# 43 Days Early on Lynx. 28 on Handala. The Quantified Ledger.

Writer: Patrick Duggan


Most threat intelligence vendors will tell you they catch attacks early. Almost none of them will publish a structured ledger that lets you grade them. We are publishing ours.


Nine cases. One hundred and thirty-nine days of cumulative lead time. Mean fifteen days early. Max forty-three. One honest miss. Every entry is timestamped against our IOC index, the breach date is pulled from the public confirmation, and the lead time is computed by subtraction. The numbers are reproducible — query our victim_protection_requests index and you can grade us yourself.


Here is the ledger.


## The Ledger

| Lead time | Victim | Breach disclosed | Our first indicator | Actor |
| --- | --- | --- | --- | --- |
| 43 days | ACN Healthcare | April 10, 2026 | Lynx C2 indexed Feb 26, 2026 | Lynx ransomware |
| 28 days | Dubai Courts Department | April 12, 2026 | Handala IOC set indexed March 15 | Handala / Iran MOIS |
| 28 days | Dubai Land Department | April 12, 2026 | Handala IOC set indexed March 15 | Handala / Iran MOIS |
| 28 days | Dubai Roads & Transport Authority | April 12, 2026 | Handala IOC set indexed March 15 | Handala / Iran MOIS |
| 5 days | Inditex (Zara parent) | April 24, 2026 | ShinyHunters Vercel methodology, April 19 | ShinyHunters / UNC6040 |
| 5 days | Kemper Corporation | April 24, 2026 | ShinyHunters Vercel methodology, April 19 | ShinyHunters / UNC6040 |
| 5 days | Amtrek | April 24, 2026 | ShinyHunters Vercel methodology, April 19 | ShinyHunters / UNC6040 |
| 1 day | ADT Inc. | April 20, 2026 | ShinyHunters Vercel methodology, April 19 | ShinyHunters / UNC6040 |
| −4 days | CVE-2026-33825 KEV add | April 22, 2026 | Indexed April 26 | BlueHammer / Chaotic Eclipse Defender |


Eight positive lead times. One miss, indexed at minus-four days, included in the ledger because we believe a real receipts pipeline shows the misses too.


## What Forty-Three Days of Lead Time Actually Means



Lynx is the example we keep returning to. We indexed lynx-new.mightrecoverymarketing as a Lynx ransomware command-and-control endpoint on February 26, 2026. The domain looked like a typosquat of a small-business marketing site, the registration was fresh, the WHOIS pattern matched a Lynx affiliate's prior infrastructure, and the certificate transparency record showed it had been issued one day before. We pushed it into our STIX feed that afternoon.


ACN Healthcare disclosed the Lynx ransomware incident on April 10, 2026. Forty-three days. Six and a half weeks during which any defender pulling our STIX feed had lynx-new.mightrecoverymarketing on their blocklist. Six and a half weeks during which any SIEM correlating our IOCs against egress logs would have flagged the C2 callback before encryption began.


The defender's question is not "did we have it." The defender's question is "did we have it in time." For Lynx and ACN Healthcare, the answer is yes, by a margin so wide it would have permitted three different intervention windows before the ransomware deployed.


Forty-three days is also the gap between an enterprise patching cycle and the next one. It is the gap between a quarterly pen test and the next one. It is the gap between a CISO joining and being trusted with the security budget. The lead time we publish is not just an indicator of our work; it is a measurement of the windows enterprise security has between when intelligence becomes actionable and when the threat actually lands.


## The Twenty-Eight Day Triple



The Dubai government cluster is a different shape of receipt. We indexed Handala Hack Team infrastructure on March 15, 2026 — eighteen domains, mail servers, post-seizure replacement infrastructure, the whole operator picture. We published it. We submitted it to the State Department's Rewards for Justice program. We watched the operator pivot in real time.


On April 12, 2026, Handala wiped Dubai Courts Department, Dubai Land Department, and Dubai Roads & Transport Authority simultaneously. Six petabytes destroyed. Twenty-eight days after our index entries went live. Three victims on a single day, each carrying the same twenty-eight-day lead-time ticket.


The Iranian government did not stop because we caught the infrastructure. Nation-state actors do not stop because a small Minnesota company indexed their domains. The point is not that we prevented the attack. The point is that the warning was on the wire, accessible to any GCC government's incident-response team that subscribed to our feed at fifty-four dollars per month, twenty-eight days before three of their peer ministries got hit. Three ministries. Twenty-eight days. The math is in the ledger.


## The ShinyHunters Cluster



Four of the nine cases sit inside the criminal-cluster methodology that the U.S. and Finnish authorities have been disrupting in the last week. The Tylerb arrest disclosed by Krebs on April 21. The Finland arrest disclosed April 28. Scattered Spider operators getting walked off, charged, extradited.


Our role on this cluster is the methodology piece, not the operator-doxxing piece. We published the ShinyHunters help-desk-vish chain on April 19 in a post titled "ShinyHunters Claims Vercel. The Real ShinyHunters Says It Wasn't Them. We Checked." The Vercel attribution was disputed by Mandiant as likely imposter. We documented the attack pattern: phone vish to a help desk, request an Okta MFA reset for an employee identity, log into Salesforce, export the customer file, post on a Tor leak site.


That post landed five days before Inditex, Kemper, and Amtrek were hit on April 24, and one day before ADT was hit on April 20. The methodology was on our blog, in our feed, and indexed in our adversaries database with the playbook documented before the next four victims went down. Defenders who read the post and audited their help-desk MFA-reset process before the Tuesday calls came in had five days. Defenders who didn't read it had no warning.


The ledger does not pretend our publication caused the targeting. It documents that the warning was published in a window that would have allowed defensive action.


## The One We Missed



CVE-2026-33825 was added to CISA's Known Exploited Vulnerabilities catalog on April 22, 2026, before we had it indexed. We caught up four days later, on April 26, and the entry sits in the ledger with a negative lead time. Eight wins and one loss. We publish the loss because a ledger that hides them is not a ledger; it is marketing.


The miss tells us something about our coverage gap. The BlueHammer toolkit (also tracked as Chaotic Eclipse Defender) was a researcher-disclosed kill chain that landed on our radar through CISA rather than through GitHub-side discovery. Our github-hunt cron — which began running the day this post is being published — should close that gap on similar future cases. Catch-up time on KEV adds is something we measure, and shortening it is a tracked metric.


## Why This Matters For You



If you are running enterprise security and you are paying any threat-intelligence vendor more than five hundred dollars a month, you are entitled to a ledger like this. Ask your current provider for it in structured form: breach date, first-indicator date and computed lead time per case, ideally with negative entries kept in the ledger to prove the dataset is honest. Most vendors do not have this in a queryable form. Many do not have it in any form. The marketing collateral is full of "early warning" claims; the structured ledger is rare.


Our feed costs nine dollars a month at the entry tier. Forty-five dollars a month at the working tier. Five hundred dollars a month for the enterprise tier with the full STIX 2.1 + TAXII 2.x + OPNsense + Suricata + Unbound DNS sinkhole bundle. The ledger above is what your money is buying. Forty-three days early on a ransomware C2 your hospital might be talking to right now. Twenty-eight days early on a wiper that took out three peer ministries in a single morning. Five days early on an extortion playbook that hit four named consumer brands in a single week.


We publish the ledger because we believe the receipts should be public. We publish the misses because a ledger without them is fiction. We publish the prices because the math should be stark — for the cost of a vendor's sales-deck demo, you can have the feed that caught Lynx forty-three days before ACN Healthcare disclosed.


## What's In The Index Right Now



The victim_protection_requests index sits inside the same Meilisearch deployment that powers our STIX feed. Nine entries today. Each one carries the fields breach_date, our_first_indexed_date and our_lead_time_days, the attacker attribution, the our_first_indicator value, and a source_blog_slug linking to the receipts post for that case.


Public consumers can query the index. Customers on the API tier can pull the entire ledger as JSON. Researchers can verify each entry by checking our STIX feed history against the breach disclosure date. The receipts are not assertions; they are timestamps in a queryable database.
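To grade the ledger the way the post invites (lead time by subtraction of the two dates per entry, then the headline totals), here is an added example that is not code from the post or from DugganUSA. The rows are constructed from the table above using the index's own field names; 2026 is assumed for the Handala indicator date, the source_blog_slug values are placeholders, and the script flags any row whose stated lead time disagrees with the dates.

```python
from datetime import date
from statistics import mean

# Constructed ledger mirroring the published table. Field names follow the
# post's victim_protection_requests index; 2026 is assumed for the Handala
# indicator date, and the source_blog_slug values are placeholders.
FIELDS = ("victim", "breach_date", "our_first_indexed_date", "our_lead_time_days",
          "our_first_indicator", "source_blog_slug")
LEDGER = [dict(zip(FIELDS, row)) for row in [
    ("ACN Healthcare", "2026-04-10", "2026-02-26", 43, "Lynx C2", "placeholder-slug"),
    ("Dubai Courts Department", "2026-04-12", "2026-03-15", 28, "Handala IOC set", "placeholder-slug"),
    ("Dubai Land Department", "2026-04-12", "2026-03-15", 28, "Handala IOC set", "placeholder-slug"),
    ("Dubai Roads & Transport Authority", "2026-04-12", "2026-03-15", 28, "Handala IOC set", "placeholder-slug"),
    ("Inditex", "2026-04-24", "2026-04-19", 5, "ShinyHunters Vercel methodology", "placeholder-slug"),
    ("Kemper Corporation", "2026-04-24", "2026-04-19", 5, "ShinyHunters Vercel methodology", "placeholder-slug"),
    ("Amtrek", "2026-04-24", "2026-04-19", 5, "ShinyHunters Vercel methodology", "placeholder-slug"),
    ("ADT Inc.", "2026-04-20", "2026-04-19", 1, "ShinyHunters Vercel methodology", "placeholder-slug"),
    ("CVE-2026-33825 KEV add", "2026-04-22", "2026-04-26", -4, "Indexed April 26", "placeholder-slug"),
]]


def lead_time_days(entry):
    """Lead time by subtraction: breach disclosure date minus our first-indexed
    date, in days. Negative means the indicator landed after the disclosure."""
    breach = date.fromisoformat(entry["breach_date"])
    indexed = date.fromisoformat(entry["our_first_indexed_date"])
    return (breach - indexed).days


def grade(ledger):
    """Recompute every lead time from the two dates, check it against the
    claimed our_lead_time_days field, and return the headline summary."""
    recomputed = [lead_time_days(e) for e in ledger]
    mismatches = [e["victim"] for e, d in zip(ledger, recomputed)
                  if d != e["our_lead_time_days"]]
    return {
        "cases": len(ledger),
        "cumulative_days": sum(recomputed),   # signed sum, so a miss counts against
        "mean_days": round(mean(recomputed), 1),
        "max_days": max(recomputed),
        "misses": [e["victim"] for e, d in zip(ledger, recomputed) if d < 0],
        "claim_mismatches": mismatches,       # rows whose stated lead time is wrong
    }


if __name__ == "__main__":
    for key, value in grade(LEDGER).items():
        print(f"{key}: {value}")
```

Feeding the JSON pulled from the API tier into the same functions (one dict per entry) grades the live index rather than this constructed copy.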


This is what threat intelligence built around customer protection looks like, instead of threat intelligence built around quarterly upsell. The ledger grows by exactly one entry every time we catch a campaign, and exactly one negative entry every time we miss one. Six and a half weeks of lead time on Lynx is what we want. Four days behind on BlueHammer is what we don't. Both belong in the public record.


## The Quantified Day



Today, April 29, 2026, was a quantification day at DugganUSA. We measured the github-hunt cron's first-day catch rate, recast our brand-prediction priors against DNS-verified Salesforce and Okta footprints, graded three of our seven Kalshi-mode threat-intel predictions against actual outcomes, and pulled the left-of-boom ledger you just read. Numbers, not vibes. Receipts, not narrative.


Nine cases. One hundred and thirty-nine days. Forty-three at the high end. One miss. The ledger is public. Grade us.

