Corvus
Organization · Recon Complete · 04020003

In-Q-Tel

Independent American not-for-profit venture capital firm that identifies and partners with companies developing advanced technologies for US national security.

Primary URL
iqt.org
Completed
2026-05-27 17:02 UTC
Duration
105m 0s
Entities: 147
Relationships: 61
Evidence: 48
Judgments: 7
Timeline: 22
Geo: 9

Bottom Line Up Front

In-Q-Tel (IQT) is an independent 501(c)(3) venture capital firm founded in 1999 to invest in commercial technology on behalf of the US Intelligence Community, operating from 1800 Tysons Blvd (McLean VA) with a secondary office at 2107 Wilson Blvd (Colonial Place III, Arlington VA). Recon mapped 147 entities, including a current C-suite (CEO sbowsher@iqt.org, CISO dgeer@iqt.org, board chair Michael Crow), 43 subdomains exposing a self-hosted internal stack (gitlab, mattermost, bitwarden, internal PKI, Q Nexus) behind Cisco Duo zero-trust portals, and a deep portfolio bench (Palantir, MongoDB, Mapbox, Rigetti, D-Wave, Nauticus, Exyn). Email security posture is very likely mature (DMARC p=reject, narrow SPF, OnDMARC forensic reporting); internal services are not directly internet-reachable. The principal external risks are workforce-targeting (the Hunter pattern {f}{last}@iqt.org resolves ten named senior personnel, 9 of 10 mailboxes appear in commercial breach corpora, and one plaintext credential for linda@iqt.org surfaces in the ProxyNova COMB; password redacted in this report), a complete WHOIS leak of NOC operator George Lewis via Identity Digital's non-redacting .ai registration, and the indirect adversary-attention effect of Palantir's current DOGE involvement. IQT also very likely functions as a multi-IC investment vehicle rather than a CIA-exclusive arm: NGA explicitly co-funded the Keyhole / Google Earth deal, and Senate / NTIA / FCC documents cite IQT across four jurisdictions in 2024-2025.

§ 01

Key Judgments

7 · graded per ICD 203
KJ-01

Target identity is firmly the public IQT, not a name-collision

High Confidence

Identity attribution is the load-bearing assumption of every downstream judgment, and the evidence base here is unusually strong. RDAP, ARIN's AS393900 'IQT1' registration, Wikidata, OpenAlex/ROR, and SEC EDGAR all cross-confirm the same canonical entity. The Key Assumptions Check (KAC) identity-collision risk (a different IQT, a divested subsidiary, a stale registration) is very unlikely here: the entity is named in 17 S-1/A filings across four publicly traded portfolio companies and 108 GovInfo documents in active circulation.

KJ-02

Mail posture is mature — DMARC p=reject, OnDMARC reporting, narrow SPF

High Confidence

Both iqt.org and bnext.org publish DMARC p=reject; pct=100 with fo=1 failure reporting to the same c494f449@inbox.ondmarc.com Red Sift endpoint. SPF is restrictive (no permissive +all and no softfail ~all catch-all) and the IPv4 allow-list is short enough to audit. From-self spoofing is very unlikely to bypass receiving gateways; the residual mail-vector risk is lookalike domains and display-name anomalies (see r_02).
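The grading logic behind this judgment, as an added example (not part of the Corvus report or any Red Sift tooling): it parses DMARC and SPF TXT records and lists the weaknesses a reviewer would flag. The DMARC record below mirrors the tags the judgment cites (p=reject, pct=100, fo=1, ruf to the OnDMARC inbox); the iqt.org SPF record is not quoted on this page, so the SPF strings and the weak comparison domain are constructed for illustration, using documentation address space.

```python
"""Grade DMARC and SPF posture from TXT records (offline; no DNS queries)."""
from dataclasses import dataclass, field

# Constructed records. The DMARC tags follow what KJ-02 cites; the SPF
# records and the weak comparison domain are made up for illustration.
IQT_DMARC = "v=DMARC1; p=reject; pct=100; fo=1; ruf=mailto:c494f449@inbox.ondmarc.com"
IQT_SPF_ASSUMED = "v=spf1 ip4:203.0.113.0/24 include:spf.protection.outlook.com -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50; rua=mailto:dmarc@example.com"
WEAK_SPF = "v=spf1 a mx include:_spf.example.net ~all"


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a dict of lower-cased tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_terminator(spf: str) -> str:
    """Return the qualifier (+, -, ~, ?) on the 'all' mechanism, or 'none'."""
    for term in spf.split():
        if term and term[0] in "+-~?":
            qualifier, mech = term[0], term[1:]
        else:
            qualifier, mech = "+", term
        if mech.lower() == "all":
            return qualifier
    return "none"


def spf_lookup_count(spf: str) -> int:
    """Count mechanisms that cost a DNS lookup (RFC 7208 caps these at 10)."""
    count = 0
    for term in spf.split()[1:]:  # skip the v=spf1 version term
        mech = term.lstrip("+-~?").lower()
        name = mech.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0]
        if name in ("include", "a", "mx", "ptr", "exists", "redirect"):
            count += 1
    return count


@dataclass
class MailPosture:
    dmarc_policy: str
    dmarc_pct: int
    forensic_reports: bool
    spf_terminator: str
    spf_lookups: int
    findings: list = field(default_factory=list)

    @property
    def mature(self) -> bool:
        return not self.findings


def grade(dmarc_txt: str, spf_txt: str) -> MailPosture:
    """Apply the KJ-02 criteria and collect every deviation as a finding."""
    tags = parse_dmarc(dmarc_txt)
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    terminator = spf_terminator(spf_txt)
    lookups = spf_lookup_count(spf_txt)
    findings = []
    if policy != "reject":
        findings.append(f"DMARC p={policy}: spoofed From-self mail is not rejected")
    if pct < 100:
        findings.append(f"DMARC pct={pct}: {100 - pct}% of failing mail is unpoliced")
    if terminator in ("+", "none"):
        findings.append("SPF has no restrictive terminator (+all or missing all)")
    elif terminator == "~":
        findings.append("SPF ends in ~all (softfail); many receivers still deliver")
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups (>10 yields permerror)")
    return MailPosture(policy, pct, "ruf" in tags, terminator, lookups, findings)


if __name__ == "__main__":
    for label, dmarc, spf in (("iqt.org (assumed SPF)", IQT_DMARC, IQT_SPF_ASSUMED),
                              ("weak comparison", WEAK_DMARC, WEAK_SPF)):
        posture = grade(dmarc, spf)
        print(label, "mature" if posture.mature else posture.findings)
```

Note that fo=1 only controls when failure reports are generated; the ruf tag is what routes them to the reporting endpoint, so the grader keys forensic reporting on ruf, not fo.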

KJ-03

Broad workforce-targeting surface — pattern + breach corpus + one plaintext leak

Moderate Confidence

Hunter enumerates 105 IQT mailboxes and the {f}{last}@iqt.org pattern; ten C-suite-and-adjacent staff are individually surfaced. Breach hits on sbowsher@iqt.org (9 corpora), kbojack@iqt.org (5), imyauo@iqt.org (4), mchadwick@iqt.org (5), bsmith@iqt.org (5), glewis@iqt.org (5), and one plaintext credential pair for linda@iqt.org from the ProxyNova COMB (password redacted in this report). Confidence is moderate (not high) because the exploitability of these against IQT's own Duo-gated SSO is likely low; the realistic attacker path is third-party SaaS password reuse and tailored spear-phishing, not direct stuffing.
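The pattern-inference step this judgment relies on, as an added example (not code from the report or from Hunter): given a few observed addresses and a roster of names, it scores the common corporate templates (the {f}{last} template from the report plus several others), picks the dominant one, expands the rest of the roster under it, and joins the result against a breach index. The roster, observed addresses, breach counts and the example.com domain are all constructed; none of them describe real IQT staff.

```python
"""Infer a corporate e-mail naming template and expand it over a name roster."""
import re

# Common templates. "{f}{last}" is the one the report attributes to iqt.org;
# the rest are standard alternatives a recon tool would score alongside it.
PATTERNS = {
    "{f}{last}":      lambda first, last: f"{first[0]}{last}",
    "{first}.{last}": lambda first, last: f"{first}.{last}",
    "{first}{last}":  lambda first, last: f"{first}{last}",
    "{first}_{last}": lambda first, last: f"{first}_{last}",
    "{f}.{last}":     lambda first, last: f"{first[0]}.{last}",
    "{first}":        lambda first, last: first,
}

# Constructed roster, observed addresses and breach-corpus counts.
ROSTER = ["Ada Lovelace", "Grace Hopper", "Alan Turing", "Claude Shannon"]
OBSERVED = ["alovelace@example.com", "ghopper@example.com", "aturing@example.com"]
BREACH_INDEX = {"alovelace@example.com": 9, "cshannon@example.com": 2}


def normalize(name: str) -> tuple:
    """Lower-case, drop non-letters, return (first, last) tokens."""
    parts = re.sub(r"[^a-z ]", "", name.lower()).split()
    return parts[0], parts[-1]


def infer_pattern(names, observed, domain: str) -> tuple:
    """Return (template, hit_ratio) for the template matching most observations."""
    seen = {addr.lower() for addr in observed}
    best = ("", 0.0)
    for label, render in PATTERNS.items():
        hits = sum(f"{render(*normalize(n))}@{domain}" in seen for n in names)
        ratio = hits / len(names)
        if ratio > best[1]:
            best = (label, ratio)
    return best


def expand(names, pattern: str, domain: str) -> list:
    """Generate candidate mailboxes for every name under the chosen template."""
    render = PATTERNS[pattern]
    return sorted({f"{render(*normalize(n))}@{domain}" for n in names})


def exposure(candidates, breach_index: dict) -> dict:
    """Map each candidate to how many breach corpora list it (0 if none)."""
    return {addr: breach_index.get(addr, 0) for addr in candidates}


if __name__ == "__main__":
    pattern, ratio = infer_pattern(ROSTER, OBSERVED, "example.com")
    print(f"dominant template {pattern} ({ratio:.0%} of roster observed)")
    for addr, hits in exposure(expand(ROSTER, pattern, "example.com"), BREACH_INDEX).items():
        print(f"  {addr:28s} breach corpora: {hits}")
```

Defenders can run the same expansion against their own directory to see which mailboxes an attacker would derive without ever touching the mail server; the hit ratio is the signal that the template is confirmed rather than guessed.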

KJ-04

Internal tooling sits behind Duo zero-trust — not on the public edge

High Confidence

CT-log enumeration surfaces the full internal toolchain by hostname (gitlab.iqt.org, mattermost.iqt.org, bitwarden.iqt.org, docker-registry.iqt.org, pki.iqt.org, qnexus.iqt.org, controller.ztt.iqt.org), but these names now resolve to RFC 1918 addresses consistent with AWS-internal ELBs. The entry point gateway.iqt.org, with subdomains ssh.a/b.gateway and rdp.a/b.gateway, matches Cisco Duo Network Gateway's reference architecture. The hostnames remain a fingerprinting signal but are very unlikely to be the direct foothold.
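The triage this judgment performs, as an added example (not code from the Corvus report): it buckets CT-log hostnames into internal (RFC 1918 answer), zero-trust edge (Duo gateway naming), public, and dangling (no answer), and lists only the public bucket as candidate footholds. The hostnames are the ones the judgment cites; the addresses beside them are constructed (RFC 1918 and TEST-NET ranges) so the script runs offline, and old-vpn.iqt.org is a constructed name added to show the dangling case. Note that Python's `is_private` is deliberately not used, because it also returns True for the TEST-NET documentation ranges.

```python
"""Bucket certificate-transparency hostnames by where they resolve."""
import ipaddress
import re
from collections import Counter

# Constructed (hostname, resolved address) pairs; live use would resolve each
# name with socket.getaddrinfo or a resolver library and feed the answers here.
CT_RESOLUTIONS = {
    "gitlab.iqt.org": "10.20.1.14",
    "mattermost.iqt.org": "10.20.1.15",
    "bitwarden.iqt.org": "10.20.2.7",
    "docker-registry.iqt.org": "10.20.2.8",
    "pki.iqt.org": "172.16.4.20",
    "qnexus.iqt.org": "10.20.3.9",
    "controller.ztt.iqt.org": "10.20.3.10",
    "gateway.iqt.org": "203.0.113.10",
    "ssh.a.gateway.iqt.org": "203.0.113.10",
    "ssh.b.gateway.iqt.org": "203.0.113.11",
    "rdp.a.gateway.iqt.org": "203.0.113.10",
    "rdp.b.gateway.iqt.org": "203.0.113.11",
    "www.iqt.org": "198.51.100.5",
    "old-vpn.iqt.org": None,  # constructed: in CT logs but no longer resolves
}

# Only the three RFC 1918 blocks count as internal; ipaddress.is_private would
# also match the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DUO_GATEWAY_RE = re.compile(r"^(ssh|rdp)\.[ab]\.gateway\.")


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def classify(host: str, addr) -> str:
    """One of: dangling, internal, zero-trust-edge, public."""
    if addr is None:
        return "dangling"  # candidate for stale CNAME / takeover review
    if is_rfc1918(addr):
        return "internal"  # reachable only from inside the VPC or via the gateway
    if host.startswith("gateway.") or DUO_GATEWAY_RE.match(host):
        return "zero-trust-edge"  # Duo Network Gateway pattern: ssh.a/b, rdp.a/b
    return "public"


def triage(resolutions: dict) -> dict:
    return {host: classify(host, addr) for host, addr in resolutions.items()}


def summary(resolutions: dict) -> Counter:
    return Counter(triage(resolutions).values())


def likely_footholds(resolutions: dict) -> list:
    """Hosts that answer publicly and are not fronted by the access gateway."""
    return sorted(host for host, bucket in triage(resolutions).items() if bucket == "public")


if __name__ == "__main__":
    for host, bucket in sorted(triage(CT_RESOLUTIONS).items(), key=lambda kv: kv[1]):
        print(f"{bucket:16s} {host}")
    print(dict(summary(CT_RESOLUTIONS)))
    print("direct footholds:", likely_footholds(CT_RESOLUTIONS))
```

The dangling bucket is worth a separate pass: a CT-logged name that no longer resolves is harmless on its own, but if it is a CNAME to a deprovisioned cloud resource it becomes a subdomain-takeover candidate, which the resolve-and-classify step alone will not tell you.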

KJ-05

Multi-IC investment vehicle — NGA, CIA, NTIA, FCC, DOD all cite IQT

High Confidence

Wikipedia's NGA article is explicit: NGA co-funded the Keyhole investment that became Google Earth, contributing ~25% of the deal. GovInfo returns 108 documents citing IQT (Senate Intel Authorization Act FY2025, DOD Authorization FY2026, Defense Innovation hearings); Federal Register adds NTIA and FCC. This pooling-and-policy pattern is very likely the correct framing — IQT is the IC's shared commercial-investment channel, with the CIA as the anchor sponsor but not the sole consumer.

KJ-06

Palantir → DOGE linkage materially raises IQT's adversary-attention profile

Moderate Confidence

Per Wikipedia: 'In its early years, Palantir maintained founder control by declining to offer board seats to investors, including In-Q-Tel.' Per Wired (cited in the Palantir Wikipedia article), Palantir is actively contributing to DOGE. The IQT-Palantir relationship is 23 years old and structurally minimal, but the lineage is public and likely draws targeting attention from state-sponsored adversaries to whom Palantir-adjacent entities are now politically salient.

KJ-07

Legacy prefix ambiguity — stale declaration or quiet route?

Low Confidence

192.132.59.0/24 was used operationally in 2019 (urlscan archive) but RIPEstat now reports announced=false; asns=[]. 2001:668:112::/47 is declared on Wikidata but produces no live BGP record. The roughly even chance framing acknowledges that legacy declarations frequently linger in registries after operational migration, but also that the passive evidence cannot distinguish stale-declared-and-abandoned from quietly-routed-via-upstream. A premortem-style failure mode here would be: IQT retains a non-publicly-announced route into the prefix for legacy DR purposes.

§ 02

Threat Snapshot

Top 2 vectors / controls

Red · Adversary Vectors

R-01 Severe

Credential-stuffing the named C-suite via Hunter pattern + breach corpora


Blue · Defensive Controls