Your Gulf Risk Assessment is Already Out of Date

Welcome to your Tuesday briefing.

On Saturday, February 28, the United States and Israel launched a coordinated military operation against Iran targeting its nuclear infrastructure, military command, and senior regime leadership. Reports confirmed that Supreme Leader Ali Khamenei was killed in the strikes.

We've watched Iran-related risk escalate for years through shadow wars, proxy activity, and diplomatic brinkmanship. What happened on Saturday was a significant step beyond that pattern. The scale, the stated objective of regime change, and the confirmed leadership losses put this in a different category from previous exchanges.

The scale, the stated objective of regime change, and the confirmed leadership losses put this in a different category from previous exchanges. If you have clients, personnel, or operations in the region, the practical questions start now.

This week's briefing focuses almost entirely on what's unfolding, not to cover the geopolitics, which every news outlet is handling, but to work through what it means operationally.

On February 28, the US and Israel launched a coordinated joint attack across multiple cities in Iran, codenamed Operation Epic Fury by the US Department of Defense and Operation Roaring Lion by Israel. The operation targeted senior officials, military commanders, and key facilities, with regime change as a stated objective. It included the assassination of Ayatollah Ali Khamenei, Iran's Supreme Leader for nearly four decades.

The US component struck hundreds of targets, including missile production facilities, naval assets, nuclear infrastructure, government ministries, and senior regime leadership. The operation included the largest B-2 bomber strike in US history, targeting Iran's underground nuclear facilities at Fordow and Natanz with the GBU-57 Massive Ordnance Penetrator, the world's largest bunker-busting bomb. Pentagon assessments concluded that Iran's nuclear program was significantly set back, though not eliminated.

The leadership losses were extensive. Iran's Defense Minister, the IRGC ground forces commander, and the Defense Council Secretary were all confirmed killed. With the removal of those figures, Iran has no functioning chain of command in the conventional sense. What remains are fragmented military units operating on pre-existing instructions, and proxy networks that were designed to act independently.

The most operationally significant development for security practitioners is not what happened inside Iran. It's what happened in the countries where many of our clients and colleagues work every day.

Iran retaliated against US military facilities and allied states across the region, with missile attacks reported in Israel, Jordan, and Saudi Arabia, as well as attacks targeting US military facilities in Qatar, Kuwait, the UAE, and Bahrain.

Dubai's status as a global safe hub took a direct hit. An Iranian Shahed drone struck the Fairmont Hotel on Dubai's Palm Jumeirah, and a strike at Abu Dhabi's Zayed International Airport killed one person and injured seven. Emirates confirmed minor structural damage at a terminal concourse. All operations at DXB, Abu Dhabi, Doha, and Kuwait airports were suspended. Flights were cancelled or rerouted mid-air.

In Qatar, 65 missiles were reported, with 16 injuries in Doha. In Israel, eight people were killed in Beit Shemesh. In Bahrain, Iranian missiles struck near the headquarters of the US Navy's Fifth Fleet in Juffair, with residents in surrounding expatriate neighbourhoods evacuated as smoke rose from the base vicinity.

The Fifth Fleet's area of operations covers 2.5 million square miles and controls the three most critical maritime chokepoints in the world: Hormuz, Suez, and Bab el-Mandeb. All of that is now a contested environment.

The phrase "duty of care" gets used a lot in corporate security. Right now, it needs to mean something concrete.

Any organisation with personnel in the UAE, Bahrain, Qatar, or Kuwait needs to conduct an immediate review of evacuation plans, shelter protocols, and communication trees. This is not a precautionary exercise. It is a response to a changed threat environment that has already produced civilian casualties in residential areas.

For executive protection teams managing travel through the Gulf, Dubai and Abu Dhabi can no longer be treated as hub cities for transiting sensitive or high-profile principals. The aviation infrastructure is disrupted. The hotels that have historically served as safe staging points have been struck. The risk profile has shifted to that of a semi-permissive environment, not a permissive one.

For those managing residential security in the region, the calculus has changed too. Bomb shelter access, gas mask provision, and hardened safe rooms are no longer over-preparations. They are baseline requirements.

The death of Khamenei does not end the threat. It fragments it. A centralised Iranian regime, however hostile, was at least a known quantity with identifiable decision-makers and predictable red lines. What emerges from this, whether a hard-right IRGC military government, a prolonged power struggle, or partial state collapse, is less predictable and, in many ways, more dangerous for practitioners managing risk at ground level. Fragmented actors do not follow strategic logic.

The safe haven era in the Gulf is over, and the planning assumptions built on it need to be rebuilt now, before the next escalation cycle rather than during it.

Why does business news feel like it’s written for people who already get it?

Morning Brew changes that.

It’s a free newsletter that breaks down what’s going on in business, finance, and tech — clearly, quickly, and with enough personality to keep things interesting. The result? You don’t just skim headlines. You actually understand what’s going on.

Try it yourself and join over 4 million professionals reading daily.

Check it out

Two decades of expert insights you can trust.

🇦🇪 UAE — Dubai International Airport suspended all operations following Iranian strikes on March 1. An Iranian Shahed drone struck the Fairmont Palm Hotel, and the Burj Al Arab also sustained damage. Routing that relied on Dubai as a primary transit hub needs to be revisited. Alternative options through Europe or East Africa should be assessed in the near term.

🇧🇭 BAHRAIN — Iranian missiles struck a facility linked to the US Navy's Fifth Fleet headquarters in Juffair on February 28, triggering evacuations in surrounding residential neighbourhoods heavily populated by Western expatriates. The Navy had repositioned several vessels in advance, but the physical base still sustained damage. The FCDO has updated its travel advice for Bahrain. Treat that guidance as a live document and check it before any movement into or around Manama.

🇨🇾 CYPRUS — Safe Haven Risk. As a primary extraction point for personnel leaving the Levant, Cyprus is seeing a surge in "suspicious activity" reports near Western diplomatic housing. We recommend all protective details in the Eastern Med transition to a "High" alert status immediately.

🇺🇸 USA — OSINT Warning. Monitoring of extremist channels shows a 400% increase in mentions of "soft targets" in major U.S. cities over the last 48 hours. Most of this is aspirational chatter, but the volume is reminiscent of the lead-up to previous major domestic incidents.

JOINT EMPLOYER LIABILITY — A US federal judge ruled on February 20 that property management company JLL must face trial alongside contractor GardaWorld for wage violations, on the basis that JLL controlled daily operations and policies for the security officers involved. The principle is straightforward: if you write the SOP, you may carry the legal liability. UK and US security managers who rely heavily on contracted guard forces should audit their service level agreements with that in mind.

RESIDENTIAL SECURITY — The "Cleaner" Heist. A recent $122,000 apartment heist in Brooklyn, executed by a suspect disguised as a cleaner, highlights a recurring vulnerability in urban executive protection: "trusted access" fatigue. When a principal lives in a high-density luxury building, the perimeter is often outsourced to building staff. If your residential security plan doesn't include verifying the credentials of "standard" service workers, you don't have a perimeter.

If you run a security company, you know the drill: insurance is expensive, slow to procure, and full of gaps that seem to appear at exactly the wrong moment. A new three-way partnership between Willis, Belfry, and Kayna is trying to fix that, not by building a better insurance product, but by embedding insurance directly into the operational platform you're already using to schedule shifts and run payroll.

And this is just the beginning. The physical security industry is quietly undergoing the same back-office consolidation that already reshaped construction, healthcare, and logistics, and the platform you choose to run your business on today may determine far more than who handles your scheduling tomorrow.

Read the full breakdown to find out what this means for your premiums, your data, and the broker relationships you've built your business on. Read here →

Q: Will El Mencho's death ultimately reduce or increase the threat to foreign business operations in Mexico?

🟨⬜️⬜️⬜️⬜️⬜️ A. Reduce it. Removing the top leadership weakens the organization long-term. (16%)
🟩🟩🟩🟩🟩🟩 B. Increase it. The succession war is more dangerous than a stable cartel. (64%)
🟨⬜️⬜️⬜️⬜️⬜️ C. Neither. The threat was already unmanageable before this happened. (12%)
⬜️⬜️⬜️⬜️⬜️⬜️ D. Something Else. Let us know 👉 (8%)

Your Comments:

ST: “Extra security is obviously necessary, so it is a boon to [the] industry in that sense, yet it increases operating costs and risks associated with this development. […] Do business outside of Mexico, if possible.”