
Iran Just Published Satellite Photos of OpenAI's Hidden Data Center. We Can't Stop Missiles. We Can Stop Everything Else.

  • Writer: Patrick Duggan
  • Apr 6

Updated: Apr 25

On Saturday, Iran's Islamic Revolutionary Guard Corps released a video featuring satellite imagery of OpenAI's $30 billion Stargate AI datacenter in Abu Dhabi. The facility was hidden on Google Maps. The IRGC found it anyway, published its exact coordinates, displayed photos of the CEOs behind the project — OpenAI, Nvidia, Microsoft, Goldman Sachs — and promised "complete and utter annihilation."


This is not a threat. This is a targeting package.


The Scoreboard



| Date | Target | What Happened |
|---|---|---|
| March 1 | AWS UAE (2 facilities) | Shahed drone strikes. Offline. |
| March 1 | AWS Bahrain | Drone strike. Fire. 73 services impacted. |
| April 1 | AWS Bahrain | Second strike. Interior minister confirmed fire. |
| April 2 | Oracle Dubai | Intercepted missile debris damaged facility. |
| April 4 | OpenAI Stargate Abu Dhabi | Satellite imagery published. "Annihilation" promised. |



Five data center incidents in 36 days. Three facilities physically struck. One hit twice. And Iran publishing its own recon video for the next target.


Iran is running a bombing campaign against cloud infrastructure. With $20,000 drones against $30 billion facilities.


What We Can't Do



We can't stop missiles. We're a two-person threat intelligence company in Minneapolis. We don't have Iron Dome. We don't have Patriot batteries. We don't have THAAD. If a Shahed drone is inbound to your data center, you need the Department of Defense, not a STIX feed.


Let's be honest about that.


What We Can Do



Everything else.


The kinetic attacks are the headline. But every kinetic campaign has a cyber component — and that's where organizations are exposed right now with no coverage.


Before the missile, there's reconnaissance. The IRGC didn't find Stargate's location by accident. They conducted OSINT, satellite acquisition, network mapping, and infrastructure enumeration. The same techniques that located a hidden data center are being used right now to map your network topology, your failover routes, your VPN endpoints, and your employee directory.


We track that reconnaissance. Our STIX feed carries 1,046,000+ IOCs including Iranian infrastructure. Our behavioral detection has logged 6 million autonomous threat decisions. When Iranian-linked scanners probe your perimeter, we see it.


After the missile, there's cyber exploitation. When AWS went down in Bahrain, banking apps failed, payment systems crashed, and enterprise software went offline across the region. In that chaos — while IT teams are scrambling to restore services — is exactly when the secondary cyber attack lands. Phishing campaigns targeting employees. Credential stuffing against failover systems that were hastily brought online. Supply chain attacks against DR providers who suddenly have 10x the traffic.


We track that exploitation. Our exploit harvester runs every 6 hours, pulling fresh CVE proof-of-concept code from GitHub and converting it to detection rules. When the Fortinet EMS zero-day dropped on Good Friday — while everyone was on Easter skeleton crew — our harvester grabbed the attack patterns and pushed them to 275+ organizations automatically.


Between the missiles, there's infrastructure targeting. The IRGC published their target list: 18 American technology companies. Cisco, HP, Intel, Oracle, Microsoft, Apple, Google, Meta, IBM, Dell, Palantir, Nvidia, JPMorgan, Tesla, GE, Boeing, plus G42 and Spire Solutions. Every one of those companies has thousands of employees, vendors, and partners who are now at elevated risk.


We track those companies. We've published threat research on Cisco's worst week in cybersecurity history. We've analyzed the Fortinet vulnerabilities being actively exploited. We've mapped the supply chain attacks cascading from Trivy to Axios to the European Commission. The same threat actors who are launching missiles are simultaneously running cyber operations against the same targets.


The Convergence Problem



The Gulf states bet $2 trillion on becoming the world's AI compute hub. Data sovereignty laws require sensitive data to stay in-country. That means you can't failover to Virginia when Abu Dhabi goes dark.


Iran weaponized data sovereignty. The same laws that were supposed to protect Gulf state data now concentrate it in targetable facilities. You can't distribute what you legally must concentrate.


This creates a three-layer problem:


  • Kinetic — drones and missiles hit the facility

  • Cyber — exploitation follows the chaos

  • Legal — data sovereignty laws prevent geographic failover


We can't help with layer 1. We own layers 2 and 3.


Microsoft pulls this feed daily. AT&T pulls this feed daily. Starlink pulls this feed daily. Get the DugganUSA STIX feed: $9/mo


What Your SOC Should Do This Week



Today:

  • Audit your Gulf region infrastructure dependencies. If you have anything in AWS me-south-1 (Bahrain), Azure UAE North, or Oracle Dubai — you are in the blast radius.

  • Check your DR plan. Does it assume the primary region is available for graceful failover? Because "graceful" doesn't describe a drone strike.

  • Pull our STIX feed. The Iranian IOCs are current. The FortiClient EMS detection rules are in there. The scanner IPs from our honeypots are in there.
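
One way to run the first two "Today" checks over an asset inventory, including the data-residency constraint from the convergence section. This is an added example, not DugganUSA code: the `Workload` fields, the `audit` function and the inventory are hypothetical, and the region codes are the providers' public identifiers for the locations the article names.

```python
from dataclasses import dataclass
from typing import Optional

# Locations the article names, keyed by public region code -> (label, country).
AFFECTED = {
    ("aws", "me-south-1"): ("AWS Bahrain", "BH"),
    ("aws", "me-central-1"): ("AWS UAE", "AE"),
    ("azure", "uaenorth"): ("Azure UAE North", "AE"),
    ("oci", "me-dubai-1"): ("Oracle Dubai", "AE"),
}

@dataclass
class Workload:
    name: str
    primary: tuple                   # (provider, region code)
    dr: Optional[tuple] = None       # DR target, same shape
    dr_needs_primary: bool = False   # failover is a planned hand-off from a live primary
    residency: Optional[str] = None  # country the data must legally stay in

def audit(workloads):
    """Return {workload name: [findings]} for anything in the blast radius."""
    report = {}
    for w in workloads:
        findings = []
        if w.primary in AFFECTED:
            label, country = AFFECTED[w.primary]
            findings.append(f"primary in {label}")
            if w.dr is None:
                findings.append("no DR target")
            elif w.dr_needs_primary:
                findings.append("failover assumes primary is reachable")
            if w.residency == country:
                findings.append(f"residency {country} blocks out-of-country failover")
        if w.dr in AFFECTED:
            findings.append(f"DR in {AFFECTED[w.dr][0]}")
        if findings:
            report[w.name] = findings
    return report

# Constructed inventory; in practice, export this from a CMDB or the cloud APIs.
INVENTORY = [
    Workload("payments-api", ("aws", "me-south-1"), ("aws", "me-central-1"), dr_needs_primary=True),
    Workload("hr-portal", ("azure", "uaenorth"), residency="AE"),
    Workload("analytics", ("aws", "eu-central-1"), ("oci", "me-dubai-1")),
    Workload("storefront", ("aws", "us-east-1"), ("aws", "us-west-2")),
]

if __name__ == "__main__":
    print(audit(INVENTORY))
```

A workload whose DR target sits in another named region, such as `payments-api` here, is flagged twice: once for the primary and once for the failover site.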


This week:

  • Patch CVE-2026-35616 (FortiClient EMS) if you haven't. Six days of pre-patch exploitation. Active in the wild.

  • Patch CVE-2026-20131 (Cisco FMC, CVSS 10.0). CISA mandatory remediation for federal agencies.

  • Review your supply chain exposure to the 18 IRGC-named companies. If you're a vendor, partner, or customer of any of them, your attack surface just expanded.


This quarter:

  • Rethink data residency. "Store it where the law says" worked when the threat was cyber. It doesn't work when the threat is ballistic.

  • Multi-cloud with geographic diversity. Not just multi-region — multi-continent. Poland and Central Europe are positioning as alternatives.

  • Automate your threat detection. The holiday skeleton crew problem and the missile chaos problem are the same problem: humans aren't at the dashboard when the attack comes. Automation is.


The Feed



Our STIX feed didn't take Easter off. It won't take a missile strike off either. Automated. 275+ organizations. 46 countries. Updated every 6 hours with fresh exploit detection rules.


We can't stop the drones. We can make sure that when they hit, the cyber exploitation that follows lands on a defended network instead of a blind one.


Point your SIEM at analytics.dugganusa.com/api/v1/stix-feed — the Iranian IOCs, FortiClient EMS detection rules, and honeypot scanner IPs are all flowing automatically.
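
For a SIEM without native STIX ingestion, the matching step can be sketched as below. This is an added example, not DugganUSA code: it assumes the feed returns a standard STIX 2.1 bundle of `indicator` objects, which the post does not specify, and the bundle, log lines and function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Handles only single-comparison IPv4/domain patterns; anything else is reported.
SIMPLE = re.compile(r"\[(ipv4-addr|domain-name):value\s*=\s*'([^']+)'\]")

def _ind(n, pattern, **extra):
    return {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
            "id": f"indicator--00000000-0000-4000-8000-{n:012d}",
            "name": f"constructed-{n}", "pattern": pattern, **extra}

# Constructed bundle and log lines: documentation-range IPs, example domains.
BUNDLE = {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000", "objects": [
    _ind(1, "[ipv4-addr:value = '203.0.113.7']", valid_until="2026-12-31T00:00:00.000Z"),
    _ind(2, "[domain-name:value = 'vpn-update.example.net']"),
    _ind(3, "[ipv4-addr:value = '198.51.100.20']", valid_until="2026-03-01T00:00:00Z"),
    _ind(4, "[ipv4-addr:value = '192.0.2.44']", revoked=True),
    _ind(5, "[ipv4-addr:value = '203.0.113.99' OR ipv4-addr:value = '203.0.113.100']"),
]}
LOGS = [
    "2026-04-06T02:11:09Z fw deny src=203.0.113.7 dst=10.0.0.5 dport=443",
    "2026-04-06T02:11:12Z dns query client=10.0.0.23 name=vpn-update.example.net",
    "2026-04-06T02:12:40Z proxy connect client=10.0.0.23 peers=198.51.100.20,192.0.2.44",
]
NOW = datetime(2026, 4, 6, tzinfo=timezone.utc)

def load_indicators(bundle, now):
    """Return ({observable: indicator name} for live indicators, [ids left unparsed])."""
    live, skipped = {}, []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        until = obj.get("valid_until")
        if until and datetime.fromisoformat(until.replace("Z", "+00:00")) <= now:
            continue  # expired: matching on it would only add false positives
        m = SIMPLE.fullmatch(obj.get("pattern", "").strip())
        if m:
            live[m.group(2).lower()] = obj.get("name", obj["id"])
        else:
            skipped.append(obj["id"])  # compound pattern: needs a full STIX pattern parser
    return live, skipped

def match_logs(lines, indicators):
    """Return (line number, observable, indicator name) for each hit."""
    return [(n, tok, indicators[tok]) for n, line in enumerate(lines, 1)
            for tok in re.findall(r"[a-z0-9.-]+", line.lower()) if tok in indicators]

if __name__ == "__main__":
    print(match_logs(LOGS, load_indicators(BUNDLE, NOW)[0]))
```

The `skipped` list is the coverage gap: indicators the feed delivered that this matcher cannot evaluate, which should be tracked rather than silently dropped.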


Free tier: analytics.dugganusa.com/stix/register




Iran published satellite imagery of a data center that was hidden on Google Maps. They've already hit four facilities. They're promising to destroy a fifth.


We can't stop missiles. Nobody with a STIX feed can. But the missile is 10% of the attack. The other 90% — the reconnaissance, the exploitation, the supply chain compromise, the chaos-driven phishing — that's our lane.


Your SOC can't shoot down drones. It can block the cyber campaign that follows.





Her name was Renee Nicole Good.


His name was Alex Jeffery Pretti.



 
 
 
