
Eight Hunt-Tonight Posts in Nine Days: Microsoft, Huntress, Palo Alto, Ivanti, Linux, Cloudways. Detection-to-Action in Hours, Not Quarters.

Writer: Patrick Duggan · 6 min read

May 7, 2026 · DugganUSA LLC


In the nine days running from April 28 to today, we have shipped eight hunt-tonight posts on eight separate CVEs, advisories, or active campaigns. Each one published within hours of the relevant disclosure. Each one carrying signed indicators in our public STIX feed within the same window. Each one written so that a SOC analyst at 11pm with a coffee can run the queries against their fleet without filing a vendor support ticket.


This post is the receipt list, the architectural explanation of how a two-person Minneapolis bootstrap firm runs that cadence, and the honest read on what it costs and what it does not.



The Receipt List

| # | Date | Surface | What we shipped |
|---|------|---------|-----------------|
| 1 | May 5 | Microsoft + Huntress | Device-code vishing detection. KQL queries for the same chain Microsoft Security Response Center confirmed two days later, on May 3. |
| 2 | May 5 | ClearFake | The Apothecary / DXNP2C7 path signature, caught April 30 23:56 UTC by our PreCog botanical-wing detector, surfaced May 1 via path-signature sweep against URLhaus and SSLBL. Huntress presented on the same campaign May 5; we named it five days earlier. |
| 3 | May 6 | Microsoft SharePoint | CVE-2026-32201 hunt: 1,300+ servers exposed, KEV-listed May 1, KQL queries for the spoofing-XSS chain on /_layouts/15/start.aspx and /_layouts/15/notify.aspx. |
| 4 | May 6 | Linux kernel | CVE-2026-31431 Copy Fail: 732-byte Python exploit, AF_ALG container escape by default, KEV-listed May 1, federal deadline May 15. |
| 5 | May 6 | RMM-abuse | STAC6405 / VENOMOUS#HELPER. We ingested all 24 indicators from the Securonix vendor-blog publication within hours and shipped the wmic.exe.bak high-confidence host IOC walkthrough the same day. |
| 6 | May 7 | Palo Alto Networks | CVE-2026-0300 PAN-OS Captive Portal root RCE: CISA KEV May 6, federal deadline tomorrow (May 9), patches arrive May 13. The four-day mitigation gap between deadline and vendor patch is the operational story. |
| 7 | May 7 | Ivanti | 9-CVE multi-product advisory across Connect Secure, Policy Secure, Secure Access Client, Cloud Services Application. Track-record analysis showing prior advisories ran 0-3 weeks from disclosure to in-the-wild exploitation; Storm-2561 named as the operational pattern. |
| 8 | May 7 | Cloudways / DigitalOcean / WordPress | CVE-2026-3844 Breeze Cache 9.8 CVSS file-upload-to-RCE: 400,000+ sites affected, 170+ active exploitation attempts logged by Wordfence, four public PoC repositories captured by our exploit-harvester. |


Eight surfaces. Nine calendar days. None of these were single-vendor stories; they spanned the major identity, edge-VPN, content-platform, kernel, RMM, and customer-edge-firewall categories. Each post included actionable detection logic — KQL, grep one-liners, audit-log targets, IOC matches — that a defender could run the same day they read the post.



How A Two-Person Bootstrap Runs That Cadence


The architecture has a name. We call it the Three Buckets, and it is the operating thesis under everything we ship. The three buckets:


Detection. PreCog (1,849 prediction records, 11-signal scoring), 17.9M-document threat-intelligence corpus across 44 indexes, 1.14M IOC catalog, vendor-blog watcher, AIPM 5-model AI Council, github-hunt-cron daily sweep, exploit-harvester GitHub PoC capture pipeline, Tor consensus collector, hourly snapshots of the public threat surface. Anything that produces "this is happening or about to happen."


Reasoning. 5-model AI Council (GPT-4o, Claude, Gemini, Mistral, DeepSeek), Judge Dredd HMAC verdict pattern, rule-pack classifier engine, receipt-verification across the indexed corpus, disclosure-failure exposure modeler. Anything that produces "this is what it means and what to do about it."


Distribution. STIX/TAXII feed (275 consumers in 46 countries — Microsoft, AT&T, Starlink, Hetzner pulling daily), MCP server interface (786 calls per week, 26 unique clients), REST API, 13 open-source defender plugins (VS Code, Splunk, Sentinel, Elastic, Slack, Raycast, Obsidian, Neovim, Cloudflare Workers, Chrome, GitHub Actions, CLI, scanner-core), public watchtower at analytics.dugganusa.com, customer dashboards, blog at www.dugganusa.com, Bluesky, LinkedIn. Anything that gets the verdict to where it can be acted on.


Every post in the receipt list above was built by recombining components from these three buckets. The new code per post is the connector between detection signal and distribution channel — typically a few hundred words of writing and a handful of grep regexes derived from the indicators our harvester already captured. The infrastructure underneath does not get rebuilt. It gets reused.


The math: with roughly ten components in Detection, six in Reasoning, and eight in Distribution, the latent product surface is approximately 10 × 6 × 8 = 480 distinct combinations. We have not exhausted that combinatorial space; the eight posts above represent eight specific recombinations. Each component added to any bucket expands the entire latent surface across every existing and future product.


This is why a two-person firm running a sub-five-hundred-dollar-per-month Azure budget can ship at the cadence above. The advantage is not headcount or capital. The advantage is recombinatorial architecture sized appropriately to the pace at which named vulnerabilities get disclosed and weaponized.



What The Big Brand-Protection Stacks Are Not Doing


The category-leading brand-protection vendor in the segment we have written about this week (the firm with the recently-closed seventy-million-dollar Series C at six-hundred-million-dollar valuation) does not, to our observation, ship same-day actionable hunt content on the named-CVE flow. Their value proposition is downstream: takedown enforcement after brand abuse is detected. The enforcement path generates discoverable evidence that, post-Item-1.05, worsens the customer's regulatory posture. We have written that analysis at length elsewhere this week.


The point relevant to today's post: the gap between vendor-blog publication and customer-side hunt-ready material is typically measured in weeks at the major brand-protection vendors, in days at the major SOC-retainer firms, and in single-digit hours at our cadence. The structural reason is not that we are working harder. The structural reason is that the brand-protection vendors are optimizing for a different product (enforcement of takedown notices) and the SOC-retainer firms are optimizing for a different time-domain (quarterly briefings, monthly tactical reports). A defender at 11pm on a Wednesday with a fresh CVE in their inbox is not the customer those products are built for.


We are. The eight-post receipt list above is what optimizing for that customer looks like.



The Pricing Posture


For comparison, here is what each tier of our offering costs against what the customer is getting:



| Tier | Price | What it includes |
|------|-------|------------------|
| Free public STIX feed | $0 | All eight indicator sets above, plus the broader 1.14M-indicator corpus. 25 queries per day. Permanent. |
| Starter API | $45/mo | 500 queries per day, full feed access, Splunk ES integration, OPNsense blocklists, 14-day lookback. |
| Researcher | $145/mo | 2,000 queries per day, behavioral scoring, precursor signals, 30-day lookback. |
| Professional | $495/mo | 5,000 queries per day, cross-index correlation, supply-chain IOCs, 90-day lookback. |
| Gov / Press | $995/mo | 12,000 queries per day, AIPM audits, compliance documentation, NET-30 billing. |
| Medusa Suite | $8,995/mo | 50,000 queries per day, full Medusa Suite, custom signatures, 99.5% SLA. |
| Enterprise Unlimited | $24,995/mo | 100,000 queries per day, dedicated key pool, white-label, 99.9% SLA, named CSM. |


For comparison, the brand-protection vendor we have written about this week prices its mid-enterprise tier at an estimated two hundred thousand dollars per year. Our Enterprise tier at thirty thousand dollars per year offers more queries, more lookback, and a feed that is updated within hours of disclosure rather than within weeks of vendor-blog publication.


The pricing reflects the cost structure honestly. We do not charge for what the architecture produces at near-zero marginal cost. The Three Buckets are the moat; the per-customer service is the cost.



What This Cadence Does Not Mean


We are not claiming to be faster than the National Security Agency, the FBI Cyber Division, the major Five Eyes intelligence services, the proprietary commercial intelligence at the largest vendors, or the hands-on responders at incident-response firms with cleared engagements. Those entities operate in time domains and information domains we do not have access to.


We are claiming to be faster than the public-facing threat intelligence layer that small-to-mid-market security teams actually consume on a Wednesday at 11pm with a coffee. That is the layer we ship at. That is the layer where eight posts in nine days, each within hours of disclosure, is observable and reproducible.


The 95% epistemic cap applies. Some of the eight posts may have been beaten on a specific indicator by another open-source threat researcher whose work we did not see in our scan window. We claim cadence and breadth, not exclusivity.



Summary For The Customer Reading This At 11pm


You probably patched something today. Tomorrow there will be a new CVE. The day after that there will be another. The cycle does not slow, and the cycle does not respect the publication schedule of the big-name vendor blog or the contracted briefing cadence of your SOC-retainer firm.


Our STIX feed is free at the public tier. The hunt posts are public on www.dugganusa.com. The IOCs land in the feed within hours of public PoC disclosure. The Three Buckets architecture that makes this possible is documented and the code that runs it is open-source where it can be.


We are reachable at [email protected].


— Patrick Duggan, DugganUSA LLC, Minneapolis


Aye.



Receipts


The eight posts in the receipt list above are all live at www.dugganusa.com under the corresponding slugs. The IOC corpus is live at analytics.dugganusa.com/api/v1/stix-feed under the indicator type. The MCP server is at analytics.dugganusa.com/api/v1/mcp on the official MCP Registry as io.github.pduggusa/dugganusa-threat-intel. The 13 open-source defender plugins are at github.com/pduggusa.


The Three-Bucket architecture is documented in our internal strategic memory as feedback-three-buckets-architecture with the factorial-reckoning extension articulated 2026-05-06 (current latent product surface estimated at 480 combinations from 10 Detection × 6 Reasoning × 8 Distribution components). The pyramid-vs-triangle measurement framework that distinguishes structural depth from surface artifact is documented as feedback-three-angles-pyramid-vs-triangle with the same articulation date.


We measure ourselves against falsifiers. The 90-day window starting today: if monthly recurring revenue does not move materially from the current $45/mo single-customer baseline by August 6, 2026, the bootstrap-blog-as-funnel theory is wrong and the strategy must shift. Either way, we will publish what the data says.


— DugganUSA LLC

