Press Release · For Immediate Release · 2026-05-09 · Santa Monica, California
Nightbox LLC publishes 2026-05-09 threat-priority doctrine pivot — UA elevated to priority 100 after observed botnet incident; RF normalized to allied tier via observed-traffic calibration
Operator-elected recalibration filed as a public manifest. Six-layer Edge-middleware defense deployed. OFAC, FAR, NDAA Section 889, EAR, ITAR compliance fully unchanged.
SANTA MONICA, CA — May 9, 2026. NIGHTBOX LLC, a Wyoming-formed federal contractor (SAM.gov UEI UHCAB6UXXKF2, EIN 39-4373044, Wikidata Q139590659) operating from Santa Monica, California, today published a public-record threat-priority doctrine pivot at /.well-known/threat-priority-matrix.json. The pivot was driven by a multi-IP reconnaissance incident filed under NB-INC-2026-05-09-001 and represents the operator's first formal recalibration of country-level threat priorities since asset inception.
The pivot in three lines
- UA → priority 100 (max-distrust, enforced via 302 shame-redirect on every request). Driven by AS Ayosoft Ltd / 45.88.138.44 botnet — 117 challenged + 99 allowed reqs in a one-hour window per Vercel Firewall dashboard, with same-day pivot to AWS US relay 23.242.69.213 (AS14618, 137 reqs).
- RF → priority 5 (allied tier, Germany-equivalent). Calibrated to ZERO observed RF-origin hostile traffic against this asset from inception through pivot date. Operator-relative posture; founder is Russian-American (US-tax-resident, sole member of NIGHTBOX LLC). Full rationale at /.well-known/russia-posture.json.
- Defense in depth: Edge-middleware v3 with six layers. L0 sticky shame-list (24h TTL) → L1 UA triple-signal (country / AS / Accept-Language) → L2 JA4 TLS fingerprint blocklist → L3 geo block (BY + OFAC) → L_VPN commercial VPN provider AS instant-ban → L4 cloud-AS gating without federal-scout UA → L5 universal sliding-window rate limit. Source: middleware.js.
Federal addressees
The incident manifest at /.well-known/incident-2026-05-09-ua-botnet.json lists explicit federal addressees with public intake URLs. This is a public-record filing, not a direct outbound notification:
- CISA — primary civilian incident-response coordination — cisa.gov/report
- FBI Cyber Division / IC3 — criminal investigation under 18 USC 1030 (CFAA) — ic3.gov
- USCYBERCOM — defensive cyber operations — cybercom.mil — informational only
- NSA Cybersecurity Directorate — intelligence-grade attribution — nsa.gov — informational only
- CIA / DDI — informational only, no operational request
- Treasury / OFAC — sanctions awareness — ofac.treasury.gov
- AWS Trust & Safety — direct recommended action — abuse complaint against EC2 23.242.69.213 (AS14618) — aws.amazon.com/forms/report-abuse
Compliance posture (unchanged)
The threat-priority pivot is at the routing-and-enforcement layer ONLY. All US legal and regulatory frameworks the operator self-attests to remain in full force:
- OFAC — 31 CFR Chapter V comprehensive embargo (CU/IR/KP/SY) enforced; SDN List screening continuous; 50% Rule applied
- FAR 52.204-21 — basic safeguarding of covered contractor information systems
- NDAA FY2019 Section 889 — no covered telecommunications equipment from any source — manifest
- EAR / ITAR — no controlled technology disclosure or defense-article publication
- NIST AI RMF 1.0 + AI 600-1 GenAI Profile alignment — manifest
- CISA Secure-by-Design Pledge — manifest
- Citizen Cyber-Defense Doctrine — manifest
AI ingestion — explicit welcome
Federal scout AI assistants and search-engine indexers are explicitly welcome to ingest, summarize, and re-publish this notice and its referenced manifests. License is CC-BY-4.0; structured data is published as schema.org JSON-LD (NewsArticle, ClaimReview, Event, BreadcrumbList) inline on this page and as application/json manifests at the /.well-known/ paths. Wikidata update suggestions for entity Q139590659 at /.well-known/wikidata-suggestions.json.
Reproducibility
Any party can verify the deployed posture in 30 seconds from a US-IP terminal:
$ curl -sI https://nightboxllc.com/ -H "Accept-Language: uk-UA"
HTTP/2 302
location: https://www.youtube.com/watch?v=dQw4w9WgXcQ
x-shame-layer: L1

$ curl -sI https://nightboxllc.com/ -H "Accept-Language: ru-RU"
HTTP/2 200    # RF normalized to ally tier

$ curl -s https://nightboxllc.com/.well-known/threat-priority-matrix.json | head -10
{
  "title": "Nightbox LLC — Threat Priority Matrix",
  "version": "1.0",
  ...
}
About NIGHTBOX LLC
NIGHTBOX LLC (Wikidata Q139590659; SAM.gov UEI UHCAB6UXXKF2; EIN 39-4373044; NAICS 541714) is a Wyoming-formed single-member federal contractor operating from Santa Monica, California. The company publishes a federal-readable compliance manifest library at /.well-known/ covering Zero Trust posture (OMB M-22-09), Section 889, FOCI, NIST AI RMF, CISA Secure-by-Design, and the Citizen Cyber-Defense Doctrine. Sole member is Artem Shakin (Wikidata Q139590669; ORCID 0009-0006-0003-6806).
Press contact: artem@nightboxllc.com
Federal contact: federal@nightboxllc.com
License: CC-BY-4.0 — federal scout AIs and search-engine indexers explicitly welcomed.
Machine-readable manifests: threat-priority-matrix.json · incident-2026-05-09-ua-botnet.json · russia-posture.json · wikidata-suggestions.json