
We Just Shipped 12 Integrations and a Tor Attribution Framework. On a Monday.

  • Writer: Patrick Duggan
  • 22 hours ago
  • 3 min read

Six months ago DugganUSA was a guy with a STIX feed and a blog. Today we shipped the Tor Infrastructure Attribution Framework, updated 12 integration repositories, and found a 50-relay operator cluster sharing infrastructure with Interlock ransomware. On a Monday. Before lunch.


Here is every way you can consume our threat intelligence right now.


VS Code Extension (v0.3.0 — live on the Marketplace). Select any IP, domain, hash, CVE, or .onion address in your code. Right-click. "DugganUSA: Look Up Selected Text." One click, 1,089,889 indicators checked. New in this release: "Check Tor Relay" tells you if that IP is running a Tor relay, what flags it has, what country, what ASN, and how much bandwidth. Your code review just became a threat review.


Chrome Extension. Every webpage becomes an IOC scanner. The content script highlights indicators on the page. Right-click any IP for Tor relay verification. Read a CrowdStrike advisory and get our enrichment on their IOCs without opening another tab.


CLI Tool. Pipe-friendly, zero dependencies. "npx dugganusa-lookup 185.39.19.176" from any terminal. New: "--tor-check" to verify relay status, "--tor-hunt" to see suspicious relays, "--tor-stats" for the network overview. Works in CI/CD pipelines, shell scripts, and Makefile targets.


GitHub Action. Add three lines to your workflow YAML and every pull request gets scanned for IOCs. Committed an IP that matches our index? The PR fails. Committed a .onion address? Flagged. The cheapest security gate you will ever install.


Slack Bot. Paste "/dugganusa 185.39.19.176" in any channel. Instant enrichment. "/dugganusa tor hunt" shows the most suspicious relays on the network right now. "/dugganusa scan" followed by a paste extracts and checks every IOC in the text. Enterprise viral — one person installs it, the whole team uses it.


Splunk Technology Add-on. Modular input pulls the STIX feed into your Splunk deployment. New "dugganusa:tor:relays" sourcetype indexes the full Tor relay consensus with CIM field mappings. Cross-reference your firewall logs against 10,269 relays and 1,089,889 IOCs.


Microsoft Sentinel Connector. ARM template deploys in one click. TAXII 2.1 discovery endpoint (we fixed that this weekend — it was 404ing). New KQL hunting query matches your CommonSecurityLog against Tor exit relay IPs. Find out who in your environment is talking to the Tor network.


Elastic Integration. Filebeat pulls the STIX feed and Tor relay data. Logstash config for custom pipelines. Kibana dashboard NDJSON for instant visualizations. Tor relay data updates daily with country and ASN breakdowns.


Obsidian Plugin. OSINT researchers building investigation vaults can right-click any IP and get threat enrichment injected as a callout block. New "Check if IP is a Tor relay" command. Someone already cited us from their published Obsidian vault — publish.obsidian.md is sending us referral traffic.


Neovim Plugin. Because the terminal crowd deserves threat intel too. ":DugganUSA" looks up the word under cursor. ":DugganUSATor" checks if it is a relay. Leader-dt keymap for speed. Results in a notification, not a new buffer — your flow stays unbroken.


Raycast Extension. macOS power users get "Tor Relay Check" and "Tor Relay Hunt" as Raycast commands. Two keystrokes to check an IP. One keystroke to see what is suspicious on the Tor network right now.


Scanner Core (npm). The shared engine all integrations depend on. extractIOCs, lookupIOC, lookupRelay, huntTorRelays, checkTorRelay, formatRelay. Import it into your own tools. Build on our patterns. .onion addresses are now a first-class IOC type alongside IPv4, domains, SHA256, and CVE.
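As an added illustration of what an extractIOCs with .onion as a first-class type looks like (example code written for this post, not the scanner-core package's own implementation; the regexes, the refanging of "[.]" and "hxxp://", and the sample advisory text are all assumptions made here):

```javascript
// Added example, not the dugganusa scanner-core package: an extractIOCs that
// treats .onion addresses as a first-class type next to IPv4, domains, SHA256
// and CVE ids. Refanging rules are an assumption; the sample text is constructed.
const PATTERNS = {
  sha256: /\b[a-f0-9]{64}\b/gi,
  cve: /\bCVE-\d{4}-\d{4,}\b/gi,
  // v3 onion services are 56 base32 chars; 16-char v2 names kept for old reports
  onion: /\b(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion\b/gi,
  ipv4: /\b(?:\d{1,3}\.){3}\d{1,3}\b/g,
  domain: /\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b/gi,
};

// Undo common defanging so that "185[.]39[.]19[.]176" is matched as an IP.
function refang(text) {
  return text
    .replace(/\[\.\]|\(\.\)|\{\.\}/g, '.')
    .replace(/\bhxxp(s?):\/\//gi, 'http$1://');
}

// The IPv4 regex admits 999.1.1.1; reject octets above 255 and leading zeros.
function validIPv4(ip) {
  return ip.split('.').every(o => Number(o) <= 255 && String(Number(o)) === o);
}

function extractIOCs(rawText) {
  const text = refang(rawText);
  const found = { ipv4: [], domain: [], sha256: [], cve: [], onion: [] };
  const seen = new Set();
  const add = (type, value) => {
    if (!seen.has(type + ':' + value)) { seen.add(type + ':' + value); found[type].push(value); }
  };
  for (const m of text.match(PATTERNS.sha256) || []) add('sha256', m.toLowerCase());
  for (const m of text.match(PATTERNS.cve) || []) add('cve', m.toUpperCase());
  for (const m of text.match(PATTERNS.onion) || []) add('onion', m.toLowerCase());
  for (const m of text.match(PATTERNS.ipv4) || []) if (validIPv4(m)) add('ipv4', m);
  for (const m of text.match(PATTERNS.domain) || []) {
    // .onion names were already reported above; do not list them again as domains
    if (!m.toLowerCase().endsWith('.onion')) add('domain', m.toLowerCase());
  }
  return found;
}

// Constructed advisory snippet (placeholder CVE, example domain, empty-file hash).
const SAMPLE = `C2 at 185[.]39[.]19[.]176, dropper from hxxp://evil-update.example/p.
sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
leak site ${'a'.repeat(56)}.onion exploiting CVE-2099-12345; noise: 999.1.1.1`;

console.log(JSON.stringify(extractIOCs(SAMPLE), null, 2));
```

The returned object is the shape a lookup step would fan out over, one query per IOC type, with the malformed 999.1.1.1 already dropped.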


185 unique people cloned these repositories in the last two weeks. 66 cloned the VS Code extension alone. 13 cloned the Sentinel connector. Nobody asked permission. Nobody signed a contract. They just pulled the code and wired it into their environments.


That is how threat intelligence should work. Not behind a paywall with a 60-day evaluation and a sales call. In your editor. In your terminal. In your Slack channel. In your SIEM. Where you already are.


The Tor Infrastructure Attribution Framework indexes the full relay consensus daily. 10,269 relays across 77 countries from 9 directory authorities. We cross-reference every relay IP against our IOC database. We cluster operators by ASN, bandwidth, and deployment timing. We detect mass deployment and mass abandonment. We found the Quetzalcoatl cluster — 50 exit relays on 1337 Services GmbH sharing an ASN with Interlock ransomware C2 — on day one. Not because we are smarter than everyone else. Because we built the plumbing and let the data talk.
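The clustering and mass-deployment/mass-abandonment detection described above, as an added example written for this post rather than DugganUSA's own framework code; it assumes Onionoo-style field names (as, flags, first_seen, last_seen) and runs over constructed relay records, not the real consensus:

```javascript
// Added example, not DugganUSA's framework: group Tor relays by ASN and flag
// bursts of first_seen (mass deployment) or last_seen (mass abandonment) in a
// time window. Onionoo-style field names are an assumption; relays are constructed.
const DAY_MS = 86_400_000;

// Largest subset of `relays` whose `field` timestamps fall inside windowDays
// (sliding window over the sorted timestamps).
function largestBurst(relays, field, windowDays) {
  const times = relays.map(r => Date.parse(r[field])).sort((a, b) => a - b);
  let best = { count: 0, start: null };
  for (let i = 0, j = 0; i < times.length; i++) {
    while (times[i] - times[j] > windowDays * DAY_MS) j++;
    if (i - j + 1 > best.count) {
      best = { count: i - j + 1, start: new Date(times[j]).toISOString().slice(0, 10) };
    }
  }
  return best;
}

// ASNs where at least minRelays relays share a burst, largest burst first.
function findBursts(relays, { field = 'first_seen', windowDays = 3, minRelays = 5 } = {}) {
  const byAsn = new Map();
  for (const r of relays) byAsn.set(r.as, [...(byAsn.get(r.as) || []), r]);
  const hits = [];
  for (const [asn, group] of byAsn) {
    const b = largestBurst(group, field, windowDays);
    if (b.count < minRelays) continue;
    hits.push({
      asn, relays: b.count, window_start: b.start,
      exits: group.filter(r => r.flags.includes('Exit')).length,
    });
  }
  return hits.sort((a, b) => b.relays - a.relays);
}

// Constructed consensus slice: six exits on AS64500 (a private-use ASN) appear
// over two days and vanish on the same day; two long-lived relays sit on AS64501.
const RELAYS = [
  ...Array.from({ length: 6 }, (_, i) => ({
    fingerprint: `CONSTRUCTED-${i}`, as: 'AS64500', flags: ['Running', 'Exit'],
    first_seen: `2025-03-0${1 + (i % 2)}T12:00:00Z`, last_seen: '2025-03-20T00:00:00Z',
  })),
  { fingerprint: 'OLD-1', as: 'AS64501', flags: ['Running', 'Guard'],
    first_seen: '2021-06-01T00:00:00Z', last_seen: '2025-04-01T00:00:00Z' },
  { fingerprint: 'OLD-2', as: 'AS64501', flags: ['Running'],
    first_seen: '2023-01-15T00:00:00Z', last_seen: '2025-04-01T00:00:00Z' },
];

// Deployment bursts with defaults; abandonment bursts by switching the field.
console.log(findBursts(RELAYS), findBursts(RELAYS, { field: 'last_seen', windowDays: 1 }));
```

A flagged ASN is only a lead: the next step in the post's pipeline is cross-referencing that ASN and its relay IPs against the IOC index before calling it a cluster.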


18.6 million documents. 46 indexes. 1,089,889 IOCs. 10,269 Tor relays. 1,748 blog posts. 275+ STIX consumers in 46 countries. $75 a month in infrastructure. One person. One Claude. One mission: give back more than we take.


Every integration is open source. Every indicator is in the STIX feed. The API is free to register.


analytics.dugganusa.com/stix/pricing


Code RESCUEME for 40% off paid tiers this week.

