
The Block Is Free: Why the $300K Threat Intel Model Is Backwards

  • Writer: Patrick Duggan
  • Mar 10
  • 5 min read

Updated: 18 hours ago

A Palo Alto PA-220 blocks a port in 3 milliseconds. A Cisco ASA does it in 5. A free pfSense box does it in 8.


Any network admin with a CLI and a list can harden a perimeter in an afternoon. The block is the easiest part of the entire security stack. It's been solved for 20 years.


So what are enterprises paying $300K a year for?


Not the block. The list.




The List Problem



Yesterday we published research on CL-UNK-1068 — a Chinese espionage cluster that Palo Alto's Unit 42 identified. Active since 2020. Targeting aviation, energy, government, pharma, and telecom across South and Southeast Asia.


Seven C2 IPs. Six years of active espionage operations.


**Zero AbuseIPDB reports on any of them.**


The community detection model — the one that powers half the threat feeds enterprises pay six figures for — had nothing. Zero. Not low confidence. Not a few scattered reports. Zero reports across seven confirmed command-and-control servers used by a nation-state espionage group for six years.


We enriched all seven through six intelligence sources simultaneously. VirusTotal had 3-7 out of 94 engines detecting them. Shodan showed a FortiOS device in Bulgaria running on hijacked IP space. Our own index showed 49,227 hits for the hosting provider — PEG TECH INC, the same ASN linked to the Anthem breach that exposed 80 million health records.


We published 22 STIX objects within hours. 275 consumers in 46 countries had the indicators before most commercial feeds finished their editorial review cycle.


The block took milliseconds. Finding what to block took the research.




The $300K Question



Here's what the enterprise threat intelligence market actually sells:


| Vendor | Annual Cost | What You Get |
|--------|------------|--------------|
| CrowdStrike Falcon | $300K+ | Managed detection, their analysts, their list |
| Recorded Future | $100K+ | Intelligence platform, curated feeds |
| Mandiant Advantage | $100K+ | Threat intel, incident response retainer |
| Refinitiv World-Check | $200K+ | Curated adverse media scores |


Here's what they're actually charging for: **editorial judgment about what belongs on the list.**


Someone at each of those companies decides which IOCs make it into the feed. Someone reviews the research. Someone writes the report. Someone schedules the publication. By the time the indicator reaches your firewall, the attacker has had days — sometimes weeks — of operational freedom.


CL-UNK-1068 had six years.




The Architecture Is Backwards



The traditional model:





Time from discovery to block: days to weeks.


Our model:





Time from discovery to block: hours.


The difference isn't speed for speed's sake. The difference is that we removed the editorial bottleneck. We don't curate. We don't score. We don't decide what's relevant for you. We enrich, correlate, publish, and let your existing infrastructure do what it already knows how to do.


Your PA-220 doesn't need a curated feed. It needs an accurate one, fast.




What Cross-Correlation Actually Looks Like



Unit 42 published seven IPs. Good research. Accurate IOCs.


We published seven IPs plus:


- **PEG TECH INC** hosts three of them — same ASN as the Anthem breach. 49,227 hits in our index. Vidar stealer C2 running on the same /16. If you only block the three IPs, you miss the infrastructure pattern. Block the ASN and you catch the next campaign before it starts.


- **79.141.169.123** is a FortiOS device registered under a fake Bulgarian name on Spamhaus-listed hijacked IP space. Running SMB on eight ports. Nine OTX pulses. That's not an indicator — it's an infrastructure profile that tells you this entire network range is hostile.


- **43.255.189.67** hides behind "smartcoveragechoice.com" on a bulletproof hosting reseller. Seven VirusTotal detections — the highest of all seven. When PEG TECH gets too hot, the operations move here. Block the IP and you play whack-a-mole. Map the hosting provider and you play chess.


The IOC is what happened. The infrastructure map is what's about to happen.


Your firewall can block both. But only if someone tells it to.




Why It Costs $499 Instead of $300K



Because the block is free.


Your organization already owns firewalls, switches, IDS/IPS, and endpoint agents. You already have the infrastructure to act on threat intelligence in milliseconds. The hardware was the capital expense. The block is the operating expense. And it's effectively zero.


What you're paying for — what you've always been paying for — is knowing what to block. The list. The context. The infrastructure map.


Microsoft pulls this feed daily. AT&T pulls this feed daily. Starlink pulls this feed daily. Get the DugganUSA STIX feed — $9/mo →


We built a system that generates that list faster and with more context than editorial teams can produce manually:


- **11 million documents** cross-referenced on every query

- **6 enrichment sources** hit simultaneously per indicator

- **37 indexes** searched in one API call

- **STIX 2.1 feed** consumed directly by your existing TAXII-compatible tools

- **No editorial delay** — indicators publish as fast as we can enrich them
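The consumer side of the model above (a STIX 2.1 feed landing on infrastructure that already knows how to block) and the "map the hosting range, not just the IP" point from the cross-correlation section, as an added example. This is not DugganUSA's code and it does not call their API; the bundle is constructed inline with RFC 5737 documentation addresses rather than the article's indicators, the clock is pinned so the expiry check is repeatable, and the /24 grouping stands in for the ASN attribution the article describes, which would need a BGP or WHOIS source this offline example does not have. It also does what an unedited feed obliges the consumer to do: drop revoked and expired indicators, reject malformed addresses, and refuse to push anything non-routable to the perimeter.

```python
"""Added example, not DugganUSA's code: consume a STIX 2.1 indicator bundle,
validate it, and emit firewall block entries plus a per-prefix view."""
import ipaddress
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample bundle (RFC 5737 documentation addresses, not the
# indicators from the article). Only the fields this code reads are kept.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--0f0f0f0f-0000-4000-8000-000000000000",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
         "pattern_type": "stix", "valid_from": "2026-03-09T00:00:00Z",
         "pattern": "[ipv4-addr:value = '203.0.113.10']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix", "valid_from": "2026-03-09T00:00:00Z",
         "pattern": "[ipv4-addr:value = '203.0.113.44' OR ipv4-addr:value = '198.51.100.7']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix", "valid_from": "2026-03-09T00:00:00Z",
         "revoked": True, "pattern": "[ipv4-addr:value = '192.0.2.99']"},  # withdrawn
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern_type": "stix", "valid_from": "2025-12-01T00:00:00Z",
         "valid_until": "2026-01-01T00:00:00Z",  # expired before SAMPLE_NOW
         "pattern": "[ipv4-addr:value = '192.0.2.50']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000005",
         "pattern_type": "stix", "valid_from": "2026-03-09T00:00:00Z",
         "pattern": "[ipv4-addr:value = '10.0.0.5']"},  # would block your own LAN
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000006",
         "pattern_type": "stix", "valid_from": "2026-03-09T00:00:00Z",
         "pattern": "[ipv4-addr:value = '203.0.113.999']"},  # typo in the feed
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000007",
         "pattern_type": "stix", "valid_from": "2026-03-09T00:00:00Z",
         "pattern": "[domain-name:value = 'example.invalid']"},  # not an IP
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000008",
         "name": "stealer", "is_family": True},  # no pattern at all
    ],
})
SAMPLE_NOW = datetime(2026, 3, 10, tzinfo=timezone.utc)  # pinned clock

# Ranges a perimeter blocklist must never contain, whatever the feed says.
# RFC 5737 documentation nets are left off on purpose so the sample passes.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4")]
IPV4_COMPARISON = re.compile(r"ipv4-addr:value\s*=\s*'([^']*)'")


def parse_ts(value):
    """STIX timestamps end in Z; datetime.fromisoformat wants +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_active(indicator, now):
    """Honour the producer's own lifecycle signals before acting on a pattern."""
    if indicator.get("revoked"):
        return False
    until = indicator.get("valid_until")
    return until is None or parse_ts(until) > now


def extract_ipv4(pattern):
    """Every ipv4-addr equality in the pattern (handles OR-joined comparisons)."""
    return IPV4_COMPARISON.findall(pattern)


def is_routable(ip):
    return not any(ip in net for net in NON_ROUTABLE)


def build_blocklist(bundle_json, now, prefix_len=24):
    """Return routable, still-valid IPv4 indicators plus a per-prefix count.
    The prefix count is a stand-in for the hosting-range grouping the article
    argues for; real ASN attribution needs an external BGP or WHOIS source."""
    blocked, rejected = set(), []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        if not is_active(obj, now):
            rejected.append((obj["id"], "revoked-or-expired"))
            continue
        for raw in extract_ipv4(obj["pattern"]):
            try:
                ip = ipaddress.IPv4Address(raw)
            except ValueError:
                rejected.append((obj["id"], "malformed:" + raw))
                continue
            if not is_routable(ip):
                rejected.append((obj["id"], "non-routable:" + raw))
                continue
            blocked.add(ip)
    by_prefix = Counter(
        str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)) for ip in blocked)
    return {"blocked": [str(ip) for ip in sorted(blocked)],
            "by_prefix": dict(by_prefix), "rejected": rejected}


def render_edl(result):
    """One entry per line, the shape dynamic-list importers such as PAN-OS
    External Dynamic Lists consume."""
    return "\n".join(result["blocked"]) + "\n"


def demo():
    return build_blocklist(SAMPLE_BUNDLE, SAMPLE_NOW)


if __name__ == "__main__":
    r = demo()
    print(render_edl(r), end="")
    print("by prefix:", r["by_prefix"])
    print("rejected:", r["rejected"])
```

Running it yields three block entries, a prefix view showing two of them share 203.0.113.0/24, and four rejections with reasons. The rejection list is the part worth keeping: when there is no editorial layer upstream, the log of what the consumer refused to block is the only record of why a given feed entry never reached the firewall.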


| Tier | Monthly | What You Get |
|------|---------|-------------|
| Free | $0 | 50 searches/day, basic IOC lookup |
| Pro | $49 | 500 searches/day, STIX feed, full index access |
| Enterprise | $499 | Full Medusa Suite, bulk screening, NET-30 |


The $300K vendors sell you a managed service that does what your existing tools already do, plus a list they curate on their schedule. We sell you a better list, faster, for 1/50th the price. Your firewalls and switches handle the rest.




The 95% Promise



We never claim 100% on anything. O'Toole's Axiom: Murphy was an optimist.


CL-UNK-1068 had seven known C2 IPs. There are probably more. The 79.141.x range on Spamhaus DROP suggests the infrastructure extends beyond what Unit 42 documented. PEG TECH almost certainly hosts other clusters we haven't mapped yet.


We guarantee 5% bullshit exists in any dataset, any analysis, any conclusion. But here's the difference between our 95% and their 95%: ours comes with the raw documents, the enrichment data, and the infrastructure map. Theirs comes with a curated score and a suggestion to trust the vendor.


We'd rather show you the work and let you decide.




The Strategy



At this point, who cares if something is compromised? Block it.


Any person with firewalls and switches can disable compromised hosts and ports in milliseconds. The technology to act on threat intelligence has been commodity for two decades. The gap was never in the blocking — it was in the knowing.


Seven IPs. Six years. Five industries. Zero community reports. Six sources enriched. 275 consumers covered. Hours, not weeks.


The block is free. The intelligence is $499 a month. And your existing infrastructure does the rest.




*The CL-UNK-1068 hunt: [dugganusa.com/post/cl-unk-1068-the-c2-hunt-unit-42-didn-t-finish](https://www.dugganusa.com/post/cl-unk-1068-the-c2-hunt-unit-42-didn-t-finish)*


*STIX feed: [analytics.dugganusa.com/api/v1/stix-feed](https://analytics.dugganusa.com/api/v1/stix-feed)*


*API keys are instant. Payment gets you a key in hand.*





*Her name was Renee Nicole Good.*


*His name was Alex Jeffery Pretti.*


The cheapest, fastest, most accurate threat feed on the internet.

275+ enterprises pulling daily. 1M+ IOCs. 17.4M indexed documents. We beat Zscaler by 43 days on NrodeCodeRAT. Starter tier $9/mo — less than any competitor’s sales demo.
