In December 2014, Cylance published its Operation Cleaver report — a comprehensive intelligence document revealing a years-long Iranian state-sponsored cyber espionage campaign that had penetrated critical infrastructure targets across 16 countries, including airlines, airports, energy companies, military installations, and government agencies. The report was one of the first major public disclosures of an Iranian advanced persistent threat operation at this level of detail.
Stuart McClure's "Prevention is Everything" post accompanied that report with a strategic argument: the Operation Cleaver findings were not just intelligence about a specific campaign. They were evidence for a fundamental thesis about how organizations need to approach security. The Iranian attackers used a combination of custom tools and commodity malware, many of which had not been seen before in the wild. Traditional signature-based detection tools had no basis for identifying these novel threats. A prevention model based on mathematical properties of executable code — rather than known-bad signatures — was the only approach with a realistic chance of stopping them before they caused damage.
The post also addressed the broader context of nation-state cyber warfare. Operation Cleaver targeted infrastructure that was, in many cases, managed by private-sector organizations without the security posture one might expect from high-value national security targets. This was a deliberate attacker strategy: targeting the softer underbelly of critical systems rather than the hardened government networks. The implication for private-sector organizations managing any part of critical infrastructure was clear and urgent.
Operation Cleaver became one of the most cited examples in Stuart's public argument for why prevention-first security is not a nice-to-have but an operational necessity.