Ten Curls That Make The DugganUSA STIX Feed Pay For Itself. Run These In Your Daily Standup.
- Patrick Duggan
The DugganUSA STIX feed gives every registered defender a free-tier key with five hundred queries per day across the iocs, pulses, epstein_files, blog, and content indexes. The free tier is generous. The activation rate on the free tier is not. Three quarters of the keys we have ever issued have never made a first call.
This post is the first call. Ten specific curl commands a defender can run against the public DugganUSA APIs to get useful output today. Each query has a single shape, a single expected output, and a single action you can take with what comes back. Paste, run, act.
Register at analytics.dugganusa.com/stix/register if you have not already. The key takes sixty seconds to issue. Every example below uses Bearer-token authentication via the Authorization header — substitute your key where the examples reference "YOURKEY."
1. Is this single IP already in our corpus
The most common defender question. Your SIEM just alerted on a connection to a foreign IP. You want to know whether DugganUSA has seen it before, what family it was tagged with, and how confident the attribution is. The endpoint is analytics.dugganusa.com/api/v1/search with the q parameter set to the IP and the Authorization header set to your bearer token. The response includes hits, each with value, source, threat_type, malware_family, confidence, and timestamp. If confidence is above seventy and the family is unambiguous, block at your edge today. If the hit is from a Spamhaus drop tagging the /24, escalate to subnet-level review.
2. Cross-correlate an indicator across every index
The single-IP lookup only hits the iocs index. The correlate endpoint walks across iocs, blocked, pulses, blog_hits, and a half-dozen others, surfacing every record we have keyed on that indicator. The endpoint is analytics.dugganusa.com/api/v1/search/correlate with the q parameter. Use this when the basic search returns nothing — the correlate path catches indicators that appeared in pulses or vendor blog snippets but did not become iocs themselves. If you get a hit in pulses but not iocs, the indicator is on the bleeding edge of attribution and the family tag has not stabilized yet.
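The two lookups above, scripted rather than typed: an added example (not code from the original post) that builds the authenticated search and correlate requests with the q parameter and Bearer header the post names, then applies the item 1 decision rule to the hit fields it lists. The sample hits are constructed, and recognising a Spamhaus DROP hit by its source name plus a CIDR value is an assumption.

```python
"""Added example, not code from the original post: build the authenticated
search/correlate requests the post describes and apply the item 1 triage
rule to the hit fields it lists. The sample hits below are constructed."""
import json
import urllib.parse
import urllib.request

BASE = "https://analytics.dugganusa.com/api/v1"


def build_request(path, q, key):
    """GET {BASE}/{path}?q=... with the Bearer token in the Authorization header."""
    url = f"{BASE}/{path}?{urllib.parse.urlencode({'q': q})}"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {key}"})


def lookup(indicator, key, timeout=10):
    """Live call (not exercised offline): basic search first, correlate as fallback."""
    for path in ("search", "search/correlate"):
        with urllib.request.urlopen(build_request(path, indicator, key), timeout=timeout) as r:
            hits = json.load(r).get("hits", [])
        if hits:
            return path, hits
    return None, []


def triage(hits, min_confidence=70):
    """One action per hit, following the rules in item 1."""
    actions = []
    for h in hits:
        # A Spamhaus DROP entry covers a prefix: review the subnet rather than block one host.
        # (Recognising DROP hits by source name plus a CIDR value is an assumption.)
        if "spamhaus" in h["source"].lower() and "/" in h["value"]:
            actions.append(("escalate_subnet", h["value"]))
        elif h["confidence"] > min_confidence and h["malware_family"] not in ("", "unknown", None):
            actions.append(("block", h["value"]))
        else:
            actions.append(("review", h["value"]))
    return actions


# Constructed sample response in the shape the post describes (RFC 5737 test addresses).
SAMPLE_HITS = [
    {"value": "203.0.113.7", "source": "otx_pulse", "threat_type": "c2",
     "malware_family": "Sofacy", "confidence": 85, "timestamp": "2025-05-20T04:00:00Z"},
    {"value": "198.51.100.0/24", "source": "spamhaus_drop", "threat_type": "hosting",
     "malware_family": "", "confidence": 90, "timestamp": "2025-05-19T00:00:00Z"},
    {"value": "192.0.2.44", "source": "github_hunt", "threat_type": "scanner",
     "malware_family": "unknown", "confidence": 40, "timestamp": "2025-05-21T10:00:00Z"},
]
```

`triage(SAMPLE_HITS)` yields one block, one subnet escalation and one review; swap `SAMPLE_HITS` for the `hits` list returned by `lookup` to run it against the live feed.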
3. Natural-language ask — what is hot in the supply chain this week
The NLWeb path takes a sentence and parses it into a corpus search. The endpoint is analytics.dugganusa.com/api/v1/search/nl with the q parameter set to a natural-language question. Example: "supply chain compromises in the last seven days." The response includes both the parsed intent and the top hits. If your stack does not include a supply-chain-aware feed, this query is the cheapest way to add one. Pair it with a weekly review of the top three returned indicators against your dependency manifest.
4. Russian-attributed C2 infrastructure active this week
Same NLWeb shape with a more specific phrase. The query "Russian C2s active this week" returns indicators tagged with Russian malware families (Sofacy, APT 29, Turla, Sandworm) within a recent timestamp window. If you operate in finance, energy, or government, this is the weekly query to put on the SOC bulletin board. Use the output to verify your perimeter logs do not show outbound connections to any of the returned IPs.
5. Operator footprint by name
Some vendors publish actor-cluster names. Some publish campaign names. The footprint query unifies them. Use the search endpoint with q set to the cluster name — "ShinyHunters" or "Coinbase Cartel" or "Famous Chollima." Returns the IOCs tagged with that family, the IPs and domains in the cluster's current infrastructure, and the first-seen dates. The first-seen dates are the lead-time receipts. If the breach hit the news today and the indicators show first-seen forty-six days ago, the defender who consumed the feed had forty-six days to harden.
6. Pre-flight check on any MCP server before you install it
This is the dredd path, not the search path. Before adding any MCP server to your Claude Code or Cursor configuration, run a check via the dredd MCP at analytics.dugganusa.com/api/v1/dredd/mcp using a JSON-RPC tools/call invocation against the check_mcp_server tool with the server name as argument. The response includes verdict (BLOCK / ADVISORY / ALLOW), severity, server-level findings, and the dep_graph summary showing whether any directly declared dependency has a compromise finding in our corpus. The verdict is HMAC-signed so you can prove what Dredd said. Slice two, which is queued, adds transitive dependency walking.
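The pre-flight check as a script, an added example that is not code from the post or from the Dredd project: it builds the JSON-RPC 2.0 tools/call envelope for check_mcp_server and turns the verdict fields the post lists into an install decision that fails closed. The argument key `server`, the dep_graph `compromised` counter and the sample verdict are assumptions.

```python
"""Added example, not from the post or the Dredd project: the JSON-RPC 2.0
tools/call envelope for check_mcp_server and an install gate over the
verdict fields the post lists (verdict, severity, dep_graph). The argument
key 'server' and the dep_graph 'compromised' counter are assumptions."""
import json
import urllib.request

DREDD_MCP = "https://analytics.dugganusa.com/api/v1/dredd/mcp"


def check_mcp_server_call(server_name, request_id=1):
    """JSON-RPC request body asking the check_mcp_server tool about one server."""
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "tools/call",
        "params": {"name": "check_mcp_server",
                   "arguments": {"server": server_name}},  # argument key assumed
    }


def send(body, key, timeout=15):
    """Live POST (not exercised offline); same Bearer header as the search API."""
    req = urllib.request.Request(
        DREDD_MCP, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {key}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as r:
        return json.load(r)


def install_decision(verdict):
    """Map a Dredd verdict to install / review / refuse, failing closed."""
    # Check the HMAC signature on the response before trusting these fields;
    # the signing scheme is Dredd's to document and is not reproduced here.
    v = str(verdict.get("verdict", "")).upper()
    if v == "BLOCK":
        return "refuse"
    # A compromised direct dependency overrides an otherwise clean server verdict.
    if verdict.get("dep_graph", {}).get("compromised", 0) > 0:
        return "review"
    if v == "ADVISORY":
        return "review"
    if v == "ALLOW":
        return "install"
    return "refuse"  # missing or unrecognised verdict: do not install


# Constructed verdict in the shape the post describes, for an offline dry run.
SAMPLE_VERDICT = {"verdict": "ALLOW", "severity": "low",
                  "findings": [], "dep_graph": {"direct": 12, "compromised": 1}}
```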
7. Recent KEV-tied indicators where we have lead time
CISA's Known Exploited Vulnerabilities catalog tells you what to patch. The DugganUSA STIX feed tells you which of those CVEs we already had infrastructure observations on. Use the search endpoint with q set to a recent CVE identifier from the KEV list. The hits include the github-hunt-cron PoC repos staged before the broader exploitation began. If the CVE landed in KEV less than a week ago and our github-hunt output has fresh PoC repos for it, the exploit window is now and your patching cadence should reflect that. This is also queryable via the dedicated kev-gap endpoint at analytics.dugganusa.com/api/v1/dredd/kev-gap with the cve parameter, which returns CISA dateAdded, our first observation, and the gap in days.
8. Mobile RAT staging in the last seventy-two hours
The github-hunt-cron sweeps daily for fresh malicious-tooling repositories. Use search with q set to "AndroidRAT" combined with a filter for ageHours less than seventy-two. The hits surface repositories that were just staged on GitHub — the left-of-boom precursor signal for mobile-malware campaigns that historically launch two to six weeks after public staging. If your fleet includes managed Android devices, this query is the early warning. We published a prediction post on May 19 calling a mobile-RAT campaign within six weeks based on this exact signal.
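Items 7 and 8 both come down to time arithmetic: the KEV-to-first-observation gap in days, and an ageHours freshness window over staged repositories. The added example below (not code from the original post) carries both through on constructed data; `dateAdded` is CISA's KEV field name, while `first_seen`, the repo names and the fixed "now" are assumptions.

```python
"""Added example, not part of the original post: the two time-window
calculations behind items 7 and 8 - the KEV dateAdded-to-first-observation
gap in days, and the ageHours freshness filter for staged repositories.
'dateAdded' is CISA's field; 'first_seen' and the sample data are constructed."""
from datetime import datetime, timedelta, timezone

# Fixed clock for an offline dry run (constructed); use datetime.now(timezone.utc) live.
NOW = datetime(2025, 5, 22, 12, 0, tzinfo=timezone.utc)


def parse_ts(s):
    """Accept CISA's date-only form and RFC 3339 timestamps; normalise to UTC."""
    if len(s) == 10:
        return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def kev_gap_days(date_added, first_observed):
    """Positive result = infrastructure was observed before CISA added the CVE (lead time)."""
    return (parse_ts(date_added) - parse_ts(first_observed)).days


def fresh_hits(hits, now, max_age_hours=72):
    """Keep hits first seen inside the window, annotating each with its ageHours."""
    out = []
    for h in hits:
        age = (now - parse_ts(h["first_seen"])).total_seconds() / 3600
        if age < max_age_hours:
            out.append({**h, "ageHours": round(age, 1)})
    return out


def exploit_window_now(date_added, poc_repo_ages_hours, now, kev_age_days=7, fresh_hours=72):
    """Item 7's rule: KEV entry under a week old and at least one fresh PoC repo."""
    added_recently = (now - parse_ts(date_added)) < timedelta(days=kev_age_days)
    fresh_poc = any(a < fresh_hours for a in poc_repo_ages_hours)
    return added_recently and fresh_poc


# Constructed github-hunt hits; the repository names are placeholders.
SAMPLE_REPOS = [
    {"value": "example-org/androidrat-builder", "first_seen": "2025-05-21T06:00:00Z"},
    {"value": "example-org/old-androidrat-fork", "first_seen": "2025-05-15T06:00:00Z"},
]
```

With the constructed clock, `kev_gap_days("2025-05-20", "2025-04-04")` is 46, the lead-time figure the post quotes in item 5, and only the first repository survives the 72-hour filter.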
9. Tor exit relay surface in the last six hours
The DugganUSA tor_relays index ingests the public Tor consensus document hourly and tracks every relay's IP, fingerprint, country, and flags. Use search against the tor_relays index with a sort on snapshotDate descending. The output is the most recent consensus's relay set. If your stack blocks Tor-exit traffic, this is the live truth source that updates faster than most commercial Tor-blocking feeds. Filter on isExit to narrow to actual exit points. Filter on country to scope the geographies you care about.
10. Bulk lookup with natural language for the standup
Daily SOC standup wants a list of what is hot, not ten separate queries. Use NLWeb with q set to "summarize what is new in the last twenty-four hours across all threat families." The response includes the parsed intent and a small set of top hits across the corpus. Read the parsed intent first — it confirms what the engine thought you asked. Read the hits second — they are the actionable items. The whole query takes one HTTP call and gives you the meeting-opener.
How to scale this
Five hundred queries per day on the free tier covers a single SOC analyst's daily standup, a few alert-response lookups, and a daily Tor-exit refresh with room to spare. If you are running an MSSP or an automated detection pipeline, the starter tier at forty-five dollars per month raises the cap to a level where the API is not the constraint. The MCP-server path through Claude Code or Cursor does not require curl literacy at all — install dredd and jeevesus once, and your agent runs every query above on demand inside the loop you already use.
We will keep extending this list as new query shapes prove themselves in defender workflows. The current ten are the ones that have shown the strongest activation pattern in our own usage and our customers' integrations. Pick three to run tomorrow morning. Block on what comes back. Tell us what worked.