They Hired Me, Hazed Me, and Fired Me by Mail
Inside the network that helped shape the Stuxnet narrative and built companies entrusted with America's critical infrastructure.
This is Part two of Hacking, but Legal’s Blavatnik series. Read Part one: “Where the West’s Cyber Chiefs Land, and Who Pays for the Landing”.
This is the story of a magazine article about a computer worm, a network of intelligence professionals who built companies around America’s critical infrastructure, and the months I spent inside one of those companies before being fired by a letter left in my mailbox. The connection between these threads is not that one caused the other, but that I was inside the second before I understood the first, and understanding the first is what eventually made the second make sense.
On the very first morning I reported to Accenture as a Senior Manager — newly hired to lead the FusionX team, one of the most respected red-teaming operations in American cybersecurity — co-founder Tom Parker stepped out of an elevator, strode through the glass doors, took one look at me, and said, “Who are YOU?” I gave my name and my title, and politely informed him I was a new hire starting that day. He grimaced, said nothing further, and walked away.
That was early June. By November of that same year, I would be terminated without cause by a letter mailed to my Manhattan apartment. In the intervening months, I had not been permitted to do the job I had been hired to do: lead a team of elite consultants to help solve the Fortune 500’s most pressing technical security concerns. A direct report who had followed me from a previous employer and I were assigned a single foreign financial client, taken off that job without explanation, and given nothing else. He has since confirmed this account. I was then placed on administrative leave, also without explanation — my equipment seized, my access revoked, and presence maintained just enough to be monitored while we were both excluded from everything of consequence.
I initially mentally framed what happened in common terms: I was the only dark-skinned woman in the group, and some of the hostility I encountered felt like it might have something to do with that. The cybersecurity industry has a well-documented problem with both racism and sexism, and I have been on the receiving end of both throughout my career. I spoke publicly about sexism and discrimination in the field after working on the Biden campaign in 2020. When the DerbyCon security conference shut down in 2019 after women and minorities raised concerns about harassment, the community blamed the people who spoke up — including me, just for having been quoted in the story.
What I experienced at FusionX was part of that broader pattern. But the deeper story, which I have reconstructed from public records, patent filings, corporate registrations, my own email inbox, and the documented career trajectories of the people involved, concerns what FusionX actually was, who controlled it, and the web of intelligence community veterans, oligarch capital, and privatized state power standing behind a company entrusted with the security architectures of U.S. government agencies and major multi-national corporations.
The Article That Knew Too Much
On October 5, 2010, Tablet Magazine published a brief essay on the Stuxnet worm, “Modern Warfare, Too” by Michael Tanji. The worm had recently been discovered infecting industrial control systems worldwide with a pronounced concentration in Iran. Tanji’s byline identified him as “a former supervisory intelligence officer who worked on information warfare issues at the Defense Intelligence Agency.” The article appeared in a curated “Web Wars!” series alongside a companion piece by Yossi Melman, the veteran Israeli intelligence correspondent for Haaretz, whose connections to the Mossad establishment are well documented. In 2020, Donald Trump elevated Melman’s account of the killing of the head of Iran’s nuclear program on Twitter.
Israeli journalist Shimon Aran, who served in the IDF’s Unit 8200, claimed to have notified Melman of the retweet, and that he was “very surprised..”
Melman’s article “Coded,” published in Tablet Magazine in October 2010, argued that Israel “may or may not” have been behind Stuxnet, and that it didn’t particularly matter. Tanji’s American-perspective article reached the same conclusion by a different route. On its surface, “Modern Warfare, Too” reads as competent analysis from a highly qualified commentator. Tanji correctly identified Stuxnet as targeting Siemens SCADA software, noted the worm’s sophistication, and speculated about Israeli involvement. When the article is mapped against what was publicly known in October 2010 and what would be confirmed months or years later, it is strikingly prescient.
The Symantec Stuxnet dossier, published in late September 2010, had concluded that “the ultimate target of Stuxnet remains unknown.” Ralph Langner, the German industrial control systems researcher who first speculated publicly that Natanz was the target, described his own assessment as “speculation.” The precise mechanism by which Stuxnet destroyed centrifuges by manipulating frequency converters manufactured by Fararo Paya and Vacon on Siemens S7-315 PLCs would not be confirmed until November 2010 at the earliest.
Joint U.S.-Israeli authorship under Operation Olympic Games was not reported until a New York Times piece in January 2011, and not fully confirmed until David Sanger’s June 2012 account. Kim Zetter's Countdown to Zero Day, the definitive account of Stuxnet's discovery and the operation behind it, provided much of the framework I used to verify what was and was not publicly established at each point in this timeline.
Tanji, writing in early October 2010, got the strategic picture almost perfectly right while remaining conspicuously vague on technical details.
He characterized Stuxnet as designed “not to kill, but simply to disorient: cyber tear gas.” Langner’s 2013 analysis, “To Kill a Centrifuge,” would confirm this framing years later, finding that the attackers “took great care to avoid catastrophic damage” and instead sought to induce early rotor failures that would be indistinguishable from routine engineering problems. He described digital weapons as “disposable sniper rifles, not cluster bombs,” a metaphor that reflects offensive cyber doctrine of the kind that has since become standard material at war colleges, but had no place in public discourse in 2010.
He observed that Stuxnet was “sophisticated enough, it is targeted enough, to make the sufficiently suspicious in Iran wonder if there is in fact not someone on the inside who has passed information.” In 2024, the Dutch newspaper De Volkskrant revealed that a recruited AIVD agent named Erik van Sabben had been the human penetration vector who physically introduced the malware into Iranian facilities. What Tanji had framed as speculation now reads more like a description of the actual effect.
He invoked Effects-Based Operations doctrine by name: “you don’t want to destroy the power plant, you just want to turn it off, because eventually you want the lights to come back.” At the time of that writing, no one outside a small circle of officials understood that this was the operational philosophy of Olympic Games. Each of these judgments was subsequently confirmed. None were established in the public record when Tanji wrote them down. All of them served the strategic communication interests of the operation’s sponsors.
In response to a request for comment from this publication, Tanji said that his article relied on no classified knowledge.
“Any analytic tradecraft used to draw conclusions or make judgments can be found in any number of books on the topic of intelligence analysis,” he wrote. “Likewise, nothing in the article relied on any classified information. If it had, my half of this conversation would be coming from an IP attributable to a federal prison.”
He said that he does not know Yossi Melman, and had not read Melman’s companion piece. He acknowledged maintaining “a decent sized network of friends and former colleagues with extensive experience in IW/CNO” (Information Warfare and Computer Network Operations) but said he has “no idea if any of them was involved with Stuxnet.”
While the article was remarkably prescient, the author says it was solely the product of publicly available analytic tradecraft.
The Author’s Credentials
Tanji was not a casual observer of cyber operations. His career placed him at the center of the American military cyber apparatus during its formative period. He began as a U.S. Army SIGINT analyst, served in Desert Storm, and moved through a succession of increasingly sensitive positions: intelligence specialist at U.S. Army Intelligence and Security Command (INSCOM), then the Defense Intelligence Agency, where from 1998 to 2004 he served as Supervisory Intelligence Officer in the Information Warfare Office within the Transnational Warfare Group. Profiles published by OODA Loop and CSO Online also place him at NSA and the National Reconnaissance Office.
At DIA, Tanji was selected as one of a “handful of intelligence officers selected by-name” to support the Joint Task Force for Computer Network Defense (JTF-CND), the direct precursor to U.S. Cyber Command. He represented DIA on National Security Council and National Intelligence Council cyber projects, deployed in a counterintelligence and HUMINT role during Operation Allied Force, and after September 11 created the Department of Defense’s first computer forensics and intelligence fusion team. He left government in 2005 and co-founded Kyrus Tech, which later partnered with Microsoft to disrupt the Zeus botnet. He is also listed as one of the co-founders of security firm Carbon Black.
In 2009, Tanji edited Threats in the Age of Obama, a compendium of national security essays published by Nimble Books. Among the twenty-one contributors were Matt Devost and Bob Gourley.
The Book and Its People
Bob Gourley was a Naval Intelligence officer who became the first Director of Intelligence (J2) at JTF-CND, the same organization Tanji had supported, and later served as Chief Technology Officer of the Defense Intelligence Agency, the same agency where Tanji had worked in the Information Warfare Office. After leaving government, Gourley co-founded OODA LLC with Matt Devost. His website CTOvision.com published approving coverage of Tanji’s work at Kyrus Tech.
Devost’s biography takes a different turn. He arrived at SAIC in 1995. By his own account, buried in keywords at the bottom of his LinkedIn resume, he directed the Coalition Vulnerability Assessment Team, supported the President’s Commission on Critical Infrastructure Protection and the Defense Science Board, served on the President’s National Security Telecommunications Advisory Committee, and provided support during the Solar Sunrise investigation — the 1998 Department of Defense cyber intrusion that directly led to the creation of JTF-CND. He was twenty-five years old.
In 1996, Devost co-founded the Terrorism Research Center and began operating from devost@terrorism.com. A 2004 USPTO trademark filing shows the organization attempting to register “TERRORISM.COM” from an office on North Fairfax Drive in Arlington, Virginia. The trademark was refused as “merely descriptive.” Today, terrorism.com redirects to the website of DEV Capital, Devost’s investment entity. At iDEFENSE, he built a cyber-intelligence operation serving Fortune 500 clients. At Security Design International, he ran penetration testing and vulnerability assessments against what he described as “every critical infrastructure segment.”
Then, in 2006, Erik Prince purchased Devost’s companies and merged them with the consulting group led by Cofer Black, the former Director of the CIA’s Counterterrorism Center, to create Total Intelligence Solutions. Devost became its president. Rob Richer, former CIA Associate Deputy Director of Operations, served as CEO. The Washington Post reported that Prince had “built Total Intel” from Devost’s firms.
Total Intelligence Solutions functioned as something akin to a privatized CIA: staffed with former senior Agency officers, capitalized by the Blackwater fortune, and selling intelligence services to governments and corporations alike. Devost ran its day-to-day operations with more than sixty employees.
Both Sides of the Table
In June 2010, Devost co-founded FusionX LLC with Tom Parker, a British cybersecurity expert who had presented with him at Black Hat on adversary characterization back in 2003. FusionX offered red-teaming, penetration testing, and cyber defense, promising that its “best in class technical assessment teams will target your information assets using the highly tailored tactics, techniques and procedures (TTP’s) of your most likely attackers.” Its clients included Fortune 500 companies and government agencies.
From March 2010 through April 2013, Devost simultaneously held an appointment as a Special Government Employee advising the Under Secretary of Defense for Policy, the Deputy Assistant Secretary of Defense for Cyber Policy, and “other senior leadership” on cyber strategy. This period encompassed the discovery of Stuxnet, the operational peak of Olympic Games, the achievement of full operational capability by U.S. Cyber Command, and the formulation of the country’s first comprehensive cyber strategy.
The dual position would have given Devost visibility into both the government’s offensive and defensive cyber posture and the vulnerability landscape of the private sector at the same time.
In 2015, Accenture acquired FusionX. Devost became a Managing Director leading Accenture’s Global Cyber Defense practice, while Parker took on global growth and strategy for Accenture Security’s 6,200-person organization, which generated more than $1.8 billion in annual revenue. Their access scaled accordingly. After both left Accenture, Parker served as Deputy CISO at AIG and then founded Hubble Technology, which was acquired by NetSPI/KKR in 2024.
As of early 2026, both Parker and Harvey work in IBM’s cybersecurity division.
The reporting that follows — on the Blavatnik-funded institution at the center of Devost’s public image, the WINTERMUTE patents, and the months I spent at Accenture’s FusionX before being terminated by mail — is available to paid subscribers.
Hacking, but Legal has no access to protect. Only readers. Paid subscribers are the reason this piece exists, and the reason the next one will.