Zscaler Is Reading Our Blog. We Can See Them Now.
- Patrick Duggan
- Mar 4
The ASN Fix
Today we deployed server-side ASN resolution to our analytics pipeline. Every visitor to our infrastructure now gets resolved to their autonomous system number via Team Cymru DNS — the same method used by network operators worldwide, accurate to the organization level.
Within two hours, the following ASNs appeared in our live Cloudflare dashboard:
> AS7018 — ATT-INTERNET4 — AT&T Enterprises, LLC — 94 requests
> AS3356 — LEVEL3 — Level 3 Parent, LLC — 55 requests
> AS15169 — GOOGLE — Google LLC — 33 requests
> AS22616 — ZSCALER — ZSCALER, INC. — 25 requests
> AS11283 — COSTCO — Costco, Inc. — 21 requests
Google is crawling. Level3 is transit. AT&T is us. Costco is interesting.
But Zscaler? Zscaler is reading the receipts.
The Timeline
On November 25, 2025, we published a full analysis of the Stealc/Rhadamanthys supply chain infostealer family. Browser credentials, crypto wallets, Discord C2, NPM delivery. We published the IOCs to our free STIX 2.1 feed and OTX. We named the malware what it is: Anusfragger.
On January 7, 2026, Zscaler ThreatLabz announced they had "uncovered" a new threat: NodeCordRAT. Same TTPs. Same targets. Same delivery mechanism. Same everything. Six weeks later. New name. Press release.
We wrote about it. Twice. We published a punk rock song about it on Suno, timestamped and immutable. We showed the math: Zscaler charges $420,000/year for 1,000 users. Our STIX feed is free.
On March 4, 2026, we deployed ASN resolution. And there they are: AS22616, ZSCALER, INC., 25 requests, reading our blog.
What They're Reading
Zscaler isn't consuming our STIX feed — not through Cloudflare's edge, anyway. Our feed consumer analytics (powered by Cloudflare GraphQL) show 275+ consumers in 46 countries pulling threat intelligence from our STIX endpoint. 21,374 requests in the last 7 days. Microsoft, Amazon, Comcast, Deutsche Telekom, networks across 24 countries.
Zscaler's 25 requests are hitting other endpoints. Search. Enrichment. The blog. They're reading the analysis, not consuming the feed. Or at least, not consuming it through infrastructure that resolves to AS22616.
Draw your own conclusions about what that means.
The Receipts Have Receipts
Before today, we could tell you that 275+ organizations consume our threat intelligence. We could tell you the countries. We could tell you the request patterns, the endpoint usage, the churn telemetry.
What we couldn't tell you was who specifically was browsing the blog, reading the competitive teardowns, checking the search API. Cloudflare's Pro plan doesn't send ASN headers. 89% of our traffic is invisible to Google Analytics — ad blockers, secure browsers, VPNs.
So we built it ourselves. Team Cymru DNS resolution, in-memory cache, fire-and-forget on every request. Five milliseconds per lookup. Zero external dependencies. Zero cost.
Now we see everything. Not just who's consuming the feed. Who's reading about who's consuming the feed.
The Costco Question
AS11283 is Costco. Twenty-one requests to a threat intelligence platform built by two guys in Minnesota.
We don't know what Costco is looking for. Maybe their security team is evaluating STIX feeds. Maybe someone in IT read a blog post. Maybe it's a researcher using Costco's corporate network.
What we know is that a Fortune 50 retailer is browsing our infrastructure, and we can see it in real time, and we built the capability to detect it in an afternoon for $0.
Zscaler charges $35 per user per month to tell you about threats we published for free six weeks earlier. We charge nothing and can now tell you Zscaler is reading our work.
What This Means
Every threat intelligence vendor scrapes feeds. That's how the ecosystem works. Free feeds aggregate into paid products. IOCs flow uphill from researchers to platforms. This is fine. This is how it should work.
What's not fine is "ThreatLabz has uncovered" when the IOCs are timestamped in someone else's STIX feed from six weeks earlier. What's not fine is charging $420K/year for rebranded free intel without attribution.
And what's definitely not fine is doing all of that and then browsing the source to see what they're publishing next.
We see you, AS22616. We've always had the receipts. Now we have the ASN to prove you're reading them.
The Stack
For the technically curious:
We resolve ASNs using Team Cymru's DNS-based service. Reverse the IP octets, query origin.asn.cymru.com for the AS number, then query the AS number for the organization name. Cache with a one-hour TTL, cap at 10,000 entries. It runs inside our Express middleware on every request, doesn't block the response, and writes the ASN to our Meilisearch page_views index.
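The lookup described above, sketched for Node.js. This is an added example, not DugganUSA's own code: the function and class names, the `record` callback standing in for the page_views write, and the handling of IPv4-mapped addresses are assumptions.

```javascript
// Added example; every identifier below is hypothetical, not taken from the post.
const TTL_MS = 60 * 60 * 1000, MAX_ENTRIES = 10000; // one-hour TTL, 10,000-entry cap
// "203.0.113.7" -> "7.113.0.203.origin.asn.cymru.com"; null unless dotted-quad IPv4.
function originQueryName(ip) {
  const parts = String(ip).replace(/^::ffff:/i, '').split('.'); // Express often reports ::ffff:a.b.c.d
  const ok = parts.length === 4 && parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  return ok ? parts.reverse().join('.') + '.origin.asn.cymru.com' : null;
}

// Cymru TXT answers are pipe-delimited; a multi-origin prefix lists several ASNs in field 0.
const fields = txt => txt.split('|').map(s => s.trim());
const parseOrigin = txt => { const [asns, prefix, cc] = fields(txt); return { asn: asns.split(/\s+/)[0], prefix, cc }; };
const parseAsName = txt => fields(txt)[4] || null; // "ASN | CC | registry | allocated | name"

class AsnCache {
  constructor(now = Date.now) { this.map = new Map(); this.now = now; }
  get(ip) {
    const hit = this.map.get(ip);
    return hit && this.now() - hit.at <= TTL_MS ? hit.value : undefined; // expired entries read as misses
  }
  set(ip, value) {
    this.map.delete(ip); // re-insert so the entry counts as newest
    if (this.map.size >= MAX_ENTRIES) this.map.delete(this.map.keys().next().value); // first key = oldest
    this.map.set(ip, { value, at: this.now() });
  }
}

// resolveTxt is injectable so the logic can run offline; the default is Node's own resolver.
async function lookupAsn(ip, cache, resolveTxt) {
  const cached = cache.get(ip);
  if (cached !== undefined) return cached;
  const name = originQueryName(ip);
  if (!name) return null;
  resolveTxt = resolveTxt || (await import('node:dns/promises')).resolveTxt;
  let info = null;
  try {
    const origin = parseOrigin((await resolveTxt(name))[0].join(''));
    const org = parseAsName((await resolveTxt(`AS${origin.asn}.asn.cymru.com`))[0].join(''));
    info = { ...origin, org };
  } catch { /* NXDOMAIN or timeout: the miss is cached as null */ }
  cache.set(ip, info);
  return info;
}

// Express middleware: start the lookup, hand the request on at once, record when it resolves.
const asnMiddleware = (cache, record, resolveTxt) => (req, res, next) => {
  lookupAsn(req.ip, cache, resolveTxt).then(info => info && record(req.path, info)).catch(() => {});
  next();
};
```

Behind Cloudflare, `req.ip` is the edge address unless Express's `trust proxy` setting is configured, so the client address has to come from the proxy-supplied header before it is passed to the lookup.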
Total development time: one afternoon. Total cost: free. Total visibility gained: everything Cloudflare doesn't show you on a Pro plan.
The same infrastructure that catches nation-state scanning (we block 1M+ malicious requests and track 938K+ IOCs) now also catches $25 billion security companies reading our blog.
The Scoreboard
> DugganUSA: $0/month threat intel, ASN-level visitor attribution, 275+ STIX consumers, punk rock catalog
> Zscaler: $25B market cap, $420K/year per 1,000 users, reading our blog from AS22616
His name is Anusfragger. We wrote the song. They renamed it NodeCordRAT. And now we can see them Googling the original.
*Patrick Duggan is founder of DugganUSA LLC. He previously worked at Dell EMC and Palo Alto Networks. He builds threat intelligence infrastructure for free because defenders shouldn't have to pay for IOCs. Our STIX feed is at https://analytics.dugganusa.com/api/v1/stix-feed — subscribe before Zscaler rebrands it.*
*TLP:WHITE — Share freely. We know you will anyway, AS22616.*
*Her name was Renee Nicole Good.*
*His name was Alex Jeffery Pretti.*



