| Signal | Tool | What It Means | Confidence |
|---|---|---|---|
| Airspace closure over Gulf | Flightradar24 | Kinetic action imminent or underway | High |
| ISR aircraft circling a region | ADS-B Exchange | Intelligence gathering or pre-strike surveillance | Medium |
| Check-host screenshot showing timeout | Pizzint / Telegram | Possible DDoS; frequently exaggerated | Low |
| Multiple groups claiming DDoS on same target | SOCRadar Dashboard | Coordinated campaign; service disruption likely | Medium |
| OT/ICS intrusion claim with HMI screenshots | SOCRadar Dashboard | Needs expert verification; may be genuine or psychological ops | Unverified |
| New APT campaign IoCs published | SOCRadar Dashboard | Verified threat actor activity; actionable for defenders | High |
| Iran internet connectivity collapse | World Monitor | Major kinetic or cyber action underway | High |
Tracking the U.S.-Israel-Iran War with OSINT Tools: A Practical Guide
When Operation Epic Fury launched on February 28, 2026, the fog of war hit the internet in real time. Airspace across the Gulf locked down, Iran’s internet connectivity collapsed to roughly 4% of normal levels, and dozens of hacktivist groups began flooding Telegram with cyberattack claims within 48 hours of the first strikes.
Open-source intelligence tools let researchers, journalists, security professionals, and curious citizens observe real-time signals of these events without classified access. The challenge is knowing which tool fits which question, and how to combine them.
This guide covers the OSINT stack best suited to this conflict, a practical workflow for using these tools together, and how to read the cyber dimension of the war specifically. For the full cyber threat intelligence analysis, see the SOCRadar deep-dive on Iran War vs. Israel and US Cyber Reflections.
- Reminder: The tools below are for research and situational awareness.
The OSINT Tool Stack
Each tool below illuminates a different layer of the conflict.
General Situation: World Monitor
Link: worldmonitor.app
A live geopolitical events aggregator pulling in conflict reports, strike claims, and breaking developments in near-real-time. Good as the entry point for broad situational awareness across the Middle East theater. When you see an incident claim here, note the geographic coordinates and timestamp before pivoting to other tools for corroboration.

World Monitor App Dashboard
Best for: Event stream, early breaking reports, broad theater overview, customizable dashboard
Cyber Operations: SOCRadar Iran-Israel Cyber Conflict Dashboard
Link: SOCRadar Iran-Israel Cyber Conflict Dashboard
The definitive resource for the cyber dimension of this conflict. Tracks APT group activity, hacktivist operations, DDoS campaigns, data leaks, defacements, and Telegram channel signaling, all tied directly to this conflict. Covers groups like MuddyWater, APT42, Cyber Av3ngers, Cyber Islamic Resistance, DieNet, and NoName057(16) with analyst-vetted assessments rather than raw claims.
Unlike the other tools in this list, the SOCRadar dashboard is purpose-built for the cyber domain and separates verified intelligence from noise, which is the distinction that matters most when hundreds of claims per day are circulating.
Best for: APT tracking, hacktivist campaign monitoring, OT/ICS intrusion claims, verified cyber intelligence
Conflict Mapping: Conflictly
Link: conflictly.app
Conflict mapping and incident tracking with geographic visualization. Useful for understanding the spatial spread of strikes, drone impacts, and reported incidents across Iran, Israel, and Gulf states. Use alongside World Monitor: World Monitor gives you the feed, Conflictly puts it on the map.

Conflictly App Dashboard
Best for: Geographic incident tracking, drone impact mapping, spatial spread of the conflict
Unconventional Signal: Pizzint Watch / Pentagon Pizza Index
Link: pizzint.watch
A real-time dashboard monitoring pizza order activity around the Pentagon in Arlington, Virginia. Based on the Cold War-era observation that late-night pizza deliveries to government buildings correlate with crisis activity, Pizzint brings the so-called Pentagon Pizza Theory into the digital age using publicly available data. When the index spikes at odd hours, it has historically suggested unusual activity inside the building. Unconventional, but a legitimate type of OSINT signal.

Pentagon Pizza Index Dashboard
Aviation Tracking: ADS-B Exchange and Flightradar24
Links: globe.adsbexchange.com | flightradar24.com
Both tools track aircraft in real time, but they serve different purposes. ADS-B Exchange is unfiltered and uncensored: it does not remove aircraft at government request, so sensitive and military flights that disappear from other trackers should, allegedly, show up here. Flightradar24 has broader coverage, a cleaner interface, and better historical playback, but suppresses many military and government aircraft. Use ADS-B Exchange to spot what is actually flying; use Flightradar24 to track airspace closures and civilian diversions that signal something is happening on the ground.

FlightRadar24 Dashboard
How to Use These Tools Together
Knowing which tool answers which question is the core OSINT skill. Here is a practical workflow:
Step 1: Start with the situation feed
Open World Monitor and Conflictly simultaneously. World Monitor gives you the raw event stream; Conflictly puts it on a map. Note geographic coordinates and timestamps from any incident claim before moving on.
Step 2: Cross-check with airspace signals
Go to ADS-B Exchange and check aircraft activity over the reported area in the same time window. If you see sustained ISR orbits, something is likely happening. Civilian airspace closures on Flightradar24 are often the first public confirmation of major strikes.
Step 3: Surface early claims
Pizzint Watch aggregates Telegram and social signals that travel faster than verified reports. These are unverified leads, not confirmed facts. Corroborate before citing.
Step 4: Layer in the cyber picture
For anything touching digital infrastructure (DDoS claims, website outages, hacktivist announcements, APT activity), pivot to the SOCRadar Iran-Israel Cyber Conflict Dashboard. This is the only tool in this list built specifically for the cyber domain.
Step 5: Verify before sharing
A DDoS “takedown” backed by a check-host.net screenshot is not evidence of infrastructure compromise. OT intrusion claims require independent technical verification. Apply skepticism proportional to the severity of the claim.
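The claim triage described in Steps 4 and 5, as an added example (not code from SOCRadar or any tool named in this guide). The record fields, the 6-hour grouping window, and the sample claims are assumptions constructed for illustration; the confidence labels follow this guide's signal table.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample claims (not real data); field names are assumptions.
CLAIMS = [
    {"ts": "2026-03-02T10:05", "group": "group-a", "target": "portal.example.gov", "kind": "ddos"},
    {"ts": "2026-03-02T11:40", "group": "group-b", "target": "portal.example.gov", "kind": "ddos"},
    {"ts": "2026-03-02T12:00", "group": "group-a", "target": "portal.example.gov", "kind": "ddos"},
    {"ts": "2026-03-03T09:00", "group": "group-c", "target": "bank.example.com", "kind": "ddos"},
    {"ts": "2026-03-04T15:30", "group": "group-d", "target": "water-utility.example", "kind": "ot_ics"},
]

def triage(claims, window=timedelta(hours=6)):
    """Return {target: (confidence, reason)} following the guide's signal table.

    `window` (an assumption, not from the guide) bounds how close in time
    claims from different groups must be to count as one campaign.
    """
    by_target = defaultdict(list)
    for c in claims:
        by_target[c["target"]].append((datetime.fromisoformat(c["ts"]), c))

    result = {}
    for target, items in by_target.items():
        items.sort(key=lambda pair: pair[0])
        # OT/ICS access claims are never scored on volume: they need expert review.
        if any(c["kind"] == "ot_ics" for _, c in items):
            result[target] = ("Unverified", "OT/ICS claim: needs expert verification")
            continue
        # Largest number of distinct groups claiming the target inside one window.
        # Repeat posts by the same group do not count as corroboration.
        best = 0
        for i, (start, _) in enumerate(items):
            groups = {c["group"] for t, c in items[i:] if t - start <= window}
            best = max(best, len(groups))
        if best >= 2:
            result[target] = ("Medium", f"{best} groups in window: coordinated campaign likely")
        else:
            result[target] = ("Low", "single-source DDoS claim: frequently exaggerated")
    return result

if __name__ == "__main__":
    for target, (confidence, reason) in triage(CLAIMS).items():
        print(f"{target:24} {confidence:11} {reason}")
```

None of these labels confirms impact; they only rank which claims to verify first against independent evidence.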
Reading the Signals: What Each Indicator Means
The Cyber Front: Why It Needs Its Own Tools
Cyber operations were not a side effect of this conflict. They were part of it from the first hour. The coordinated attack that took Iran’s internet connectivity to 4% of normal levels on February 28 ran alongside the kinetic strikes, disabling the IRGC-linked Tasnim outlet and taking IRNA offline precisely when Iran’s leadership needed communications most.
For OSINT researchers, general conflict trackers are insufficient for this layer. Hacktivist activity in the first 72 hours of the conflict generated hundreds of claims across over 100 Telegram channels. The challenge is not finding claims; it is evaluating them.
The key hacktivist groups operating in this conflict as of early March 2026:
- Cyber Islamic Resistance – coordinating multiple collectives under a joint Electronic Operations Room
- DieNet – providing DDoS tooling used by smaller groups; targeting Gulf state government, airport, and utility infrastructure
- NoName057(16) – Russian-affiliated, now directing operations toward Israel alongside European targets
- Z-Pentest Alliance – pro-Russian; published claimed HMI screenshots of Israeli water infrastructure access on March 4
When hacktivist activity spikes on a particular target, it does not always mean damage has occurred. But it tells you the target has entered the declared threat landscape. That is intelligence, and it means those organizations need to act regardless of whether today’s specific DDoS claims are accurate.
The more operationally significant signals are the shifts in targeting logic. When groups move from government website DDoS toward claiming OT and ICS access, as several did by March 4, that represents a threshold shift in stated ambition even before technical verification.
Go Deeper
This guide covers the general OSINT layer. For the full cyber threat intelligence analysis including APT group profiles, a MITRE TTP matrix, behavioral indicators, and defense recommendations for targeted organizations, read the complete SOCRadar findings:
Iran War vs. Israel and US Cyber Reflections – SOCRadar
For live cyber conflict tracking updated as events develop:
SOCRadar Iran-Israel Cyber Conflict Dashboard
All tool links are for research and situational awareness. Verify claims independently before drawing conclusions.

