
Does Your Threat Feed Auto-Harvest Exploit Code From GitHub? Ours Does Now.

  • Writer: Patrick Duggan
  • Apr 4
  • 4 min read

Updated: Apr 25

We built something today that none of the threat intelligence vendors do.


Every 6 hours, our platform searches GitHub for newly published CVE exploit code. It pulls the scripts, extracts the attack patterns — target endpoints, injectable headers, SQL injection strings, RCE execution methods, default credentials — classifies each one as a detection PoC or a weaponized tool, and converts the patterns into proper STIX 2.1 indicators that flow directly into your SIEM.


From git push to Splunk rule. Automated. No analyst in the loop.



What the Big Vendors Do


Recorded Future charges $100K+/year. They have analysts who read vulnerability reports, write intelligence summaries, and publish indicators — usually IP addresses, domains, and file hashes. The turnaround is hours to days.


CrowdStrike Falcon Intelligence is bundled with their endpoint product. Same model — human analysts, curated intelligence, traditional IOC types.


Palo Alto Unit 42 publishes excellent research. Days to weeks after a vulnerability is disclosed, they'll produce a detailed writeup with indicators.


All of them focus on the same thing: who attacked, what infrastructure they used, and what files they dropped. IP addresses. Domains. Hashes.


None of them tell you how the exploit works at the HTTP request level. None of them extract the actual attack pattern from the PoC code and convert it to a detection rule your SIEM can consume.



What We Do Now


Our Exploit Harvester runs every 6 hours:


  1. Search GitHub for new CVE-2026 repositories and check watched researcher accounts
  2. Pull the exploit scripts (Python, Shell, Ruby)
  3. Extract attack patterns (target endpoints, injectable headers, SQL injection strings, RCE execution methods, default credentials)
  4. Classify — is this a detection PoC or a weaponized tool?
  5. Convert to STIX 2.1 indicators:
  6. Index and serve through our STIX feed — same endpoint your Splunk ES, OPNsense, or SIEM already pulls

First automated run: 33 repos found, 11 analyzed, 19 detection rules indexed, 3 weaponized repos flagged for manual review. 38 seconds.
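Steps 3 and 5 are the part a SIEM team has to trust, so here is a worked version of that extraction-to-STIX hop. This is an added example, not the DugganUSA harvester's code: the PoC fragment, the CVE id and the endpoint are constructed placeholders, and the extraction is a deliberately narrow regex heuristic (quoted request paths and the `headers = {...}` dict) rather than a full parser. The STIX 2.1 Indicator it emits uses the `http-request-ext` extension so the pattern matches on the request path and the injected header value together.

```python
import json
import re
import uuid
from datetime import datetime, timezone
from typing import Optional

# Constructed sample in the shape of a typical Python PoC. The CVE id is a
# placeholder; the endpoint and header value are invented for this example.
SAMPLE_CVE = "CVE-0000-00000"
SAMPLE_POC = '''
import requests
url = target + "/api/v1/login"
headers = {"X-Forwarded-For": "' OR 1=1--", "User-Agent": "poc-check"}
r = requests.post(url, headers=headers, data={"user": "admin", "pass": "admin"})
'''

# Heuristics over the script text; nothing from the PoC is ever executed.
ENDPOINT_RE = re.compile(r'"(/[A-Za-z0-9_./-]+)"')          # quoted request paths
HEADERS_BLOCK_RE = re.compile(r'headers\s*=\s*\{([^}]*)\}')  # the headers dict literal
HEADER_PAIR_RE = re.compile(r'"([A-Za-z0-9-]+)"\s*:\s*"([^"\n]*)"')
SQLI_RE = re.compile(r"'\s*OR\s+\d+=\d+|UNION\s+SELECT|'\s*--", re.IGNORECASE)


def extract_patterns(source: str) -> dict:
    """Pull the request paths and request headers a PoC sends, and mark the
    headers whose values carry an SQL injection string."""
    endpoints = sorted(set(ENDPOINT_RE.findall(source)))
    headers: dict = {}
    for block in HEADERS_BLOCK_RE.findall(source):
        headers.update(dict(HEADER_PAIR_RE.findall(block)))
    sqli_headers = {k: v for k, v in headers.items() if SQLI_RE.search(v)}
    return {"endpoints": endpoints, "headers": headers, "sqli_headers": sqli_headers}


def stix_escape(value: str) -> str:
    """Escape a value for a single-quoted STIX pattern string literal."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def to_stix_indicator(cve: str, endpoint: str, header: str, value: str,
                      now: Optional[datetime] = None) -> dict:
    """Build one STIX 2.1 Indicator whose pattern matches the exploit's HTTP
    request: the same path and the injected header value."""
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    ext = "network-traffic:extensions.'http-request-ext'"
    pattern = (f"[{ext}.request_value = '{stix_escape(endpoint)}' AND "
               f"{ext}.request_header.'{header}' LIKE '%{stix_escape(value)}%']")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": f"{cve} exploit attempt against {endpoint}",
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "pattern_version": "2.1",
        "valid_from": ts,
        "labels": [cve.lower(), "sql-injection", "harvested-poc"],
    }


def harvest(cve: str, source: str, now: Optional[datetime] = None) -> dict:
    """Extract patterns from one script and wrap the indicators in a Bundle."""
    found = extract_patterns(source)
    objects = [to_stix_indicator(cve, ep, h, v, now)
               for ep in found["endpoints"]
               for h, v in found["sqli_headers"].items()]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


if __name__ == "__main__":
    print(json.dumps(harvest(SAMPLE_CVE, SAMPLE_POC), indent=2))
```

The single quote in the injected value is the detail that bites in practice: STIX string literals are single-quoted, so an unescaped `'` from a PoC produces an indicator that every consumer rejects. Escaping happens in one place, `stix_escape`, before the value reaches the pattern.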



What's in the Feed Now



Indicator Type     Count   Example
IPv4 addresses     3,082   Known C2, scanner, botnet IPs
Domains              385   Malicious domains, phishing
URLs                 195   Exploit delivery, C2 callbacks
SHA-256 hashes        34   Malware binaries, ransomware
Detection rules        5   Endpoint + header attack patterns
Tool abuse             6   Rclone, AnyDesk, Mimikatz, Cobalt Strike
CVE patterns           4   Fortinet EMS, Langflow, Cisco IMC
File indicators        1   Ransom notes, encrypted extensions
Mutex                  1   Ransomware mutex for dedup
Total              3,731


The traditional feeds stop at IP/domain/hash. We now include the attack methodology — how the exploit hits the endpoint, what headers it injects, what tools the attacker uses post-exploitation.



Why This Matters


When a security researcher publishes a PoC for CVE-2026-21643 (Fortinet EMS SQL injection), two audiences read it:


  1. Defenders who need to know what to block
  2. Attackers who need to know what to exploit

The race is: who acts on the PoC first? If the defender gets the detection rule into their SIEM before the attacker weaponizes the PoC against their infrastructure, the defender wins. If the attacker moves faster, the defender loses.


Our harvester tips that race. The PoC publishes on GitHub. Within 6 hours, the attack pattern is extracted, converted to a STIX indicator, and served to 275+ organizations through our feed. The defender's Splunk instance pulls it automatically. The detection rule is active before the attacker finishes reading the README.



The Watched Accounts


We monitor prolific PoC publishers — security researchers who consistently produce high-quality exploit code within 24-48 hours of CVE disclosure:


  • 0xBlackash — 23 CVE repos, Python PoCs for every major 2026 CVE
  • redyank — 7 repos, red team and pentest focus
  • MichaelAdamGroberman — 6 repos, ICS/SCADA focus
  • FilipeGaudard — 2 repos, active

We don't report them. We don't block them. They're doing legitimate security research. We harvest their work and turn it into detection rules.


Kill the body, not the head. The researchers publish the exploit. We extract the pattern. Our consumers block the attack.



The Weaponization Check


Not everything on GitHub is research. This week we found:


  • Cisco FMC "PoC" bundled with cmd.war and cmd.jsp webshells — reported to GitHub security
  • Citrix NetScaler "PoC" that was actually a full session harvester toolkit — flagged
  • HeightCoder account with 7 ransomware builder repositories — reported

The harvester classifies each repo: does the code contain detection signatures (detection PoC) or weaponization signatures (webshells, reverse shells, encoded payloads)? Weaponized repos get flagged for manual review. Detection PoCs get auto-indexed.
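A minimal version of that classification step, as an added example rather than the harvester's own classifier. The two sample repositories are constructed for this example, and the signature lists are illustrative (webshell file names of the `cmd.jsp` / `cmd.war` kind, exec-from-request markers, reverse-shell markers, long base64 literals on the weaponization side; banner checks and Sigma/Snort rule syntax on the detection side). The rule it encodes is the one from the text: one weaponization hit outranks any amount of detection signal, and only a clean detection PoC is auto-indexed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample repositories (path -> file content). Neither is a real
# project; they only show the two shapes the classifier has to separate.
SAMPLE_REPOS: Dict[str, Dict[str, str]] = {
    "cve-check-poc": {
        "README.md": "# Check for CVE-0000-00000\nSends one request and inspects the version banner.",
        "check.py": 'r = requests.get(target + "/api/status")\n'
                    'print("VULNERABLE" if "1.0.0" in r.text else "patched")',
        "detection.yml": "title: Exploit attempt\nlogsource:\n  category: webserver\n"
                         "detection:\n  selection:\n    c-uri: '/api/status'\n  condition: selection",
    },
    "cve-full-chain": {
        "README.md": "# Full exploit chain",
        "cmd.jsp": "<% /* constructed placeholder */ Runtime.getRuntime().exec(cmd); %>",
        "exploit.py": 'payload = base64.b64decode("' + "QUFB" * 40 + '")\n'
                      "sock.connect((lhost, lport))",
    },
}

# Weaponization signatures checked against file paths ...
WEAPON_PATH = {
    "webshell-filename": re.compile(r"(^|/)(cmd|shell|webshell)\.(jsp|jspx|war|aspx?|php)$", re.I),
}
# ... and against file contents.
WEAPON_CONTENT = {
    "webshell-exec": re.compile(r"Runtime\.getRuntime\(\)\.exec\(|eval\(\s*\$_(GET|POST|REQUEST)"),
    "reverse-shell": re.compile(r"/dev/tcp/|pty\.spawn\(|sock\.connect\(\(\s*lhost"),
    "encoded-payload": re.compile(r"b64decode\(\s*['\"][A-Za-z0-9+/=]{80,}"),
}
# Detection signatures: a version/banner check, or a rule in Sigma or Snort form.
DETECT_CONTENT = {
    "version-check": re.compile(r"\bVULNERABLE\b|\bpatched\b", re.I),
    "sigma-rule": re.compile(r"^logsource:|^detection:", re.M),
    "snort-rule": re.compile(r"^alert\s+(tcp|http)\b", re.M),
}


@dataclass
class Verdict:
    repo: str
    label: str                  # "weaponized", "detection-poc" or "unclassified"
    evidence: List[str] = field(default_factory=list)

    @property
    def needs_review(self) -> bool:
        # Only clean detection PoCs are auto-indexed; everything else waits
        # for an analyst, including repos that show no signal at all.
        return self.label != "detection-poc"


def classify_repo(name: str, files: Dict[str, str]) -> Verdict:
    weapon, detect = [], []
    for path, content in files.items():
        weapon += [f"{path}: {sig}" for sig, rx in WEAPON_PATH.items() if rx.search(path)]
        weapon += [f"{path}: {sig}" for sig, rx in WEAPON_CONTENT.items() if rx.search(content)]
        detect += [f"{path}: {sig}" for sig, rx in DETECT_CONTENT.items() if rx.search(content)]
    # One weaponization hit outranks any number of detection hits.
    if weapon:
        return Verdict(name, "weaponized", weapon)
    if detect:
        return Verdict(name, "detection-poc", detect)
    return Verdict(name, "unclassified")


def classify_all(repos: Dict[str, Dict[str, str]]) -> List[Verdict]:
    return [classify_repo(n, f) for n, f in repos.items()]


if __name__ == "__main__":
    for v in classify_all(SAMPLE_REPOS):
        print(f"{v.repo}: {v.label} ({'manual review' if v.needs_review else 'auto-index'})")
        for e in v.evidence:
            print("   ", e)
```

The third outcome, `unclassified`, is the caveat worth keeping: a repo with no weaponization marker is not thereby a detection PoC, so it goes to the same review queue instead of the auto-index path.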


Three weaponized repos flagged in the first run. The classifier works.



Try It


The STIX feed is free. Point your SIEM at it and the detection rules flow automatically:



# Splunk ES
URL: https://analytics.dugganusa.com/api/v1/stix-feed?format=splunk&api_key=YOUR_KEY
Parser: stix2
Interval: 86400


Register for a free API key: analytics.dugganusa.com/stix/register


The harvester runs at midnight, 6 AM, noon, and 6 PM CT. Every pull gets the latest detection rules from every PoC published in the last 24 hours.
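Whatever pulls the feed should validate the bundle before anything becomes a SIEM rule. Below is an added consumer-side example, not the feed's own parser or the Splunk stix2 parser: it takes a STIX 2.1 bundle (a constructed sample with invented ids, timestamps and patterns), keeps only indicators that have every required field, a well-formed id, `pattern_type` `stix`, and are currently within their `valid_from` / `valid_until` window, and writes the survivors as lookup rows. `SAMPLE_NOW` stands in for the time of the pull.

```python
import csv
import io
import json
import re
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed sample bundle; ids, timestamps and patterns are invented here.
SAMPLE_FEED = json.dumps({
    "type": "bundle", "id": "bundle--0f7b1c2e-1111-4b2b-9c3d-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",      # well formed, currently valid
         "id": "indicator--1a2b3c4d-2222-4c3d-8e4f-000000000002",
         "created": "2026-04-04T06:00:00.000Z", "modified": "2026-04-04T06:00:00.000Z",
         "name": "CVE-0000-00000 exploit attempt", "pattern_type": "stix",
         "pattern": "[network-traffic:extensions.'http-request-ext'.request_value = '/api/v1/login']",
         "valid_from": "2026-04-04T06:00:00.000Z"},
        {"type": "indicator", "spec_version": "2.1",      # valid_until already passed
         "id": "indicator--1a2b3c4d-3333-4c3d-8e4f-000000000003",
         "created": "2026-01-01T00:00:00Z", "modified": "2026-01-01T00:00:00Z",
         "name": "old scanner", "pattern_type": "stix", "pattern": "[ipv4-addr:value = '192.0.2.10']",
         "valid_from": "2026-01-01T00:00:00Z", "valid_until": "2026-02-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--not-a-uuid",  # malformed id
         "created": "2026-04-04T06:00:00.000Z", "modified": "2026-04-04T06:00:00.000Z",
         "name": "bad id", "pattern_type": "stix", "pattern": "[url:value = 'http://example.invalid/x']",
         "valid_from": "2026-04-04T06:00:00.000Z"},
        {"type": "malware", "spec_version": "2.1",        # not an indicator: skipped, not rejected
         "id": "malware--1a2b3c4d-4444-4c3d-8e4f-000000000004",
         "created": "2026-04-04T06:00:00.000Z", "modified": "2026-04-04T06:00:00.000Z",
         "name": "sample-family", "is_family": True},
    ],
})
SAMPLE_NOW = datetime(2026, 4, 5, tzinfo=timezone.utc)  # pull time assumed for the sample

REQUIRED = ("type", "spec_version", "id", "created", "modified", "pattern", "pattern_type", "valid_from")
INDICATOR_ID_RE = re.compile(
    r"^indicator--[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")
LOOKUP_FIELDS = ("id", "name", "pattern", "valid_from", "valid_until", "modified")


def parse_ts(value: str) -> datetime:
    """STIX timestamps are RFC 3339 in UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"bad STIX timestamp: {value!r}")


def validate_indicator(obj: dict, now: datetime) -> Optional[str]:
    """Return a rejection reason, or None if the indicator is safe to load."""
    missing = [k for k in REQUIRED if k not in obj]
    if missing:
        return "missing " + ",".join(missing)
    if obj["spec_version"] != "2.1":
        return f"spec_version {obj['spec_version']}"
    if not INDICATOR_ID_RE.match(obj["id"]):
        return "malformed id"
    if obj["pattern_type"] != "stix":
        return f"unsupported pattern_type {obj['pattern_type']}"
    if obj.get("revoked"):
        return "revoked"
    if parse_ts(obj["valid_from"]) > now:
        return "not yet valid"
    if "valid_until" in obj and parse_ts(obj["valid_until"]) <= now:
        return "expired"
    return None


def feed_to_lookup(raw: str, now: datetime) -> Tuple[List[dict], List[Tuple[str, str]]]:
    """Split a bundle into accepted lookup rows and (id, reason) rejections."""
    bundle = json.loads(raw)
    if bundle.get("type") != "bundle":
        raise ValueError("feed did not return a STIX bundle")
    rows, rejected = [], []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue  # malware, relationships etc. carry no pattern to match on
        reason = validate_indicator(obj, now)
        if reason:
            rejected.append((obj.get("id", "?"), reason))
            continue
        rows.append({k: obj.get(k, "") for k in LOOKUP_FIELDS})
    return rows, rejected


def to_csv(rows: List[dict]) -> str:
    """Render accepted rows as a CSV lookup with a fixed column order."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=LOOKUP_FIELDS, lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    accepted, dropped = feed_to_lookup(SAMPLE_FEED, SAMPLE_NOW)
    print(to_csv(accepted))
    for ind_id, why in dropped:
        print(f"rejected {ind_id}: {why}")
```

With a daily pull interval (the 86400 seconds in the Splunk stanza) and a harvester that runs four times a day, the `valid_until` check is what keeps rules from lingering after the feed has retired them; rejections are kept as a list rather than discarded so the pull job can log why a rule never reached the SIEM.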




Does your threat feed auto-harvest exploit code from GitHub? Does it extract attack patterns and convert them to STIX indicators? Does it classify weaponized repos and flag them for review? Does it do this every 6 hours without an analyst?


Recorded Future doesn't. CrowdStrike doesn't. Palo Alto doesn't.


We do. As of today. From a two-person shop in Minneapolis that runs on $600 a month.



The cheapest, fastest, most accurate threat feed on the internet.

275+ enterprises pulling daily. 1M+ IOCs. 17.4M indexed documents. We beat Zscaler by 43 days on NrodeCodeRAT. Starter tier $9/mo — less than any competitor’s sales demo.
