The United States is heading into one of the most security-intensive stretches in recent memory. The 2026 FIFA World Cup, the country’s 250th anniversary celebrations, and a contentious midterm election cycle are converging in a span of months — each event a magnet for a different range of threat actors, and all three arriving against a backdrop of elevated political polarization, reduced federal security resources, and a generative AI landscape that is making it easier than ever for bad actors to plan, organize, and strike.
RANE’s Global Security and Cyber analysts recently convened to map the threat landscape across three main categories: varying forms of violence, cyber threats, and disruptive protest activity. Here is what organizations need to know.
FIFA World Cup (June 11th – July 19th): 104 matches across 11 US cities, plus venues in Canada and Mexico. The expanded format — up from 64 matches in prior editions — means a longer window of exposure and significantly more complex cross-border security coordination.
America’s Semi-Quincentennial (July 4th and surrounding weeks): The 250th anniversary of the Declaration of Independence will see expanded events well before and after the holiday itself, including military parades, concerts, and celebrations in major cities. The event is being organized by two distinct groups — America250, a bipartisan congressional initiative, and Freedom 250, aligned with President Trump — adding a layer of political symbolism that makes it a particularly attractive target.
Midterm Elections (November 3rd): Midterms typically generate less security concern than presidential elections. This cycle is different. High political polarization, declining approval ratings tied to energy prices and domestic policy controversy, and an active protest movement are expected to make this midterm season more volatile than usual.
Add to these Pride Month, general summer travel, and a range of smaller local events, and corporate security teams have an unusually dense calendar to manage.
Islamist Extremism: Intent Is Elevated
The baseline threat from Islamist lone actors and small cells remains elevated for all three events. These actors — radicalized through sympathy for extremist ideology, US involvement in the Middle East, or targeted propaganda from foreign groups — tend to use readily available weapons: vehicles, bladed weapons, firearms, or crude IEDs. They generally lack formal tactical training, which limits the sophistication of attacks, but the sheer density of crowds at these events means even a low-capability attack can produce significant casualties.
Islamic State has already released propaganda specifically linked to the World Cup. The ongoing US-Iran conflict, combined with ongoing tensions over Israel and Gaza, is providing additional motivation for attack. Iranian-linked threat actors present a distinct layer of risk: while their capabilities are constrained — Iran tends to rely on criminal intermediaries with poor tradecraft — their intent is explicit. US authorities recently accused an Iran-backed militia commander of plotting bombings on US soil. High-risk targets include Jewish and Israeli-linked organizations, defense sector companies, and, following Iran’s threats to retaliate against Western financial and tech institutions, those sectors as well.
The World Cup introduces a specific wrinkle: as an inherently country-versus-country competition, disputes over team participation and match locations have already surfaced tensions that could further inflame these dynamics.
Domestic Extremism: The Threat Runs Both Directions
A notable shift since President Trump returned to the White House has been an uptick in left-wing extremist incidents — most recently, the shooting at the White House Correspondents’ Dinner.
The baseline expectation is continued semi-regular attacks by lone actors across the political spectrum, with left-wing individuals more likely to act in the current political climate. The semi-quincentennial, framed as a pro-administration event, is a logical target for those with anti-government grievances. Smaller, less secured gatherings — neighborhood World Cup watch parties, local campaign events — present softer targets where threat actors blocked from major venues may redirect their efforts.
Two escalatory scenarios are worth monitoring: left-wing groups becoming more formally organized (not the baseline, but not impossible), and far-right groups mobilizing against left-wing targets, particularly in connection with midterm activities and potential voting facility threats.
AI Is Accelerating Risk Across the Board
Generative AI is now a force multiplier for virtually every category of cyber threat actor.
Nation-state groups like China and Russia — already the most sophisticated actors in the world — are integrating AI across the full attack lifecycle: vulnerability detection, exploitation, reconnaissance, lateral movement, and data exfiltration. China’s orientation remains primarily toward cyber espionage rather than disruption, but the speed and scale of intrusion activity is increasing. More risk tolerant Russia continues to lead in information operations, using AI to generate synthetic media content and close the persuasiveness gap with Western audiences.
Cybercriminal and hacktivist groups are using AI to compensate for skill gaps they previously couldn’t bridge — developing malware, launching phishing campaigns at scale, and automating the kind of intrusions that once required significant technical expertise. Scam emails and spoofed websites targeting FIFA World Cup and Pride Month attendees were already circulating as early as December 2025.
Iran’s cyber capabilities have been degraded by recent strikes and personnel losses, but isolated attacks — distributed denial of service, website defacement, and opportunistic intrusions into critical infrastructure — remain plausible. The water and wastewater sector in particular has been a point of Iranian interest; local operators in that sector tend to have weaker cybersecurity postures than their profile might suggest.
The Disinformation Environment
With reduced content moderation efforts at major platforms and AI enabling the rapid production of convincing fake content, the information environment heading into the semi-quincentennial and midterms is going to be genuinely difficult to navigate. Expect coordinated narrative campaigns across social media, synthetic media that impersonates legitimate news sources, and a surge in AI-generated content designed to inflame political tensions or suppress voter participation.
CISA’s Reduced Capacity
The Cybersecurity and Infrastructure Security Agency, the federal government’s lead civilian cybersecurity entity, has lost a third of its personnel since the start of the second Trump administration. The proposed 2027 federal budget would reduce the agency’s funding by another 30%. This is happening as nation-state cyber threats are at a historic high. The gaps this creates may not be immediately visible — that’s precisely the concern. When defensive capacity shrinks, intrusions that would previously have been detected may go unnoticed for months.
All three events are lightning rods for activism — not just the midterms, which carry obvious political valence, but also the World Cup and the 250th, both of which carry symbolic weight as targets for groups seeking global attention.
The baseline: sustained, large-scale anti-government protests are coming. The group behind the No Kings protest — which has drawn over a million participants in previous iterations — has already announced plans for demonstrations around the semi-quincentennial. Highway blockades, protests in major public squares, and attempts to disrupt or delay events themselves are all likely tactics. Activist groups have explicitly expressed interest in disrupting high-profile events rather than simply marching past them. And sabotage to critical infrastructure cannot be ruled out.
Beyond pre-planned protests, geopolitical flash points and domestic incidents (immigration enforcement actions, for example) have consistently triggered rapid mass protest responses in major cities — sometimes within hours. Organizations need to monitor not just scheduled events but the broader news cycle for triggers that can generate unplanned disruption.
The Federal Security Capacity Question
The Trump administration’s national security reorganization — with its reorientation toward narco-terrorism, immigration enforcement, and countering left-wing violence — has created notable gaps in areas like right-wing extremism monitoring and Islamist counterterrorism resources. Federal counterterrorism funding disputes with New York, a prolonged DHS shutdown that generated over 1,000 TSA resignations, and delayed World Cup security grants to state and local governments have all introduced uncertainty into event preparation timelines.
None of this guarantees a security failure, but it does mean organizations should not assume the federal government will identify and neutralize all threats in advance.
This post is drawn from RANE’s webinar “Upcoming U.S. Events Have Security Professionals on Edge: How Organizations Can Prepare,” featuring Global Security Analysts Caroline Hammer and Isaia Galace, Cyber Analyst Ali Plucinski, and Director of Analysis Sam Lichtenstein. To speak with a RANE analyst about your organization’s specific exposure, visit ranenetwork.com.
