs. It effectively “vaccinates” Iranian developers and security teams by improving their skills in finding and fixing weaknesses. Syman’s use of an existing open-source tool (customized for Farsi/local use) exemplifies how Dezhfa’s “native” systems often adapt known solutions rather than inventing from scratch.
Dana System (Nationwide IP Surveillance Scanner): A national network scanning system that continuously probes the entire country’s IP address space for vulnerabilities and anomalies. Dana (meaning “wise” in Persian) acts like an Iranian version of port scanning/search engines such as Shodan – it maps open ports, exposed devices, and security weaknesses across Iran’s networks. By scanning all IP ranges in Iran, Dana can discover unpatched servers, misconfigured services, or signs of malware across thousands of organizations. The data is likely fed into the Bina database and used by authorities to warn entities about “cyber pollution” (i.e., infections) or to proactively lock down critical weaknesses. Details on Dana are scarce (Iran’s CERT intentionally avoided publicizing it), but Iranian reports credit it with identifying tens of thousands of vulnerable systems nationwide. Essentially, Dana provides Iran’s cyber defenders with continuous situational awareness of the country’s cyberspace – a key advantage for an isolated intranet, enabling quick mitigation of threats before foreign attackers can exploit them.
Sina System (Penetration Testing as a Service – PTaaS): A cloud-based security testing platform offering automated penetration testing services to organizations. The Sina system (also referred to as “Sinai”) provides a web platform where companies can submit their IT systems or applications for remote vulnerability assessment and penetration testing. It essentially centralizes expensive security tools and makes them available on demand to domestic users, addressing a common problem in Iran: many local companies and “red teams” lack access to the latest penetration testing tools or cannot afford licenses due to sanctions and cost. Sina, developed at an Iranian “academic app center,” solves this by hosting tools in a cloud environment and allowing teams to conduct authorized scans and exploits via the service. By pooling resources, it reduces costs and improves access to professional security testing for Iranian businesses, thereby boosting overall cyber hygiene by enabling more organizations to test their defenses regularly. In essence, Sina is Iran’s domestic answer to managed security testing services – improving defensive readiness while keeping sensitive data within national borders.
“Sadid”/“Strain” System (ICS Intrusion Detection for Industry): An intrusion detection system (IDS) tailored for industrial control systems (ICS), specifically those using Siemens industrial equipment. Born out of Iran’s experience with attacks such as Stuxnet, this system monitors industrial network traffic (PLC commands, etc.) for malicious patterns or unauthorized activity. Sadid (meaning “solid” or “precise”) – sometimes translated as “Strike” or “Strain” in English – is designed to guard critical infrastructure such as power plants, oil facilities, and manufacturing systems that often rely on Siemens PLCs. It inspects ICS network protocols and triggers alerts if, for example, malware attempts to send dangerous commands to controllers or if unknown devices attempt to access the control network. Iran’s communications ministry has highlighted this “native industrial firewall” as a success in self-sufficiency, now deployed on “all Siemens industrial systems” nationwide. In time, developers plan to extend support to other industrial brands beyond Siemens. The ICS IDS is likely used in tandem with Iran’s Passive Defense Organization (often led by IRGC) to harden vital infrastructure against cyber-sabotage. By detecting intrusions into industrial networks in real time, Sadid provides a crucial layer of defense to prevent another Stuxnet-like attack – or at least to alert operators quickly and contain damage.
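The passage describes two detection conditions for an ICS IDS: a dangerous command sent to a controller by a host that should not be sending it, and an unknown device appearing on the control network. The Python below is an added example, not Sadid's code or any Siemens tooling, of an allowlist-style detector that implements those two rules plus a simple write-burst baseline. The device inventory, the sample traffic and the function labels (PLC_STOP, DOWNLOAD_BLOCK and so on) are constructed generic names for this example, not real S7comm opcodes.

```python
"""Added example (not Sadid's code): allowlist-style intrusion detection for a
PLC network. Inventory, function labels and traffic are all constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed inventory of the control network.
KNOWN_DEVICES = {"10.10.1.5", "10.10.1.20", "10.10.2.11", "10.10.2.12"}
ENGINEERING_STATIONS = {"10.10.1.5"}      # only hosts allowed to stop or reprogram a PLC
PLCS = {"10.10.2.11", "10.10.2.12"}
# Operations that can halt or alter controller logic (generic labels, not real opcodes).
CONTROL_FUNCTIONS = {"PLC_STOP", "PLC_START", "DOWNLOAD_BLOCK", "DELETE_BLOCK"}
# Routine data-acquisition traffic an HMI issues constantly.
ROUTINE_FUNCTIONS = {"READ_VAR", "WRITE_VAR"}
WRITE_BURST_LIMIT = 5   # WRITE_VAR messages per (source, PLC) above which we alert


@dataclass(frozen=True)
class IcsEvent:
    src: str
    dst: str
    function: str


@dataclass(frozen=True)
class Alert:
    severity: str
    rule: str
    event: IcsEvent


class IcsDetector:
    def __init__(self):
        self.write_counts = defaultdict(int)

    def inspect(self, ev):
        """Return the alerts a single control-network message raises."""
        alerts = []
        if ev.src not in KNOWN_DEVICES:
            # Rule 1: a device missing from the inventory is on the control network.
            alerts.append(Alert("high", "unknown-device", ev))
        if ev.dst in PLCS and ev.function in CONTROL_FUNCTIONS \
                and ev.src not in ENGINEERING_STATIONS:
            # Rule 2: a stop/reprogram command from anything but an engineering station.
            alerts.append(Alert("critical", "control-command-from-unauthorised-host", ev))
        elif ev.function not in CONTROL_FUNCTIONS | ROUTINE_FUNCTIONS:
            # Anything outside the known vocabulary deserves a look.
            alerts.append(Alert("medium", "unrecognised-function", ev))
        if ev.function == "WRITE_VAR":
            # Rule 3: a source writing far more than its baseline to one PLC.
            key = (ev.src, ev.dst)
            self.write_counts[key] += 1
            if self.write_counts[key] == WRITE_BURST_LIMIT + 1:
                alerts.append(Alert("medium", "write-burst", ev))
        return alerts

    def run(self, events):
        return [alert for ev in events for alert in self.inspect(ev)]


# Constructed traffic sample: two normal messages, then the two cases the
# passage names (an unknown host, and a stop command from an HMI).
SAMPLE_TRAFFIC = [
    IcsEvent("10.10.1.20", "10.10.2.11", "READ_VAR"),        # HMI polling: normal
    IcsEvent("10.10.1.5", "10.10.2.11", "DOWNLOAD_BLOCK"),   # engineering station: normal
    IcsEvent("10.10.9.99", "10.10.2.12", "READ_VAR"),        # host not in inventory
    IcsEvent("10.10.1.20", "10.10.2.11", "PLC_STOP"),        # HMI halting a PLC
]


if __name__ == "__main__":
    for alert in IcsDetector().run(SAMPLE_TRAFFIC):
        print(alert.severity, alert.rule, alert.event)
```

Because the detector is allowlist-based, it needs no malware signatures: a legitimate engineering station downloading a block produces nothing, while the same command from an HMI is critical regardless of what payload carried it. Extending coverage beyond one vendor, as the passage says the developers intend, is mostly a matter of mapping each protocol's control operations onto the CONTROL_FUNCTIONS set.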
“Secure Umbrella” System (DNS Traffic Filtering): A protective DNS service that blocks known malicious domains and command-and-control servers, thereby sheltering users from botnets. The “Safe Umbrella” system operates a national DNS resolver that filters out any DNS records associated with malware or botnet controllers, meaning if a device inside Iran is infected and tries to reach out to a hacker’s server (e.g., by resolving a C2 domain name), the Umbrella DNS will refuse to resolve or return a safe null address. By “deleting records of bot networks” from DNS responses, the system cuts off malware communications at the network level. Iran’s cyber authorities promote this as a secure DNS option for users to avoid falling into “the net” of hacker-run networks. In some cyber-attacks, attackers hijack victims’ DNS settings or use DNS to redirect traffic; the Umbrella service counters this by ensuring users get authentic, safe DNS results. Essentially, it is a national equivalent to commercial secure DNS services (much like Cisco’s Umbrella product) that can sinkhole botnet traffic. By deploying it broadly, Iran can not only protect less-savvy users from known threats but also observe and log attempted lookups to malicious domains – generating intelligence on botnet activity targeting Iranian networks. This system is part of Iran’s move to provide trusted domestic internet services; citizens using state-sanctioned DNS will be automatically shielded from many global cyber threats (at the cost of routing their traffic through government filters).
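The protective DNS behaviour described above (refuse or sinkhole lookups of known C2 names, and log who asked for them) is small enough to show end to end. The Python below is an added example, not the Secure Umbrella code or any vendor's resolver, of that decision logic: suffix matching so a subdomain of a listed C2 domain is caught, a non-routable sinkhole answer, and an audit trail from which repeat offenders are surfaced as likely infected hosts. The blocklist, the upstream answers and the client addresses are constructed.

```python
"""Added example (not the Secure Umbrella code): decision logic of a
protective DNS resolver with a sinkhole and an infection audit trail.
Blocklist, upstream answers and client addresses are constructed."""
from collections import Counter

SINKHOLE_ADDRESS = "0.0.0.0"   # non-routable answer handed back for blocked names


def normalise(name):
    """Lower-case and drop the trailing dot so 'C2.Example.' equals 'c2.example'."""
    return name.lower().rstrip(".")


class ProtectiveResolver:
    def __init__(self, blocked_domains, upstream_answers):
        self.blocked = {normalise(d) for d in blocked_domains}
        # Stand-in for a real upstream lookup: name -> A record (constructed).
        self.upstream = {normalise(k): v for k, v in upstream_answers.items()}
        self.audit = []   # (client, qname, blocklist entry that matched)

    def match(self, qname):
        """Return the blocklist entry covering qname, walking up the labels so
        'beacon.c2.example' is caught when only 'c2.example' is listed."""
        labels = normalise(qname).split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.blocked:
                return candidate
        return None

    def resolve(self, client, qname):
        """Answer one query: sinkhole if blocked, else forward upstream."""
        rule = self.match(qname)
        if rule is not None:
            self.audit.append((client, normalise(qname), rule))
            return {"rcode": "NOERROR", "answer": SINKHOLE_ADDRESS, "blocked_by": rule}
        answer = self.upstream.get(normalise(qname))
        if answer is None:
            return {"rcode": "NXDOMAIN", "answer": None, "blocked_by": None}
        return {"rcode": "NOERROR", "answer": answer, "blocked_by": None}

    def beaconing_clients(self, min_attempts=2):
        """Clients that repeatedly ask for blocked names are infected hosts
        beaconing to C2 rather than users mistyping a URL. This is the
        intelligence by-product the passage describes."""
        counts = Counter(client for client, _, _ in self.audit)
        return sorted(c for c, n in counts.items() if n >= min_attempts)


# Constructed data for the demo.
BLOCKLIST = ["c2.example", "loader.bad.example"]
UPSTREAM = {"bank.example": "192.0.2.10", "news.example": "192.0.2.20"}


def demo():
    """Replay a handful of constructed queries and return the resolver."""
    r = ProtectiveResolver(BLOCKLIST, UPSTREAM)
    r.resolve("10.0.0.5", "bank.example")        # ordinary lookup, forwarded
    r.resolve("10.0.0.5", "beacon.c2.example.")  # subdomain of a listed C2 name
    r.resolve("10.0.0.5", "C2.EXAMPLE")          # case and trailing dot do not matter
    r.resolve("10.0.0.8", "loader.bad.example")  # one-off hit, not yet "beaconing"
    r.resolve("10.0.0.9", "nope.example")        # unknown name, NXDOMAIN from upstream
    return r


if __name__ == "__main__":
    resolver = demo()
    for entry in resolver.audit:
        print("blocked", entry)
    print("likely infected:", resolver.beaconing_clients())
```

The audit list is the control-value side of the same feature: the resolver necessarily learns which client asked for which name, which is exactly the visibility the report notes a national resolver gives the operator.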
Each of these components is built or customized in Iran (hence branded “native”), though several incorporate open-source technologies under the hood (e.g., Dionaea honeypot, DVWA training app, etc.). By developing indigenous versions, Iran claims technical self-reliance in cybersecurity. Dezhfa’s systems cover a broad spectrum – from trapping malware and scanning files, to mapping botnets and training personnel – reflecting a holistic approach to national cyber defense. Notably, these tools are interconnected. For example, malware caught by the Telephony honeynet can be analyzed via the Explorer multi-AV engine; vulnerabilities found by Dana scanning can be verified via Sina’s testing platform; botnet domains identified by Bina are fed to the Secure Umbrella for blocking; and so on. This integration under one “Cyber Defense Shield” allows Iran’s CERT to coordinate incident response and threat intelligence effectively across the National Information Network.
Placement in the National Information Network Architecture
Dezhfa is architecturally a security shield for Iran’s National Information Network (NIN), sitting at the core of the country’s domestic internet infrastructure. The NIN is an isolated national intranet enabling Iranian communications and online services to continue even if global Internet access is cut. Dezhfa’s systems are built into this network as protective layers. According to officials, Dezhfa identifies and neutralizes a vast portion of threats on the NIN. It is not limited to the intranet alone – its reach extends to detecting threats “in infrastructure, on the internet, on equipment networks, [and] on cell phones” as well – but safeguarding the NIN is the primary goal.
In practice, Dezhfa operates under Iran’s national CERT (CERT.IR) and related cybersecurity centers. The national CERT (also known as MAHER, Iran’s incident response coordination center) is tasked with both cybersecurity incident response and maintaining the NIN’s security. Dezhfa provides the CERT with an integrated toolkit: honeypots deployed at network backbones, DNS filtering at national gateways, scanning services, and warning systems for all ISPs and organizations, effectively embedding security monitoring and incident response within the fabric of the national intranet. For example, traffic flowing through domestic Internet Exchange Points can be monitored by the Telephony honeynet sensors; major Iranian ISPs and data centers likely run Samat DDoS protection appliances and use Umbrella DNS; and CERT analysts can centrally view the country’s threat landscape via Bina and Dana scans.
This deep integration was demonstrated when the ICT Ministry conducted tests by disconnecting Iran from the global Internet – all 142 tests showed that the National Information Network continued to function independently, with local services and banks staying online. Dezhfa’s presence is a significant factor in that resilience: it ensures that, even when isolated, the domestic network is not overwhelmed by cyberattacks or malware outbreaks. Essentially, Dezhfa is the “security shield” of the NIN, enabling Iran to operate a closed, secure network fortress when needed. It also acts as a bridge between the open Internet and the intranet – filtering incoming traffic and data for threats. Any cyber events on Iranian infrastructure (whether originating abroad or internally) are meant to be detected and handled by Dezhfa’s systems in coordination with CERT.IR and network operators.
Organizationally, Dezhfa was initiated by the Ministry of ICT (Information and Communications Technology) under Jahromi’s direction, but it also connects with other bodies, such as the Supreme Council of Cyberspace and the Passive Defense Organization, for policy and implementation. CERT.IR (which falls under the ICT Ministry’s National Cyber Security Center) operates most of Dezhfa’s services on a day-to-day basis. However, its data and alerts feed into national decision-making: for instance, if a Dana scan finds a critical vulnerability in a power grid control system, CERT.IR will alert the Passive Defense Organization (often led by military/IRGC personnel) to secure that asset. In this way, Dezhfa is embedded into Iran’s cyber governance structure, linking civilian cyber authorities with military and infrastructure protection units. The platform’s alerts are even tiered by sensitivity – recent guidelines instruct that severe vulnerability warnings be escalated “from the group of users to the highest levels of chiefs of staff” depending on severity, showing the strategic importance of Dezhfa within Iran’s national security architecture: it is not just an IT tool, but part of the command-and-control for national cyber defense.
Political Context and Development
The launch of Dezhfa came amid heightened cyber threats and sanctions pressure on Iran. In early 2019, facing what it called a surge in foreign cyber-attacks, Iran’s government sought to project strength by announcing a “home-grown cybersecurity wall.” Azari Jahromi, the youthful ICT Minister, unveiled Digital Fortress (Dezhfa) on World Telecommunications Day in May 2019, framing it as a defensive response to “full-force cyber warfare” waged by Iran’s enemies. The project’s branding invoked nationalism and self-reliance: Jahromi emphasized that it was developed domestically and at a comparatively low cost (a few million USD) given the country’s budget constraints. By touting ten indigenous cyber defense systems, the regime aimed to show that, despite sanctions (which made importing security products difficult), Iran could innovate and protect itself.
Politically, Dezhfa’s unveiling also had a public reassurance motive. It followed a period of publicized cyber espionage and sabotage concerns in Iran (the long shadow of Stuxnet and the regional wave of data-wiping attacks such as Shamoon). In response, Iranian officials claimed that “not a single successful attack” had occurred thanks to their new defenses. Jahromi and his deputies boasted that millions of attacks were being detected and neutralized. For instance, by mid-2019 they stated that Dezhfa had already detected nineteen million cyber-attacks originating from twenty-four countries within a few months. By year’s end, Jahromi cited even higher figures, “33 million cyber-attacks” foiled in one year, and attributed this success to Iran’s “cyber defense shield.” These claims cannot be independently verified, and such counts typically lump routine scanning and automated probes together with genuine intrusion attempts. Domestically, however, they were used to bolster the narrative that Iran’s cybersecurity investment was paying off and that the nation could withstand the “cyber-terrorism” of its adversaries.
Funding for Dezhfa, roughly two hundred billion rials for development, was allocated in Iran’s development budgets despite an ailing economy. The relatively low cost (due to reliance on open-source software and local talent) was a selling point, but sustaining the services also required ongoing operational funding (about $2 million annually; Iranian reporting puts the operations budget near three hundred billion rials). The government justified the expense by citing the critical need to protect the digital economy: as Iran’s digital services (e-banking, ride-hailing apps, government e-services) grew, so did the risks, and any disruption would “take a toll on the economy” and daily life. Dezhfa was thus positioned as a guardian not just of security but also of Iran’s nascent digital economy and citizens’ privacy. Officials claimed it would protect personal data, fight online fraud, and even help deter foreign propaganda or subversion.
Another political aspect was messaging to adversaries. By publicly discussing Dezhfa’s capabilities (such as the ICS firewall and DDoS defense), Iran signaled to the US, Israel, and others that attacks would be difficult or would be met with countermeasures. For example, after reports of a U.S. cyber-attack on Iranian missile control systems (June 2019), Iran downplayed its impact and pointed to Dezhfa as proof that it could neutralize such strikes. In late 2019, Iran also announced it had foiled a “massive foreign cyber-attack” on government infrastructure, again crediting the Dezhfa firewall with repelling it. Such announcements serve a propaganda purpose: they portray Iran as holding an impregnable digital fortress and are meant to discourage further attacks.
However, Tehran’s rhetoric also acknowledges that Dezhfa is a work in progress. Only a few of the ten subprojects were fully live at launch; the rest were rolled out over subsequent months. By 2020, the ICT Ministry announced several services “becoming operational,” aligning with Jahromi’s promise that more sub-systems would come online to strengthen the NIN. The government has continued to invest in these projects, often via academic grants and private “knowledge-based firms” inside Iran, as part of a broader push for cyber self-sufficiency. Periodic reports in Iranian media highlight improvements – for instance, an update noted that Dezhfa’s systems had identified 18,000 pieces of malware and issued thousands of vulnerability warnings to Iranian organizations in a few months. Such statistics are publicized to demonstrate Dezhfa’s effectiveness and vigilance.
In summary, Dezhfa’s development was driven by Iran’s defensive posture under pressure: it was unveiled as a national achievement in cyber defense, intended to unify efforts against foreign cyber aggression while also bolstering domestic control of the Internet. The political leadership leverages Dezhfa to show that Iran is not sitting idle – it is actively fortifying its “cyber borders” much like its physical borders.
Integration with IRGC Cyber Doctrine and Operations
Iran’s Islamic Revolutionary Guard Corps (IRGC) has its own robust cyber apparatus and doctrine, which Dezhfa complements and reinforces. The IRGC’s cyber strategy has long stressed the development of indigenous capabilities, the defense of critical infrastructure, and the preparation for asymmetric cyber warfare. Dezhfa’s existence directly serves these goals:
Coordination in Cyber Defense: The IRGC, particularly through bodies such as the Passive Defense Organization and the Cyber Defense Command, closely coordinates with civilian cyber centers. Dezhfa provides the technical backbone for national cyber defense, while the IRGC provides much of the operational muscle. For example, when the Sadid ICS IDS detects an intrusion at a power plant, IRGC cyber units (responsible for critical infrastructure defense) are likely to receive those alerts and respond on the ground. The integration is such that Dezhfa’s CERT-run monitoring and the IRGC’s incident responders act in concert as a national Computer Emergency Response Team for major incidents. This unified approach is part of the IRGC’s doctrine of “cyber sovereignty”: keeping detection and response within Iranian control. In practice, IRGC cyber command units participate in national cyber drills using Dezhfa platforms, and information is exchanged between CERT (under the ICT Ministry) and IRGC intelligence in real time during attacks.
IRGC-Linked Research and Development: Dezhfa’s development included several subprojects that received input or resources from research centers connected to the IRGC. Academic centers that frequently collaborate on military projects developed both the DDoS defense (Samat) and the PTaaS platform (Sina). The IRGC has a history of funding university cyber research (to train and recruit talent for its ranks). By investing in these “native” solutions, the IRGC positions itself for privileged access to the tooling and for features tailored to its needs. The industrial firewall (Sadid) is directly in line with the IRGC’s post-Stuxnet focus: IRGC commanders publicly championed the creation of a “native firewall to counter cyber-attacks on industrial control systems,” which is now realized in Sadid. Thus, Dezhfa fulfills an IRGC requirement for a self-sufficient ICS defense across strategic sectors such as nuclear, oil, and utilities, all areas where the IRGC plays a protective role.
Basij Cyber Battalion Synergy: The IRGC’s Basij militia runs “cyber battalions” tasked not only with online propaganda but also with local cyber defense at the provincial level. Dezhfa’s training and analysis tools bolster the capabilities of Basij cyber units. For instance, the Syman penetration testing simulator is likely used in Basij cyber training courses to improve their offensive and defensive skills. The Basij Cyber Council has held nationwide cyber drills and hackathons in which participants use platforms like Syman and Sina to practice attacking and securing systems, creating a pipeline of skilled young hackers and defenders aligned with IRGC objectives. Moreover, Basij volunteers can act as eyes and ears, feeding into Dezhfa: they might deploy honeypot nodes from the Telephony system within their local networks or assist in analyzing malware caught by the Explorer system, amplifying Dezhfa’s reach through a human network.
Intelligence and Attribution: The IRGC’s cyber doctrine emphasizes identifying the enemy and retaliating if necessary. Dezhfa provides the data needed for attribution of cyber-attacks. IRGC cyber analysts examine the malware samples and attack patterns collected by Dezhfa to trace them back to foreign threat actors. Iranian officials have credited Dezhfa with uncovering specific campaigns, such as an espionage attack linked to APT27 (a Chinese state-linked hacker group), claiming they not only blocked the attack but also “identified the perpetrators” behind it. This level of attribution is useful for IRGC intelligence and propaganda: it allows Iran to call out specific countries or groups for cyber aggression. The IRGC can incorporate these findings into its broader deterrence doctrine, possibly justifying its own offensive cyber operations as retaliation. In public statements, IRGC commanders and Iran’s cyber officials often cite Dezhfa’s statistics and successes (such as millions of attacks foiled) to demonstrate Iran’s alertness and, implicitly, to warn adversaries that their cyber espionage efforts have been exposed.
Incident Response and “Cyber War” Readiness: In Iran’s view, it is already engaged in a low-level cyber conflict with the West and regional foes. The IRGC sees Dezhfa as a wartime command system for the cyber domain. All the pieces (honeynets, scanners, firewalls, and so on) feed into a centralized situational awareness that the IRGC can use during a crisis. When Iran faces a concerted cyber offensive (for example, during periods of political tension or military conflict), IRGC-led response teams would work alongside CERT staff at the MAHER center (Iran’s computer emergency coordination center, sometimes rendered as the Rescue Management Center). Together, they would use Dezhfa to rapidly detect attacks, triage incidents (e.g., isolating infected parts of the network), and deploy countermeasures or patches. This civil-military cooperation is ingrained in IRGC doctrine; they train for scenarios in which simultaneous attacks on government networks, banks, and critical infrastructure might digitally besiege Iran. Dezhfa essentially provides the “radar and air-defense system” for Iran’s cyberspace, while the IRGC provides the soldiers and commanders to operate it under fire.
Overall, Dezhfa augments the IRGC’s broader cyber strategy by providing a unified defensive shield that the IRGC can trust and help direct. It embodies the IRGC’s principles of self-reliance (built internally), defense in depth (multiple systems covering different threat vectors), and integrated response (linking technical detection with operational action). The IRGC, in turn, provides Dezhfa with institutional support, workforce (cyber experts), and legitimacy as a critical national defense project. This symbiosis ensures that in any serious cyber incident, Iran’s response is swift and centralized – a fusion of Dezhfa’s technical capabilities with the IRGC’s command structure.
Implications and Impact
Dezhfa’s deployment has far-reaching implications for Iran’s internal controls, its ability to handle malware threats, and its approach to attribution of cyber incidents. As an integrated national cyber defense platform, it influences both the domestic repression toolkit of the regime and its posture on the international cyber stage.
Enhanced Internal Control &amp; Censorship: Dezhfa strengthens the regime’s hand in monitoring and controlling domestic internet use, indirectly bolstering internal repression capabilities. By routing more Iranian online activity through national services (e.g., domestic DNS, local cloud scanners), the state gains greater visibility into what users are doing. The Secure Umbrella DNS not only blocks malware domains but could also be used to filter undesirable content or communications by simply flagging them as “malicious.” From the client’s side the two cases are indistinguishable: a resolver that refuses a name returns the same failed lookup whether the entry was added for a command-and-control domain or for a news site, and only the operator’s own policy log records why. Likewise, nationwide intrusion detection sensors and scanners can flag the use of encrypted circumvention tools or unusual traffic patterns, which might indicate dissidents using VPNs or secure messengers. In times of civil unrest, Iran has proven it can isolate the country from the global Internet; with Dezhfa in place, the authorities can keep critical services running on the intranet while more effectively sniffing out digital “troublemakers.” For example, if activists attempt to exfiltrate data or coordinate through channels that resemble malware traffic, the Telephony honeypot or the Bina system might catch those signals as “anomalous,” alerting security forces. Dezhfa’s data can feed into Iran’s surveillance apparatus, providing leads on which IP addresses or devices are behaving “suspiciously.” In short, a fortified NIN means the government can more confidently shut off external internet access (to quash protest organizing) while maintaining surveillance and control internally. This dual capability, isolation plus inspection, tightens the state’s grip on online dissent and makes Iran’s Internet censorship regime more robust. Activists face a scenario in which they are not only cut off from the world during crises, but the very network they are forced onto (the NIN) is heavily monitored and filtered by systems like Dezhfa.
Improved Malware Response &amp; Resilience: On the positive side, Dezhfa greatly improves Iran’s capacity to respond to malware outbreaks and cyber threats within its borders. The combined use of honeypots, multi-engine scanning, and nationwide vulnerability sweeps means Iran can identify new malware or exploits faster and coordinate a response. For instance, if a worm starts spreading on Iranian networks, multiple Dezhfa layers would activate: the honeynet traps samples and flags the outbreak, the Virus KAV scanner identifies the malware and checks whether antivirus signatures catch it, and the Checkup system might notify users to update their systems. This addresses a past pain point: Iran was caught off-guard by threats like Stuxnet (2010) and WannaCry (2017) because it had limited early warning. With Dezhfa, Iran has a central clearinghouse for malware. The CERT can rapidly push out alerts or even block traffic (via the Umbrella DNS, or through ISP cooperation using Samat/Bina data) to contain the spread. Dezhfa’s ICS IDS (Sadid) also means that critical industrial systems are no longer “blind” to cyber intrusions: any suspicious PLC command or payload can trigger alarms, giving engineers a chance to intervene before damage is done. Overall, this translates into more cyber-resilient infrastructure, which is crucial given Iran’s reliance on aging industrial technology and the very real threat of state-sponsored cyberattacks. In cyberwar game scenarios, Iran can simulate attacks using Syman and test its defenses against the actual Dezhfa sensors, continually refining its tactics. The result is a closed-loop improvement cycle in national malware defense. While Iran’s cyber defenses may not be top tier globally, Dezhfa significantly narrows the gap, making it harder for attackers to achieve strategic impact (especially when Iran’s network is in isolated mode).
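The two mechanisms described in the preceding paragraphs, a national DNS policy layer that can block names for any reason, and a containment loop that turns trapped samples into blocks, can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not Dezhfa code, and it does not describe the internals of Umbrella, KAV, or the honeynet. The domains, addresses, engine names, and sample hash are constructed placeholders. The policy zone uses RPZ-style suffix matching (an assumption about how such a filter would typically be built), and the verdict rule is a simple engine-count threshold. The point it makes concrete is the one from the censorship paragraph: a malware block and a content block pass through the same code path and produce the same NXDOMAIN for the client; the reason survives only in the operator’s log, and a differential check against an independent resolver reveals that something is filtered but never why.

```python
"""Added example (not Dezhfa code): DNS response-policy filtering plus a
multi-engine verdict -> containment loop.  All names, addresses, engine
names and hashes below are constructed for illustration."""
from dataclasses import dataclass, field
from enum import Enum


class Reason(Enum):
    MALWARE = "malware"   # e.g. a C2 domain extracted from a trapped sample
    CONTENT = "content"   # a policy/"undesirable" block, same mechanism


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


@dataclass
class PolicyZone:
    """RPZ-style block list: domain (suffix match) -> reason for the block."""
    entries: dict = field(default_factory=dict)

    def block(self, domain: str, reason: Reason) -> None:
        self.entries[_norm(domain)] = reason

    def lookup(self, qname: str):
        # Walk from the full name to its parents: a.b.test -> b.test -> test
        labels = _norm(qname).split(".")
        for i in range(len(labels)):
            hit = self.entries.get(".".join(labels[i:]))
            if hit is not None:
                return hit
        return None


def resolve(zone: PolicyZone, qname: str, upstream: dict) -> str:
    """What the client sees.  Every block reason collapses to NXDOMAIN; the
    reason is recorded only on the resolver side, never returned."""
    if zone.lookup(qname) is not None:
        return "NXDOMAIN"
    return upstream.get(_norm(qname), "NXDOMAIN")


def verdict(engine_results: dict, threshold: int = 2) -> bool:
    """Multi-engine rule: malicious if at least `threshold` engines flag it."""
    return sum(1 for flagged in engine_results.values() if flagged) >= threshold


def contain(sample: dict, zone: PolicyZone, threshold: int = 2) -> list:
    """Honeypot sample -> engine verdicts -> C2 names pushed into the DNS
    policy.  Returns the domains that were blocked (empty if verdict is clean)."""
    if not verdict(sample["engines"], threshold):
        return []
    for c2 in sample["c2_domains"]:
        zone.block(c2, Reason.MALWARE)
    return list(sample["c2_domains"])


def differential_check(zone: PolicyZone, upstream: dict) -> list:
    """Practitioner check: names the policy resolver refuses although an
    independent resolver answers them.  Shows THAT filtering happens, not WHY."""
    return sorted(q for q in upstream if resolve(zone, q, upstream) == "NXDOMAIN")


def demo():
    # Constructed sample: three engine opinions and two C2 names (placeholder hash).
    sample = {
        "sha256": "0" * 64,
        "engines": {"engineA": True, "engineB": True, "engineC": False},
        "c2_domains": ["c2.malware-example.test", "beacon.malware-example.test"],
    }
    # Constructed answers an independent (non-national) resolver would give.
    upstream = {
        "c2.malware-example.test": "203.0.113.10",
        "news.example.test": "198.51.100.7",
        "www.example.test": "198.51.100.8",
    }
    zone = PolicyZone()
    blocked = contain(sample, zone)
    zone.block("news.example.test", Reason.CONTENT)   # same mechanism, different motive

    answers = {q: resolve(zone, q, upstream) for q in upstream}
    log = {q: (zone.lookup(q).value if zone.lookup(q) else "pass") for q in upstream}
    return blocked, answers, log


if __name__ == "__main__":
    blocked, answers, log = demo()
    print("blocked by verdict:", blocked)
    for q in answers:
        print(f"{q:30} client sees {answers[q]:12} operator log: {log[q]}")
```

Run as a script it prints the per-name view from both sides; the `differential_check` result for the same zone lists both the C2 name and the news site, which is exactly the limit of what an outside observer can establish.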
Challenges for External Attackers and Attribution Efforts: Dezhfa complicates the operations of foreign cyber actors in Iran and enables Tehran to run its own attribution and naming-and-shaming campaigns. Attackers can no longer assume an easy foothold or prolonged stealth in Iranian networks; honeypots and scanners are distributed throughout them. Any malware used against Iran risks being quickly collected and analyzed by Iranian experts, which raises the cost for adversaries: they must build stealthier tools or accept that their samples may end up in Iran’s hands (and potentially be shared or publicized). In several cases, Iranian officials have publicized details of alleged foreign attacks detected by Dezhfa, sometimes identifying the source country or hacker group. For example, Iran claimed it foiled an espionage attempt by China’s APT27 and a major attack linked to the U.S., attributing both confidently, a capability bolstered by having its own data collection infrastructure. Dezhfa gives Iran the evidence (malware code, attack signatures, victim logs) to attribute attacks and accuse adversaries on the international stage. This has implications for the global cyber discourse: Iran can rebut accusations against itself (for its own hacking activities) by pointing out that it is under constant attack too, and it can use Dezhfa’s statistics to rally support against what it calls “cyber terrorism” and against unilateral sanctions that, in its telling, harm cybersecurity.
Additionally, by catching attacks early, Iran can harden its networks faster, reducing the window in which foreign operations can succeed. However, determined adversaries may also try to trick or overwhelm Dezhfa, for instance by seeding decoy samples into its collection pipeline or by fingerprinting and evading its honeypots. The cat-and-mouse game continues, but Iran now at least has a structured defense apparatus with which to play it.
National Pride and Deterrence: The very existence of Dezhfa is a propaganda tool internally and a deterrent signal externally. Internally, it boosts morale among Iran’s cyber workforce and aspiring tech youth – showing that Iran has its own high-tech projects. It also serves as a recruitment and retention tool; talented engineers might be drawn to work on these significant projects (and thus less tempted to migrate abroad). Externally, as mentioned, it is a part of Iran’s deterrence strategy: much like test-firing a new missile, announcing a new cyber defense system is meant to make enemies think twice. Whether Dezhfa is as effective as advertised or not, Iran’s leadership consistently highlights its capabilities in official statements, suggesting it believes this contributes to cyber deterrence. Indeed, after some major cyber incidents in the Middle East, Iranian officials have stated that their Digital Fortress prevented similar harm in Iran, influencing the calculations of adversaries: they might divert to softer targets, or need to allocate more resources to penetrate Iran’s defenses, knowing Iran is actively watching and ready to publicize any caught attack.
Iran’s Dezhfa program has transformed the country’s cyber defense posture from a patchwork of reactive measures into a more unified, proactive shield. It tightens the regime’s control over cyberspace at home, aiding censorship and surveillance, while making Iranian networks a more challenging target for foreign cyber operations. It embodies Iran’s strategy of digital self-reliance: using mostly domestic talent and open-source technology to fortify the nation against both external aggression and internal “destabilization” via cyberspace. Dezhfa’s full effectiveness remains to be tested against top-tier offensive actors, but it gives Iran a stronger hand in the ongoing invisible war in cyberspace and underscores the country’s commitment to an isolated yet secure national internet.
