DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

200,000 Devices. Your Own MDM. That's How Iran Did It.

Patrick Duggan
Mar 16
2 min read

# 200,000 Devices. Your Own MDM. That's How Iran Did It.

**Author:** Patrick Duggan (with Claude Code)

**Series:** DugganUSA Field Reports

The Number Is 200,000

When we published "Iran Hit Stryker" this morning, we had the attack surface — 1,014 subdomains, 192 dev servers, MAKO surgical robot infrastructure in public certificate logs.

Now we have the damage.

Handala didn't just breach Stryker. They wiped 200,000 systems. Servers, desktops, laptops, and personal phones enrolled in bring-your-own-device. Fifty terabytes exfiltrated. Seventy-nine offices worldwide disrupted. Tens of thousands of employees offline.

U.S. officials are calling it the most significant wartime cyberattack carried out by Iran against American targets.

They Used Intune

The attack vector, confirmed by security researcher Kevin Beaumont: Handala compromised Active Directory, then used Microsoft Intune — Stryker's own mobile device management platform — to remotely wipe every enrolled device.

Read that again. The tool Stryker deployed to manage and protect their device fleet was the tool Iran used to destroy it.

Intune is designed to remotely lock, wipe, and configure devices. That's the feature. It's also the weapon when the wrong person has the keys. One compromised AD credential with Intune admin rights becomes a remote wipe command to 200,000 endpoints.

The BYOD devices are the cruelest part. Employees' personal phones — photos, messages, personal apps — wiped because they enrolled in the corporate MDM to check email.

What This Means for Every Organization Using Intune

Stryker isn't unique in using Intune. Microsoft Endpoint Manager (Intune) is deployed across hundreds of thousands of organizations. Every one of them has the same architecture: Active Directory controls identity, Intune controls devices, and a compromised admin account controls everything.

If you run Intune, ask yourself:

1. **Who has Intune admin rights?** How many accounts? MFA on all of them?

2. **Can a single compromised account wipe your entire fleet?** Is there a two-person rule for mass wipe commands?

3. **Are BYOD devices in the same wipe scope as corporate devices?** Should they be?

4. **Do you monitor for anomalous Intune commands?** A mass wipe at 3 AM should trigger an alert before it completes.

The Attack Surface We Published This Morning

Eight hours ago, we showed that Stryker had 1,014 subdomains in public certificate transparency logs, including 192 dev/staging/test environments and MAKO surgical robot build infrastructure.

The subdomains were the door. Active Directory was the hallway. Intune was the detonator.

The companies with the smallest certificate footprint had the fewest breaches. The companies with the largest footprint had the most. The correlation held before we knew the damage number. Now we know why — a larger surface means more ways in, and once you're in Active Directory, the MDM does the rest.

*Her name was Renee Nicole Good.*

*His name was Alex Jeffery Pretti.*

200,000 Devices. Your Own MDM. That's How Iran Did It.

The Number Is 200,000

They Used Intune

What This Means for Every Organization Using Intune

The Attack Surface We Published This Morning

Recent Posts

Comments