Free Threat Intelligence for Wiz Users: DugganUSA STIX 2.1 Feed
Published: November 13, 2025
Category: Threat Intelligence
Vendor: Wiz (Cloud Security)
⚠️ IMPORTANT: API keys are LIVE. Anonymous access ends March 15, 2026 — register now.
Tiered API keys are deployed today. Anonymous access ends March 15, 2026 — after that date all requests without a key will be rejected.
- Free: $0 (25/day)
- Pro: $99/mo (2,000/day, 24h email SLA)
- Enterprise: $995/mo (50,000/day, 4h response SLA — [email protected])
- Register: https://analytics.dugganusa.com/stix/register
The Value Proposition
DugganUSA discovered 244 threats that billion-dollar vendors (AbuseIPDB, VirusTotal, ThreatFox) scored as ZERO.
63% unique discovery rate. Multi-source correlation. Free. STIX 2.1.
Your Wiz platform is excellent for cloud security posture. Our feed makes your threat detection better.
What You Get
- Free STIX 2.1 threat intelligence feed
- Real-time updates from production security operations
- MITRE ATT&CK mapped indicators
- Zero cost - Democratic Sharing Law (Judge Dredd D6: 99.5% public)
- 244+ unique discoveries missed by major threat intel vendors
- Cloud-native IOCs for AWS, Azure, GCP
Feed URL: https://analytics.dugganusa.com/api/v1/stix-feed
Wiz Integration
Step 1: Create Custom Integration
- Log into Wiz Console
- Navigate to Settings → Integrations → Custom Integrations
- Click + Add Integration
Step 2: Configure Threat Intelligence Import
Integration Name: DugganUSA STIX Feed
Integration Type: Threat Intelligence
Description: Free threat intel - 244 unique discoveries
Source URL: https://analytics.dugganusa.com/api/v1/stix-feed?days=30&min_confidence=70
Format: STIX 2.1
Authentication Header: Authorization: Bearer <YOUR_API_KEY>
Update Schedule: Every hour
Scope: All cloud environments
Note: Use Authorization: Bearer <key> — not X-API-Key. Cloudflare strips custom headers; X-API-Key will not reach the API. Register for an API key at: https://analytics.dugganusa.com/stix/register
Step 3: Create Security Policies
Navigate to Security → Policies → Create Policy
Policy: Alert on DugganUSA Unique Discoveries
{
  "name": "Communication with DugganUSA Unique Discoveries",
  "description": "Alert when cloud resources communicate with IPs we discovered that major vendors missed",
  "severity": "HIGH",
  "query": {
    "type": "GRAPH",
    "filter": [
      {
        "type": "NetworkConnection",
        "remoteIP": {
          "in": "@dugganusa_unique_discoveries"
        }
      }
    ]
  },
  "actions": [
    "ALERT",
    "TICKET",
    "SLACK"
  ]
}
Wiz Query Language (WQL) Examples
Find Cloud Assets Communicating with Malicious IPs
CloudResource
WHERE type IN ('EC2 Instance', 'Virtual Machine', 'Compute Instance')
  AND hasOutboundConnection = true
  AND outboundConnection.destinationIP IN (
    SELECT ip FROM ThreatIntelligence
    WHERE source = 'DugganUSA STIX Feed'
      AND confidence >= 80
  )
RETURN
  resource.name,
  resource.cloudPlatform,
  outboundConnection.destinationIP,
  threatIntel.confidence,
  threatIntel.unique_discovery
Detect Vendor-Missed Threats in AWS
EC2Instance
JOIN NetworkConnection ON resource.id = connection.sourceResourceId
JOIN ThreatIntelligence ON connection.destinationIP = threat.ip
WHERE
  threat.source = 'DugganUSA STIX Feed'
  AND threat.x_dugganusa_discovery.unique_detection = true
  AND threat.x_dugganusa_discovery.sources_with_zero_score CONTAINS 'VirusTotal'
RETURN
  EC2Instance.instanceId,
  EC2Instance.vpcId,
  NetworkConnection.destinationIP,
  ThreatIntelligence.confidence,
  ThreatIntelligence.x_dugganusa_discovery.sources_with_zero_score
Azure Sentinel Integration via Wiz
# Export to Azure Sentinel for correlation
AzureResource
WHERE hasNetworkConnection = true
  AND networkConnection.externalIP IN (
    SELECT ip FROM DugganUSAFeed
    WHERE confidence >= 85
  )
EXPORT TO AzureSentinel
  AS 'DugganUSA_Threat_Detection'
Custom Rules for Cloud Environments
AWS: Block EC2 Communication with High-Confidence Threats
Create AWS Security Group Rule:
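# Via Wiz Automation
import re

import boto3
import requests

# Fetch high-confidence threats
feed_url = "https://analytics.dugganusa.com/api/v1/stix-feed?days=7&min_confidence=90"
api_key = "<YOUR_API_KEY>"  # Note: use Authorization: Bearer, not X-API-Key
headers = {"Authorization": f"Bearer {api_key}"}
resp = requests.get(feed_url, headers=headers, timeout=30)
resp.raise_for_status()  # stop on an HTTP error instead of parsing an error body
stix_data = resp.json()

malicious_ips = []
for obj in stix_data.get('objects', []):
    if obj.get('type') == 'indicator':
        # Take only IPv4 indicators; other pattern types carry no IP to extract
        match = re.search(r"ipv4-addr:value\s*=\s*'([^']+)'", obj.get('pattern', ''))
        if match:
            malicious_ips.append(match.group(1))

# Update AWS Security Group
# Security groups are allow-only: revoke_security_group_egress removes an existing
# egress rule that matches this /32; it cannot add a deny. A default allow-all
# (0.0.0.0/0) egress rule on the group still permits the traffic.
ec2 = boto3.client('ec2')
for ip in malicious_ips:
    ec2.revoke_security_group_egress(
        GroupId='sg-xxxxxxxxx',
        IpPermissions=[{
            'IpProtocol': '-1',
            'IpRanges': [{'CidrIp': f'{ip}/32'}]
        }]
    )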
Azure: Network Security Group Automation
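# Via Wiz + Azure Logic App
import re

import requests
from azure.identity import DefaultAzureCredential
from azure.mgmt.network import NetworkManagementClient

feed_url = "https://analytics.dugganusa.com/api/v1/stix-feed?days=7&min_confidence=90"
api_key = "<YOUR_API_KEY>"  # Note: use Authorization: Bearer, not X-API-Key
headers = {"Authorization": f"Bearer {api_key}"}
resp = requests.get(feed_url, headers=headers, timeout=30)
resp.raise_for_status()  # stop on an HTTP error instead of parsing an error body
stix_data = resp.json()

# "<YOUR_SUBSCRIPTION_ID>" is a placeholder for your Azure subscription ID
network_client = NetworkManagementClient(DefaultAzureCredential(), "<YOUR_SUBSCRIPTION_ID>")

priority = 100  # NSG priorities must be unique per direction (valid range 100-4096)
for obj in stix_data.get('objects', []):
    if obj.get('type') == 'indicator':
        # Take only IPv4 indicators; other pattern types carry no IP to extract
        match = re.search(r"ipv4-addr:value\s*=\s*'([^']+)'", obj.get('pattern', ''))
        confidence = obj.get('confidence', 0)
        if match and confidence >= 90:
            ip = match.group(1)
            # Add deny rule to NSG (begin_create_or_update in current azure-mgmt-network)
            network_client.security_rules.begin_create_or_update(
                resource_group_name='production-rg',
                network_security_group_name='production-nsg',
                security_rule_name=f'Deny_DugganUSA_{ip.replace(".", "_")}',
                security_rule_parameters={
                    'priority': priority,
                    'protocol': '*',
                    'access': 'Deny',
                    'direction': 'Outbound',
                    'source_address_prefix': '*',
                    'source_port_range': '*',
                    'destination_address_prefix': ip,
                    'destination_port_range': '*'
                }
            ).result()
            priority += 1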
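Both automation snippets above turn feed indicators directly into egress rules, so the bundle should be validated before anything is pushed to AWS or Azure. The following is an added example, not code from DugganUSA or Wiz: it extracts IPv4 indicators from a STIX 2.1 bundle and drops entries that must never be blocked. The function name, the protected-range list, the allowlist and cap parameters, and the sample bundle are all assumptions constructed for illustration.

```python
import ipaddress
import re

# One STIX comparison expression, e.g. ipv4-addr:value = '203.0.113.7'
IPV4_EXPR = re.compile(r"ipv4-addr:value\s*=\s*'([^']*)'")

# Assumed policy: destinations a blocklist must never contain, whatever the feed says.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",  # link-local, includes the cloud metadata endpoint
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]

def blockable_ips(bundle, min_confidence=90, allowlist=(), max_entries=500):
    """Return (ips, rejected): addresses safe to block, and why others were dropped."""
    protected = NEVER_BLOCK + [ipaddress.ip_network(n) for n in allowlist]
    selected, rejected = set(), []
    for obj in bundle.get("objects", []):
        if (obj.get("type") != "indicator" or obj.get("revoked")
                or obj.get("confidence", 0) < min_confidence):
            continue
        for raw in IPV4_EXPR.findall(obj.get("pattern", "")):
            try:
                ip = ipaddress.IPv4Address(raw)  # rejects CIDRs and junk
            except ValueError:
                rejected.append((raw, "not a single IPv4 address"))
                continue
            if any(ip in net for net in protected):
                rejected.append((raw, "protected range"))
            else:
                selected.add(ip)
    if len(selected) > max_entries:
        # A sudden flood of indicators is more likely a feed fault than real intel.
        raise ValueError(f"{len(selected)} indicators exceeds cap of {max_entries}")
    return [str(ip) for ip in sorted(selected)], rejected

# Constructed sample (not real feed output): (confidence, pattern) pairs.
ROWS = [
    (95, "[ipv4-addr:value = '203.0.113.7']"),
    (70, "[ipv4-addr:value = '198.51.100.23']"),      # below threshold
    (99, "[ipv4-addr:value = '10.0.0.5']"),           # RFC 1918
    (99, "[ipv4-addr:value = '169.254.169.254']"),    # metadata endpoint
    (99, "[domain-name:value = 'bad.example']"),      # not an IP indicator
    (92, "[ipv4-addr:value = '8.8.8.8']"),            # resolver we allowlist
    (99, "[ipv4-addr:value = '0.0.0.0/0']"),          # CIDR, would block everything
    (91, "[ipv4-addr:value = '203.0.113.7' OR ipv4-addr:value = '198.51.100.99']"),
]
SAMPLE = {"type": "bundle", "objects": [
    {"type": "indicator", "confidence": c, "pattern": p} for c, p in ROWS]}
print(blockable_ips(SAMPLE, allowlist=["8.8.8.0/24"]))
```

Log the rejected list on every run: a protected address or a CIDR showing up in the feed is itself worth an alert.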
Feed Parameters
# High confidence for cloud prevention policies
curl -H "Authorization: Bearer <YOUR_API_KEY>" \
"https://analytics.dugganusa.com/api/v1/stix-feed?days=7&min_confidence=90"
# Detection mode for broader cloud coverage
curl -H "Authorization: Bearer <YOUR_API_KEY>" \
"https://analytics.dugganusa.com/api/v1/stix-feed?days=30&min_confidence=60"
# Geo-specific cloud threats
curl -H "Authorization: Bearer <YOUR_API_KEY>" \
"https://analytics.dugganusa.com/api/v1/stix-feed?country=CN&min_confidence=70"
Why This Matters for Cloud Security
Wiz has the cloud visibility. We have the threat correlation.
You see misconfigurations, vulnerabilities, identity issues. We see 5 threat intelligence sources simultaneously correlated across live attack traffic.
When AbuseIPDB, VirusTotal, and ThreatFox all score an IP as zero — but we blocked it at 95% confidence based on actual attack behavior — that’s the indicator your cloud security platform needs.
Your cloud resources shouldn’t communicate with IPs that billion-dollar vendors missed.
244 unique discoveries. Free. Forever.
Integration with CSPM
Wiz CSPM can leverage our feed for:
- Runtime Protection: Block EC2/VM outbound to malicious IPs
- Compliance Evidence: Document threat blocking for SOC2/ISO27001
- Incident Response: Correlate security findings with external threats
- Cloud Detective: Enrich investigation graphs with threat intel
Democratic Sharing Law
This feed is free because hoarding threat intelligence is bullshit.
Zero marginal cost to share digital goods. We publish openly because that’s how you prove you’re not lying about your discoveries.
Judge Dredd Dimension 6 (Democratic Sharing): 99.5% public (4,780 files tracked).
7.1x evidence-to-claims ratio. We show receipts.
Wiz raised $1 billion. We’re giving away threat intelligence for free. Different philosophies. Same goal: better security.
Technical Details
- Format: STIX 2.1 Bundle
- Attribution: created_by_ref: identity--dugganusa-llc-f4a8c3d2-1b9e-4f7a-8c2d-9e3f5b6a7c8d
- Update Frequency: Real-time from production auto-blocking
- License: CC0-1.0 (Public Domain)
- Contact: [email protected]
- Cloud Support: AWS, Azure, GCP indicators
Support
Questions? Email [email protected]
API health: https://analytics.dugganusa.com/api/v1/stix-feed/info
Documentation: https://analytics.dugganusa.com/docs/stix-feed.md
Your security is our problem now.
— DugganUSA LLC (Minnesota)