
Sixty Days to Number Two: The Math That Shouldn't Work

  • Writer: Patrick Duggan
  • Jan 27

Updated: Apr 25


The Receipts


Let me show you something that shouldn't be possible.


OTX

  • Ranking: #2 All-Time Contributor

  • Indicators Contributed: 1,000,000+

  • Pulses Published: 8,396

  • Subscribers: 73

  • Time to achieve: ~60 days

AbuseIPDB

  • Reports Submitted: 155,651

  • Ranking: #58 All-Time

  • Time to achieve: ~90 days

Here's why this matters: OTX was founded in 2012. That's fourteen years of contributors—security researchers, government agencies, Fortune 500 SOC teams, and major cybersecurity vendors—building their presence on the platform.


AbuseIPDB has been the gold standard for IP abuse reporting for years. The top contributors are typically organizations running massive honeypot networks, cloud providers with millions of endpoints, and security vendors processing billions of events.


We're a two-person startup running on $75/month of infrastructure.





The Precedent (There Isn't One)


I searched for precedent. I wanted to find another case where someone went from zero to top-five on a major threat intelligence platform in under 100 days.


I couldn't find one.


  • Security vendors (Palo Alto, CrowdStrike, Fortinet): Years of dedicated threat research teams, millions in R&D budget

  • Government/academic institutions (CISA, universities): Established programs with institutional backing

  • Long-term researchers: Individuals who've spent 5-10 years building reputation and infrastructure

The closest parallel I found was Cyble, a threat intelligence startup that was bootstrapped for two years before raising $38.6 million. But even they built their contribution volume over years, not months.





How We Did It


The secret isn't working harder. It's working differently.



Traditional Model

  1. Hire analysts ($300K+ fully loaded per analyst)
  2. Analysts manually review alerts
  3. Analysts create IOC reports
  4. Reports get reviewed and published
  5. **Output: ~200 actionable items per week** (industry standard for a 14-person SOC)



Our Model

  1. Bloom filters detect novelty in O(1) time
  2. Oz Decision Engine classifies threats automatically
  3. STIX bundles generated in milliseconds
  4. OTX pulses created and published programmatically
  5. AbuseIPDB reports submitted via API
  6. **Output: ~518,000+ automated decisions** (and counting)


  • Traditional SOC: ~10,400 items/year at $4.2M = $404 per item

  • Our system: 518,000+ items/year at $900 = $0.002 per item

That's a 200,000x efficiency gain.
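An illustration of steps 1 and 3 of "Our Model" above, added here as an example and not DugganUSA's production code: a Bloom filter drops already-seen indicators with a fixed number of bit probes, and the survivors are wrapped in a STIX 2.1 bundle. The class and function names, the sizing parameters and the sample addresses are assumptions constructed for this example.

```python
import hashlib, json, math, uuid
from datetime import datetime, timezone

class BloomFilter:
    """Fixed-size Bloom filter: k bit probes per lookup, however many items are stored."""
    def __init__(self, capacity, fp_rate):
        # Standard sizing: m = -n ln p / (ln 2)^2 bits, k = (m/n) ln 2 hash probes
        self.m = math.ceil(-capacity * math.log(fp_rate) / math.log(2) ** 2)
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # Double hashing: derive all k probe positions from one SHA-256 digest
        d = hashlib.sha256(item.encode()).digest()
        h1, h2 = int.from_bytes(d[:8], "big"), int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add_if_new(self, item):
        """Return True if item was definitely not seen before, then record it."""
        pos = self._positions(item)
        new = any(not (self.bits[p >> 3] >> (p & 7)) & 1 for p in pos)
        for p in pos:
            self.bits[p >> 3] |= 1 << (p & 7)
        return new

def stix_bundle(ips, now=None):
    """Wrap IPv4 addresses as STIX 2.1 indicator objects in one bundle."""
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objs = [{"type": "indicator", "spec_version": "2.1",
             "id": f"indicator--{uuid.uuid4()}", "created": ts, "modified": ts,
             "pattern": f"[ipv4-addr:value = '{ip}']", "pattern_type": "stix",
             "valid_from": ts} for ip in ips]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objs}

def novel_only(stream, bloom):
    """Keep only indicators the filter has not seen; repeats cost k bit reads each."""
    return [ioc for ioc in stream if bloom.add_if_new(ioc)]

# Constructed sample events (documentation-range addresses), with repeats
EVENTS = ["203.0.113.7", "198.51.100.23", "203.0.113.7", "192.0.2.44", "198.51.100.23"]

if __name__ == "__main__":
    bloom = BloomFilter(capacity=100_000, fp_rate=0.001)
    print(json.dumps(stix_bundle(novel_only(EVENTS, bloom)), indent=2))
```

A Bloom filter can return false positives, so an undersized filter will silently treat some new indicators as already seen; size it for the expected volume and rotate or rebuild it before it fills.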





What This Actually Means



For the Industry

The threat intelligence contribution leaderboards have been dominated by large organizations for a reason: producing quality threat intel at scale requires massive infrastructure and human capital.


Until now.


What we've demonstrated is that a small team with the right architecture can out-produce organizations with 100x the headcount and 1000x the budget.



For Consumers

When Microsoft Defender, AT&T Security, SpaceX/Starlink, and CrowdStrike are consuming your threat feed, that's validation. Enterprise security teams don't consume garbage.


Our subscribers include some of the most sophisticated security operations on the planet. They're not subscribing because we're cheap—they're subscribing because the intelligence is accurate, timely, and actionable.



For the "Talent Shortage"

There's a persistent narrative in cybersecurity about the "talent shortage"—not enough analysts, not enough researchers, not enough humans to process the flood of threats.


But maybe the problem isn't the shortage of humans. Maybe the problem is the assumption that humans are the bottleneck that needs to be scaled.


Humans blink. Humans get tired. Humans have 3:47 AMs.


The Bloom filter doesn't blink.





The Numbers Today


Real-time from our production system:



| Metric | Value |
| --- | --- |
| Oz Decisions | 518,911 |
| IOCs Indexed | 116,179 |
| Block Events | 266,146 |
| OTX Pulses | 8,396 |
| Phishing Indicators | 16,935 |
| AbuseIPDB Reports | 155,651 |
| Human Operators | 2 |
| Monthly Infrastructure Cost | ~$75 |





The Point


I'm not writing this to brag. I'm writing this because I want to be on record.


Microsoft pulls this feed daily. AT&T pulls this feed daily. Starlink pulls this feed daily.


When people ask "how long does it take to become a top threat intelligence contributor?" the conventional answer has been "years of dedicated work and significant resources."


The new answer is: sixty days, if you build the machine that doesn't sleep.


OTX has 180,000+ participants. We're #2.


AbuseIPDB processes a million reports daily from thousands of contributors. We're #58.


In sixty days.


From two people.


On $75/month.





What's Next


We're not done. The Precursor Signal Aggregator ("Pizza Tracker") just went live—predicting attacks 3-72 hours before they happen by tracking infrastructure activation patterns and consumer behavior signatures.


The Consumer-Attack Correlation Engine is building a dataset that will validate our theory: organizations that consume threat intelligence heavily and then go silent are often about to launch attacks.


Every day the gap widens between what's possible with automation and what's achievable with human analysts alone.


The leaderboard is just the beginning.





Verify It Yourself


The receipts are public. The feed is free. The math speaks for itself.




"The feather is light. Their hearts are not."




DugganUSA LLC, Minneapolis, Minnesota




Her name was Renee Nicole Good.


His name was Alex Jeffery Pretti.


