
Twelve Mechanisms, Twelve Receipts: The DugganUSA Edge in Threat Intelligence

  • Writer: Patrick Duggan

Every threat intelligence vendor on the planet will tell you they have a moat. The receipts are almost never available. Either the vendor will not show the work because the work does not exist, or the vendor will not show the work because the work is the proprietary differentiator they are charging fifty thousand dollars a year to consume. This post does the inverse.


Twelve specific mechanisms that make DugganUSA structurally faster, cheaper, and more accurate than the commercial threat intelligence market we sit inside, each with the receipt that proves the claim. None of this is aspirational. All of it is running in production today at three hundred eighty-four dollars per thirty days of Azure compute, serving a STIX feed to two hundred seventy-five organizations in forty-six countries, including Microsoft, AT&T, and Starlink pulling our feed daily.



1. Bloom-Filter Novelty Detection Before Any Embedding Work


We hold a patent on this approach. When a query arrives, an O(k) check, where k is the number of hash probes and not the size of the corpus, determines whether the system has seen anything semantically adjacent to it before. A Bloom filter has no false negatives, so a "definitely novel" answer is exact and the query proceeds to the embedding stage. A "possibly seen" answer carries the filter's tunable false-positive rate, so what it licenses is a cheap exact lookup of the prior result rather than an unconditional skip; that lookup is where the redundant embedding work is avoided.


Other AI-powered threat intelligence vendors run similarity search on every query because they do not have this stage at all. The receipt: our live /api/v1/search/hybrid endpoint, probed this afternoon, returned a "definitely novel" determination in under a millisecond (reported as 0 ms) before the semantic stage even fired.
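As an added example (not DugganUSA's code and not the patented implementation), the mechanism described above in working form. The key the production system hashes to decide "semantically adjacent" is not stated on this page; the example assumes a normalized token-set key, so reorderings and punctuation variants of the same words hit the same key, and it sizes the filter with the standard m and k formulas:

```python
import hashlib
import math
import re
from typing import List

# Added example, not DugganUSA code. A Bloom filter used as a novelty gate in
# front of an expensive embedding stage. The key choice (sorted set of
# normalized tokens) is an assumption; the page does not say what is hashed.


def normalize_key(query: str) -> str:
    """Order-insensitive, punctuation-insensitive key for a query."""
    return " ".join(sorted(set(re.findall(r"[a-z0-9]+", query.lower()))))


class BloomFilter:
    def __init__(self, expected_items: int, fp_rate: float) -> None:
        # Standard sizing: m = -n ln p / (ln 2)^2 bits, k = (m / n) ln 2 hashes.
        self.m = max(8, math.ceil(-expected_items * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)
        self.count = 0

    def _positions(self, key: str) -> List[int]:
        # Kirsch-Mitzenmacher double hashing: k bit positions derived from two
        # 64-bit halves of one SHA-256 digest, so a lookup costs O(k) no matter
        # how many keys the filter already holds.
        digest = hashlib.sha256(key.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, key: str) -> None:
        for pos in self._positions(key):
            self.bits[pos >> 3] |= 1 << (pos & 7)
        self.count += 1

    def possibly_contains(self, key: str) -> bool:
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(key))

    def estimated_fp_rate(self) -> float:
        # (1 - e^(-kn/m))^k at the current fill level.
        return (1 - math.exp(-self.k * self.count / self.m)) ** self.k


def novelty_gate(bloom: BloomFilter, query: str) -> str:
    """Classify a query as 'definitely novel' or 'possibly seen'.

    'definitely novel' is exact: a Bloom filter has no false negatives.
    'possibly seen' carries the filter's false-positive rate, so the caller
    must confirm it with a cheap exact lookup (cache, index) before skipping
    the embedding; it is never proof that the work was already done.
    """
    key = normalize_key(query)
    if bloom.possibly_contains(key):
        return "possibly seen"
    bloom.add(key)  # remember it so the next adjacent query short-circuits
    return "definitely novel"


if __name__ == "__main__":
    bf = BloomFilter(expected_items=100_000, fp_rate=0.01)
    print(novelty_gate(bf, "voice cloning grandparent scam"))   # definitely novel
    print(novelty_gate(bf, "Grandparent scam: voice cloning!"))  # possibly seen
    print(novelty_gate(bf, "ClearFake C2 domains"))             # definitely novel
    print(f"m={bf.m} bits, k={bf.k} hashes, est. FP rate {bf.estimated_fp_rate():.1e}")
```

The filter is sized once from the expected key count; if the corpus outgrows it, `estimated_fp_rate` climbs and "possibly seen" starts firing on genuinely new queries, which is why the exact lookup behind it must stay in place.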



2. Hybrid Cross-Index Semantic Correlation


Most vendors who claim semantic search are running cosine similarity inside a single collection. We run it across forty-four indexes in one query.


The receipt: a consumer-language query for "voice cloning grandparent scam" — exactly the phrase a worried family member might type — bridged into our IOC graph and surfaced the actual adversary infrastructure operating right now at voice-api.exhortshelk.in.net, which is ClearFake command-and-control. Consumer-friendly question, adversary-grade answer, one round trip, no human in the loop.


Competitors cannot do this because they store their threat data, their blog content, their adversary profiles, and their educational material in completely different systems. We do not have that architectural wall, so we can build the bridge.
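An added example, not the project's code, of the query shape described above: one query fanned out across several named indexes, scored lexically and semantically in a single pool, fused with reciprocal rank fusion, each hit carrying the index it came from. The index names, the records and the hashed-trigram stand-in for the embedding model are assumptions made so the block runs offline; the domain in the sample IOC record is an RFC 2606 placeholder, not the ClearFake infrastructure named above.

```python
import math
import re
import zlib
from collections import defaultdict
from typing import Dict, List, Tuple

# Added example, not DugganUSA code. Cross-index hybrid search: lexical and
# semantic rankings over every index at once, fused with reciprocal rank
# fusion (RRF). The "embedding" is feature-hashed character trigrams so the
# block runs offline; a deployment would substitute a model such as bge-small.

DIM = 256   # width of the hashed trigram vector (assumption)
RRF_K = 60  # customary RRF smoothing constant


def tokens(text: str) -> List[str]:
    return re.findall(r"[a-z0-9][a-z0-9.\-]*", text.lower())


def embed(text: str) -> List[float]:
    """Unit-length vector of hashed character trigrams (stand-in for a model)."""
    vec = [0.0] * DIM
    for tok in tokens(text):
        padded = f" {tok} "
        for i in range(len(padded) - 2):
            vec[zlib.crc32(padded[i:i + 3].encode()) % DIM] += 1.0
    norm = math.sqrt(sum(v * v for v in vec)) or 1.0
    return [v / norm for v in vec]


def cosine(a: List[float], b: List[float]) -> float:
    return sum(x * y for x, y in zip(a, b))


def lexical_score(query: str, text: str) -> float:
    """Fraction of distinct query terms present in the document."""
    q, t = set(tokens(query)), set(tokens(text))
    return len(q & t) / len(q) if q else 0.0


Doc = Tuple[str, str, str]  # (index_name, doc_id, text)


class Corpus:
    """Several named indexes whose documents are queried as one pool."""

    def __init__(self, indexes: Dict[str, List[Tuple[str, str]]]) -> None:
        self.docs: List[Doc] = [(name, doc_id, text)
                                for name, docs in indexes.items()
                                for doc_id, text in docs]
        self.vectors = [embed(text) for _, _, text in self.docs]

    def ranked_ids(self, query: str, mode: str) -> List[Tuple[str, str]]:
        qv = embed(query)
        scored = []
        for (name, doc_id, text), vec in zip(self.docs, self.vectors):
            score = cosine(qv, vec) if mode == "semantic" else lexical_score(query, text)
            if score > 0.0:
                scored.append((score, name, doc_id))
        scored.sort(key=lambda s: s[0], reverse=True)
        return [(name, doc_id) for _, name, doc_id in scored]

    def hybrid_search(self, query: str, limit: int = 5) -> List[Tuple[str, str, float]]:
        """RRF: each hit scores sum(1 / (RRF_K + rank)) over the rankings it appears in."""
        fused: Dict[Tuple[str, str], float] = defaultdict(float)
        for mode in ("lexical", "semantic"):
            for rank, key in enumerate(self.ranked_ids(query, mode), start=1):
                fused[key] += 1.0 / (RRF_K + rank)
        ranked = sorted(fused.items(), key=lambda kv: kv[1], reverse=True)
        return [(name, doc_id, round(score, 5)) for (name, doc_id), score in ranked[:limit]]


# Constructed records; the domain is an RFC 2606 placeholder, not a real IOC.
SAMPLE_INDEXES = {
    "blog": [("blog-1", "How voice cloning powers the grandparent scam: a family guide")],
    "ioc": [("ioc-1", "domain voice-api.c2.invalid tagged clearfake c2 voice cloning lure"),
            ("ioc-2", "ipv4 203.0.113.7 tagged cobalt strike beacon")],
    "adversary": [("adv-1", "ClearFake: fake browser update lures leading to infostealer delivery")],
    "education": [("edu-1", "Family safety: how to verify a call from a relative asking for money")],
}


if __name__ == "__main__":
    corpus = Corpus(SAMPLE_INDEXES)
    for hit in corpus.hybrid_search("voice cloning grandparent scam"):
        print(hit)
```

The point of ranking across the pool rather than per index is that a document in the `ioc` index competes directly with blog and education material for the same consumer-language query; fusing per-index rankings instead would hand every index's top hit the same RRF score regardless of relevance.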



3. Velocity to Target, With Timestamped Public Receipts


Pattern 38-and-up supply-chain attacks were documented in our blog forty-three days before Zscaler rebranded the same campaign for their customers. The CL-STA-1087 set of nine Chinese-military C2 IPs from Unit 42 was indexed in our system the same day Unit 42 published. The Foxconn-Nitrogen breach post shipped May 1, the same day as the disclosure. The Apothecary / ClearFake distribution rebuild was caught left-of-boom on May 1 by the hunt queries we run every six hours.


Most threat intelligence vendors cannot even tell you their detection latency because they do not measure it. We measure it and we publish it.



4. Zero Rent Paid to AI Vendors for Inference


As of May 13, 2026, our semantic embedder is HuggingFace BAAI/bge-small-en-v1.5, a thirty-three-million-parameter model running locally on ONNX runtime. It fits on a container's disk, runs on commodity CPU, and the per-query embedding cost is zero.


Most vendors advertising "AI-powered threat intelligence" are renting inference from OpenAI, Anthropic, or Google and passing the cost to customers, either through pricing or through margin compression. We are not.


Annualized embedding rent we do not pay: approximately three hundred ten dollars per year and scaling linearly with query volume. The asymmetry widens as the platform grows.



5. Absolute Cost Asymmetry


Three hundred eighty-four dollars per thirty days of Azure compute supports a twenty-four-and-a-half-million-document indexed corpus, hybrid semantic and lexical query, persistent enrichment cache across seven OSINT providers, and a STIX feed serving two hundred seventy-five external consumers.


Recorded Future charges enterprises fifty thousand to two hundred thousand dollars per year for a worse, slower, less-current feed. Annualized, our compute is roughly four thousand seven hundred dollars, so on a like-for-like yearly basis the cost ratio is somewhere between ten and forty times in our favor depending on which enterprise tier you compare against; measured against a single month of our compute, it is one hundred thirty to five hundred twenty times.


They cannot match the price because their cost structure is human analysts plus enterprise procurement plus sales engineering. We replaced the humans with cron jobs.



6. Pipelines That Turn Garbage Inputs Into Queryable Structure


This is the unglamorous moat. PURSUE Vault file recycling. Mislabeled Department of Justice document sets. Scraped court records OCR-cleaned into four hundred thousand seven hundred fifty indexed Epstein documents. Tor consensus parsing every hour to surface operator clusters across eight hundred forty thousand relay snapshots. The International Consortium of Investigative Journalists offshore-leaks relationship graph at three point three million edges, normalized into queryable form.


Most threat intelligence vendors only ingest clean STIX bundles or clean CSV feeds because their classifiers cannot handle anything else. We ingest whatever the world hands us, in whatever shape it arrives, and turn it into structure. The moat is in the unpolished-input handler.



7. Receipts-Over-Vibes Editorial Standard


Every claim DugganUSA makes has a verifiable artifact. We publish our misses alongside our hits.


The Tor consensus cron has regressed four times in two months; each regression is documented in a commit, each fix is named, each subsequent regression is acknowledged. The DALL-E 3 deprecation caught our blog publishing pipeline the day after OpenAI removed the model; we wrote the recovery into the same week's commits and saved the memory file so the next session would not repeat the mistake.


CrowdStrike, Mandiant, and Recorded Future bury their misses in audit committee meetings. We publish ours on the front page. This is methodology, not modesty. Vendors who cannot show their misses cannot be trusted to disclose their actual detection coverage.



8. Distribution Density Without Auth Gates


STIX 2.1 over TAXII 2.1, Splunk-compatible STIX, Microsoft Sentinel format, and four public CSV blocklists: no authentication, no email-gated download, no sales call required.


Anyone with curl can consume our feed. Two hundred seventy-five organizations in forty-six countries do consume our feed. The Fortune 500 names you would expect are pulling daily.


The distribution itself is the moat because it builds network effects we do not pay for. Most threat intelligence vendors gate their feed behind a sales conversation and a procurement cycle. We do not, because every consumer who pulls our feed is a free testimonial we can cite in the next sales conversation.
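An added example of consuming such a feed, not DugganUSA's code and not the live bundle: parse a STIX 2.1 bundle and turn its indicator patterns into a CSV blocklist, honouring `revoked` and `valid_until`, validating addresses, and refusing to guess at patterns it cannot convert. The bundle, identifiers and values are constructed placeholders.

```python
import csv
import io
import ipaddress
import json
import re
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Added example, not DugganUSA code and not the live feed. The bundle below is
# constructed in STIX 2.1 layout; its values are RFC 2606 / RFC 5737
# placeholders and the SHA-256 of the empty file, not real IOCs. Only patterns
# that are one comparison [type:path = 'value'], or several joined by OR, are
# converted; anything else is reported rather than guessed at.


def _indicator(n: int, pattern: str, **extra) -> dict:
    obj = {"type": "indicator", "spec_version": "2.1",
           "id": f"indicator--4c9e1f2a-0000-4000-8000-0000000000{n:02d}",
           "created": "2026-05-13T00:00:00.000Z", "modified": "2026-05-13T00:00:00.000Z",
           "name": f"constructed indicator {n}", "pattern_type": "stix", "pattern": pattern,
           "valid_from": "2026-05-13T00:00:00Z", "labels": ["malicious-activity"]}
    obj.update(extra)
    return obj


SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--4c9e1f2a-0000-4000-8000-00000000ffff", "objects": [
    _indicator(1, "[domain-name:value = 'Voice-API.c2.invalid']"),
    _indicator(2, "[ipv4-addr:value = '203.0.113.7'] OR [ipv4-addr:value = '198.51.100.9']"),
    _indicator(3, "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"),
    _indicator(4, "[network-traffic:dst_port = 4444 AND network-traffic:protocols[*] = 'tcp']"),
    _indicator(5, "[domain-name:value = 'old.c2.invalid']", revoked=True),
    _indicator(6, "[domain-name:value = 'expired.c2.invalid']", valid_until="2020-01-01T00:00:00Z"),
    {"type": "identity", "spec_version": "2.1", "id": "identity--4c9e1f2a-0000-4000-8000-00000000aaaa",
     "created": "2026-05-13T00:00:00.000Z", "modified": "2026-05-13T00:00:00.000Z",
     "name": "constructed producer", "identity_class": "organization"},
]})

# One STIX comparison expression: [object-type:path = 'value']
COMPARISON = re.compile(r"\[\s*([a-z0-9\-]+:[A-Za-z0-9_.\-'\[\]\*]+?)\s*=\s*'([^']*)'\s*\]")
# Object paths this blocklist understands, mapped to an output type.
KINDS = {"domain-name:value": "domain", "ipv4-addr:value": "ipv4", "ipv6-addr:value": "ipv6",
         "url:value": "url", "file:hashes.'SHA-256'": "sha256", "file:hashes.'MD5'": "md5"}


def parse_simple_pattern(pattern: str) -> Optional[List[Tuple[str, str]]]:
    """[(path, value), ...] for 'A OR B OR ...' of comparisons; None for anything else."""
    comps = COMPARISON.findall(pattern)
    residue = re.sub(r"\bOR\b|\s+", "", COMPARISON.sub("", pattern))
    return comps if comps and not residue else None


def _skip_reason(obj: dict, now: datetime) -> Optional[str]:
    until = obj.get("valid_until")
    if obj.get("revoked"):
        return "revoked"
    if until and datetime.fromisoformat(until.replace("Z", "+00:00")) <= now:
        return "past valid_until"
    if obj.get("pattern_type", "stix") != "stix":
        return f"pattern_type {obj['pattern_type']}"
    return None


def _valid_value(kind: str, value: str) -> bool:
    if kind not in ("ipv4", "ipv6"):
        return True
    try:
        return ipaddress.ip_address(value).version == int(kind[-1])
    except ValueError:
        return False


def bundle_to_blocklist(bundle_json: str, now: Optional[datetime] = None):
    """Return (rows, skipped): blocklist rows plus (indicator id, reason) for rejects."""
    now = now or datetime.now(timezone.utc)
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    rows, skipped = [], []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue  # identities, relationships etc. are not blocklist material
        reason = _skip_reason(obj, now)
        comps = None if reason else parse_simple_pattern(obj.get("pattern", ""))
        if reason is None and comps is None:
            reason = "pattern not a simple OR of comparisons"
        if reason:
            skipped.append((obj["id"], reason))
            continue
        for path, value in comps:
            kind = KINDS.get(path)
            if kind is None or not _valid_value(kind, value):
                skipped.append((obj["id"], f"unsupported or malformed {path} {value}"))
                continue
            if kind != "url":
                value = value.lower()  # domains and hashes compare case-insensitively
            rows.append({"type": kind, "value": value, "indicator": obj["id"],
                         "valid_from": obj.get("valid_from", "")})
    return rows, skipped


def to_csv(rows: List[dict]) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["type", "value", "indicator", "valid_from"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    rows, skipped = bundle_to_blocklist(SAMPLE_BUNDLE)
    print(to_csv(rows))
    for ind_id, reason in skipped:
        print("skipped", ind_id, reason)
```

The AND pattern is deliberately rejected: a conjunction of two observables does not decompose into independent blocklist entries, and silently splitting it would block port 4444 traffic everywhere. The `skipped` list is what you would feed back to the feed producer.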



9. Persistent Enrichment Cache That Survives Container Restarts


Deployed May 13, 2026. Hit-rate telemetry is exposed publicly at our /api/v1/threat-intel/cache-stats endpoint, so customers can see what fraction of incoming IP enrichment queries is served from cache versus sent on to the upstream providers.


The competitive analog is paying for premium-tier API plans on every OSINT provider and maintaining enrichment state with custom infrastructure. We accomplished the same operational outcome with a Meilisearch index and a TTL. Capability parity at a fraction of the operational complexity.
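An added example, not DugganUSA's code: the contract of a persistent enrichment cache with a TTL and hit-rate telemetry, using SQLite on a durable path in place of a Meilisearch index so it runs offline. Provider names, their responses and the shape of the cache-stats payload are assumptions. It also shows the failure mode the next section relies on, one provider failing while the others still answer:

```python
import json
import os
import sqlite3
import tempfile
import time
from typing import Callable, Dict, Optional

# Added example, not DugganUSA code. Their cache is a Meilisearch index with a
# TTL; this stand-in keeps the same contract with SQLite on a durable path so
# three properties can be checked offline: entries survive a process restart,
# entries expire by TTL, and hit/miss/stale counters feed a cache-stats
# endpoint. Provider names and their responses below are constructed.


class EnrichmentCache:
    def __init__(self, path: str, ttl_seconds: int,
                 clock: Callable[[], float] = time.time) -> None:
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so TTL expiry can be simulated
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS enrich (provider TEXT, key TEXT, "
                        "fetched_at REAL, payload TEXT, PRIMARY KEY (provider, key))")
        self.db.commit()
        self.hits = self.misses = self.stale = 0

    def get(self, provider: str, key: str) -> Optional[dict]:
        row = self.db.execute("SELECT fetched_at, payload FROM enrich "
                              "WHERE provider = ? AND key = ?", (provider, key)).fetchone()
        if row is None:
            self.misses += 1
            return None
        fetched_at, payload = row
        if self.clock() - fetched_at > self.ttl:
            self.stale += 1  # expired: evict and treat as a miss
            self.db.execute("DELETE FROM enrich WHERE provider = ? AND key = ?", (provider, key))
            self.db.commit()
            return None
        self.hits += 1
        return json.loads(payload)

    def put(self, provider: str, key: str, value: dict) -> None:
        self.db.execute("INSERT OR REPLACE INTO enrich VALUES (?, ?, ?, ?)",
                        (provider, key, self.clock(), json.dumps(value)))
        self.db.commit()

    def stats(self) -> dict:
        """The shape a cache-stats endpoint would return (assumed, not the live schema)."""
        lookups = self.hits + self.misses + self.stale
        entries = self.db.execute("SELECT COUNT(*) FROM enrich").fetchone()[0]
        return {"hits": self.hits, "misses": self.misses, "stale": self.stale,
                "hit_rate": round(self.hits / lookups, 4) if lookups else 0.0,
                "entries": entries, "ttl_seconds": self.ttl}

    def close(self) -> None:
        self.db.close()


def enrich_ip(cache: EnrichmentCache, providers: Dict[str, Callable[[str], dict]], ip: str) -> dict:
    """Fan out to every provider, serving from cache where possible.
    A failing provider lands in 'errors' and is never cached; the rest still answer."""
    result: dict = {"ip": ip, "sources": {}, "errors": []}
    for name, fetch in providers.items():
        data = cache.get(name, ip)
        if data is None:
            try:
                data = fetch(ip)
            except Exception as exc:
                result["errors"].append(f"{name}: {exc}")
                continue
            cache.put(name, ip, data)
        result["sources"][name] = data
    return result


def fresh_db_path() -> str:
    """A throwaway on-disk path; reopening it stands in for a container restart."""
    return os.path.join(tempfile.mkdtemp(), "enrich.db")


# Constructed stand-in providers. AS64496 is reserved for documentation.
UPSTREAM_CALLS = {"geo": 0, "reputation": 0}


def geo_provider(ip: str) -> dict:
    UPSTREAM_CALLS["geo"] += 1
    return {"asn": 64496, "country": "ZZ"}


def reputation_provider(ip: str) -> dict:
    UPSTREAM_CALLS["reputation"] += 1
    return {"score": 80, "tags": ["scanner"]}


def broken_provider(ip: str) -> dict:
    raise ConnectionError("upstream returned 503")


PROVIDERS = {"geo": geo_provider, "reputation": reputation_provider, "down": broken_provider}


if __name__ == "__main__":
    path, now = fresh_db_path(), [1_700_000_000.0]
    cache = EnrichmentCache(path, ttl_seconds=3600, clock=lambda: now[0])
    print(enrich_ip(cache, PROVIDERS, "203.0.113.7"))  # three misses, one error
    print(enrich_ip(cache, PROVIDERS, "203.0.113.7"))  # geo and reputation from cache
    print(cache.stats())
    cache.close()
    again = EnrichmentCache(path, ttl_seconds=3600, clock=lambda: now[0])  # "restart"
    print(sorted(enrich_ip(again, PROVIDERS, "203.0.113.7")["sources"]))  # still cached
    now[0] += 3601  # step past the TTL: both entries go stale and are refetched
    enrich_ip(again, PROVIDERS, "203.0.113.7")
    print(again.stats(), UPSTREAM_CALLS)
```

Two details matter operationally: an upstream error is never written to the cache, so a provider outage does not poison entries for the whole TTL, and the stale counter is reported separately from misses, so a hit rate that drops after a deploy can be told apart from a TTL that is simply too short.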



10. Structural Inability to Be Cut Off by Any Single Counterparty


We have seven OSINT enrichment sources; lose any one and the others fill the gap. We have two hundred seventy-five STIX consumers; no single customer represents more than approximately five percent of pull volume. We have twenty-seven paying customers across three tiers; no individual contract is load-bearing on the business. We hold thirty-five patents with seventeen-plus ready to file; no single patent dependency could compromise the IP position. We have not raised institutional venture capital and we do not intend to; no investor can force a pivot.


The structural posture is "bound to platform, practice, partnership, receipts; bound to no single vendor, customer, funder, or feed." Competitors who depend on any one of those linkages can be pressured at the chokepoint. We cannot.



11. Naming the Dominant Adversary Pattern of 2026 First


The soft-surface-bleed pattern — four out of five OpenAI security incidents in six months were third-party, supply-chain, vendor-runtime, or metadata-layer compromises rather than direct attacks — is documented in our archive. As of today, with the TanStack supply-chain breach hitting OpenAI employee devices, the ratio is five out of five.


The broader industry's defender mental model is still perimeter-first. Our archive shows the perimeter has been losing for at least eighteen months. The vendors who will eventually pivot to supply-chain-first defense are the ones who read posts like this and quietly update their roadmaps. The customers who want to be defended against the pattern that is actually winning should be on our feed, not theirs.



12. The Three-Buckets Architecture


Every product DugganUSA ships — Aegis, AIPM, MCP audit, ScamLab-adjacent education, the STIX feed, the customer welcome system, the customer dashboards — is a recombination of three production substrates: detection, reasoning, and distribution. New products are connector code, not new backends.


Competitors build a per-product engineering stack with a per-product database with a per-product API surface with a per-product sales team. We do not. The same twenty-four-and-a-half-million-document corpus serves every product. The same hybrid query pipeline serves every customer. The same STIX endpoint feeds every external consumer.


The taco-bell architecture is not a joke. It is the reason a two-person shop can ship eight products in twelve months and the reason the marginal cost of the ninth product is approximately zero.



The Receipts Are Public


Twelve mechanisms. Twelve receipts. Every claim in this post is verifiable against a public endpoint, a commit timestamp, an indexed document count, or a published blog post in our archive. If a competing threat intelligence vendor disputes any of them, the operational answer is "show your equivalent receipt."


The DugganUSA position is not that we are smarter than the incumbents. The position is that we built a different shape of stack than the incumbents, the shape happens to be faster and cheaper and more legible, and the receipts are public. That is the asymmetry. The asymmetry is also the invitation.


If you are a security operator reading this, the STIX feed is at analytics.dugganusa.com/api/v1/stix-feed and the registration is thirty seconds. If you are a competitor, the receipts are right where I left them.





