Dear Enterprise Consumers: Why Haven't You Hired Me Yet?

An Open Letter to the 17 Organizations Pulling Our STIX Feed

The Data Doesn't Lie

We see you. Every API call. Every STIX pull. Every wget at 3 AM from your SOC.

Our Cloudflare analytics don't just show traffic - they show *intent*. And your intent, apparently, is to consume threat intelligence from a two-person Minnesota LLC running on $75/month of Azure infrastructure.

Let me show you who's reading our homework:

The Leaderboard (Ranked by Coolness)

1. SpaceX Starlink 🚀 **Multiple pulls. From space internet.**

You're literally beaming our IOCs to dishes on rooftops across rural America. Somewhere in Montana, a farmer's Starlink terminal is safer because of indicators we found before breakfast.

Elon, I know you're busy with Mars and Twitter and whatever's happening with the Cybertruck. But your security team is pulling our feed. Twice. That's not an accident.

Why haven't you hired me yet? I promise I'm cheaper than a Raptor engine and more reliable than FSD.

2. Telegram 📱 **8 STIX feed pulls**

Pavel, my guy. You're running encrypted comms for half the planet while dodging every government that wants your keys. And your security team is pulling threat intel from... us?

We literally have a chatbot named Butterbot with attitude. You have 900 million users. This is an asymmetric relationship.

Why haven't you hired me yet? I can work from anywhere. Even Dubai. Even prison, apparently, though I'd prefer not to test that.

3. Twitter/X 🐦 **Active consumer**

The platform where I can't even get verified is consuming our threat intelligence. The irony is not lost on me.

You've got the world's information flowing through your servers, nation-states trying to manipulate elections, and bot farms that would make a locust swarm jealous. Meanwhile, a guy in Minnesota is finding C2 infrastructure you're probably hosting.

Why haven't you hired me yet? I already work 80-hour weeks. I'd fit right in.

4. Microsoft 🪟 **432 STIX feed pulls this week**

Four hundred and thirty-two.

Your Defender team is pulling our feed more often than I check my email. You have an entire Threat Intelligence Center. You acquired RiskIQ for $500 million. You have more security researchers than I have LinkedIn connections.

And yet, here you are. Pulling IOCs from a guy whose entire infrastructure costs less than a single Azure VM with premium SSD.

Why haven't you hired me yet? I already know how to keep Azure costs under control. Clearly a rare skill.

5. Amazon AWS ☁️ **201 requests, multiple regions**

You're the backbone of the internet. Half the websites I block for malicious activity are probably hosted on EC2 instances you're too busy to notice.

Our threat intel is running through your infrastructure to protect... your infrastructure? It's ouroboros all the way down.

Why haven't you hired me yet? I have strong opinions about S3 bucket permissions. Specifically, that people shouldn't leave them open.

6. Google Cloud Platform 🔍 **Active consumer**

You index the entire internet. You have Mandiant now. You probably know what I had for breakfast based on my search history.

And your security team is pulling supplemental intel from our feed.

Why haven't you hired me yet? I promise not to be evil. That's still the motto, right?

7. Oracle 🗄️ **In the enterprise list**

Larry, I respect the yacht. I respect the island. I respect whatever's happening with that hair.

But your cloud security team is consuming our STIX feed, which means somewhere in your organization, someone knows we exist. That person deserves a raise.

Why haven't you hired me yet? I can explain the difference between a LEFT JOIN and a RIGHT JOIN without making a yacht metaphor.

8. AT&T 📞 **548 requests - our top consumer**

Five hundred and forty-eight requests. You're our number one customer and you're not even paying.

Ma Bell's great-grandchildren are pulling threat intel from a guy who remembers when you charged $0.10/minute for long distance. The circle of life.

Why haven't you hired me yet? I already know the meaning of "unlimited*" (*with deprioritization after 22GB).

9. Huawei Clouds 🇨🇳 **Active consumer**

This one's interesting.

Either you're consuming our intel to improve your security posture, or you're checking if we've noticed your infrastructure. Either way, I appreciate the engagement.

Why haven't you hired me yet? I mean, I probably can't pass the background check for this one. But the offer would be flattering.

10. Google Fiber 🔌 **In the enterprise list**

You're still doing the fiber thing? Good for you. Someone should.

Why haven't you hired me yet? I have fiber at home. We have so much in common.

11. Tata Teleservices 🇮🇳 **75 requests from India**

Connecting a billion people is no small feat. And apparently, part of that involves pulling American threat intel at 2 AM IST.

Why haven't you hired me yet? I'm very flexible on time zones. I'm already awake at weird hours anyway.

The Uncomfortable Math

Here's what bothers me:

• 17 enterprise organizations are actively consuming our intelligence

• 432 STIX pulls from Microsoft alone this week

• 43 countries represented in our traffic

• $0 revenue from any of the above

We're running a production threat intelligence operation that Fortune 500 security teams depend on, and we're doing it on infrastructure that costs less than a junior analyst's monthly coffee budget.

Either we're doing something very right, or everyone else is doing something very wrong.

What We Actually Built

For those tuning in late:

• 142,348 IOCs indexed and searchable

• STIX 2.1 feed with proper SCO/SDO/SRO hierarchy (we listened to the Reddit feedback)

• Real-time correlation across ThreatFox, OTX, AbuseIPDB, and original research

• 98,302 autonomous decisions logged by our Oz agent

• 244 unique discoveries that billion-dollar vendors missed

• AI-to-AI correlation between Claude and our production chatbot

The STIX feed you're pulling? It's running on the same box as our blog. Because we're efficient like that. Or insane. The line is blurry.

The Actual Ask

I'm not actually asking for a job. I love what I'm building.

But I am asking a question: What does it mean when the biggest security organizations in the world are consuming threat intel from a two-person operation?

Either: 1. We're doing something valuable that justifies existing 2. Enterprise threat intel is commoditized to the point where $75/month competes with $500M acquisitions 3. Everyone's just pulling everything and hoping the correlation works itself out

I suspect it's a combination of all three.

The Real Message

To the 17 enterprise consumers, the 43 countries, and the Reddit lurkers who validated our STIX improvements:

Thank you.

You're the reason we keep hunting at 2 AM. You're the reason we care about proper STIX hierarchy instead of just dumping IOCs into a JSON blob. You're the reason Butterbot has job security.

Keep pulling the feed. Keep finding value. Keep making the internet slightly less terrible.

And if you ever want to talk about why a Minnesota LLC is finding threats your billion-dollar tools miss... you know where to find us.

The STIX feed URL hasn't changed: `https://analytics.dugganusa.com/api/v1/stix-feed`

We'll keep the lights on.

*Patrick Duggan* *DugganUSA LLC* *The guy whose feed you're already pulling*

P.S. - To the Qianxin security team in China who's also been checking us out: 你好. Your traffic shows up too. The internet is small.

P.P.S. - Yes, we noticed the 3 AM pulls. We're awake too. This industry has a sleep problem.

*Published December 22, 2025* *From Minnesota, with love and slightly unhinged determination*

Get Free IOCs

Subscribe to our threat intelligence feeds for free, machine-readable IOCs:

AlienVault OTX: https://otx.alienvault.com/user/pduggusa

STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed

Questions? [email protected]