We Are 100 Days Left of Boom. Here Is the Proof.
- Patrick Duggan
We have been saying we catch things early. Today we ran the actual measurement.
We pulled a random cross-section of IPs and domains from our IOC corpus — indicators flagged by our own detection pipeline, not ingested from external feeds. We then checked which of those indicators later appeared in ThreatFox, one of the largest community threat intelligence feeds in the world. We found 51 overlapping indicators. In every single case — 51 out of 51 — we had indexed the indicator first.
The median lead time was 104 days. The average was 107 days. The maximum was 134 days.
What the Numbers Actually Mean
Thirteen of the overlapping indicators were IP addresses. All thirteen: we were first. Average lead 117 days, median 116 days. Every IP by more than 90 days.
Thirty-eight were domains. All thirty-eight: we were first. Average lead 104 days, median 104 days. Thirty-seven of the thirty-eight by more than 90 days.
This is not a cherry-picked sample. This is a random cross-section of our corpus against a random cross-section of theirs. The overlap is small relative to both corpora, which is itself informative — we are indexing infrastructure that the mainstream community has not seen yet. When the same infrastructure eventually appears in ThreatFox, it shows up 100 days later.
Why This Happens Structurally
ThreatFox works the way most threat intelligence feeds work. An analyst sees a malware sample. They submit it. The infrastructure the malware calls home gets extracted and logged. The timestamp on the ThreatFox entry is the timestamp of the malware submission — which means it is the timestamp of a victim.
Our pipeline works differently. Our PreCog sweeps run hourly against behavioral signals: certificate patterns, DNS registration anomalies, novel C2 architectures, GitHub-hosted infrastructure, supply chain injection signatures. We are observing infrastructure in the build phase, before campaigns launch. By the time an adversary uses a domain we have already indexed, they have been in our corpus for months.
The Megalodon receipt from last month makes this concrete. Our IOC index carried the command-and-control endpoint for the Megalodon campaign — which poisoned 5,561 GitHub repositories in six hours — 49 days before the attack occurred. ThreatFox picked up that same infrastructure roughly 90 days after our initial indexing. Forty-nine days before the attack is a defender opportunity. Ninety days after our indexing is the victim timeline.
The ClearFake/ClickFix infrastructure cluster tells the same story at scale. Domains like cdn-server.click, img-cdn-cloud.cfd, winupdate.cfd, and dev-js-cdn.cfd — fake CDN, fake Cloudflare, fake Windows update infrastructure — appeared in our corpus on February 15, 2026. ThreatFox indexed the same cluster on May 30, 2026. One hundred and four days. The operators had three months of undetected runway between our detection and the point at which their infrastructure became broadly known.
The Documented Receipts
The cross-corpus measurement is the structural proof. The documented receipts are the specific instances.
Zscaler published their NodeCordRAT supply chain analysis on January 7, 2026. We published the identical pattern — same TTPs, same payload family, same delivery mechanism — on November 25, 2025. Forty-three days before them.
Unit 42 published on a campaign we had covered 60 days earlier, documented in our February 2026 Receipts post.
We had EtherHiding IOCs and detection guidance six weeks before mainstream coverage.
We flagged the Medtronic exposure 34 days before ShinyHunters posted the claim on the dark web forum.
We published a step-by-step blocking guide for Cisco FMC CVE-2026-20131 six weeks before Cisco formally disclosed the zero-day.
The day after we published our Interlock ransomware piece, Amazon Threat Intelligence confirmed the same attribution we had documented. One day. That is the compression end of the range. The expansion end is 134 days.
What We Run On
The corpus behind these numbers is 1.45 million indicators. Sixty-six percent of those — 953,000 indicators — originated from our own detection pipeline: PreCog sweeps, Oz behavioral decisions, exploit harvester, GitHub threat hunt, edge honeypot telemetry. Thirty percent came from external feeds like URLhaus, ThreatFox, OpenPhish, and Spamhaus, which provide the baseline coverage we enrich against. The rest is hybrid enrichment.
The compute cost for all of this: $384 per month on Azure. The STIX feed we produce from it serves 275 organizations in 46 countries daily, including Microsoft, AT&T, and Starlink.
The Caveat
The sample is 51 indicators. That is statistically meaningful directionally but not definitive. We are not claiming that we are 104 days ahead of the entire threat intelligence industry on every indicator we index. We are claiming that when our pipeline flags something and that same thing later surfaces in a major threat feed, the distribution of lead times centers around 100 days and has never, in our measured sample, been negative.
The structural reason that distribution should hold: PreCog observes the infrastructure lifecycle from the beginning. Victim-reported feeds observe it from the end. Those two observation windows are not the same window, and the gap between them is not luck.
Methodology: random sample of OTX-sourced indicators (type: ip and type: domain) from the DugganUSA iocs index, cross-referenced against ThreatFox sample from the same index (2,000 IPs, 5,000 domains). 51 overlapping indicators identified. Delta calculated as ThreatFox first-seen minus DugganUSA first-seen. Full corpus stats available at analytics.dugganusa.com/api/v1/search/stats.
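The lead-time computation described in the methodology, as an added example that is not the post's own code: join two first-seen indices on a normalised indicator key, take ThreatFox first-seen minus ours in days, and report median, mean, max, the count over 90 days and the count of negative deltas (the case the post says never occurred). The four ClearFake domains and their dates are the ones quoted above; the IP, the non-overlapping entries and the negative case are constructed.

```python
from datetime import date
from statistics import mean, median

# Constructed sample. The four ClearFake domains/dates are the post's; the IP (TEST-NET-2),
# the non-overlapping entries and the negative case are made up for the example.
OUR_INDEX = {
    "cdn-server.click": ("domain", date(2026, 2, 15)),
    "img-cdn-cloud.cfd": ("domain", date(2026, 2, 15)),
    "winupdate.cfd": ("domain", date(2026, 2, 15)),
    "dev-js-cdn.cfd": ("domain", date(2026, 2, 15)),
    "198.51.100.23": ("ip", date(2026, 1, 10)),
    "only-ours.invalid": ("domain", date(2026, 3, 1)),   # no overlap, must be skipped
    "late-flag.invalid": ("domain", date(2026, 4, 1)),   # they saw it first (negative delta)
}
THREATFOX_SAMPLE = {
    "cdn-server.click": ("domain", date(2026, 5, 30)),
    "img-cdn-cloud.cfd": ("domain", date(2026, 5, 30)),
    "WinUpdate.cfd.": ("domain", date(2026, 5, 30)),     # case + trailing dot exercise normalize()
    "dev-js-cdn.cfd": ("domain", date(2026, 5, 30)),
    "198.51.100.23": ("ip", date(2026, 5, 6)),
    "late-flag.invalid": ("domain", date(2026, 3, 20)),
    "only-theirs.invalid": ("domain", date(2026, 5, 1)),
}

def normalize(indicator: str) -> str:
    """Join key: trim, lowercase, drop a trailing dot on FQDNs."""
    return indicator.strip().lower().rstrip(".")

def lead_times(ours: dict, theirs: dict) -> dict:
    """Overlap only: indicator -> (type, delta_days), delta = their first-seen minus ours."""
    theirs_by_key = {normalize(k): v for k, v in theirs.items()}
    result = {}
    for ind, (typ, our_seen) in ours.items():
        hit = theirs_by_key.get(normalize(ind))
        if hit is not None:
            result[ind] = (typ, (hit[1] - our_seen).days)
    return result

def summarize(deltas: dict, threshold: int = 90) -> dict:
    """Median/mean/max/min lead, how many beat the threshold, how many are negative."""
    vals = [d for _, d in deltas.values()]
    if not vals:
        return {"count": 0}
    return {"count": len(vals), "median": median(vals), "mean": mean(vals),
            "max": max(vals), "min": min(vals),
            "over_threshold": sum(v > threshold for v in vals),
            "negative": sum(v < 0 for v in vals)}  # any negative means we were not first

def summarize_by_type(deltas: dict, threshold: int = 90) -> dict:
    """Per-type breakdown (ip vs domain), the way the post reports its numbers."""
    return {t: summarize({k: v for k, v in deltas.items() if v[0] == t}, threshold)
            for t in sorted({typ for typ, _ in deltas.values()})}
```

On the constructed sample the overall median is 104 days but the constructed negative entry shows up in the `negative` count, which is the check to run before claiming a clean sweep.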