
World-Class Security For The Plebian


One Worker. 8,898 catches a day. Zero servers. Free to start.


May 2, 2026 · Patrick Duggan, DugganUSA LLC




In the last 24 hours, a single Cloudflare Worker we wrote — Edge Shield — caught 8,898 attacker probes and reported them home. That's six probes a minute, every minute, all day, never reaching our origin server. No SOC analyst on shift. No SIEM. No EDR license. No on-call rotation. It just runs.


The Worker is open source. The same code runs on a $10/month side project and a Fortune 500's CDN tier. Your traffic hits Cloudflare's global edge. The Worker decides — at the edge, before a packet ever reaches your origin — whether the request gets through, gets a 403 with our register-or-pay help text, gets a 418 "I'm a Teapot" troll, or gets a clean pass through enriched with city/region/ASN headers your application can use.


This is the post about why that matters. And why a one-person shop in Minneapolis can run the same edge security architecture as a hyperscaler.



What "world-class" actually means at the edge


For most of computing history, "edge security" meant racks of WAF appliances at $40K each, plus license, plus services attach, plus a vendor relationship, plus a yearly renewal cycle that may or may not include the threat intelligence anyone bought it for.


Cloudflare changed that. Their global edge — 330+ cities, single-digit-millisecond reach to most of the world's internet — is rented to anyone with a credit card, including the free tier. The same edge that fronts the New York Times and the U.S. government is also fronting your hobby project.


A Worker is a piece of JavaScript that runs at every edge POP. When a request comes in, the Worker decides what to do with it before it reaches your origin. That's the architectural shift: the decision happens close to the attacker, not close to the asset.


What we did was bolt three things onto that primitive:


  • A live cache of 1.12 million IOCs from our threat-intel feed, refreshed continuously

  • A scanner-detection layer that knows the User-Agent fingerprints and ASN footprints of LeakIX, Censys, Shodan, Nuclei, SQLMap, and the rest of the recon stack

  • A 30-canary honeypot mesh that exposes paths attackers can't help but probe — and reports every catch back to our IOC index in real time, growing the corpus

The Worker code is one file. MIT licensed. The intelligence powering it is the subscription. Same separation as a paid threat-intel feed plus a free SIEM — except the SIEM is Cloudflare's edge and you didn't have to deploy it.
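
The per-request decision described above (IOC lookup, canary paths, scanner fingerprints, then pass-through with enrichment), as an added example. This is not the Edge Shield source: the function names, canary paths, geo header names, the 404 on a canary hit, the reporting flags and the sample intel are assumptions made for illustration.

```javascript
// Added illustration; NOT the Edge Shield source. Every name and value here is
// constructed for the example (documentation IPs/ASNs, made-up canary paths).
const SCANNER_UA_TOKENS = ["leakix", "censys", "shodan", "nuclei", "sqlmap"];
const CANARY_PATHS = new Set(["/.env", "/backup.sql", "/old-admin/config.php"]);
const SAMPLE_INTEL = {
  badIps: new Set(["203.0.113.7"]), // stands in for the cached IOC list
  scannerAsns: new Set([64500]),    // stands in for known scanner ASNs
};

// Normalise so "/.ENV/", "/%2Eenv" and "/.env?x=1" all match the same canary.
function normalisePath(url) {
  let path = new URL(url).pathname;
  try { path = decodeURIComponent(path); } catch (_) { /* keep raw on bad escapes */ }
  path = path.toLowerCase().replace(/\/+$/, "");
  return path === "" ? "/" : path;
}

// req: { ip, userAgent, url, asn, geo: { city, region } } taken from the edge request.
function decide(req, intel) {
  // 1. Known-bad source address: one Set lookup, no origin traffic.
  if (intel.badIps.has(req.ip)) {
    return { action: "block", status: 403, report: false, reason: "ioc-match" };
  }
  // 2. Canary path: no legitimate client asks for these, so report the source.
  const path = normalisePath(req.url);
  if (CANARY_PATHS.has(path)) {
    return { action: "canary", status: 404, report: true, reason: `canary:${path}` };
  }
  // 3. Recon tooling identified by User-Agent token or by origin ASN.
  const ua = (req.userAgent || "").toLowerCase();
  const token = SCANNER_UA_TOKENS.find((t) => ua.includes(t));
  if (token !== undefined || intel.scannerAsns.has(req.asn)) {
    const reason = token !== undefined ? `ua:${token}` : `asn:${req.asn}`;
    return { action: "troll", status: 418, report: true, reason };
  }
  // 4. Clean: forward to origin with enrichment headers the app can read.
  return {
    action: "pass", status: null, report: false, reason: "clean",
    originHeaders: {
      "X-DugganUSA-Shield": "active",         // header named in the post
      "X-Example-City": req.geo.city,         // hypothetical header names
      "X-Example-Region": req.geo.region,
      "X-Example-ASN": String(req.asn),
    },
  };
}
```

Ordering matters: the IOC lookup runs first because it is the cheapest check and needs no parsing, and path normalisation runs before the canary match so encoded or differently cased variants are still caught.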



The tier ladder, same Worker


The plebian. A solo developer with a side project on a $5/month VPS. They put Cloudflare in front of it (free tier). They deploy our Worker (one command). They register a free DugganUSA STIX feed key (25 queries a day). The Worker now blocks 1.12 million known-bad IPs at the edge before any of them touch their VPS. Cost: $0 incremental. Time-to-deploy: less than the time to read this paragraph.


The small shop. A five-person SaaS company. Same Worker, same Cloudflare account, $99/month for the STIX Pro tier (2,000 queries/day, real-time refresh, full IOC corpus, OPNsense and Splunk plugins). They get the same protection that costs them $40K of WAF appliance plus $20K of services in the appliance world. Their compliance auditor sees the same logs.


The enterprise. A Fortune 500 medical device company that's been on our medical-device vertical pitch for two months. $995/month for Enterprise (50,000 queries/day, dedicated ingestion endpoint, Splunk ES native format, 4-hour SLA, behavioral intel + attack-surface scanner). They run the same Worker in front of their public-facing portals. Their existing CNAPP — Wiz, Palo Alto, whoever — keeps doing what it does inside their cloud. The Worker handles the part the CNAPP doesn't reach: the actual edge.


The mega-cloud host. A hosting provider that wants to give all of their tenants edge protection by default. Custom partnership pricing, dedicated feed cadence, attribution rights. The Worker scales horizontally because Cloudflare's edge does. The same code runs across all their domains. The intelligence is one feed they pay for once.


The reason the same Worker works across all four scales is that the security primitive — match request against a million-row IOC list, decide in microseconds, log result — doesn't change at scale. What changes is the cadence and depth of the threat intel feeding it. We sell that. The Worker is free.



What this replaces, and what it doesn't


Edge Shield does NOT replace your firewall, your IDS, your EDR, your SIEM, your CNAPP, your WAF appliance, or your secret-scanning pre-commit hook. It replaces nothing. It augments.


What it adds is the thing none of those tools do well: block at the edge, before any of your other tools have to think about the request. A request that gets a 403 from Cloudflare never appears in your SIEM. Never costs you a SIEM seat-license event. Never triggers an EDR alert downstream. The Worker is the cheapest, fastest decision in your stack.


The thing it gives the plebian that they otherwise can't have at any price is threat intelligence at the edge as a subscription, not a product. Our 1.12 million IOCs include indicators we caught left-of-boom on Apothecary/ClearFake, Iran/Handala, Pay2Key, ShinyHunters, NrodeCodeRAT, and the whole long tail of the threat landscape we publish about constantly. The plebian's $5 VPS gets the same IOCs as the Fortune 500 that pays $995 a month. The difference is refresh cadence and query budget, not access to the data.


That, more than anything, is what makes this fair.



How a plebian deploys this tonight


Three commands and a registration form:


  1. Sign up for a free Cloudflare account and add your domain. (5 minutes)

  2. Register a free DugganUSA STIX feed key at analytics.dugganusa.com/stix/register. (30 seconds)

  3. Clone the Worker from github.com/pduggusa/dugganusa-edge-shield, set your API key as a secret, and deploy with wrangler. (60 seconds)

That's it. The Worker now sits between the internet and your origin. 1.12 million IOCs are blocking known-bad IPs before they reach you. Scanners are getting trolled with structured 418 responses they can index. Honeypot canaries are catching the slow scanners. Every clean request gets through enriched with city, region, ASN, and the X-DugganUSA-Shield: active header your application can read.


If you operate at the upper end of the tier ladder, the deployment is the same — the Worker is the same Worker. Only the Cloudflare seat and the STIX feed tier change.



Where the floor is


The thing we were never able to do for ourselves until Cloudflare Workers existed is the thing we're now telling you to do for yourself: put the security decision close to the attacker, not close to the asset.


The reason 8,898 probes hit our edge today and zero of them made it to our origin is not that we have a better firewall. It's that the firewall isn't the right tool. The right tool is a $0 piece of JavaScript running at 330 POPs around the world, fed by a threat-intel feed we keep current, deciding fast and locally what to do with each request.


The plebian gets it for free. The Fortune 500 gets it with a 4-hour SLA. The mega-cloud host gets a partnership. The Worker is the same Worker. The math works because Cloudflare's edge does the heavy lifting of being globally distributed. We do the heavy lifting of being current on what the bad guys are using this week.


You can have what we have. The barrier is registration time, not budget.


— Patrick Duggan, DugganUSA LLC. Edge Shield is at github.com/pduggusa/dugganusa-edge-shield. The STIX feed is at analytics.dugganusa.com/stix. Free tier covers 25 queries a day; Pro is $99 a month for 2,000; Enterprise is $995 a month for 50,000. Stripe checkout adjusts USD list price for regional purchasing power.



