To understand why the U.S. Defense Intelligence Agency just rated its closest Middle East ally a “critical” counterintelligence threat — and why the exploding-pager operation that maimed thousands of Hezbollah members was even possible — you have to follow a single thread that runs through all of it. It starts in a Department of Energy lab around 2007, runs through a worm that escaped onto the open internet in 2010, and ends in 2026 with Google paying $32 billion for a four-year-old Israeli startup whose founders all served together in the same military intelligence unit.

That thread is Unit 8200, Israel’s signals-intelligence corps — the rough equivalent of the U.S. National Security Agency — and the story of how it became simultaneously the most audacious offensive cyber power on earth and the talent factory underpinning the defensive stack that banks, hospitals, and governments worldwide now run on. This is the third piece in our look at the new fracture in U.S.–Israel cyber relations, after the DIA’s “critical” designation and the Grim Beeper supply-chain attack. It’s the one that explains the other two.

Act I: Stuxnet, the cyberweapon that broke the physical world

In 2006, under President George W. Bush, the United States launched a covert program with the codename Operation Olympic Games. The goal was to sabotage Iran’s uranium-enrichment program at Natanz without firing a shot — Bush reportedly saw it as the only alternative to an Israeli conventional airstrike that could ignite a regional war. President Obama inherited the program and accelerated it.

The weapon was Stuxnet, and it was a genuine joint venture: the NSA built the core of the malware, the CIA handled the human tradecraft of getting it into an air-gapped facility, and Israel’s Unit 8200 was the partner on the other side. To test it, U.S. labs built a replica of Natanz’s cascade using P-1 centrifuges acquired from Libya after Qaddafi abandoned his nuclear program, and conducted “destructive testing” until the code could reliably make centrifuges tear themselves apart while reporting normal readings to their operators. Deployed, Stuxnet temporarily knocked out roughly 1,000 of the 5,000 centrifuges spinning at Natanz.

It was the first time in history that lines of code physically destroyed industrial infrastructure — the birth certificate of cyber-kinetic warfare. And it only became public because of a mistake: in 2010, a programming flaw let the worm jump from Natanz onto an engineer’s laptop and, from there, onto the open internet, where security researchers found and unraveled it. Two years later, in June 2012, the New York Times’ David Sanger published the definitive account, naming the U.S. and Israel. Neither government has ever formally admitted it.

The strategic lesson Israel took from Stuxnet wasn’t only “cyber can break things.” It was that the people who can do this — the 8200 conscripts who reverse-engineered Siemens controllers and wrote the exploit chains — are the most valuable human capital a small country can manufacture. So it manufactured them at scale.

Act II: The conveyor belt

Israel’s mandatory conscription funnels its most mathematically gifted 18-year-olds into Unit 8200, where they spend their late teens and early twenties doing real offensive and defensive operations against sophisticated adversaries — work that, anywhere else, you’d need a decade and a clearance to touch. Then they muster out, often by 25, with elite skills, a dense alumni network, and no shortage of ideas. The result is the most productive entrepreneurial pipeline in the history of the technology industry:

  • Check Point Software — co-founded by 8200 alumnus Gil Shwed, the company that essentially invented the commercial firewall.
  • Palo Alto Networks — founded by Nir Zuk, now a roughly $100B+ next-generation security giant.
  • CyberArk — the privileged-access leader co-founded by Udi Mokady and Alon Cohen.
  • Wiz — cloud security, founded by Assaf Rappaport, Ami Luttwak, Yinon Costica, and Roy Reznik, who served together in 8200 for nearly a decade.
  • Armis (Nadir Izrael, Yevgeny Dibrov), SentinelOne (Tomer Weingarten), Cybereason (Lior Div), and dozens more.

The same pipeline feeds the offensive commercial industry too — the spyware vendors whose tools we’ve documented at length, from the Predator/Intellexa ecosystem to NSO Group’s Pegasus. The line between “8200 alumnus building a cloud-security unicorn” and “8200 alumnus building a zero-click mobile implant” is, in human terms, often one career decision wide.

Money followed the talent and then started leading it. Cyberstarts, founded by investor Gili Raanan (also a Sequoia partner), has become the default first check for alumni founders; Raanan has said that 90–95% of the founding teams he sees are Unit 8200 veterans. Team8, the venture studio founded by former 8200 commander Nadav Zafrir, runs a “company factory” model and is backed by Eric Schmidt, Cisco, Microsoft, Walmart, and Temasek. The capital, the operators, and the alumni network form a closed, self-reinforcing loop that no other country can replicate.

Act III: 2026 — the year the ecosystem went supernova

If you wanted a single year to mark Israel’s total capture of the cybersecurity industry’s commanding heights, 2026 is it:

  • On February 11, 2026, Palo Alto Networks closed its $25 billion acquisition of CyberArk — a pivot into identity security driven by the rise of AI and machine identities. CyberArk’s founder and several executives are 8200 alumni.
  • On March 11, 2026, Google completed its $32 billion all-cash acquisition of Wiz — the largest exit in Israeli history and one of the biggest acquisitions Google has ever made, cleared only after antitrust probes in the U.S. and EU.
  • The “Rising in Cyber 2026” industry list named fourteen Israeli companies — nearly half the entire roster.

And underneath the headline deals sits the quieter structural fact that has Washington’s counterintelligence officials uneasy. According to a database compiled by an independent researcher and reported by Drop Site News, more than 1,400 veterans of Israeli intelligence — roughly 900 of them from Unit 8200 — hold engineering and security roles inside U.S. tech companies, including an estimated 250 at Microsoft and dozens each at Google, Meta, Apple, Nvidia, and Intel. These aren’t junior seats; they’re the people building and securing the platforms that route the world’s transaction data, cloud workloads, and communications.

The paradox that the DIA just made official

Here is the uncomfortable synthesis of all three stories. The same national security apparatus that built Stuxnet with the NSA, that booby-trapped Hezbollah’s pagers, and that runs the world’s most aggressive commercial-spyware industry also trained the founders of, and staffs the engineering benches of, the companies defending much of the planet’s digital infrastructure. For two decades, that paradox was treated as an unalloyed good — a friendly superpower of cyber talent, celebrated in glossy profiles of the “startup nation.”

In 2026, the framing cracked. When the DIA rated Israel a “critical” intelligence threat after spyware turned up on U.S. officials’ phones, it was implicitly acknowledging the other half of the equation that the industry press had spent years cheering. The critic Paul Biggar put the concern bluntly: banks using Palo Alto Networks have transaction data “passing through servers that are controlled by spies, or former spies.” That is almost certainly an overstatement of operational risk — being an 8200 alumnus is not the same as being an active foreign agent, and the overwhelming majority of these engineers are exactly what they appear to be: brilliant people building real products. But “almost certainly” is doing a lot of work in a sentence about national security, and it’s precisely the ambiguity that a “critical” counterintelligence rating is designed to force into the open.

The tension isn’t hypothetical anymore. We’ve watched Microsoft cut off an Israeli military unit’s cloud access over mass surveillance, watched reporting surface an alleged “winking mechanism” by which U.S. cloud giants tipped Israel off about sensitive data requests, and watched the broader 2026 Iran–Israel–U.S. cyber conflict drive a wedge between allied interests that once looked permanently aligned.

The thread, pulled tight

Stuxnet proved a state could weaponize code to break the physical world. Grim Beeper proved a state could weaponize the supply chain itself. And the Unit 8200 ecosystem proved that the human capital behind both could be spun into a commercial empire so deeply woven into global infrastructure that you cannot cleanly separate “the cyber power we rely on” from “the cyber power we’re warned about.”

None of these three facts is new. What’s new in 2026 is that they’re finally being held in the same hand at the same time — by the Pentagon, by regulators waving through $30-billion deals, and by every CISO who just realized that “where did this technology come from, and who built it?” is no longer a marketing question. It’s a threat-model question. The same one Hezbollah should have asked about its pagers.
