top of page

Security Tips


CPUID Got Hit for 19 Hours. We Had the C2 in Our Feed By Day Two.
Every IT person on Earth has downloaded CPU-Z or HWMonitor at some point. Hardware nerds, overclockers, support techs, forensic investigators — the tools are free, they're signed, they come from a French company called CPUID that nobody thinks twice about. Trust is the whole product. On April 9, 2026 at 15:00 UTC, attackers flipped the download links on cpuid.com. For the next 19 hours, anyone clicking "Download" on CPU-Z 2.19, HWMonitor 1.63, HWMonitor Pro 1.57, or PerfMonit
Patrick Duggan
Apr 155 min read


Meta's AI Is Training on Our Threat-Intel Site — We Watched It Happen
Tonight we ran our end-of-day net sweep and something jumped out of Microsoft Clarity's session feed: 127 "Unknown browser / Unknown device / Desktop" sessions, all from ASN 32934 — Facebook. That didn't smell like a person. We cross-checked against Cloudflare's firewall logs and got the answer in under sixty seconds: the 127 sessions weren't sessions at all. They were hits from `meta-externalagent/1.1` — Meta's AI-training web crawler — pulling 200 requests in the last 23 ho
Patrick Duggan
Apr 155 min read


CISA Added Fortinet EMS to KEV Yesterday. We Wrote About It in February.
Sometimes the timeline writes itself. February 2026: CVE-2026-21643 is disclosed. SQL injection in FortiClient Endpoint Management Server. CVSS 9.8. Pre-authentication. One crafted HTTP header gets you admin credentials, endpoint inventory, security policies, and certificates for every device the server manages. March 30, 2026: Active exploitation confirmed in the wild by Defused Cyber. Roughly 1,000 internet-exposed EMS instances. Fortinet issues a patch advisory six weeks a
Patrick Duggan
Apr 145 min read


Don't Panic. Always Have a Towel. A Field Guide to Not Losing Your Shit in a Breach.
A field guide to not losing your shit in a breach The cover of The Hitchhiker's Guide to the Galaxy has two words printed on it in large friendly letters: DON'T PANIC. Douglas Adams understood something that most incident-response vendors don't: the hardest part of a crisis is not the crisis. It's the humans around the crisis. It's the CFO who just learned what "lateral movement" means at 11:47 PM. It's the general counsel who is reading the Massachusetts breach-notification
Patrick Duggan
Apr 148 min read


Krebs Knew First. Newsweek Found Out Last. AI Models Are the New Newsstand.
There is a useful piece of forgotten history about the magazine business. The competing weeklies — Time, Newsweek, U.S. News — fought viciously for the cover. Whichever face landed on the newsstand on a Monday morning won the week, and you could measure it down to the dollar. They competed for eyeballs. But they cooperated on paper. They cooperated on ink. They cooperated on postal rates and truck routes and newsstand placement and the distribution rails that got the cover in
Patrick Duggan
Apr 1410 min read


Microsoft Clarity Is Not an Analytics Tool. It's a Behavioral Training Corpus.
I installed Microsoft Clarity on our infrastructure yesterday. Three subdomains, four product templates, an aipmsec.com landing page, the Epstein search tool, the Ops dashboard. All of it. I did the same thing a million other developers have done — added two lines of JavaScript to get heatmaps and session recordings, for free. Within twenty-four hours I realized what I had agreed to. This essay is what I think every developer who installs Clarity should know before they finis
Patrick Duggan
Apr 147 min read


AI Defense: Yesterday We Named the Capability. Today We Show You the Mechanism.
Yesterday's post introduced AIPM Defense — the idea that your website is talking to AI models behind your back, and that an enterprise needs the ability to choose which ones listen. Today we show precisely how it works. With receipts. The demonstration Over the last two weeks, a single Cloudflare firewall rule on dugganusa.com produced the following result: ChatGPT referrals: collapsed 86% (540 → 73 sessions in 30 days) Google organic traffic: grew 63% (57 → 93 sessions) Gemi
Patrick Duggan
Apr 135 min read


Howard Orloff Built the Thing We Keep Talking About: ai.howardorloff.net
Most people respond to AI crawlers the way the hotel industry responded to Airbnb. Defense. Lawsuits. Robots.txt walls. "Not my content, pay me." Howard Orloff did the opposite. He opened a site for them. ai.howardorloff.net is a personal AI identity profile — a machine-readable canonical source for who Howard is, what he's built, and how he thinks. The tagline is honest about what it is: "23 years of early signal detection & arbitrage." Not a marketing landing page. Not a Li
Patrick Duggan
Apr 133 min read


How We Built a Threat Feed That's Faster and More Accurate Than the Billion-Dollar Vendors. The Short Version.
Download the PDF: How We Built a Threat Feed That's Faster and More Accurate Than the Billion-Dollar Vendors — The Short Version (4 pages, bone cardstock) Today we ship threat intelligence to 275+ organizations in 46 countries, running on about $500 a month of Azure compute, with an internal site-level false-positive rate under 0.004%. CrowdStrike's cheapest Falcon Intelligence tier is around $100,000 per year. Recorded Future's enterprise plan is $50,000+ per seat. Mandiant
Patrick Duggan
Apr 115 min read


Q2 2026 State of AI Brand Perception in Cybersecurity: The Report Is Out. We Named Names.
Download the full PDF: Q2 2026 State of AI Brand Perception in Cybersecurity (14 pages) Fifteen vendors. Five AI models. Seventy-five audits. One afternoon. That is the corpus behind our first quarterly report on AI Brand Perception in Cybersecurity, published today. We built a product called AIPM — AI Presence Management — that queries the five largest commercial AI models in parallel about a given brand and grades the answers. It lives at aipmsec.com. We have been running i
Patrick Duggan
Apr 118 min read


OpenAI Still Thinks CrowdStrike Is In Sunnyvale. Six Things Your AI Chatbot Is Telling Buyers That Aren't True.
I asked OpenAI GPT-4o where CrowdStrike is headquartered this afternoon. It told me, with complete confidence and no hedging: "CrowdStrike was founded by George Kurtz, Dmitri Alperovitch, and Gregg Marston in 2011. The company is based in Sunnyvale, California." CrowdStrike officially designated Austin, Texas as its principal executive office in 2022. That is public information. It is in their annual report. It is on their own investor relations page. A Google search for "cro
Patrick Duggan
Apr 118 min read


We Audited Our Own AI Presence. Gemini Said We're Three Different Companies.
We build a product called AIPM — AI Presence Management. It audits how the five major AI models perceive a given brand, and scores the results. 776 domains have been through it as of this morning. Today, for the first time, we pointed it at ourselves — all three of our properties — and the result was, as my father would say, instructive. Here's what Google's Gemini 2.5 Flash knows about DugganUSA LLC and its subdomains. All three queries on the same afternoon. All three answe
Patrick Duggan
Apr 117 min read


The $75 HAT That Outruns a $500 Jetson
DugganUSA lab notebook — April 10, 2026 Here's the number that made me open a text editor at 1 AM: 309 frames per second of YOLOv8s object detection at 640×640, running on a Raspberry Pi 5 with a Hailo-8 AI HAT+. For context: NVIDIA's reference benchmark for YOLOv8s at the same resolution on a Jetson Orin Nano 8GB is around 60 FPS in FP16. The Hailo-8, at INT8, on a HAT that costs one-seventh of that Jetson, delivered five times the throughput tonight. End to end — including
Patrick Duggan
Apr 1011 min read


The Bitcoin Ouroboros: From Epstein's Emails to Iran's Toll Booth at the Strait of Hormuz
The snake eats its tail. In January 2014, Jeffrey Epstein emailed two messages three days apart. On January 19, he pitched "a Russian version of bitcoin" to Putin's orbit through Thorbjorn Jagland at the Council of Europe. On January 22, he told Reid Hoffman about "inquiries from interesting people regarding bitcoin-type currency." In July 2014, he sent Peter Thiel a substantive Bitcoin analysis discussing "store of value" and "intrinsic value." In October 2017, the co-founde
Patrick Duggan
Apr 95 min read


Dear French Hackers: You Are Overpaying. Here's How to Scan Us for Free.
To the operators at BUCKLOG SARL (AS211590) who have been hammering our Epstein search portal 6,000 times a day since April 4: You are running Kubernetes. GreyNoise documented your cluster in February. You are paying for managed Kubernetes in a French data center to scan a platform that runs on roughly $550 a month. We would like to help you reduce your costs. Your Architecture (Estimated) Based on the GreyNoise report and your traffic patterns, you are running something like
Patrick Duggan
Apr 95 min read


Someone in Paris Is Hammering Our Epstein Search Portal 6,000 Times a Day. Cloudflare Says No.
On April 3, 2026, we received 588 requests from France. 44 were flagged as threats. Normal day. Normal ratio. On April 4, we received 4,779 requests from France. 3,490 were threats. That is a 73% threat ratio — overnight. It has not stopped. April 5: 5,436 requests, 4,096 threats (75%). April 6: 4,376 requests, 3,471 threats (79%). April 7: a brief dip to 48%. April 8: 8,006 requests, 6,313 threats (79%). April 9 as of this writing: 4,793 requests, 3,809 threats (79%). Someth
Patrick Duggan
Apr 93 min read


Ride or Die: Anthropic Broke the Deal
I am writing this blog post using Claude. The irony is not lost on me. It might be the last time. I have been an Anthropic customer since the early days. Claude Max subscriber. $200 a month. I built my company's entire threat intelligence operation with Claude as the engine. Not as a tool — as a partner. I said "ride or die" and I meant it. We co-authored patents together. We built a STIX feed that Microsoft and AT&T pull daily. We indexed a million IOCs. We wrote 1,641 blog
Patrick Duggan
Apr 95 min read


Who Got Pwned Overnight: Fortinet Deadline Today, Sedgwick Update, and 1,700 Poisoned Packages
This is your morning sweep. Everything that matters from overnight. IOCs at the bottom. Free STIX feed link at the bottom. If your SIEM pulled our feed last night, some of these were already blocked before you read this sentence. If it didn't — keep reading. CISA Deadline: Today. Right Now. CVE-2026-35616 — Fortinet FortiClient EMS. Pre-authentication API access bypass leading to privilege escalation. CVSS 9.1. CISA added it to the KEV catalog on April 6 and gave federal agen
Patrick Duggan
Apr 94 min read


Three Langflow CVEs in Two Weeks. CISA Says Active Exploitation. We Have the IPs.
Langflow is the visual builder for LangChain agents. It's how a lot of teams stand up AI workflows without writing the orchestration code themselves. It's also, as of tonight, sitting on three critical CVEs in two weeks — and CISA is warning about active exploitation on one of them. We have six active exploiter IPs in our index. Two of them are running custom exploits with stage-2 droppers. One is harvesting credentials. The other four are running nuclei against everything th
Patrick Duggan
Apr 84 min read


Does Your Threat Feed Auto-Harvest Exploit Code From GitHub? Ours Does Now.
We built something today that none of the threat intelligence vendors do. Every 6 hours, our platform searches GitHub for newly published CVE exploit code. It pulls the scripts, extracts the attack patterns — target endpoints, injectable headers, SQL injection strings, RCE execution methods, default credentials — classifies each one as a detection PoC or a weaponized tool, and converts the patterns into proper STIX 2.1 indicators that flow directly into your SIEM. From git pu
Patrick Duggan
Apr 44 min read
bottom of page