← Back to Blog

DC3: The Pentagon's Volunteer Red Team, and the $300 Million Estimate Behind It

· 10 min read DC3: The Pentagon's Volunteer Red Team, and the $300 Million Estimate Behind It

Somewhere in Linthicum, Maryland, a report lands in a Defense Department inbox from a stranger who was never hired, never cleared, and never paid a salary, and it says here is a hole in a military system and here is how to walk through it. Multiply that stranger by more than three thousand of them, scattered across dozens of countries, and you have the odd machine at the center of the DoD Cyber Crime Center, known as DC3. Founded in 1998, DC3 runs the forensics lab that supports courts-martial and counterintelligence cases, trains the Department's cyber workforce, funnels threat intelligence to defense contractors, and operates the government program that invites outside hackers to break into .mil systems on purpose. It is one of the cheaper ideas the Pentagon has funded, and it produces one of the tidiest big numbers in federal cyber, a claim of roughly 300 million dollars in "potential savings" that is worth reading slowly before repeating.

What DC3 is and why it exists

DC3 is a federal cyber center, not a service command and not a glamorous one. It sits inside the Department of the Air Force and does four fairly distinct jobs under one roof. The first is a Cyber Forensics Laboratory that pulls evidence off phones, drives, and mangled media for criminal, counterintelligence, and courts-martial cases. The second is a Cyber Training Academy that runs the Department's digital forensics and cyber investigation courses. The third is the DoD Defense Industrial Base Collaborative Information Sharing Environment, mercifully shortened to DCISE, which acts as a voluntary threat-sharing hub for defense contractors. The fourth, and the one that has made DC3 modestly famous, is the Vulnerability Disclosure Program, the front door through which vetted outside researchers can report flaws in military systems without being treated as intruders.

The reason all of this lives together is old and practical. Before a center like this existed, each service and each investigative shop was on its own for digital evidence, and the rules for handling a hacked hard drive were as good as whoever happened to be handling it. Consolidating the forensic lab, the training pipeline, the contractor sharing, and the bug-reporting program under a single organization was meant to give the whole Department one accredited place to send hard digital problems, rather than fourteen improvised ones.

The mechanism and who pays for it

DC3 has an owner, and the owner is the Air Force. Under the DoD Executive Agent system, the Secretary of the Air Force is designated as the Executive Agent for DC3, which in plain terms means the Air Force is responsible for funding and staffing the center and does so in coordination with the DoD Chief Information Officer and DC3's own Executive Director. That designation is not folklore. It is recorded in the DoD Executive Agent registry, and the designating issuance is DoD Directive 5505.13E, "DoD Executive Agent for the DoD Cyber Crime Center (DC3)," dated March 1, 2010, later carried forward with an administrative change in 2017.

The workforce is a mix. Public descriptions put DC3 at roughly 430 people, a blend of Air Force civilians, Air Force and Navy military members, and contractors, though that exact headcount is not something I could pin to a clean primary document, so treat it as an approximate figure rather than a certified one. What matters more for understanding the money is the funding structure. DC3 does not appear in the budget as a single tidy line item with its own topline. It is funded inside Air Force accounts, which is why you will not find a crisp "DC3 costs X per year" figure in the public record, and why the "revenue" numbers that show up on corporate data-broker sites, whether 21.7 million dollars or a laughable 5.8 billion dollars, are scraped estimates with no relationship to actual budget authority. Ignore them.

The money, and the number to read slowly

Because the dollars are buried inside Air Force accounts, the honest way to size DC3 is by what it processes, and there the numbers are real and documented. The DoD Vulnerability Disclosure Program, launched in November 2016, announced that it had processed its fifty-thousandth vulnerability report. That is an actual cumulative count of reports handled, not an estimate. DC3 has separately published, at an earlier five-year milestone of about 36,000 reports, that its researcher community spanned more than 3,000 people across 45 countries with roughly 70 percent of submissions validated as actionable. Those cohort figures are worth citing, but they belong to that earlier milestone, so pairing them loosely with the newer 50,000 total mixes a current running count with older snapshot statistics. They are true in kind and slightly stale.

Then there is the newer program aimed at industry, the Defense Industrial Base Vulnerability Disclosure Program, or DIB-VDP. In October 2024, DC3 reported that in the first six months of full operation it had closed out roughly 62 vulnerabilities, with about 160 more in the queue, and that this represented a "potential" savings of about 300 million dollars. This is the load-bearing figure, the one most likely to be repeated on a slide with the word "potential" quietly dropped. Here is how it is actually built. DC3's Terry Kalka derived it by taking each fixed vulnerability and multiplying by an average breach-cost-avoided figure of about 4.8 million dollars per flaw, a number that tracks IBM's 2024 global average cost of a data breach of 4.88 million dollars. Sixty-two vulnerabilities multiplied by roughly 4.8 to 4.88 million dollars lands you near 300 million dollars. The same method produced an earlier estimate of about 61 million dollars in taxpayer savings from the 2021 DIB-VDP pilot, which ran from April 2021 to April 2022 and processed 1,019 reports.

Keep two columns in your head. In the first column are the actuals: 50,000 reports processed since 2016, 1,019 in the pilot, 62 closed in the first six months of the DIB program. In the second column are the estimates: 300 million dollars and 61 million dollars in "savings." The first column is counting. The second column is modeling, and the model rests entirely on the assumption that every closed vulnerability would otherwise have caused a full-blown breach.

The honest efficiency critique

Two problems deserve to be said plainly. The first is that the savings figures are derived, not measured. Multiplying a fixed vulnerability by the average cost of a data breach assumes that each of those flaws was a loaded gun that would have gone off, and that it would have caused a breach of full average severity. In reality many reported vulnerabilities are low severity, some are duplicates, and some would never have been exploited at all. So the 300 million dollar and 61 million dollar numbers are best understood as marketing math, a way to convert engineering work into a headline, not as dollars that anyone recovered or that any auditor blessed. That does not make them dishonest, because DC3 does label them "potential" and "estimated." It makes them soft, and soft numbers have a way of hardening every time they are quoted.

The second problem is bigger and comes from an outside referee. In November 2022, the Government Accountability Office published GAO-23-105084, and it found that the mandatory cyber incident reports defense contractors filed with DC3 from 2015 through 2021 were not always comprehensive or timely. It found that DoD's wider body of incident data, covering more than 12,000 incidents since 2015, was often incomplete, and, most pointedly, that no organization had been assigned clear responsibility for making sure the reporting happened properly or for sharing incidents detected by cyber security service providers. GAO issued six recommendations, DoD concurred with them, and several stayed open with completion targets stretching toward 2027. Read carefully, this critique does not accuse DC3 of wasting money. It says the mandatory reporting stream that DC3 sits on top of has been leaky and under-governed, which is a real problem for the intelligence value of the whole enterprise even when the center itself is doing its job.

The honest public-good defense

Now the other side of the ledger, which is genuinely strong. The Vulnerability Disclosure Program is one of the best deals in federal cybersecurity. It converts volunteer white-hat researchers into a standing red team that has surfaced tens of thousands of real, validated flaws in military systems at a small fraction of what the equivalent paid penetration testing would cost. When roughly 70 percent of what those volunteers send is judged actionable, you are not looking at noise, you are looking at free labor finding real holes. The forensic side is equally serious. DC3's Cyber Forensics Laboratory is accredited to the ISO 17025 standard, the same accreditation regime courts expect from a real crime lab, and it supports actual prosecutions rather than PowerPoint. DCISE gives a very large population of mostly small and medium defense contractors, on the order of 200,000 companies, a voluntary channel to receive and share threat information they could never generate on their own. And putting the lab, the academy, the sharing hub, and the bug program under one Air Force Executive Agent is exactly the kind of consolidation that avoids each service standing up its own duplicate forensic lab and training pipeline. The structural logic is sound, and the flagship program earns its keep even before you touch the estimated-savings math.

Reading the ledger

Here is what the two columns say when you set them next to each other. DC3 is a real, accredited, useful institution that runs a genuinely clever program, one that turns strangers with keyboards into an unpaid red team and has the validated reports to prove it. The 50,000 processed reports are counting, and they are impressive. At the same time, the marquee dollar figure, the 300 million dollars in "potential savings," is a modeled estimate built on the assumption that every fixed flaw was a breach avoided, and the reporting stream that feeds part of DC3's mission has been flagged by GAO as incomplete and under-owned, with fixes still open. Neither verdict cancels the other. You can believe that DC3 is one of the better-run and better-value shops in defense cyber and still refuse to let its savings estimate be quoted as if it were money in a vault. The counting is trustworthy. The savings math is a story about money that might have been lost, told convincingly, which is not the same thing as money saved.

Related reading

Fact-check notes and sources

  • The Air Force is the DoD Executive Agent for DC3, with the Secretary of the Air Force responsible for funding and staffing the center in coordination with the DoD CIO and the DC3 Executive Director. The designation is recorded in the DoD Executive Agent registry, and the designating issuance is DoD Directive 5505.13E, "DoD Executive Agent for the DoD Cyber Crime Center (DC3)" (March 1, 2010, administrative change 2017). DoD Executive Agent registry, DC3 entry; DC3 Capabilities and Services.
  • The load-bearing figure, roughly 300 million dollars in "potential savings" from the DIB-VDP in its first six months of full operation (reported October 2024), is a derived estimate, not audited money. It comes from closing about 62 vulnerabilities and multiplying by an average breach-cost figure of about 4.8 million dollars per flaw (in line with IBM's 2024 global average of 4.88 million dollars), with about 160 more vulnerabilities in the queue. Treat it as "potential," as DC3 itself labels it. DefenseScoop, DC3 DIB Vulnerability Disclosure Program (Oct 30, 2024).
  • The DoD Vulnerability Disclosure Program, launched November 2016, has processed more than 50,000 vulnerability reports, an actual cumulative count. The related community figures (more than 3,000 researchers across 45 countries, about 70 percent validated as actionable) are DC3 figures from an earlier roughly 36,000-report milestone, so they are slightly stale relative to the 50,000 total. The 2021 DIB-VDP pilot (April 2021 to April 2022) processed 1,019 reports for an estimated 61 million dollars in savings, again a derived estimate. HackerOne, DC3's 50,000 Vulnerability Reports.
  • GAO found in November 2022 that defense contractors' mandatory cyber incident reports to DC3 from 2015 through 2021 were not always comprehensive or timely, that DoD's broader incident data (more than 12,000 incidents since 2015) was often incomplete, and that no organization had been assigned clear responsibility for ensuring proper reporting or sharing. GAO made six recommendations; DoD concurred; several remained open with completion dates stretching toward 2027. GAO-23-105084 (Nov 14, 2022).
  • DC3's total budget is not cleanly broken out in public documents because it is funded inside Air Force accounts. The roughly 430-person headcount is an approximate public figure that could not be tied to a primary source in this review, and the "revenue" numbers on data-broker sites (for example 21.7 million dollars or 5.8 billion dollars) are unreliable scraped estimates and are not used here. DC3 Capabilities and Services.

This post is informational and journalistic, drawn from public records, and is not legal, financial, or policy advice; all figures are attributed to their fiscal year or reporting date as cited.

← Back to Blog

Accessibility Options

Text Size
High Contrast
Reduce Motion
Reading Guide
Link Highlighting
Accessibility Statement

J.A. Watte is committed to ensuring digital accessibility for people with disabilities. This site conforms to WCAG 2.1 and 2.2 Level AA guidelines.

Measures Taken

  • Semantic HTML with proper heading hierarchy
  • ARIA labels and roles for interactive components
  • Color contrast ratios meeting WCAG AA (4.5:1)
  • Full keyboard navigation support
  • Skip navigation link
  • Visible focus indicators (3:1 contrast)
  • 44px minimum touch/click targets
  • Dark/light theme with system preference detection
  • Responsive design for all devices
  • Reduced motion support (CSS + toggle)
  • Text size customization (14px–20px)
  • Print stylesheet

Feedback

Contact: jwatte.com/contact

Full Accessibility StatementPrivacy Policy

Last updated: April 2026