The notification lands without warning: "Apple detected a targeted mercenary spyware attack against your iPhone." Detection of government surveillance attempts, which companies used to handle in silence, now triggers immediate, transparent user alerts from Apple, Google, and WhatsApp. This shift from reactive threat detection to proactive threat notification marks a critical inflection in security expectations. Users, enterprises, and policymakers face a new reality: if you're targeted, you'll know. The question is no longer whether you're being attacked, but what you do when that notification arrives.
Jay Gibson's phone buzzed one ordinary day with a message that stopped him cold. "Apple detected a targeted mercenary spyware attack against your iPhone." The irony wasn't lost on him—Gibson had previously worked at companies building exactly the kind of sophisticated surveillance tools that trigger these warnings. Still, the notification sent him into a panic. He called his father, powered down his device, and bought a replacement.
Gibson is no longer an outlier. He's part of an accelerating cohort of people receiving these notifications from Apple, Google, and WhatsApp—all companies that have fundamentally shifted how they handle government spyware detection. Where these platforms once worked quietly in the background, analyzing telemetry data and threat signatures to identify state-sponsored attacks, they now surface that intelligence directly to users. The change represents a critical inflection point in how the security industry handles transparency around government-sponsored threats.
But here's the tension that makes this moment significant: the tech companies alert, then they step away. They've established that users are targets. They provide some basic hardening recommendations—enable Lockdown Mode on Apple devices, activate Google's Advanced Protection Program, update your apps. Then silence. The infrastructure for helping people actually respond to these notifications barely exists outside of certain protected categories.
This is where the market inflection becomes visible. Apple and Google have essentially created a new category of demand: forensic investigation services for people who've been targeted with government spyware like NSO Group's Pegasus or Paragon Solutions' Graphite. The notification sends the signal. The victim searches for help. The ecosystem is scrambling to meet that demand.
For journalists, dissidents, and human rights activists, there's a triage system. Access Now's Digital Security Helpline—a 24/7 operation with security experts—can help. So can Amnesty International's investigation team, which has years of experience documenting spyware abuse. The Citizen Lab at the University of Toronto has been analyzing these cases for 15 years. These organizations operate at the intersection of security and human rights.
But what about everyone else? Corporate executives, politicians, business leaders—the categories of people who are absolutely targets of government spyware but fall outside civil society protection networks? They're left to navigate a fragmented private market. iVerify offers app-based detection and forensic investigation on both iOS and Android. Safety Sync Group, the startup from security researcher Matt Mitchell, specifically focuses on vulnerable populations. Hexordia, run by forensic investigator Jessica Hyde, offers investigation services. Lookout provides an intake process for government spyware incidents. Costin Raiu, formerly of Kaspersky's elite GReAT team, now leads TLPBLACK—a small research operation that accepts direct email referrals from suspected spyware victims.
The technical reality of what happens after you get one of these notifications adds another layer of complexity. Access Now's incident response lead Hassan Selmi described the spyware's current approach as a "smash and grab" strategy: sophisticated government spyware infects a device, harvests as much data as possible, then attempts to erase all traces of itself. This self-erasing tactic, which removes the forensic fingerprints, means investigators often find nothing even when the initial compromise was real.
This creates a perverse situation where users receive a notification confirming they were targeted, but later forensic analysis may yield no evidence of successful infection. The psychological impact is real and significant. The remediation path, however, remains the same whether or not evidence is found: enable hardening features like Apple's Lockdown Mode, switch on multi-factor authentication, use security keys, keep systems updated, restart devices regularly, scrutinize suspicious links and attachments. The advice is sound but procedural—it can't undo what may have already been accessed.
What's actually shifting here is the baseline expectation for transparency in the security industry. Apple and Google didn't have to notify users of government spyware attempts. They could have quietly hardened their systems, patched vulnerabilities, and improved detection without saying a word. Instead, they've chosen disclosure. That choice cascades through the ecosystem. Enterprise security teams now know they need incident response capabilities that account for government-grade threats. CISO hiring is expanding to include forensic investigation expertise. Private security firms are hiring ex-intelligence community operatives to staff incident response teams. The market is repricing security capabilities around the assumption that sophisticated threats are not hypothetical—they're happening now, visible to major platforms, and actionable by users.
The timing creates distinct windows for different audiences. For enterprises, the window for establishing incident response partnerships is now—waiting creates organizational liability. For security professionals, the skill demand for government spyware analysis is immediate, and supply is constrained. For security tool builders, integrating government spyware detection into product roadmaps has moved from nice-to-have to table-stakes. The forensic investigation space, previously a niche consulting market, is becoming a venture-backed growth sector.
The shift from silent threat detection to transparent user notification represents a fundamental reset in security expectations. Apple and Google have essentially declared that government spyware targeting is not an edge case—it's a routine threat that platforms will surface to users. For enterprises and decision-makers, this window requires immediate action: establish forensic investigation partnerships, develop incident response protocols, and prepare security teams for government-grade threat scenarios. For professionals, new career pathways in forensic investigation and incident response are opening. The next inflection to monitor: whether regulatory bodies begin requiring incident response standards for companies that notify users of government attacks, turning voluntary transparency into mandated disclosure frameworks.


