top of page
Search

244+ Free Threat Intel Discoveries (With Code to Actually Use Them)

  • Writer: Patrick Duggan
    Patrick Duggan
  • Nov 13, 2025
  • 8 min read

Published: November 13, 2025 Feed: https://analytics.dugganusa.com/api/v1/stix-feed License: CC0-1.0 (Public Domain)




The Hook


We just published 244+ novel threat intelligence discoveries for free. Most vendors charge $50,000-$200,000/year for threat feeds with 30-40% unique discovery rates. Ours has a 63% unique discovery rate, full STIX 2.1 attribution, and vendor integration guides for CrowdStrike, Microsoft Sentinel, Palo Alto Cortex XDR, Splunk, and Wiz.


Why give it away? Because we're confident enough to invite scrutiny. Try the feed. If it works, subscribe for real-time streaming ($49-$149/month). If it doesn't, you got free intel and we proved we're full of shit.


Here's the code to actually use it.




Quick Start (3 Commands)


1. Fetch the STIX 2.1 Feed



curl -s https://analytics.dugganusa.com/api/v1/stix-feed | jq . > dugganusa-threats.json


Filter by confidence (90%+ only): ```bash curl -s "https://analytics.dugganusa.com/api/v1/stix-feed?min_confidence=90" | jq . > high-confidence-threats.json ```


Last 7 days only: ```bash curl -s "https://analytics.dugganusa.com/api/v1/stix-feed?days=7" | jq . > recent-threats.json ```


Unique discoveries only (threats we found that major vendors missed): ```bash curl -s "https://analytics.dugganusa.com/api/v1/stix-feed?unique_only=true" | jq . > dugganusa-unique-discoveries.json ```


2. Extract Malicious IPs



curl -s https://analytics.dugganusa.com/api/v1/stix-feed | \
  jq -r '.objects[] | select(.type=="indicator") | .pattern' | \
  grep -oP "(?<=ipv4-addr:value = ')[^']+(?=')" | \
  sort -u > malicious-ips.txt


Output: A clean list of IPs, one per line: ``` 78.153.140.222 207.154.197.113 157.230.19.140 185.177.72.111 139.59.136.184 ```


3. Search Your Logs


Apache/Nginx access logs: ```bash while read ip; do echo "=== Checking $ip ===" grep "$ip" /var/log/nginx/access.log | tail -5 done < malicious-ips.txt ```


With attack severity context: ```bash curl -s https://analytics.dugganusa.com/api/v1/stix-feed | \ jq -r '.objects[] | select(.type=="indicator") | "\(.pattern | match("ipv4-addr:value = '\''([^'\'']+)'\''") | .captures[0].string)\t\(.x_dugganusa_threat_intel.confidence)\t\(.x_dugganusa_threat_intel.severity)"' | \ while IFS=$'\t' read ip confidence severity; do if grep -q "$ip" /var/log/nginx/access.log 2>/dev/null; then echo "🚨 THREAT DETECTED: $ip (Confidence: $confidence%, Severity: $severity)" grep "$ip" /var/log/nginx/access.log | tail -3 fi done ```




Real-World Log Correlation Examples


Example 1: SSH Brute Force Detection


Search auth logs for known attackers: ```bash curl -s https://analytics.dugganusa.com/api/v1/stix-feed | \ jq -r '.objects[] | select(.type=="indicator" and .labels[]=="brute-force") | .pattern | match("ipv4-addr:value = '\''([^'\'']+)'\''") | .captures[0].string' > ssh-attackers.txt


grep -Ff ssh-attackers.txt /var/log/auth.log | \ grep "Failed password" | \ awk '{print $1, $2, $3, $11}' | \ sort | uniq -c | sort -rn ```


Output: ``` 127 Nov 13 09:23:15 78.153.140.222 89 Nov 13 10:41:02 207.154.197.113 56 Nov 13 11:15:33 157.230.19.140 ```


Example 2: Firewall Log Analysis


Check iptables logs for blocked attacks: ```bash curl -s https://analytics.dugganusa.com/api/v1/stix-feed | \ jq -r '.objects[] | select(.type=="indicator") | .pattern' | \ grep -oP "(?<=ipv4-addr:value = ')[^']+(?=')" | \ while read ip; do count=$(grep "SRC=$ip" /var/log/kern.log | grep "DPT=" | wc -l) if [ "$count" -gt 0 ]; then echo "$count attempts from $ip" grep "SRC=$ip" /var/log/kern.log | head -2 fi done ```


Example 3: Docker Container Log Scanning


Check Docker logs for suspicious access: ```bash # Get all running containers docker ps --format "{{.Names}}" | while read container; do echo "=== Scanning container: $container ==="


Example 4: Multi-Log Time Correlation


Find IPs attacking multiple services within 5 minutes: ```bash #!/bin/bash


THREAT_IPS=$(curl -s https://analytics.dugganusa.com/api/v1/stix-feed | \ jq -r '.objects[] | select(.type=="indicator") | .pattern' | \ grep -oP "(?<=ipv4-addr:value = ')[^']+(?=')")


for ip in $THREAT_IPS; do # Search Apache apache_hits=$(grep "$ip" /var/log/apache2/access.log 2>/dev/null | wc -l)


total=$((apache_hits + ssh_hits + fw_hits))


if [ "$total" -gt 10 ]; then echo "⚠️ $ip: $apache_hits web, $ssh_hits SSH, $fw_hits firewall (TOTAL: $total)" fi done ```




Advanced: Python Script for Automated Threat Hunting


Save as `stix_threat_hunter.py`:



python
#!/usr/bin/env python3
"""
DugganUSA STIX Feed Threat Hunter
Searches logs for known malicious IPs with MITRE ATT&CK mapping
"""


import requests import re import json from collections import defaultdict


def fetch_stix_feed(min_confidence=80): """Fetch STIX 2.1 feed from DugganUSA""" url = f"https://analytics.dugganusa.com/api/v1/stix-feed?min_confidence={min_confidence}" response = requests.get(url) return response.json()


def extract_indicators(stix_bundle): """Extract IP indicators with metadata""" indicators = []


for obj in stix_bundle.get('objects', []): if obj.get('type') == 'indicator': # Extract IP from pattern match = re.search(r"ipv4-addr:value = '([^']+)'", obj.get('pattern', '')) if match: ip = match.group(1) indicators.append({ 'ip': ip, 'confidence': obj.get('x_dugganusa_threat_intel', {}).get('confidence', 0), 'severity': obj.get('x_dugganusa_threat_intel', {}).get('severity', 'unknown'), 'mitre_tactics': obj.get('kill_chain_phases', []), 'description': obj.get('description', 'No description'), 'labels': obj.get('labels', []) })


return indicators


def search_log_file(log_file, indicators): """Search log file for malicious IPs""" results = defaultdict(list)


try: with open(log_file, 'r') as f: for line_num, line in enumerate(f, 1): for indicator in indicators: if indicator['ip'] in line: results[indicator['ip']].append({ 'line_num': line_num, 'content': line.strip(), 'confidence': indicator['confidence'], 'severity': indicator['severity'], 'tactics': indicator['mitre_tactics'] }) except FileNotFoundError: print(f"⚠️ Log file not found: {log_file}")


return results


def main(): print("🔍 DugganUSA STIX Feed Threat Hunter") print("=" * 50)


indicators = extract_indicators(stix_bundle) print(f"✅ Loaded {len(indicators)} threat indicators")


total_detections = 0


for log_file in log_files: print(f"\n🔎 Scanning {log_file}...") results = search_log_file(log_file, indicators)


if results: print(f"🚨 THREATS DETECTED in {log_file}:") for ip, detections in results.items(): print(f"\n IP: {ip}") print(f" Confidence: {detections[0]['confidence']}%") print(f" Severity: {detections[0]['severity']}") print(f" Occurrences: {len(detections)}") print(f" MITRE Tactics: {', '.join([t['phase_name'] for t in detections[0]['tactics']])}") print(f" Sample log line: {detections[0]['content'][:100]}...") total_detections += len(detections)


print(f"\n{'=' * 50}") print(f"📊 Total detections: {total_detections}") print(f"🛡️ Powered by DugganUSA LLC FREE STIX Feed")


if __name__ == '__main__': main() ```


Run it: ```bash chmod +x stix_threat_hunter.py sudo python3 stix_threat_hunter.py ```




Vendor Integration Examples


CrowdStrike Falcon (FQL - Falcon Query Language)


Search endpoint logs for DugganUSA threat indicators:



// Step 1: Import STIX feed (one-time setup)
// Upload dugganusa-threats.json to Custom IOC Management


// Step 2: Hunt across endpoints event_platform=Lin OR event_platform=Win | search RemoteAddressIP4 IN [ "78.153.140.222", "207.154.197.113", "157.230.19.140", "185.177.72.111", "139.59.136.184" ] | stats count() by RemoteAddressIP4, ComputerName, UserName | sort -count() ```


Correlate with process execution: ```javascript event_simpleName=ProcessRollup2 | search LocalAddressIP4!=RemoteAddressIP4 | eval ioc_match=mvfind(RemoteAddressIP4, "78.153.140.222|207.154.197.113|157.230.19.140") | where ioc_match >= 0 | table _time, ComputerName, FileName, CommandLine, RemoteAddressIP4, RemotePort ```


Microsoft Sentinel (KQL - Kusto Query Language)


Correlation search across CommonSecurityLog:



kql
// DugganUSA Threat Intel Correlation
let DugganUSA_IPs = dynamic([
    "78.153.140.222", "207.154.197.113", "157.230.19.140",
    "185.177.72.111", "139.59.136.184"
]);
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where SourceIP in (DugganUSA_IPs) or DestinationIP in (DugganUSA_IPs)
| extend ThreatIP = iff(SourceIP in (DugganUSA_IPs), SourceIP, DestinationIP)
| summarize
    TotalEvents=count(),
    UniqueDestinations=dcount(DestinationIP),
    UniquePorts=dcount(DestinationPort),
    FirstSeen=min(TimeGenerated),
    LastSeen=max(TimeGenerated)
    by ThreatIP, DeviceVendor, DeviceAction
| order by TotalEvents desc


Join with Azure AD Sign-ins: ```kql let DugganUSA_IPs = externaldata(ip:string) [@"https://analytics.dugganusa.com/api/v1/stix-feed/ips.txt"] with (format="txt"); SigninLogs | where TimeGenerated > ago(30d) | where IPAddress in (DugganUSA_IPs) | project TimeGenerated, UserPrincipalName, IPAddress, Location, ResultType, AppDisplayName, DeviceDetail | join kind=inner ( DugganUSA_IPs ) on $left.IPAddress == $right.ip ```


Splunk (SPL - Search Processing Language)


Basic threat hunt: ```spl index=* sourcetype=access_combined [| inputlookup dugganusa_threat_feed.csv | fields src_ip | format] | stats count, values(uri) as URIs, values(status) as Statuses by src_ip, dest | where count > 10 | sort -count ```


Advanced: Multi-source correlation with MITRE ATT&CK: ```spl index=network OR index=endpoint OR index=web | lookup dugganusa_stix_feed.csv indicator_value as src_ip OUTPUT confidence, severity, mitre_tactics | where confidence > 80 | stats count as event_count, dc(dest) as unique_targets, values(mitre_tactics) as tactics, values(severity) as severity, earliest(_time) as first_seen, latest(_time) as last_seen by src_ip | convert ctime(first_seen) ctime(last_seen) | sort -event_count | eval risk_score = (event_count * confidence) / 100 ```


Palo Alto Cortex XDR


XQL Query for threat hunting: ```sql -- Search network connections to DugganUSA threat indicators dataset = xdr_data | filter action_local_ip != action_remote_ip | filter action_remote_ip in ( "78.153.140.222", "207.154.197.113", "157.230.19.140", "185.177.72.111", "139.59.136.184" ) | fields _time, agent_hostname, actor_process_image_name, action_remote_ip, action_remote_port, action_network_protocol | alter threat_source = "DugganUSA STIX Feed" | comp count() as connection_count by action_remote_ip, agent_hostname ```


Wiz Cloud Security


WQL (Wiz Query Language) for cloud resource scanning:



graphql
query DugganUSAThreatHunt {
  cloudResources(
    where: {
      hasNetworkInterface: {
        hasNetworkSecurityGroup: {
          hasRule: {
            sourceAddress: {
              in: [
                "78.153.140.222",
                "207.154.197.113",
                "157.230.19.140"
              ]
            }
          }
        }
      }
    }
  ) {
    nodes {
      id
      name
      type
      subscription {
        name
      }
      networkInterfaces {
        publicIpAddress
        securityGroups {
          rules {
            name
            sourceAddress
            destinationPort
            action
          }
        }
      }
    }
  }
}




The Stats Behind the Feed


What Makes These "Novel Discoveries"?


We ran 623 total threats from our Hall of Shame corpus through a multi-source verification process:



• 343 threats (55%) where AbuseIPDB scored ZERO

• 268 threats (43%) where VirusTotal scored ZERO

• 623 threats (100%) where ThreatFox scored ZERO

• 120 threats (19.3%) missed by ALL THREE vendors


Our definition of "unique discovery": 1. DugganUSA confidence score >70% 2. At least one major vendor (AbuseIPDB, VirusTotal, ThreatFox) scored it as ZERO 3. Detected through production infrastructure (real attack traffic, not curated feeds) 4. Multi-source correlation (5 simultaneous sources)


Result: 244+ unique discoveries (63% unique discovery rate)


The 5-Source Correlation Methodology


Every threat in the STIX feed is correlated across:


1. AbuseIPDB - Community abuse reports 2. VirusTotal - Malware/phishing analysis 3. ThreatFox - C2 infrastructure tracking 4. Production Logs - Real attack traffic against DugganUSA infrastructure 5. OSINT Analysis - WHOIS verification, certificate transparency, behavioral patterns


Custom STIX Properties: ```json { "x_dugganusa_discovery": { "primary_source": true, "unique_detection": true, "sources_with_zero_score": ["AbuseIPDB", "VirusTotal", "ThreatFox"], "value_add": 95, "detection_date": "2025-11-01T20:44:00Z" } } ```




The Democratic Sharing Philosophy


Why give this away for free?


Because digital goods have zero marginal cost. Copying a threat indicator costs $0. Hoarding it helps nobody. Sharing it proves we're confident enough to invite scrutiny.



• 99.5% public sharing (4,780 files tracked, only secrets/keys excluded)

• 7.1x evidence-to-claims ratio (show receipts, not marketing)

• Zero hoarding (all threat intel public under CC0-1.0)

• Attribution tracking (`/api/v1/stix-feed/analytics` monitors reciprocity)


The Krebs Philosophy:


Brian Krebs investigates cybercrime by publishing findings publicly. Criminals know he's watching. Victims get warned. The internet gets safer. We apply the same logic to threat intelligence.


If our discoveries are wrong, someone will prove it. If they're right, everyone benefits. Either outcome is better than hoarding intelligence in a proprietary feed that costs $150K/year.




The Business Model



• STIX 2.1 feed (updated every 15 minutes)

• 244+ unique discoveries

• CC0-1.0 license (no restrictions)

• Community support



• Real-time WebSocket streaming

• 99.9% uptime SLA

• Email support (24-hour response)

• Custom confidence thresholds



• Everything in Conservative

• API key with 1M requests/month

• Slack/Teams webhook integration

• Multi-tenant RBAC



• Everything in Standard

• Unlimited API requests

• Custom STIX extensions

• Dedicated Slack channel

• Phone support



• Custom integrations (SIEM, SOAR, EDR)

• On-premise deployment

• SLA guarantees (99.99%)

• Professional services

• Contact: [email protected]




Try It Right Now


Step 1: Fetch the feed ```bash curl -s https://analytics.dugganusa.com/api/v1/stix-feed?min_confidence=90 | jq . | head -50 ```


Step 2: Extract IPs ```bash curl -s https://analytics.dugganusa.com/api/v1/stix-feed | \ jq -r '.objects[] | select(.type=="indicator") | .pattern' | \ grep -oP "(?<=ipv4-addr:value = ')[^']+(?=')" > threats.txt ```


Step 3: Search your logs ```bash grep -Ff threats.txt /var/log/nginx/access.log ```


If it works: Subscribe at https://analytics.dugganusa.com (launching Q1 2026)


If it doesn't: Email [email protected] and tell us why. We want to know.




Seed Funding Opportunity


Target: $500,000 Equity: 10-15% Pre-money Valuation: $3M-$5M Unit Economics: Break-even at 2 customers, capacity for ~300 on current infrastructure Revenue at Capacity: $14.7K-$44.7K/month


What makes this different:


1. Free tier proves product-market fit (you can test it right now) 2. 63% unique discovery rate (vs 30-40% industry standard) 3. $75/month infrastructure cost (vs $5K/month typical enterprise) 4. Pattern #30 architecture (Drone → Brain cost optimization scales to $0 marginal cost) 5. Democratic Sharing (7.1x evidence-to-claims ratio, invite scrutiny)





Technical Specifications


Feed Endpoint: `https://analytics.dugganusa.com/api/v1/stix-feed`


Format: STIX 2.1 JSON Bundle


Update Frequency: Every 15 minutes


CDN: Cloudflare global edge caching


Rate Limits: None (reasonable use expected)


Uptime: 99.9% target (monitored at status.dugganusa.com)



Documentation: https://analytics.dugganusa.com/docs/stix-feed


License: CC0-1.0 (Public Domain)




Attribution


Publisher: DugganUSA LLC Location: Minnesota, USA STIX Identity: `identity--dugganusa-llc-f4a8c3d2-1b9e-4f7a-8c2d-9e3f5b6a7c8d` Contact: [email protected] Website: https://www.dugganusa.com Status Page: https://status.dugganusa.com


Democratic Sharing Reciprocity:


We track attribution via `/api/v1/stix-feed/analytics`. If you use this feed and find it valuable, attribution helps us prove value to investors:



• Blog posts mentioning "DugganUSA STIX Feed"

• GitHub repos with feed integration examples

• Conference talks citing our discoveries

• Social media shoutouts (@dugganusa)


Zero obligation. Just helps us measure impact.




Conclusion


244+ novel threat discoveries. Free STIX 2.1 feed. Real code examples. Vendor integration guides. Zero hoarding.


Try it. Break it. Tell us what's wrong. Subscribe if it works.


That's confidence.




🛡️ Powered by DugganUSA LLC 📡 Free STIX Feed: https://analytics.dugganusa.com/api/v1/stix-feed 📧 Contact: [email protected] 📊 Status: https://status.dugganusa.com 📚 Docs: https://analytics.dugganusa.com/docs/stix-feed


*"Most vendors charge $150K/year for threat feeds. We publish ours for free because we're confident enough to invite scrutiny."*


Comments

Rated 0 out of 5 stars.
No ratings yet
Add a rating
bottom of page