Five principles. Two math tricks. One NDA-gated full methodology at the bottom.
CrowdStrike's cheapest Falcon Intelligence tier is ~$100,000/yr. Recorded Future's enterprise plan is $50,000+ per seat. Mandiant Advantage starts at $75,000. We charge zero for Free and $45/month for Starter. Our ingestion-to-publication latency is under ten minutes. Theirs is 24 to 72 hours. The difference is not scale. It is architecture.
Detection, classification, enrichment, exemption, and emission are five distinct stages. Each has its own inputs, outputs, cadence, and error budget. When you conflate them, every correction becomes a rebuild. When you separate them, every correction is a config change.
Every ingestion source, every classifier, every enrichment call, every AI model query, every cron job runs concurrently. Sequential code in a threat pipeline is a performance bug.
LLMs are good at language, ambiguity, and research. They are bad at deterministic scoring, edge-case rules, and fast lookups. Discipline about where you do not use AI is as important as cleverness about where you do.
The difference between a 5% false-positive rate and sub-0.01% is the quality and maintenance of the exemption layer. We put as much engineering into the "definitely not a threat" path as the "definitely a threat" path.
Every confirmed false positive, every missed detection, every deploy failure becomes a structured incident record, an automated compliance pattern, and a standing lesson-learned. Accountability is not a marketing virtue; it is an architectural feature that compounds over time.
A continuously updated Bloom filter over 1M+ indicators. Every candidate gets a novelty check before classification: known-returning-bad routes one way, first-ever-seen routes another. A membership test costs a fixed number of hash computations, so it runs in O(1) no matter how large the corpus grows. One property of the structure shapes the routing: a Bloom filter can answer "probably seen" for an indicator that was never inserted, but it never answers "unseen" for one that was, so the first-ever-seen path is exact while the known-returning path gets confirmed against the authoritative store before history is attached. This prevents the single biggest source of scoring errors in any threat feed: treating an indicator that already has a bad history as brand-new, and re-scoring it as benign, after a tenant reassignment moves the IP or domain to a new owner.
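The novelty gate described above, as an added example rather than the platform's own code. The Bloom filter is implemented from scratch with the standard sizing formula; the routing labels, the dict standing in for the authoritative indicator database, and the sample indicators (RFC 5737 documentation addresses) are this example's assumptions. The `route` function shows why the two answers are treated differently: "definitely new" skips the database entirely, "probably seen" is confirmed before prior history is attached, and `measure_fp_rate` lets you check the advertised error rate empirically.

```python
"""Novelty gate: a Bloom filter in front of the authoritative indicator store.
Added illustration, not the platform's code.  The sizing formula is the
standard one; the routing labels, the dict standing in for the indicator
database, and the sample indicators (RFC 5737 documentation addresses) are
this example's assumptions."""
import hashlib
import math


class BloomFilter:
    """Bit array with k hash positions per item.  Answers are either
    'definitely not present' or 'probably present'; never a false 'absent'."""

    def __init__(self, expected_items: int, target_fp_rate: float) -> None:
        # m = -n ln p / (ln 2)^2 bits and k = (m / n) ln 2 hashes minimise the
        # false-positive rate for n items at a given memory budget.
        self.m = math.ceil(-expected_items * math.log(target_fp_rate) / math.log(2) ** 2)
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str) -> list[int]:
        # Kirsch-Mitzenmacher double hashing: one digest, split into two 64-bit
        # halves, yields all k positions.  Cost per lookup is one hash plus k
        # additions, independent of how many indicators are stored.
        digest = hashlib.blake2b(item.encode("utf-8"), digest_size=16).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:], "big")
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def might_contain(self, item: str) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def ingest(indicator: str, verdict: str, gate: BloomFilter, store: dict) -> None:
    """Record a scored indicator in both the filter and the authoritative store."""
    gate.add(indicator)
    store[indicator] = verdict


def route(indicator: str, gate: BloomFilter, store: dict) -> str:
    """Pick the path a candidate takes before classification.

    `store` stands in for the indicator database (indicator -> last verdict);
    it is consulted only when the filter says 'probably seen'."""
    if not gate.might_contain(indicator):
        # Exact: an inserted item is never reported absent, so this indicator
        # has no history and can skip the database round-trip entirely.
        return "first-seen"
    # 'Probably seen' may be a filter collision, so confirm before attaching
    # history to the candidate.
    prior = store.get(indicator)
    if prior is None:
        return "first-seen"            # Bloom false positive, not real history
    return f"returning:{prior}"        # keep the earlier verdict attached


def measure_fp_rate(n_members: int, n_probes: int, target: float) -> tuple[float, bool]:
    """Fill a filter with n_members synthetic indicators, probe n_probes unseen
    ones, and return (observed false-positive rate, no false negatives seen)."""
    bf = BloomFilter(n_members, target)
    for i in range(n_members):
        bf.add(f"member-{i}")
    no_false_negatives = all(bf.might_contain(f"member-{i}") for i in range(n_members))
    false_hits = sum(bf.might_contain(f"probe-{i}") for i in range(n_probes))
    return false_hits / n_probes, no_false_negatives


if __name__ == "__main__":
    gate, store = BloomFilter(expected_items=1_000_000, target_fp_rate=0.001), {}
    ingest("198.51.100.7", "malicious", gate, store)      # constructed indicator
    print(route("198.51.100.7", gate, store))             # returning:malicious
    print(route("203.0.113.9", gate, store))              # first-seen
    rate, exact = measure_fp_rate(20_000, 20_000, 0.01)
    print(f"observed fp rate {rate:.4f}, no false negatives: {exact}")
```

The filter only ever answers the question "has this indicator been through the pipeline before?"; verdicts live in the store. Sized for 1M indicators at a 0.1% error rate it occupies under 2 MB, which is why it can sit in front of every candidate without becoming the bottleneck the page is arguing against.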
42 Meilisearch indexes on a single substrate. When an IP, domain, or company name appears in multiple unrelated indexes within a short time window, the co-occurrence is itself a signal. Most commercial platforms keep each product line's data in its own database and cannot make that join in real time. We correlate in milliseconds because the whole platform was built on one substrate on purpose.
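The time-window correlation described above, as an added example and not the platform's own query logic. The hits are constructed stand-ins for documents returned by searches against separate indexes (the index names, field names and RFC 5737 addresses are this example's assumptions), and the correlator is a generic two-pointer sweep over per-entity timelines rather than anything Meilisearch-specific. It counts breadth across distinct indexes, so repeated hits from one source do not produce a signal.

```python
"""Cross-index co-occurrence as a signal.  Added illustration, not the
platform's code: the hits below are constructed stand-ins for documents
returned by searches against separate indexes (index names, field names and
RFC 5737 addresses are this example's assumptions), and the correlator is a
generic time-window join rather than any vendor-specific query."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample hits: each is the shape of one search-result document,
# tagged with the index it came from.
SAMPLE_HITS = [
    {"index": "honeypot_connections",  "entity": "203.0.113.45", "seen": "2026-04-02T09:14:00Z"},
    {"index": "waf_blocks",            "entity": "203.0.113.45", "seen": "2026-04-02T09:16:30Z"},
    {"index": "vendor_breach_notices", "entity": "203.0.113.45", "seen": "2026-04-02T09:19:05Z"},
    {"index": "honeypot_connections",  "entity": "198.51.100.8", "seen": "2026-04-02T08:00:00Z"},
    {"index": "waf_blocks",            "entity": "198.51.100.8", "seen": "2026-04-02T11:30:00Z"},
    {"index": "honeypot_connections",  "entity": "192.0.2.77",   "seen": "2026-04-02T10:00:00Z"},
    {"index": "honeypot_connections",  "entity": "192.0.2.77",   "seen": "2026-04-02T10:01:00Z"},
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate(hits: list[dict], window_seconds: int, min_indexes: int = 2) -> list[dict]:
    """Return one signal per entity that appears in at least `min_indexes`
    distinct indexes inside some window of `window_seconds`.

    Hits are grouped per entity and sorted by time; a two-pointer sweep keeps
    the work linear in the number of hits per entity after the sort.  Repeated
    hits from the same index do not count: the signal is breadth across
    unrelated sources, not volume in one."""
    by_entity: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for h in hits:
        by_entity[h["entity"]].append((parse_ts(h["seen"]), h["index"]))

    signals = []
    for entity, events in by_entity.items():
        events.sort()
        j = 0
        for i, (start, _) in enumerate(events):
            j = max(j, i)
            # Advance j past every event still inside [start, start + window].
            while j < len(events) and (events[j][0] - start).total_seconds() <= window_seconds:
                j += 1
            indexes = {name for _, name in events[i:j]}
            if len(indexes) >= min_indexes:
                last = events[j - 1][0]
                signals.append({
                    "entity": entity,
                    "indexes": sorted(indexes),
                    "first_seen": start.isoformat(),
                    "span_seconds": (last - start).total_seconds(),
                })
                break   # one signal per entity; enrichment takes it from here
    return signals


if __name__ == "__main__":
    for sig in correlate(SAMPLE_HITS, window_seconds=600):
        print(sig)
```

With a ten-minute window only 203.0.113.45 fires (three indexes in 305 seconds); 198.51.100.8 is seen in two indexes but three and a half hours apart, and 192.0.2.77 hits the same index twice. The window is the knob that trades sensitivity for noise, which is why it belongs in the configuration layer rather than in the code.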
| | DugganUSA | CrowdStrike | Recorded Future | Mandiant |
|---|---|---|---|---|
| Starting price | $0 (Free tier) | ~$100K/yr | ~$50K/seat | ~$75K |
| Ingestion latency | <10 min | 24-72 hrs | 24-72 hrs | 24-72 hrs |
| False-positive rate | 0.004% | Not published | Not published | Not published |
| Monthly compute | ~$500 | Enterprise | Enterprise | Enterprise |
Download the full short-version PDF
4 pages. Flow diagrams. Vendor comparison. The receipts.
The full methodology is an 8,500-word whitepaper with flow diagrams for every detection, classification, enrichment, exemption, and alert path. We share it under NDA. Email [email protected] with the subject line "methodology".
Direct (PDF link):
https://security.dugganusa.com/whitepapers/five-principles-threat-intel.pdf?utm_source=direct&utm_medium=pdf&utm_campaign=methodology-2026-04
Start consuming threat intelligence for free
500 API calls/day. STIX 2.1 feed. No credit card required.