Refael Franco has spent his career at the intersection of intelligence and cybersecurity, first as part of the Shin Bet, then as one of the founding members of the Israel National Cyber Directorate, where he eventually led national cybersecurity operations. In 2020, he ran the national response to an Iranian cyberattack on Israel’s water infrastructure. After October 7th, he opened a civilian war room and helped locate more than 66 missing and kidnapped people using his team’s cyber and intelligence capabilities.
He is now the founder and CEO of Code Blue, a crisis management company built around a core product called Blue Castle. He spoke with IsraelTech on the floor of CyberTech in Tel Aviv.
The Iran Water Attack: A Turning Point
In April 2020, Iranian actors attacked Israeli water facilities with the goal of altering chlorine levels and causing mass casualties. Franco describes it as the first time Iran moved from theoretical threat to actively attempting to kill people inside Israel, not through rockets but through infrastructure sabotage.
As head of national cybersecurity at the time, Franco led the response. The INCD, operating as part of the Israeli intelligence community, identified Iran as the source of the attack, activated the national emergency response team, and moved to close the vulnerabilities fast. The attack was stopped with no damage and no casualties.
He credits two things: advance intelligence that gave the team early warning, and the fact that the organizations involved listened and acted quickly. He also notes, with some candor, that Iran underestimated Israel’s ability to detect and respond, which worked in Israel’s favor.
What the Israel National Cyber Directorate Became
The INCD was established in 2012 by the current Prime Minister, with a mandate to protect all civilian infrastructure, from critical systems like water, electricity, and gas, down to the general public. Franco was the third employee.
What started as a strategic concept on paper became, over the following decade, a national cyber Iron Dome (his term), connected to allies across the US, Germany, Italy, the UK, and others. The logic behind the coalition is straightforward: a threat detected in Israel can be shared with partners who can protect their own civilian infrastructure, and vice versa. No country, however capable, can defend against sophisticated nation-state threats alone.
Israel is now the most targeted country in the world for cyberattacks, ahead of China and the US. Franco notes this with dry humor: not exactly the kind of global leadership the Prime Minister had in mind, but there is no competition at the top.
How the Ecosystem Was Built
Franco’s view on what made the Israeli cybersecurity ecosystem is worth sitting with because he names three specific drivers rather than offering the usual vague credit to startup culture.
The first is the military. Mandatory service, combined with elite tech units that take teenagers and put them through intensive technical training, produces a steady pipeline of people ready to build and operate in high-stakes environments.
The second is government incentive structures. Israel has mechanisms that allow founders with a strong idea and a basic presentation to receive government funding before they have customers, revenue, or certification. Removing early capital barriers meaningfully broadens who can start a company.
The third, which Franco considers the most consequential, is reducing bureaucracy for startups trying to work with government as a customer. A five-person company cannot meet the procurement requirements that exist for large enterprises, but those requirements do not exist to exclude startups; they are just legacy rules that were never updated. Franco pushed from inside the government to create pathways where early-stage companies could work with government agencies without being required to meet certification and balance sheet thresholds designed for established vendors.
He built one of the more notable examples of this himself: an accelerator at Israel’s Ashdod Port, a traditional industry that had no obvious connection to cyber or innovation. Of 42 companies that entered, 11 completed the program successfully, and two went on to become unicorns.
The Threat Landscape Is Shifting
On current and emerging threats, Franco is specific in ways that go beyond the standard briefing.
Iran, he says, has changed its tactics significantly. The INCD spent years learning Iran’s operational models, and Iran knows it. Rather than continuing to attack Israel directly through known methods, Iran has moved toward building infrastructure that looks legitimate to developers. Fake open-source repositories and developer tools that appear credible are being used to deliver malware directly into companies, bypassing the perimeter controls those companies have built to stop conventional attacks. If a developer downloads a tool from what appears to be a reputable source, the malware enters behind every layer of defense.
The second significant shift is collaboration between Iran and organized cybercrime groups. Nation-state capabilities and criminal infrastructure are merging, with Iran using criminal networks’ tools and reach to conduct operations, and those groups benefiting from state-level support.
The third trend is AI-driven social engineering. Deepfakes are now being used as part of offensive operations at a scale and quality that was not possible a year or two ago. Social engineering has always been an effective attack vector. AI makes it dramatically harder to detect.
What Code Blue Does
Code Blue is built around a central premise: breaches are no longer a question of if, they are a question of when. Prevention matters, but the question organizations are not preparing for well enough is what happens in the first 48 hours of a serious incident.
Franco describes that window as requiring approximately 1,000 decisions, from understanding the scope of the attack, to deciding who is responsible for which response functions, to determining whether to pay a ransom, to managing communications with regulators, insurers, customers, and the press. No team can make that many high-quality decisions under that kind of pressure without structure and support.
Blue Castle, the company’s AI-powered platform, is trained on Code Blue’s own operational knowledge and experience rather than general-purpose language models. It recalculates risk and prioritizes tasks every 15 minutes during an active crisis, helping commanders make decisions with current information rather than the last briefing they received. It covers legal, forensic, intelligence, business continuity, and PR dimensions simultaneously.
The human side of Code Blue’s offering is a multidisciplinary response team, structured the way Franco operated at the intelligence and national levels, with a single commander responsible for connecting the dots across all functions and making the call on strategy. The company currently serves more than 100 clients, with roughly 70 percent in Israel and 30 percent internationally across the US, Germany, Italy, and the UK. The team operates follow-the-sun, 24 hours a day, 365 days a year. Code Blue is actively building out its North America presence.
Insurance companies are also a significant referral channel. Code Blue is on approved panels for cyber insurers who route incident response work to vetted providers when a claim is triggered.
October 7th
The conversation includes a personal dimension that cannot be omitted. On October 7th, a family member of Franco’s, who was responsible for security at Kibbutz Be’eri, was murdered by Hamas. That night, Franco drove to Be’eri and brought surviving family members to his home for two months. On October 8th, he opened a civilian war room staffed by more than 100 volunteers, combining cyber capabilities with geographic intelligence, GIS tools, big data analysis, and Arabic speakers. The operation helped locate more than 66 missing and kidnapped people.
He describes it simply as a crisis. His team runs crisis response. They applied those capabilities, with the stakes as high as they get.
About Refael Franco and Code Blue
Refael Franco is the founder and CEO of Code Blue, an Israeli crisis management company specializing in cyber incident response. He previously served in the Shin Bet and was one of the founding members of the Israel National Cyber Directorate, where he led national cybersecurity operations including the response to the 2020 Iranian water infrastructure attack. Code Blue’s Blue Castle platform provides AI-driven crisis management support, and the company’s response team operates globally. Franco spoke with IsraelTech at CyberTech in Tel Aviv.