DugganUSA Security Feed Integration Guide

Real-time threat intelligence delivered via RSS

What is the DugganUSA Security Feed?

Our RSS feed publishes real-time threat intelligence from our automated OSINT investigation platform. Every IP that hits our infrastructure is profiled via AbuseIPDB, VirusTotal, and ThreatFox, then published to https://www.dugganusa.com/blog-feed.xml

24/7: Automated Publishing
3 Sources: AbuseIPDB, VirusTotal, ThreatFox
RSS 2.0: Industry Standard Format

Who should use this feed?

Feed URL

https://www.dugganusa.com/blog-feed.xml

Update Frequency: Hourly (when new threats are auto-blogged by the Brain)
Format: RSS 2.0 with full content
Authentication: None (public feed)

Integration Methods

1. cURL Polling (Simplest)

Poll the feed every hour for new threats:

    #!/bin/bash
    # Poll DugganUSA threat feed hourly (-f: fail on HTTP errors instead of saving an error page)
    curl -fsS https://www.dugganusa.com/blog-feed.xml -o /tmp/duggan-feed.xml

    # Parse with xmllint or grep for specific threats
    grep -oP '(?<=<title>).*?(?=</title>)' /tmp/duggan-feed.xml

2. Python with feedparser

Parse and process threat intelligence programmatically:

    import feedparser

    # Fetch DugganUSA threat feed
    feed = feedparser.parse('https://www.dugganusa.com/blog-feed.xml')

    for entry in feed.entries:
        print(f"Threat: {entry.title}")
        print(f"Published: {entry.published}")
        print(f"Link: {entry.link}")
        print(f"Summary: {entry.summary}")
        print("---")

    # Example: Extract IPs from titles
    # Format: "Hall of Shame: 185.220.101.1 - The Tor Exit Node Menace"
    for entry in feed.entries:
        if 'Hall of Shame' in entry.title:
            # Extract IP address
            parts = entry.title.split(': ')
            if len(parts) >= 2:
                ip = parts[1].split(' - ')[0]
                print(f"Malicious IP detected: {ip}")

3. Node.js RSS Parsing

Integrate into Node.js applications:

    const Parser = require('rss-parser');
    const parser = new Parser();

    async function fetchThreats() {
      const feed = await parser.parseURL('https://www.dugganusa.com/blog-feed.xml');
      console.log(`Feed Title: ${feed.title}`);

      feed.items.forEach(item => {
        console.log(`${item.title} - ${item.pubDate}`);

        // Extract IP if it's a Hall of Shame post
        if (item.title.includes('Hall of Shame')) {
          const ipMatch = item.title.match(/\d+\.\d+\.\d+\.\d+/);
          if (ipMatch) {
            console.log(` → Malicious IP: ${ipMatch[0]}`);
          }
        }
      });
    }

    // Poll every hour; log fetch errors so a failed poll does not end the process
    setInterval(() => fetchThreats().catch(console.error), 60 * 60 * 1000);
    fetchThreats().catch(console.error); // Run immediately

4. SIEM Integration (Splunk, Azure Sentinel, Datadog)

Ingest threats into your security information and event management system:

Splunk Example

    # inputs.conf
    [script://bin/fetch_duggan_feed.sh]
    interval = 3600
    sourcetype = dugganusa:threatfeed

    # Create bin/fetch_duggan_feed.sh:
    #!/bin/bash
    curl -s https://www.dugganusa.com/blog-feed.xml \
      | xmllint --xpath '//item/title/text()' - \
      | grep -oP '\d+\.\d+\.\d+\.\d+' \
      | while read -r ip; do
          # printf emits valid JSON; nested double quotes inside echo "..." would be stripped
          printf '{"threat_ip":"%s","source":"dugganusa","timestamp":"%s"}\n' \
            "$ip" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        done

Azure Sentinel Example

    // Azure Function (JavaScript) - runs hourly
    const Parser = require('rss-parser');
    const parser = new Parser();

    module.exports = async function (context, myTimer) {
      const feed = await parser.parseURL('https://www.dugganusa.com/blog-feed.xml');

      const threats = feed.items.map(item => ({
        title: item.title,
        published: item.pubDate,
        link: item.link,
        ip: item.title.match(/\d+\.\d+\.\d+\.\d+/)?.[0] || null,
        timestamp: new Date().toISOString()
      }));

      // Send to Log Analytics Workspace
      // (Configure with Azure Monitor HTTP Data Collector API)
      context.log(`Ingested ${threats.length} threats from DugganUSA feed`);
    };

Feed Format & Structure

RSS 2.0 Specification:

    <?xml version="1.0" encoding="UTF-8"?>
    <rss version="2.0">
      <channel>
        <title>DugganUSA Security Blog</title>
        <link>https://www.dugganusa.com/blog</link>
        <description>Threat intelligence and security insights</description>
        <item>
          <title>Hall of Shame: 185.220.101.1 - The Tor Exit Node Menace</title>
          <link>https://www.dugganusa.com/blog/hall-of-shame-185-220-101-1</link>
          <pubDate>Mon, 01 Nov 2025 12:00:00 GMT</pubDate>
          <guid>https://www.dugganusa.com/blog/hall-of-shame-185-220-101-1</guid>
          <description>
            <![CDATA[ Complete OSINT investigation of 185.220.101.1 - AbuseIPDB score: 100%, 12,847 reports from 1,203 victims. Tor exit node involved in DDoS attacks... ]]>
          </description>
        </item>
      </channel>
    </rss>

Key Fields:

Use Cases

1. Automated IP Blocklisting

Extract malicious IPs from the feed and automatically add them to your firewall, WAF, or CDN blocklist. DugganUSA publishes threats with AbuseIPDB scores >5, court documents, and OSINT attribution.

2. Competitive Intelligence

Monitor what threats DugganUSA is detecting and blocking. Our feed shows the speed and rigor of our OSINT methodology. We publish faster than you can copy.

3. Threat Research

Use the feed for academic or security research. Every threat includes:

4. SIEM/SOAR Enrichment

Enrich your security events with DugganUSA threat intelligence. When an IP hits your infrastructure, cross-reference it against our Hall of Shame for instant context.

Sample RSS Reader Workflow

    1. Poll feed every hour
       ↓
    2. Parse XML → Extract IPs
       ↓
    3. Check if IP exists in your logs
       ↓
    4. If match found → Alert SOC team
       ↓
    5. Auto-block IP via firewall API
       ↓
    6. Log incident with OSINT context from feed
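
Steps 2 and 3 of the workflow above, which the blocklisting and SIEM enrichment use cases share, as an added example (not DugganUSA's code): each title is validated as a real, globally routable, non-allowlisted address before it can reach a blocklist, then matched against logs. The feed and log samples are constructed, and `ALLOWLIST`, `feed_candidates` and `log_hits` are hypothetical names.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample in the feed format documented above (not live feed data).
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel>
<item><title>Hall of Shame: 185.220.101.1 - The Tor Exit Node Menace</title></item>
<item><title>Hall of Shame: 10.0.0.5 - constructed internal address</title></item>
<item><title>Hall of Shame: 203.0.113.7 - constructed allowlisted address</title></item>
<item><title>Hall of Shame: 999.1.1.1 - constructed malformed address</title></item>
<item><title>Release notes for build 2.10.0.1</title></item>
</channel></rss>"""

# Constructed access-log lines; the first field is the client address.
SAMPLE_LOG = [
    '185.220.101.1 - - [01/Nov/2025:12:00:01 +0000] "GET /login HTTP/1.1" 401',
    '198.51.100.23 - - [01/Nov/2025:12:00:02 +0000] "GET / HTTP/1.1" 200',
]

# Assumption: ranges you must never block (own egress, partners, monitoring).
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]
TITLE_RE = re.compile(r"^Hall of Shame: (\S+) - ")

def feed_candidates(xml_text, allowlist=ALLOWLIST):
    """Return (blockable addresses, [(raw value, rejection reason)])."""
    blockable, rejected = set(), []
    for title in ET.fromstring(xml_text).iterfind("./channel/item/title"):
        m = TITLE_RE.match(title.text or "")
        if not m:
            continue  # not a Hall of Shame post; ignore digits in other titles
        raw = m.group(1)
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            rejected.append((raw, "not an IP address"))
            continue
        if any(ip in net for net in allowlist):
            rejected.append((raw, "allowlisted"))
        elif not ip.is_global:
            rejected.append((raw, "not globally routable"))
        else:
            blockable.add(ip)
    return blockable, rejected

def log_hits(lines, blockable):
    """Return log lines whose first field is a vetted feed address."""
    vetted = {str(ip) for ip in blockable}
    return [ln for ln in lines if ln.split(" ", 1)[0] in vetted]
```

Because the feed is public and unauthenticated, only the `blockable` set should be passed on to step 5; the `rejected` list is worth logging for review.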

FAQ

Q: How often is the feed updated?

A: Hourly, when the Brain (analytics.dugganusa.com) publishes new Hall of Shame auto-blog posts.

Q: Is authentication required?

A: No. The feed is public. We believe in radical transparency for threat intelligence.

Q: What if I want to block ALL IPs in your Hall of Shame?

A: Use the Hall of Shame API: GET https://security.dugganusa.com/api/hall-of-shame to get all blocked IPs with full OSINT data.

Q: Do you offer a JSON feed alternative?

A: Yes. Visit https://security.dugganusa.com/api/hall-of-shame for JSON format.

Q: Can I integrate this with GitHub Security Advisories?

A: Yes. Parse the feed, extract IPs, and create GitHub issues with the OSINT details as evidence.

Q: What's the false positive rate?

A: Extremely low. We only publish IPs with AbuseIPDB scores >5 (default threshold). Most Hall of Shame entries have scores 75-100%.

Need Help?

Technical Support: [email protected]
API Documentation: /api-docs
GitHub Issues: Report Integration Problems

"We publish threat intelligence faster than competitors can plagiarize it. Steal our feed. We dare you to keep up." — Judge Dredd, Automated Compliance Agent