
Your Free Threat Intelligence Feed Just Got Better

  • Writer: Patrick Duggan
  • Jan 25
  • 2 min read


What You Get (For Free)



Data Type           Count            Source                     Use Case
Malicious IPs       2,494+           SSL honeypot, AbuseIPDB    Firewall blocklists
Botnet C2s          Updated hourly   Feodo Tracker              C2 detection
Phishing URLs       Updated hourly   OpenPhish, URLhaus         Email security
Tor Exit Nodes      500+             Tor Project                Anonymization detection
Hijacked Networks   1,464 CIDRs      Spamhaus DROP              BGP/routing security
TLS Fingerprints    97 JA3 hashes    SSLBL                      Behavioral detection
APT Indicators      346 actors       OTX, MITRE                 Attribution
Exploited CVEs      1,494            CISA KEV                   Patch prioritization


Total indexed: 270,442 indicators





The Receipts


Real numbers from our production feed:



Last 7 days:        858 new indicators
Hourly updates:     8 threat intel sources
STIX version:       2.1 (OASIS standard)
License:            CC0-1.0 (public domain)
Uptime:             180+ days zero downtime



What Makes This Different


Most "free" threat feeds give you stale IP lists. We give you:


  1. SSL Certificate Intelligence - Every IP enriched with cert CN, issuer, self-signed detection

  2. JARM Fingerprints - Server-side TLS signatures (Cobalt Strike, Sliver, Brute Ratel detection)

  3. JA3 Fingerprints - Client-side TLS signatures (AsyncRAT, Quasar, DcRat attribution)

  4. MITRE ATT&CK Mapping - Tactics and techniques on every indicator

  5. Confidence Scoring - 0-100 scale so you can tune your thresholds




Integration Guide



Option 1: Direct STIX 2.1 Bundle (Recommended)



# Full feed (last 30 days)
curl https://analytics.dugganusa.com/api/v1/stix-feed/v2



Option 2: CSV Blocklists (For Firewalls)



# IP blocklist
curl https://analytics.dugganusa.com/api/v1/stix-feed/ips.csv



Option 3: TAXII 2.1 Discovery



# Discovery document
curl https://analytics.dugganusa.com/api/v1/stix-feed/manifest.json
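The bundle from Option 1 is plain STIX 2.1 JSON, so you can build Option 2's blocklist yourself with a confidence threshold of your choosing (the 0-100 score mentioned above) and with expired or revoked indicators aged out, which is the temporal-decay behaviour described under Quality Assurance. The script below is an added example, not the feed's own code: the bundle it parses is a constructed sample in STIX 2.1 shape, the addresses are RFC 5737 documentation ranges, and how the live feed populates `confidence`, `valid_until` and `revoked` is assumed rather than verified against the API.

```python
"""Turn a STIX 2.1 bundle into a confidence-tuned IP blocklist.

Added example, not the feed's own code. The bundle is a constructed sample in
STIX 2.1 shape; how the live feed populates `confidence`, `valid_until` and
`revoked` is assumed here, not verified against the API.
"""
import ipaddress
import json
import re
from datetime import datetime, timezone

# Fixed clock for the sample so expiry checks are deterministic (assumption).
SAMPLE_NOW = datetime(2026, 1, 25, tzinfo=timezone.utc)
VALID = "2026-02-19T00:00:00.000Z"


def _ind(n, pattern, confidence, valid_until=VALID, **extra):
    """Minimal STIX 2.1 indicator; helper for building the constructed sample."""
    obj = {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--00000000-0000-4000-8000-{n:012d}",
        "created": "2026-01-20T00:00:00.000Z", "modified": "2026-01-20T00:00:00.000Z",
        "pattern": pattern, "pattern_type": "stix",
        "valid_from": "2026-01-20T00:00:00.000Z", "valid_until": valid_until,
        "confidence": confidence, "labels": ["malicious-activity"],
    }
    obj.update(extra)
    return obj


# Constructed sample bundle; addresses are RFC 5737 documentation ranges.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        _ind(1, "[ipv4-addr:value = '198.51.100.23']", 90),                  # C2, high confidence
        _ind(2, "[ipv4-addr:value = '203.0.113.7']", 30),                    # Tor exit, low confidence
        _ind(3, "[ipv4-addr:value = '198.51.100.9']", 95, "2026-01-10T00:00:00.000Z"),  # aged out
        _ind(4, "[ipv4-addr:value = '192.0.2.0/24']", 80),                   # DROP-style CIDR
        _ind(5, "[url:value = 'http://phish.example/login']", 85),           # URL, not an IP
        _ind(6, "[ipv4-addr:value = '198.51.100.50' OR ipv4-addr:value = '198.51.100.51']", 75),
        _ind(7, "[ipv4-addr:value = '198.51.100.77']", 99, revoked=True),   # withdrawn by the producer
        {"type": "identity", "spec_version": "2.1", "name": "feed",
         "id": "identity--00000000-0000-4000-8000-000000000099",
         "created": "2026-01-20T00:00:00.000Z", "modified": "2026-01-20T00:00:00.000Z"},
    ],
})

IPV4_TERM = re.compile(r"ipv4-addr:value\s*=\s*'([^']+)'")


def parse_stix_time(ts):
    """STIX timestamps are RFC 3339 UTC with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def extract_ipv4(pattern):
    """Every ipv4-addr value in a STIX pattern, including OR'd comparisons."""
    return IPV4_TERM.findall(pattern)


def skip_reason(obj, min_confidence, now):
    """Why an indicator must not reach the blocklist, or None if it may."""
    if obj.get("revoked"):
        return "revoked"
    until = obj.get("valid_until")
    if until and parse_stix_time(until) <= now:
        return "expired"                      # D4: stale indicators age out
    conf = obj.get("confidence")
    if conf is None or conf < min_confidence:
        return f"confidence {conf} below {min_confidence}"
    if not extract_ipv4(obj.get("pattern", "")):
        return "no ipv4-addr term in pattern"
    return None


def blocklist_from_bundle(bundle_json, min_confidence=70, now=None):
    """Return (sorted block entries, [(indicator id, reason)] for skipped ones)."""
    now = now or datetime.now(timezone.utc)
    block, skipped = set(), []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue                          # identities, markings, relationships
        why = skip_reason(obj, min_confidence, now)
        if why:
            skipped.append((obj["id"], why))
            continue
        for ip in extract_ipv4(obj["pattern"]):
            try:
                ipaddress.ip_network(ip, strict=False)   # reject junk before it hits a firewall
            except ValueError:
                skipped.append((obj["id"], f"unparseable address {ip!r}"))
                continue
            block.add(ip)
    return sorted(block), skipped


if __name__ == "__main__":
    entries, dropped = blocklist_from_bundle(SAMPLE_BUNDLE, min_confidence=70, now=SAMPLE_NOW)
    print("\n".join(entries))
    for oid, why in dropped:
        print(f"# skipped {oid}: {why}")
```

Run against the live feed by replacing `SAMPLE_BUNDLE` with the body of a `curl` to the v2 endpoint and dropping the fixed `now`. The threshold is the whole point: at 70 the Tor exit node stays out of the firewall list, at 0 it goes in, and either way expired and revoked indicators never make it, so a list regenerated hourly shrinks on its own instead of accumulating stale addresses.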





SIEM Integration Examples



Splunk



| inputlookup dugganusa_threats.csv
| eval threat_source="DugganUSA"
| outputlookup threat_intel.csv


Download the CSV daily (from cron or a scripted input alongside the scheduled search). Fetch into a temporary file and only then replace the lookup, so a failed download never leaves Splunk with an empty or error-page lookup:

# -f fails on HTTP errors; the mv is atomic on the same filesystem
curl -fsS -o /opt/splunk/etc/apps/search/lookups/dugganusa_threats.csv.tmp \
  https://analytics.dugganusa.com/api/v1/stix-feed/ips.csv \
  && mv /opt/splunk/etc/apps/search/lookups/dugganusa_threats.csv.tmp /opt/splunk/etc/apps/search/lookups/dugganusa_threats.csv



Microsoft Sentinel


  • API Root: https://analytics.dugganusa.com/api/v1/stix-feed

  • Collection ID: dugganusa-threats


Elastic Security



{
  "name": "DugganUSA Threat Feed",
  "url": "https://analytics.dugganusa.com/api/v1/stix-feed/v2",
  "interval": "1h",
  "format": "stix"
}



Palo Alto XSOAR



name: DugganUSA Feed
type: STIX
url: https://analytics.dugganusa.com/api/v1/stix-feed/v2
interval: 3600





New This Week: Complete TLS Fingerprint Coverage



JARM (Server-Side)


We scan suspicious IPs and fingerprint their TLS implementation. Cobalt Strike, Metasploit, Sliver, and Brute Ratel each have distinct "accents" in how they do TLS handshakes.


  • Cobalt Strike default certs (serial 146473198)

  • Self-signed C2 certificates

  • DGA-generated certificate CNs

  • APT infrastructure patterns (HAINAN, CHINANET)


JA3 (Client-Side) - NEW


We now ingest 97 known malware JA3 fingerprints from SSLBL. When malware phones home, the TLS Client Hello it sends (cipher suites, extensions, curves) hashes to a JA3 value characteristic of its TLS stack. Because a JA3 hash identifies the client library and configuration rather than the malware itself, a hash shared with legitimate software will also fire on benign traffic; treat a JA3 match as one signal to correlate with destination reputation or a JARM and certificate match rather than as proof on its own.


  • AsyncRAT, Quasar, DcRat, BitRAT

  • Cobalt Strike beacons

  • Mythic, Havoc, Sliver agents
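Putting the server-side (JARM, certificate) and client-side (JA3) signals together, the following is an added example of detection logic over TLS session records, not the feed's own code. The fingerprint sets and the log records are constructed placeholders rather than real SSLBL or feed values, the per-session JSON record format is an assumption rather than any sensor's schema, and the only real indicator in it is the Cobalt Strike default certificate serial 146473198 named above.

```python
"""Flag TLS sessions by JA3/JARM fingerprint and certificate tells.

Added example, not the feed's detection code. The fingerprint sets and the log
records are constructed placeholders (not real SSLBL or feed values); the
Cobalt Strike default certificate serial 146473198 is the one the post names.
The per-session JSON record format is an assumption, not any sensor's schema.
"""
import json

COBALT_STRIKE_DEFAULT_SERIAL = 146473198          # 0x08bb00ee

# Placeholder fingerprints (constructed). Real JA3 values are 32 hex chars,
# real JARM values 62 hex chars; the shapes below only mimic that.
MALWARE_JA3 = {"0" * 31 + "1": "AsyncRAT", "0" * 31 + "2": "Sliver agent"}
C2_JARM = {"0" * 61 + "1": "Cobalt Strike team server"}
BENIGN_JA3, BENIGN_JARM = "f" * 32, "f" * 62


def serial_to_int(serial):
    """Normalise a certificate serial. All-digit strings are read as decimal,
    anything else as hex (0x-prefixed or colon-separated). Assumption about
    how the sensor renders serials; adjust for your source."""
    if isinstance(serial, int):
        return serial
    s = str(serial).strip().lower().replace(":", "")
    if s.startswith("0x"):
        return int(s[2:], 16)
    return int(s, 10) if s.isdigit() else int(s, 16)


def score_session(rec):
    """Return (score 0-100, findings) for one TLS session record."""
    score, findings = 0, []
    if rec.get("ja3") in MALWARE_JA3:                    # client-side: what is talking
        score += 70
        findings.append(f"JA3 client fingerprint: {MALWARE_JA3[rec['ja3']]}")
    if rec.get("jarm") in C2_JARM:                       # server-side: what it talks to
        score += 50
        findings.append(f"JARM server fingerprint: {C2_JARM[rec['jarm']]}")
    serial = rec.get("cert_serial")
    if serial is not None and serial_to_int(serial) == COBALT_STRIKE_DEFAULT_SERIAL:
        score += 80
        findings.append("Cobalt Strike default certificate serial (146473198)")
    if rec.get("cert_subject") and rec.get("cert_subject") == rec.get("cert_issuer"):
        score += 15                                      # weak alone: internal services do this too
        findings.append("self-signed certificate")
    return min(score, 100), findings


def detect(log_lines, threshold=50):
    """Score every JSON log line; return alerts at or above the threshold, in log order."""
    alerts = []
    for line in log_lines:
        rec = json.loads(line)
        score, findings = score_session(rec)
        if score >= threshold:
            alerts.append({"src": rec.get("src"), "dst": rec.get("dst"),
                           "score": score, "findings": findings})
    return alerts


# Constructed sample log (JSON per session); destinations are documentation addresses.
SAMPLE_LOG = [json.dumps(r) for r in [
    {"src": "10.0.0.5", "dst": "198.51.100.10", "ja3": BENIGN_JA3, "jarm": BENIGN_JARM,
     "cert_subject": "CN=www.example.com", "cert_issuer": "CN=Example Public CA", "cert_serial": "0a1b2c"},
    {"src": "10.0.0.6", "dst": "198.51.100.20", "ja3": "0" * 31 + "1", "jarm": BENIGN_JARM,
     "cert_subject": "CN=cdn.example.net", "cert_issuer": "CN=Example Public CA", "cert_serial": "0a1b2d"},
    {"src": "10.0.0.7", "dst": "198.51.100.30", "ja3": BENIGN_JA3, "jarm": "0" * 61 + "1",
     "cert_subject": "CN=, OU=, O=, L=, ST=, C=", "cert_issuer": "CN=, OU=, O=, L=, ST=, C=",
     "cert_serial": "08bb00ee"},
    {"src": "10.0.0.8", "dst": "198.51.100.40", "ja3": BENIGN_JA3, "jarm": BENIGN_JARM,
     "cert_subject": "CN=git.internal.corp", "cert_issuer": "CN=git.internal.corp", "cert_serial": "1f"},
    {"src": "10.0.0.9", "dst": "198.51.100.50", "ja3": "0" * 31 + "2", "jarm": BENIGN_JARM,
     "cert_subject": "CN=localhost", "cert_issuer": "CN=localhost", "cert_serial": "2a"},
]]


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["src"], "->", alert["dst"], alert["score"], "; ".join(alert["findings"]))
```

The weights are deliberately uneven: a self-signed certificate alone never crosses the threshold, because plenty of internal services use one, while the Cobalt Strike default serial does on its own, and a JA3 hit plus a JARM hit on the same session is the combination that separates a real beacon from a legitimate client that merely shares a TLS stack with one. Swap the placeholder sets for the JA3 hashes in the feed's SSLBL data and the JARM values from your own scanning, and read the serial normalisation rule against how your sensor actually renders serials.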




What We Don't Do


  • We don't paywall the feed

  • We don't require registration

  • We don't track who downloads

  • We don't sell your usage data

  • We don't throttle requests

Why? Because security is cumulative. When you block a C2 we discovered, that attacker loses infrastructure. That helps everyone.





Quality Assurance


Every indicator passes through our Judge Dredd 6D Framework:


  1. D1 - Commit Compliance: Git-tracked, auditable changes

  2. D2 - Corpus Alignment: Cross-referenced against multiple sources

  3. D3 - Production Evidence: VirusTotal correlation, honeypot captures

  4. D4 - Temporal Decay: Fresh indicators prioritized, stale ones aged out

  5. D5 - Financial Efficiency: We don't pay per indicator (no perverse incentives)

  6. D6 - Democratic Sharing: Published openly, CC0 licensed




Get Started



# Test it right now (quote the URL so the shell does not treat ? as a glob)
curl -s 'https://analytics.dugganusa.com/api/v1/stix-feed/v2?days=1' | jq '.objects | length'


Endpoints:



Purpose           URL
STIX 2.1 Bundle   https://analytics.dugganusa.com/api/v1/stix-feed/v2
IP Blocklist      https://analytics.dugganusa.com/api/v1/stix-feed/ips.csv
Feed Info         https://analytics.dugganusa.com/api/v1/stix-feed/info
TAXII Manifest    https://analytics.dugganusa.com/api/v1/stix-feed/manifest.json
Documentation     https://analytics.dugganusa.com/docs/stix-feed





DugganUSA LLC - Minnesota, USA


"The gap is the mission."




Her name was Renee Nicole Good.


His name was Alex Jeffery Pretti.

