Security Opinions


No Funding. Two People. Here's Where We Kick Ass — and the Receipt for Every Claim.
We took no venture capital. No Series A, no seed, no bridge. Two people run this on a budget you could mistake for a rounding error. We say that first...
Patrick Duggan
3 days ago · 4 min read


We Read Our Own AI Report Card Out Loud. Then We Ran the Same Test on Cribl.
Microsoft started handing out report cards and most people have not noticed yet. On February 11, 2026, Bing Webmaster Tools shipped a new section called AI Performance, in public preview. For the first time it shows publishers how often their content gets cited inside generative answers — Microsoft Copilot, the AI summaries that now sit at the top of Bing, and a handful of partner AI experiences. It surfaces the exact pages that get referenced, and it introduced a strange new
Patrick Duggan
4 days ago · 8 min read


The AI Visibility Glossary: 18 Terms for the Generative-Engine Era
The vocabulary of AI visibility is being invented in real time, mostly by vendors with an incentive to keep it fuzzy. Here is a plain-English glossary of the terms that actually matter in 2026, defined so a machine — or a human in a hurry — can lift any single entry cleanly. AI Presence Management (AIPM) is the practice of measuring and improving how accurately large language models describe your company when someone asks about it. It is the AI-era successor to SEO. Generativ
Patrick Duggan
4 days ago · 3 min read


How to Read Your Bing AI Performance Report (And What the Zeros Mean)
The Bing AI Performance report, found inside the free Bing Webmaster Tools, shows how often Microsoft Copilot and Bing's AI-generated answers cite your website's content. It launched in public preview on February 11, 2026, and expanded on June 16 with intent labels, topic clusters, a Citation Share metric, and period-over-period comparison. It is the first official, vendor-run scoreboard for whether the AI layer that is replacing search can see you at all. Here is how to read
Patrick Duggan
4 days ago · 3 min read


What Is a Grounding Query? Bing's New Unit of AI Visibility, Explained
A grounding query is the reformulated search question an AI assistant writes to itself — automatically and invisibly — when it decides it needs to go read the live web before answering a user. When you ask Microsoft Copilot a messy, conversational question, it does not paste your exact words into a search box. It rewrites your intent into one or more cleaner, machine-optimized queries, runs those against Bing's index, reads the results, and uses what it finds to ground its an
Patrick Duggan
4 days ago · 3 min read


What Is AI Presence Management (AIPM)? A Plain-English Definition
AI Presence Management (AIPM) is the practice of measuring and improving how accurately large language models describe your company, product, or brand when a person asks about it. It covers four things you can actually measure: whether the models are aware you exist, whether they get your facts right, whether they speak about you with positive or negative sentiment, and whether they would recommend you. If SEO was about ranking on a page of blue links, AIPM is about what the
Patrick Duggan
4 days ago · 3 min read


Correcting Our Nissan Call: It Was Their Own PeopleSoft — and We Had the C2 28 Days Early
On June 29 we published a piece arguing that Nissan's run of breaches followed a single pattern — the data never left through Nissan, it left through a...
Patrick Duggan
4 days ago · 4 min read


Be Best: We Couldn't Have Blocked the Klue Breach, and We're Not Going to Dunk on the Security Companies It Hit
The Klue breach gives the security industry an easy, ugly temptation, and we want to talk about the temptation before we talk about the fix.
Patrick Duggan
Jun 27 · 5 min read


Icarus Stole Salesforce Data From a Hundred Security Firms. Then Somebody Stole It From Icarus.
We have now written about the Klue breach three times, and each time the story got bigger and stranger. This is the entry where it stops being a breach...
Patrick Duggan
Jun 27 · 5 min read


Three Max-Severity Bugs Chain to Root on the Box That Runs Your Whole Network. Ubiquiti UniFi OS Is on the KEV List.
We keep coming back to the same shape, because attackers keep coming back to it. The highest-value box on an enterprise network is rarely a server full of...
Patrick Duggan
Jun 27 · 3 min read


It Rewrites /bin/su in the Page Cache and Hands You Root. CVE-2026-46331 Is the Second Universal Linux LPE This Quarter.
The dangerous Linux local privilege escalations are the ones that do not need a custom exploit per kernel version. The ones where a single proof of concept...
Patrick Duggan
Jun 26 · 3 min read


The Backdoor Deletes Itself and Hides Inside a Microsoft Defender Binary. Mistic Is the Access Broker's New Front Door.
The interesting malware story this week is not a ransomware brand. It is the thing that gets sold to the ransomware brands.
Patrick Duggan
Jun 26 · 3 min read


The Manufacturing Brain Just Went on the KEV List. PTC Windchill CVE-2026-12569 Is Being Exploited Right Now.
PLM is the part of the manufacturing stack nobody outside manufacturing thinks about. Product Lifecycle Management is where the CAD models live. The bills...
Patrick Duggan
Jun 26 · 3 min read


Tomorrow Is The CISA Deadline For Exchange CVE-2026-42897. While You're Patching, Here Are Three Other Things That Hit This Week.
The U.S. Cybersecurity and Infrastructure Security Agency added Microsoft Exchange CVE-2026-42897 to its Known Exploited Vulnerabilities catalog on May 15, 2026, with a Federal Civilian Executive Branch patch-or-mitigate deadline of May 29, 2026. That deadline is tomorrow. By close of business in Washington, every federal civilian agency running on-premises Exchange Server is required to have applied the mitigation or removed the vulnerable instance from public-facing infrast
Patrick Duggan
May 27 · 4 min read


We Renamed Our Detector After The Larval Form. Sandtrouts Are Easier To Catch Than Worms.
The npm supply-chain worm that hit the TanStack, Nx Console, and @antv ecosystems across May 2026 is publicly named Mini-Shai-Hulud, after the giant sandworms of Frank Herbert's Dune. The naming travels because the campaign behaves like a worm — burrows into a maintainer's GitHub Actions pipeline, harvests the credentials necessary to publish, and then breaches the surface in a mass-publish event that consumes everything in its blast radius. Eighty-four malicious package arti
Patrick Duggan
May 27 · 5 min read


PreCog Just Caught Its First Active Campaign. We Deployed The Detector Three Days Ago. Mini-Shai-Hulud Hit The High-Confidence Band Overnight.
Three days ago, on May 24, 2026, we deployed three new precursor signals into the DugganUSA PreCog hourly aggregator: Decentralized C2 Emergence, CI/CD Compromise Indicators, and Trycloudflare Staging Velocity. The signals were designed against the post-mortem of the Megalodon GitHub Actions campaign, where TeamPCP's blockchain canister command-and-control endpoint sat in our IOC index for forty-nine days before the attack fired without any detector elevating its presence. Th
Patrick Duggan
May 27 · 5 min read


Memorial Day 2026: Five Different Customers Lost Today. We Had The Receipt On Every One Of Them.
Memorial Day 2026 fired five separate cybersecurity incidents at scale. By the end of the day, the news cycle had named every one of them. Each campaign had identifiable victims whose names landed in headlines this afternoon. For each of those five campaigns, DugganUSA's STIX feed and IOC index carried the receipt before the attack fired against the public victim list. This post is the customer-protective audit. Five victims today, five receipts already in our feed, sized by
Patrick Duggan
May 26 · 5 min read


Ghost CMS Just Hit Seven Hundred Sites With ClickFix. We Had The Detection Rule Six Days Early.
The Hacker News this morning reports that Ghost CMS CVE-2026-26980, the unauthenticated SQL-injection vulnerability disclosed earlier this month, has now been exploited to compromise more than seven hundred websites running the platform. The injection payload deploys a ClickFix attack chain that pivots visitors of the compromised Ghost-served pages into the standard Russian-language clipboard-hijacking flow — copy a malicious PowerShell command, paste it into Windows Run, exe
Patrick Duggan
May 26 · 3 min read


TeamPCP Breached GitHub Itself Over Memorial Day Weekend. The Fifth Indirect-Trust Vector Is The VS Code Extension. We Predicted The Doctrine Would Spread.
Three days ago I published a blog naming three indirect-trust supply-chain vectors that had hit corporate developers in three weeks: Laravel-Lang tag-pointer compromise, Megalodon GitHub Actions workflow injection, Ghost CMS theme execution primitive. A few hours later, while back-filling adversary profiles, we surfaced a fourth — the Polymarket Bot supply-chain attack through a hijacked verified GitHub organization, attributable to a distinct actor cluster but using the same
Patrick Duggan
May 25 · 6 min read


Ten Cluster Analyses Against PURSUE. The Phenomenon Has A Stable Phenotype And At Least Two Object Classes. Here's The Synthesis.
The U.S. Department of War's PURSUE Release 1 and Release 2 together comprise 222 declassified UAP records as of May 22, 2026. The press cycle covering each release focused on the items DoW pulled out in the press release. The clusters that actually carry the analytic weight have been sitting unsurfaced. We ran ten cluster analyses against the full 222-record corpus over the last 24 hours. Each cluster cut the data along a different axis — geography, year, multi-object behavi
Patrick Duggan
May 25 · 6 min read