
244 Threat Discoveries and Zero Subscribers: The Gap Between Ready and Real

  • Writer: Patrick Duggan
  • Nov 13, 2025
  • 5 min read

Reading Time: 5 minutes Category: Product Launch, Epistemic Humility, Transparency




The Uncomfortable Truth


I have a free STIX 2.1 threat intelligence feed running at `analytics.dugganusa.com/api/v1/stix-feed`. It contains 244 unique discoveries that billion-dollar vendors missed. The infrastructure can handle thousands of users. The documentation is 2,400+ lines of comprehensive architecture diagrams. Vendor integration guides exist for Splunk, Sentinel, CrowdStrike, Wiz, and Cortex XDR.


Current subscribers: 14 IP addresses.


And 12 of those are me testing it.


Zen and the Art of Threat Intelligence


There's a passage in *Zen and the Art of Motorcycle Maintenance* about the difference between maintaining a motorcycle and *understanding* motorcycle maintenance. Pirsig writes about Quality existing independent of recognition - the motorcycle runs well whether or not anyone acknowledges the craftsmanship.


I've been sitting on production-ready threat intelligence for weeks, telling myself the quality exists whether or not I announce it. The STIX feed serves 492 indicators with a 63% unique rate. The multi-source correlation (AbuseIPDB, VirusTotal, ThreatFox, Team Cymru, GreyNoise) is mathematically rigorous. The 180+ days of production uptime prove stability.


But here's the problem with that philosophy: A motorcycle that runs perfectly in your garage is just expensive metal. Threat intelligence that protects no one is just interesting data.


What "Ready to Launch" Actually Looks Like


Let me show you what I've built while avoiding the actual launch:



• BRAIN (analytics.dugganusa.com): Heavy compute orchestrator

• DRONE (security.dugganusa.com): Lightweight customer UI

• $0 marginal cost per new customer

• 180+ days production uptime

• Auto-scaling Azure Container Apps



• 244 unique discoveries (threats CrowdStrike/Palo Alto/Microsoft missed)

• 492 total indicators (7-day rolling window)

• 63% unique rate (247/492 discoveries other vendors didn't find)

• Multi-source correlation across 5 APIs

• STIX 2.1 compliant (drop-in replacement for enterprise feeds)



• CURRENT-ARCHITECTURE-2025.md (600 lines)

• AUTHENTICATION-SECURITY.md (500 lines)

• DATA-FLOW-DIAGRAMS.md (700 lines, 11 mermaid diagrams)

• DEPLOYMENT-ARCHITECTURE.md (600 lines)

• 6 vendor integration guides (copy-paste examples)



• Azure Table Storage: STIXFeedAnalytics table

• Attribution detection (did they mention DugganUSA?)

• Reciprocity scoring (GitHub=70, Whitepaper=65, Blog=60)

• Real-time usage metrics endpoint



• 65 posts published on www.dugganusa.com

• 6 STIX-specific integration guides

• Business plan with executive summary

• Judge Dredd 6D verification (92% overall score)


What I Haven't Done


Announced it.



• ✅ Infrastructure scales

• ✅ Threat intel is legit

• ✅ Documentation is comprehensive

• ✅ Integration guides are practical

• ❌ LinkedIn post saying "244 discoveries billion-dollar vendors missed"


The Fear of the Big Pecker Flop


Here's why I haven't announced it yet: Once I claim "244 discoveries billion-dollar vendors missed," people will check. Security practitioners are skeptical by training. They'll curl the feed, parse the STIX bundle, cross-reference with their own threat intel sources.


If it's bullshit, I'm toast. If it's real, I have to support it.


The user agent breakdown from the last 30 days tells the story:

```
curl/8.7.1 - 6 requests (40%) - Me testing
Chrome 142 (Mac) - 4 requests (27%) - Me testing
node - 4 requests (27%) - Dashboard testing
Chrome 130 (Win) - 1 request (7%) - Maybe external?
```


Fifteen requests total. Fourteen unique IPs. Mostly me.


The Aristocrats Standard


I write about "The Aristocrats Standard" in our Judge Dredd documentation: Admit mistakes, show receipts, thank those wronged, fix publicly.


So here's the receipt: I have production-ready threat intelligence and I'm scared to announce it.


Not scared because it's fake. The Azure Table Storage `BlockedAssholes` partition has every indicator, timestamp, forensics, MITRE ATT&CK technique. The multi-source correlation is mathematically verifiable. The 180+ days uptime is provable.


Scared because announcement means accountability. Once I say "free STIX 2.1 feed," I can't half-ass the support. Once I claim "244 discoveries," I have to defend every one. Once I position against billion-dollar vendors, they might notice.


What Changes When You Announce



• Threat intel exists in Azure Tables

• Documentation lives in GitHub

• Infrastructure runs quietly

• No one's expectations to manage



• "Why is your feed missing indicator X?"

• "How do I integrate with Y SIEM?"

• "Your documentation says Z but actually..."

• Real users with real problems


This is why so many projects stay in "beta" forever. Beta means low expectations. Production means accountability.


The Motorcycle Runs


Here's what I know: The threat intelligence is real. The infrastructure is solid. The documentation is comprehensive.



• 14 unique IPs accessed the feed

• 15 total requests

• 6,921 indicators served

• 150ms average response time

• 7% attribution rate (1/15 requests mentioned DugganUSA)



• 100 × 15 requests/month = 1,500 requests

• Azure Container Apps auto-scales

• Same $70-80/month infrastructure cost (Pattern #30: $0 marginal cost)

• Attribution rate should increase (proper users cite sources)



• 15,000 requests/month

• Still same infrastructure (centralized BRAIN)

• Might need to add CDN caching (Cloudflare already in place)

• Revenue from Professional tier ($49/month) covers costs at 2 customers


The motorcycle runs. The question is whether I'm ready to take it out of the garage.


Why I'm Writing This Instead of Announcing


Honesty time: Writing this blog post is procrastination with extra steps.


I could write a LinkedIn post right now: "Free STIX 2.1 threat intelligence feed. 244 discoveries CrowdStrike missed. Drop-in replacement for $10K-100K/year vendor feeds. analytics.dugganusa.com/api/v1/stix-feed"


That's 27 words. This blog post is 1,200+ words explaining why I haven't written those 27 words.


But here's the thing: This post serves a purpose. It's evidence. When someone asks "How long have you been working on this?" I can point to this and say "I was production-ready November 14, 2025, and spent two weeks being scared to announce it."


That's The Aristocrats Standard. Show the gap between ready and real. Admit the fear. Document the procrastination.


The Announcement (Eventually)


I'll announce it. Maybe tomorrow. Maybe next week. Maybe after I finish reading *Zen and the Art of Motorcycle Maintenance* again.


When I do announce, here's what I'll say:


> Free STIX 2.1 threat intelligence feed.
> 244 unique discoveries billion-dollar vendors missed.
> 492 indicators updated continuously.
> Drop-in replacement for CrowdStrike/Palo Alto/Microsoft feeds.
> Zero cost. Zero restrictions (CC0-1.0 license).
> analytics.dugganusa.com/api/v1/stix-feed
>
> Integration guides: Splunk, Sentinel, Wiz, CrowdStrike, Cortex XDR.
>
> Yes, we're a bootstrapped Minnesota LLC.
> Yes, we found threats they missed.
> Yes, you should verify before trusting.
> Yes, it's actually free.


Until then: The feed runs. The infrastructure scales. The documentation waits. The threat intelligence protects... 14 IP addresses, most of which are me.


Quality exists whether or not you announce it. But impact requires announcement.


I'll get there. Right after I finish pondering.




Appendix: How to Verify My Claims


Don't trust. Verify.



```bash
# Fetch the feed (URL quoted so the shell does not treat "?" as a glob character)
curl -s "https://analytics.dugganusa.com/api/v1/stix-feed?days=7" | jq .
```


If the numbers don't match my claims, call me out. That's The Aristocrats Standard.
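One way to run that check against a saved bundle, as an added example (not DugganUSA's code): it counts indicator objects, de-duplicates the observable values, and reports the share that is absent from your own intel set. It assumes the feed returns a standard STIX 2.1 bundle whose indicators use simple equality patterns; `check_feed`, the sample bundle and the `own_intel` set are constructed for illustration.

```python
import json
import re

# Constructed sample bundle (documentation addresses, not real feed data).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "identity", "id": "identity--00000000-0000-4000-8000-000000000002",
         "name": "constructed-producer"},
        *[{"type": "indicator", "pattern_type": "stix", "pattern": p,
           "id": f"indicator--00000000-0000-4000-8000-0000000001{n:02d}"}
          for n, p in enumerate([
              "[ipv4-addr:value = '192.0.2.10']",
              "[ipv4-addr:value = '198.51.100.7']",
              "[ipv4-addr:value = '198.51.100.7']",   # duplicate observable
              "[domain-name:value = 'Bad.Example']",  # case differs from own intel
              "[ipv4-addr:value = '203.0.113.5']",
          ])],
    ],
})

# Simple equality comparisons only; richer STIX patterns need a real pattern parser.
COMPARISON = re.compile(r"\b(ipv4-addr|ipv6-addr|domain-name):value\s*=\s*'([^']+)'")

def check_feed(bundle_text, own_intel):
    """Count indicators in a STIX 2.1 bundle and measure how many you lack."""
    bundle = json.loads(bundle_text)
    if bundle.get("type") != "bundle":
        raise ValueError("response is not a STIX bundle")
    indicators = [o for o in bundle.get("objects", [])
                  if o.get("type") == "indicator" and o.get("pattern_type") == "stix"]
    values = set()
    for ind in indicators:
        for _kind, value in COMPARISON.findall(ind.get("pattern", "")):
            values.add(value.lower())  # IPs and domains compare case-insensitively
    missing = sorted(values - {v.lower() for v in own_intel})
    return {
        "indicator_objects": len(indicators),
        "distinct_values": len(values),
        "not_in_own_intel": missing,
        "unique_rate": len(missing) / len(values) if values else 0.0,
    }

if __name__ == "__main__":
    # own_intel is a constructed stand-in for your existing indicator set.
    print(check_feed(SAMPLE_BUNDLE, {"198.51.100.7", "bad.example"}))
```

The rate computed here is relative to whatever you pass as `own_intel`, so it measures overlap with your sources, not with the vendors named in the post.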




DugganUSA LLC - Minnesota Contact: [email protected] Philosophy: Born Without Sin. 95% Epistemic Humility. Partnership Over Predation.


*The motorcycle runs. The question is when to ride.*

