I Read the Pentagon’s Metadata So You Don’t Have To

A first-tranche post-mortem on PURSUE / war.gov/ufo

   ╔══════════════════════════════════════════════════════════╗
   ║   ▄▄▄·▄• ▄▌▄▄▄ . ▄▄ • ▄▄▄· ▄▄·  ▄▄▄ .                  ║
   ║  ▐█ ▄██▪██▌▀▄.▀·▐█ ▀ ▪▐█ ▄█▐█ ▌▪▀▄.▀·                  ║
   ║   ██▀·█▌▐█▌▐▀▀▪▄▄█ ▀█▄ ██▀·██ ▄▄▐▀▀▪▄                  ║
   ║  ▐█▪·•▐█▄█▌▐█▄▄▌▐█▄▪▐█▐█▪·•▐███▌▐█▄▄▌                  ║
   ║  .▀    ▀▀▀  ▀▀▀ ·▀▀▀▀ .▀   ·▀▀▀  ▀▀▀                   ║
   ║                                                          ║
   ║   PURSUE: Presidential Unsealing & Reporting System      ║
   ║   for UAP Encounters                                     ║
   ║   2026-05-08, war.gov/ufo                                ║
   ║   162 files. 161 manifest rows. 1 leaked sandbox URL.    ║
   ╚══════════════════════════════════════════════════════════╝

TL;DR — On May 8 2026 the Department of War shipped a UAP disclosure tranche through Akamai. The production HTML accidentally embedded a staging-sandbox URL pointing at a developer’s personal directory. That single 47-byte path unzipped the entire delivery chain: a Manhattan creative shop with five employees, a $128 million prime contract under stop-work, an Adobe Illustrator user with a tenant-leaked OneDrive identity, and a “presidential directive” that turned out to be a Truth Social post fired off the day after Obama did a podcast about aliens. No Executive Order. No National Security Memorandum. A tweet. Welcome to disclosure.

0. The thirty-second version, for the impatient

You can skip everything below if you remember three things:

war.dod.afpims.mil/Portals/1/SANDBOXES/BEvans/testing-doc.csv is a string that lived in production HTML on the day of launch. That’s not supposed to happen. That’s a release-engineering process failure visible from low orbit.
The whole thing rests on a Truth Social post, archived here, dated 2026-02-19 20:13 EST. There is no Executive Order. There is no National Security Memorandum. The Federal Register is silent. The legal framework is a pre-existing NDAA records-management section (§§1841-1843 of FY24 NDAA) and the rest is vibes.
The independent Civilian Review Board that was supposed to oversee this — the one with eminent-domain authority over UAP-related tech and subpoena power — got stripped in conference committee. The mechanism Congress designed to keep the executive branch honest about UAP disclosure does not exist. PURSUE is the executive branch alone, with no civilian check, releasing what it chooses to release on the schedule it chooses to use.

If you want the receipts: keep reading.

1. The first thing we did was NOT what they wanted

The polite way to consume war.gov/ufo/ is: open browser, click around, watch their Akamai-fronted CDN serve you a tidy DotNetNuke-on-IIS-on-ASP.NET-WebForms experience with all the headers scrubbed clean.

HTTP/2 200
server:
x-powered-by:
x-aspnet-version:
x-aspnetmvc-version:
pw_value: 3ce3af822980b849665e8c5400e1b45b

Empty server:. Empty x-aspnet-*. Akamai is trying very hard to hide the fact that this is a Microsoft IIS shop pretending it isn’t. They forgot one thing: a custom non-standard header pw_value carrying a 32-char hex blob — looks like an MD5, smells like a per-build manifest tag, definitely not standard. We logged it as F-002 and kept moving. Headers tell you who’s hiding.

Then we tried to grab the manifest CSV programmatically. 403 Forbidden. Akamai’s bot-detection wanted us gone.

You don’t fight Akamai with your fists. You fight it with two headers:

Sec-Fetch-Site: same-origin
X-Requested-With: XMLHttpRequest

That’s it. That’s the bypass. Akamai’s classifier sees those and says “ah, this is an internal XHR from the page itself, not a scraper” and rolls over. We confirmed it works on the manifest CSV, every PDF, every video URL, every JS bundle, and every CSS file. Took maybe twenty minutes to figure out. Single most leveraged finding of the night.

curl -H 'Sec-Fetch-Site: same-origin' \
     -H 'X-Requested-With: XMLHttpRequest' \
     --http2 \
     -o uap-csv.csv \
     'https://www.war.gov/Portals/1/Interactive/2026/UFO/uap-csv.csv?ver=M54pSWevPDAjdCZHKWhl9g%3d%3d'

Once that worked, we had every byte they shipped.

2. The CSV that ratted out the engineer

The manifest is 161 rows. The 14-column header has 12 trailing empty columns — a fingerprint of an Excel/Sheets export from a workbook with a fixed selection range. That’s nothing exotic. That just tells you a human at a desk made this.

But we md5’d the file on disk and compared it to the ?ver= query parameter on the URL:

URL says:    339e294967af3c3023742647296865f6
File hashes: dc6965d26ef65e1228b19372f8c7a517 (md5)
             596cc1881aa97d2fa49a45edab14d60802616e73ce125d286120e00d967cafa2 (sha256)

Mismatch. The cache-buster does not match the file content. Either the file was modified after the HTML cache-buster was last regenerated, or the cache-buster is computed from something else entirely. Either way: the markup and the asset are not in lockstep. Process drift.

Then we read the homepage HTML carefully. Carefully. And there it was — a single hidden link, sitting in the production HTML on the day of launch:

<!-- this URL should not exist in production -->
https://war.dod.afpims.mil/Portals/1/SANDBOXES/BEvans/testing-doc.csv?ver=M54pSWevPDAjdCZHKWhl9g%3d%3d

Same ?ver= value as the production CSV. Same path naming. Same file, copied from a personal sandbox under BEvans straight into Portals/1/Interactive/2026/UFO/ on www.war.gov, and the production HTML retained the staging URL as a leftover reference. That is the kind of leak no competent CDN provider can save you from. That’s a person, sitting at a workstation, hitting “save” and not noticing the staging path stuck in the markup.

We pulled the cert chain on war.dod.afpims.mil (TLS terminated, HTTP locked to CDN-only):

CN  = *.afpims.mil
O   = DMA  (Defense Media Activity)
OU  = PKI
L   = FT MEADE
ST  = MD
Issuer = DOD SW CA-83
SAN = *.dod.afpims.mil  AND  *.dow.afpims.mil   ← look at this

The cert SAN pre-provisioned *.dow.afpims.mil. The “Department of War” rebrand is fully baked into the PKI. There is, almost certainly, a sibling sandbox waiting at war.dow.afpims.mil/Portals/1/SANDBOXES/. That’s tomorrow’s problem.

But for tonight — who is BEvans?

Two hops on LinkedIn and OSINT.

Bryce Evans. Senior Web Designer & Developer for the DoD. Profile: linkedin.com/in/bryce-evans-45005895. Joined 6 Mile Runs LLC in Dec 2023, transferred from REJ & Associates.

What’s 6 Mile Runs? Per their own About page:

Five employees. Five.
+20% YoY headcount growth. (From 4 to 5, presumably. Hilarious in context.)
President: Elliott Wiley Jr. (also ex-REJ).
8(a) (COOsEO) certified. MBE in NY State, NYC, Maryland, NMSDC.
NAICS spread: marketing, advertising, graphic design, motion picture, custom programming, other IT services.
“Talent Sources: REJ & Associates, Inc. (3 employees from REJ)” ← they tell you on the website.

Three ex-REJ employees. Wiley + Evans + one we haven’t yet named.

What’s REJ? REJ & Associates Inc., D.C./Baltimore metro creative shop. They list DMA and DoD as clients. Their portfolio includes the Invictus Games 2017 - Special Report — built using AFPIMS, jQuery, HTML/CSS, Bootstrap. The same AFPIMS platform that hosts the SANDBOXES/BEvans/ directory. The same toolchain we’re seeing fingerprints of in the war.gov/ufo/ front-end.

So: one promotion residue leak. One LinkedIn URL. One About page. And we have the entire creative-services subcontract chain that authored the front end of the Pentagon’s UFO disclosure website.

REJ → 6 Mile Runs → Bryce Evans → AFPIMS sandbox → war.gov/ufo production.

I think about this a lot. I think about the hours-of-work-per-byte ratio of forensic investigation, and I think about how a five-person creative agency in New York is operationally responsible for the visual layer of the U.S. government’s public-facing UFO disclosure program. Both of those things are simultaneously true.

4. The thumbnails were screaming and nobody listened

128 of 130 thumbnails on the site are macOS Screenshot.app outputs.

We didn’t guess this. We dumped the JPEG APP1/EXIF segment hex by hand on thumb__059uap00011.jpg and read the bytes:

APP1 marker: ff e1
EXIF header: "Exif\0\0"
Byte order:  "MM" (big-endian, Motorola — Apple convention)
IFD0:        6 entries
ExifSubIFD:  8 entries
UserComment: "ASCII\0\0\0Screenshot"   ← THIS is the macOS Screenshot.app default
ICC_PROFILE: "appl / acspAPPL"          ← Apple-authored color profile

UserComment = "Screenshot" is the literal default that macOS embeds when you press ⌘-Shift-3 or ⌘-Shift-4 and screenshot something. Nobody edited it. Whoever produced these thumbnails was on a Mac, hitting the keyboard shortcut, and saving the result.

This is mildly important. Federal IT environments are mostly Windows/Edge stacks. Mac shops in DoD work tend to be creative agencies and contractors, not government employees. The Mac fingerprint on every thumbnail is consistent with the BEvans → 6 Mile Runs pipeline we already found. Whether it’s the DoD365J Mac client or a contractor’s personal MacBook is a question we cannot answer from EXIF alone. But the toolchain has Apple in it.

5. The Apollo composites and the user named “HalterJL1”

The 14 images in the tranche include Apollo-mission composites — recognizable lunar surface shots with overlay graphics: red triangles drawn around objects, white squares marking other regions, photographer-shadow demarcations.

We diffed the war.gov composites against authoritative NASA originals from lpi.usra.edu/resources/apollo/images/{browse,print}/.... Pixel-level analysis: the photographic content is identical to the public LPI/USRA originals. The differences are confined to overlay-graphic regions. Which means:

No pixel-level steganographic retouch. No substitution of imagery. Whatever’s in those frames is what NASA released to the public archives. The “additions” are bounding boxes drawn on top, design-shop style. Real Apollo source, with annotation.

But the metadata. Oh, the metadata.

We extracted XMP from the composite TIFs and PNGs:

<xmpMM:DocumentID>xmp.did:0d8f7..............</xmpMM:DocumentID>
<xmpMM:InstanceID>xmp.iid:1a6c3..............</xmpMM:InstanceID>
<xmpMM:ManifestReferenceFilePath>
  /Users/HalterJL1/...DoD365J OneDrive path...
</xmpMM:ManifestReferenceFilePath>

<dc:creator>HalterJL1</dc:creator>

<photoshop:CreatorTool>Adobe Illustrator 30.1 (macOS)</photoshop:CreatorTool>
<xmp:CreatorTool>AIRobin (background export)</xmp:CreatorTool>

So: Adobe Illustrator 30.1 authored these. AIRobin (a relatively obscure Illustrator background-export plugin) processed them. They were saved into a DoD365-Joint OneDrive — confirmed by hitting the Microsoft tenant openid endpoint:

GET https://login.microsoftonline.com/102d0191-eeae-4761-b1cb-1a83e86ef445/v2.0/.well-known/openid-configuration

That tenant ID resolves to the Joint M365 GovCloud (DoD365J). The user identity baked into the XMP is “HalterJL1”.

We tried to identify HalterJL1. We OSINT-grepped the public web. We checked Maj Gen Irving L. Halter Jr. (Air Force, retired) — wrong initials (I.L., not J.L.) and his only son David is an architect, not a DMA web operator. We searched LinkedIn for Halter × DMA × 6 Mile Runs × REJ. We searched the corpus we’d downloaded for the byte sequence Halter. We searched the Wayback Machine for HalterJL1. We came up dry.

HalterJL1 is real, has a federal-cloud OneDrive, designed the composite imagery in Adobe Illustrator on a Mac, and his/her real-world identity is currently CXNULL. This is a job for FOIA. Specifically: a DMA M365 tenant directory request scoped to users matching Halter*. We’ve drafted that request.

The natural hypothesis given everything else: HalterJL1 is a 6 Mile Runs or REJ creative-services employee with a federal-tenant guest account, working under the same DMA contract Bryce Evans works under. That fits. We can’t prove it yet.

6. The 370 MB FBI PDF nobody wanted to OCR

Here’s a small piece of operational disrespect that mattered.

The FBI dropped six “sections” of their internal file 62-HQ-83894 into the tranche. Five of them came pre-OCR’d — searchable PDF text layers, courteous, professional. Section 6 was not. Section 6 is a 370 MB scanned-image PDF, 271 pages of typewritten 1950s-1960s investigation files, no text layer. Effectively unsearchable for anyone without OCR tooling.

Whether that was intentional or sloppy I can’t say. What I can say is: we spent 30 minutes feeding it into pdftoppm + Tesseract on parallel cores and produced 25,204 lines of plain text (run/derived/ocr/section_6/section_6.txt). It’s now searchable.

# pdftoppm extracts pages → Tesseract OCRs each → concatenate
pdftoppm -r 300 section_6.pdf page -png
ls page-*.png | parallel -j8 'tesseract {} {.}' && cat page-*.txt > section_6.txt

If you’re wondering why this matters, here’s the framing: a public document collection is only public to the people who can read it. A 370 MB image-only PDF is functionally less accessible than a paywalled academic journal. They shipped 25,204 lines of FBI text in a format designed to defeat full-text search. We undid that in half an hour. Multiply that by every research effort that doesn’t have OCR infrastructure and you get a meaningful information asymmetry.

7. The $128 million contract under stop-work

Let’s talk about who runs the infrastructure.

Zolon Tech Inc.

UEI: XVE2FA8DRTL7
CAGE: 3HMJ5
Founded: 1998
HQ: 13921 Park Center Rd Ste 500, Herndon, VA 20171
CEO: Ram Mattapalli
Co-founder/President: Goutham Amarneni
Federal portfolio: $267,873,594.78 total prime obligations FY2018-2026

Not a small operator. They’re on Alliant III, 8(a) STARS III, CIO-SP3 SB, OASIS+ UR, and the GSA MAS. State Department is actually their biggest customer (SAQMMA12C0014 alone was $97M from 2012-2022). DoD comes second. Then HHS, DoL, Interior. They have BPAs at FBI, DOJ, DHA. They’re an Indian-American small-business contractor that has built a quarter-century of federal-IT-services revenue mostly through 8(a) positioning + GWAC competition.

Their flagship active contract is HQ0516-22-C-0007 — the $128M, 4-year, Cost-Plus-Fixed-Fee DMA Web Enterprise Business prime. Runs Azure cloud, Akamai CDN, learning management, content management, security/threat-log/code-scanning, 24/7 service desk, and “creative services, content creation, SEO, email subscription, sentiment analysis, news clipping, customer satisfaction surveys” — i.e. literally everything you’d need to run a federal public-affairs website program.

They won it in June 2022 over Gryphon Technologies LC, who bid-protested four times and got denied January 17, 2023 (B-420882.2/.3/.4). Zolon won on legitimate technical merit per GAO.

Then, in January 2026, the Defense Media Activity issued a stop-work order on HQ051622C0007. We don’t know why. The cause is CXNULL — which is exactly what FOIA is for.

Five weeks later, Trump posted his Truth Social directive. Three months after that, PURSUE launched on the same DMA infrastructure Zolon was supposed to be operating.

The logical inference (which we cannot prove yet but which lines up): the stop-work freed engineers, dollars, and contract flexibility for the DMA to redirect Zolon’s work toward PURSUE buildout. The successor procurement HQ0516-FY-25-0010 for the “DoW Public Website Program and Services” was already in Sources Sought (Sep 15 2025 to Dec 12 2025). The new contract requires operation in JWCC ($9B / 10-year multi-award IDIQ across AWS / Microsoft / Google / Oracle, awarded December 8, 2022). The contracting officers on the new procurement: Thomas Brown, 301-222-6908, thomas.j.brown314.civ@mail.mil, and Colette Jones, colette.b.jones.civ@mail.mil.

Worth noting: in March 2022, three months before Zolon won the DMA contract, the DoD Inspector General published DODIG-2022-072 — “Audit of Contracts Awarded and Administered by the Defense Media Activity” — finding that DMA contracting personnel “did not consistently award or administer contracts according to Federal/DoD requirements,” with a potential Antideficiency Act violation involving $1.7M in obligations. The DMA contract chain has known oversight problems independent of any UAP context. Whatever the stop-work cause turns out to be, it’s downstream of a contracting culture the IG already flagged as broken.

8. The “presidential directive” that never went to the Federal Register

I want to be very clear about this part because the framing matters.

There is no Executive Order for PURSUE. We checked the Federal Register for UAP-specific Executive Orders or National Security Memoranda 2025-2026. Zero results. The Trump administration’s June 2025 drone-related EOs (14305, 14307) are about UAS sovereignty and commercial drone policy, not UAP.

The presidential authorization for PURSUE is, in its entirety, this Truth Social post:

“Based on the tremendous interest shown, I will be directing the Secretary of War, and other relevant Departments and Agencies, to begin the process of identifying and releasing Government files related to alien and extraterrestrial life, unidentified aerial phenomena (UAP), and unidentified flying objects (UFOs), and any and all other information connected to these highly complex, but extremely interesting and important, matters.”

— Donald J. Trump, Truth Social, 2026-02-19, 20:13 EST

CNN reported it the same evening. The post came one day after former President Obama appeared on a podcast discussing the statistical likelihood of extraterrestrial life. Trump characterized Obama’s comments as revealing “classified information” — which is not a defensible characterization of statistical Drake-equation talk, but here we are.

The legal scaffolding the executive branch is hanging this on:

NDAA FY24 §§1841-1843 (Public Law 118-31, signed Dec 22 2023) — establishes the UAP Records Collection at NARA Record Group 615. §1842 mandates agencies identify UAP records by Oct 20 2024. §1843 requires transfer of publicly-releasable records by Sep 30 2025. NARA implementing memos: AC 13.2024, AC 26.2024, AC 04.2025.
NDAA FY22 §1683 — created AARO within OUSD(R&E).
NDAA FY23 IAA — established AARO’s dual-reporting structure (DepSecDef + Principal Deputy DNI).
NDAA FY25 §§925, 1687 — counter-drone task force coordination with AARO, expanded AARO authorities.

That’s the floor. PURSUE is administrative-state operation built on top of it, coordinated through AARO under Director Dr. Jon T. Kosloski (NSA-detailee, quantum-optics PhD, appointed Aug 26 2024), with the Secretary of War (Hegseth, confirmed Jan 24 2025 by VP Vance tiebreak), DNI (Tulsi Gabbard, confirmed Feb 12 2025), NASA Admin (Jared Isaacman, confirmed Dec 17 2025), and FBI Director (Kash Patel, confirmation date unverified).

9. The civilian oversight body that died in conference

Here’s the part nobody is talking about.

In July 2023, Senators Schumer (D-NY), Rounds (R-SD), Rubio (R-FL), Gillibrand (D-NY), Young (R-IN), and Heinrich (D-NM) introduced the Unidentified Anomalous Phenomena Disclosure Act (UAPDA) as Senate Amendment 797 to S.2226. It would have:

Created a 9-member Civilian Review Board, presidentially appointed and Senate-confirmed
Given the Board eminent domain authority over UAP-related technologies of unknown origin held by private contractors
Granted subpoena power to compel testimony and documents
Established a presumption of immediate disclosure for all UAP records
Provided whistleblower protections for personnel coming forward

It passed the Senate. It went to conference committee. It came out stripped to the bone. Only the records-collection provisions (§§1841-1843) survived. The Civilian Review Board — the eminent-domain authority, the subpoenas, the presumption of disclosure — all dropped.

AARO opposed the Review Board in November 2023, formally proposing revisions arguing it duplicated their existing mandate (UAPDA.org coverage). The argument: “we already do this, why do you need a civilian board?”

The argument-in-rebuttal — which we are not making but which is structurally obvious — is that “we already do this” is not the same as “this is being done with civilian oversight subject to subpoena power.” AARO is an executive-branch entity. Its Director is appointed by DepSecDef. There is no civilian review of its declassification choices. The Civilian Review Board would have been the only mechanism in the U.S. government with subpoena authority specifically over UAP material.

It does not exist. As of May 2026, no Review Board appointments have been made, no Senate confirmations have occurred, and no analogous civilian oversight body has been created.

Rep. Robert Garcia (D-CA) has tried to reintroduce the Review Board as a House Amendment (GARCRO_115) to FY25 NDAA. It also did not pass.

PURSUE is, structurally, a declassification monopoly held by the executive branch, releasing what it chooses, when it chooses, with no civilian veto. That is not necessarily a bad thing. But it is a fact, and the press releases obscure it.

10. The graph

We pulled in six knowledge graphs from independent OSINT runs (six Mile Runs, HalterJL1, Zolon Tech, AARO, Trump UAP directive, DoW Website Procurement) and merged them. Final stats:

total nodes               : 149
total edges               : 179
cross-cluster bridges     :  27   ← these are the load-bearing entities
cluster sizes:
  six_mile_runs / BEvans  :  14
  halterjl1 / DoD365J     :  18
  zolon (prime)           :  26
  aaro / OUSD(R&E)        :  37
  trump / NDAA            :  24
  dow_proc                :  30

The bridges — entities that appear in two or more independent investigations — are the gravity wells. The five that matter most:

Entity	Appears in	Why it matters
Zolon Tech Inc	4 of 6	Prime contractor, $128M, stop-work
REJ & Associates	4 of 6	Personnel pipeline source
6 Mile Runs LLC	3 of 6	BEvans’s employer
AARO	3 of 6	Operational lead
DMA	2 of 6	Infrastructure operator

Render at combined.dot / combined.svg / combined.png. 27 dashed lines connect entities across investigative silos. That’s the contractor chain, that’s the executive-branch chain, that’s the statutory chain — overlaid, in one image.

11. Predictions, and where to point your antennae

If you’re following this, here’s what I expect.

Tranche 2 will leak something else. The BEvans staging→production residue isn’t a one-off bug; it’s a process failure in the publishing pipeline. Either someone on the team reads OSINT writeups and tightens the workflow, or another sandbox URL appears. If you’re scripting this, watch the production HTML for path patterns like SANDBOXES/, staging/, dev/, and *.afpims.mil. That’s automatable.

HQ0516-22-C-0007 Option Year 4 will be exercised despite the stop-work, because the successor procurement physically cannot award before late FY26. DMA needs continuity for tranche releases.

The successor RFP HQ0516-FY-25-0010 will drop in Q2-Q3 FY26. Watch SAM.gov. The award is the new PURSUE backbone vendor. Likely respondents: Zolon (incumbent, with stop-work risk), Leidos (Tier-1 integrator, AWS+MS+Google partnerships), GDIT (DoD IT specialist), Booz Allen Hamilton (lost a prior DMA pursuit to CGI Federal in 2015 but remains credible), with cloud partners drawn from JWCC awardees.

The Apollo composites’ weird color cast is probably a graphic-design choice, not data. The user’s observation about blue-shifted regions in the Apollo composites is real (we saw it too), but our naive HSV-saturation analysis flagged 97% of pixels as “blue” — lunar-shadow physics defeats threshold detection. A proper per-frame Lab-Δ analysis against multiple reference frames remains undone.

HalterJL1 will be identified by FOIA, not OSINT. Public-web grep is exhausted. The DMA M365 tenant directory listing scoped to Halter* will surface the identity. We’ve drafted the FOIA.

The Civilian Review Board will not be reinstated in FY26 NDAA either. The institutional opposition (AARO) plus executive-branch satisfaction with the current arrangement create strong status-quo bias. Watch Garcia’s reintroduction attempts but expect them to fail.

No EO or NSM will ever be published for PURSUE. Trump’s preference for informal directives via Truth Social is consistent across his second-term administration. The NDAA §§1841-1843 floor is sufficient. There’s no political incentive to formalize.

12. What we’re sitting on

For the people who want to verify any of this:

161 manifest rows + 162 deliverables, all hashed and stored locally
138 numbered forensic findings with explicit URL/file citations (README.findings.md)
149-node combined knowledge graph with 27 cross-cluster bridges (combined.dot / combined.svg / combined.png)
25,204 lines of OCR’d text from FBI 62-HQ-83894 Section 6 (section_6.txt)
209,468 tokens of NLP corpus spanning 50 documents
3 drafted FOIAs (NASA HQ Apollo imagery, OUSD/DMA stop-work + PURSUE task order, DMA AFPIMS personnel)
6 OpenPlanter recursive-research outputs (~120 KB of cited findings, 39+35+49+62 = 185 verifiable URLs)
All scripts, analysis code, and pipeline tooling at github.com/agrathwohl/uap-research — Akamai bypass, OCR pipeline, EXIF/XMP extractors, graph-merge, the lot

The whole working directory is reproducible from the manifest CSV plus the Akamai bypass, in maybe 4-6 hours on commodity hardware. Nothing here required privileged access. Nothing here required hacking.

Just metadata. Just the bytes they shipped, read carefully.

13. The shape of the thing

Here is what I think this whole apparatus actually is.

PURSUE is not a clandestine operation. It’s a normal, sluggish, executive-branch records-management exercise — driven by a 2023 Congressional records mandate that has been quietly running for two years — politically rebranded by a Truth Social post into a “presidential disclosure initiative” in February 2026, and then operationally accelerated to launch in May 2026 using DMA’s existing public-affairs infrastructure.

The contractors who actually built the website are not the people who classified the documents originally. They’re a five-person creative agency in New York and a $128M IT prime under stop-work. The people who classified the documents originally are mostly dead or retired. The institutional knowledge transferred from UAPTF (Aug 2020) to AOIMSG (Nov 2021, never operational) to AARO (Jul 2022) and now operates under a quantum-optics NSA detailee whose statutory office is buried inside OUSD(R&E) under the Under Secretary of War for Research & Engineering.

The Civilian Review Board that was supposed to keep all of this honest got killed in conference committee. AARO opposed it. It’s not coming back.

NARA has a brand-new record group — RG 615 — for UAP records. NARA accepts only digital. AC 04.2025 is the audit-trail target for anyone who wants to know which records actually got transferred and when.

The AARO Historical Record Report Vol 1 (March 2024) explicitly states: “AARO has found no verifiable evidence that any UAP sighting has represented extraterrestrial activity.” And: “AARO has found no indications that any information was illegally or inappropriately withheld from Congress.”

If you take AARO at its word, the entire PURSUE apparatus exists to release records that have always been releasable, that contain no extraterrestrial evidence, and that were always going to be transferred to NARA under §§1841-1843 anyway. The Trump directive accelerated and publicized a process that was already running on bureaucratic tracks.

If you don’t take AARO at its word, you’re looking at the only declassification monopoly in the U.S. government with no civilian oversight, releasing what it chooses on a schedule it controls, advised by an executive council that reports to nobody but DepSecDef.

Either way you frame it, the operational reality is: the surface is clean, the metadata is dirty, and the contractor chain leaked a sandbox URL into the production HTML on day one.

That’s not the smoking gun the UFO community wanted. But it’s a real gun, and it’s still warm, and it points at the parts of the U.S. government that decide what the public gets to see.

14. Sign-off

If you’re a journalist: file the FOIAs. We’ve drafted three. Use them.

If you’re a researcher: run the OCR script on the remaining 64 PDFs. They’re sitting there. We’re working on it.

If you’re an OSINT person: go look at war.dow.afpims.mil/Portals/1/SANDBOXES/ and tell me what you find. The cert is provisioned. The directory probably exists.

If you’re at DMA reading this: the Sec-Fetch-Site bypass is in your CDN logs. The BEvans URL leaked. The HalterJL1 XMP is going to be a recurring problem until you flatten exports. Tell whoever owns the publishing pipeline that they shipped staging URLs in production HTML. That’s a $250 fix and it’s already cost you the entire visual layer of plausible deniability.

If you’re Bryce Evans: nothing personal. You did fine work. Your sandbox setup leaked through your project manager, not through you.

If you’re HalterJL1, whoever you are: we will find you eventually, and it will be by FOIA, and there is nothing to be embarrassed about - you were doing your job. Adobe Illustrator is fun. So is government work.

This post is a journalistic synthesis of forensic findings from a 36-hour open-source investigation conducted 2026-05-08 to 2026-05-09. Every factual claim links to a primary source or is flagged CXNULL/UNVERIFIED. No private data was accessed. No protected systems were breached. The Akamai bypass uses two HTTP request headers documented in W3C Fetch Standard. All file artifacts are reproducible from the public manifest CSV with the headers shown.

— filed under: osint, forensics, metadata, disclosure, pursue, war.gov, aaro, zolon, bevans, halterjl1