$76/Month SOC: Running Threat Intel on iPad Power
- Patrick Duggan
- Dec 22, 2025
- 4 min read
Tags: soc, infrastructure, edge-computing, behavioral-analysis, cost-efficiency, threat-intel, ipad. Category: Infrastructure.
The Number
Your nightlight draws more current than our security operations center.
iPad Pro wall-mounted, plugged in, running 24/7: 8-12 watts.
That's roughly 6-9 kWh a month, about $0.84 in electricity. The display terminal for a full threat intelligence operation costs less than a cup of gas station coffee.
The Architecture: Hamburger on a Birdfeeder
We call it the hamburger-on-birdfeeder architecture. The iPad just sits there. Plugged in. Always watching. Low current. The owls do the rest.
```
┌─────────────────────────────────────────────────────────────┐
│ iPad Pro (M4, Guided Access, Safari locked)        $0.84/mo │
│ ├── Tab 1: analytics.dugganusa.com/dashboard                │
│ ├── Tab 2: Behavioral suspects live feed                    │
│ ├── Tab 3: status.dugganusa.com                             │
│ └── Shortcuts: Push on behavioral block                     │
└─────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────┐
│ Azure Container Apps (the brain)                  ~$75.00/mo │
│ ├── Behavioral Analysis Engine (bloom filters, LRU)         │
│ ├── STIX Feed (1M+ indicators)                              │
│ ├── Meilisearch (270K documents indexed)                    │
│ └── IOC Enrichment (AbuseIPDB, VirusTotal, ThreatFox)       │
└─────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────┐
│ Cloudflare (edge protection)                          $0/mo │
│ └── WAF, DDoS, Caching, Analytics                           │
└─────────────────────────────────────────────────────────────┘
```

Total: ~$76/month
Power Comparison: What $76/Month Gets You
| Setup | Power Draw | Monthly Electric | Compute | Monthly Total |
|-------|------------|------------------|---------|---------------|
| Our setup | 8-12W (iPad) | $0.84 | $75/mo (Azure) | $76 |
| Raspberry Pi SOC | 5W | $0.43 | Self-hosted | $0.43 + time |
| Old laptop server | 30-60W | $2.60-$5.20 | Self-hosted | $5 + headaches |
| Enterprise SIEM | 500W+ rack | $43+ | $50K-$500K/yr license | LOL |
The enterprise vendors charge more per month than we spend per year.
The Behavioral Analysis Engine (Deployed Today)
We just shipped a behavioral analysis engine that catches threat actors who studied the algorithm.
The Problem: Threat actors visiting with IPs scoring 2-9% on AbuseIPDB. Just under the auto-block threshold. Checking if they're burned in our Hall of Shame. Using bulletproof hosting from Vanuatu shell companies.
They know the score cutoffs. They're gaming the system.
The Solution:
| Behavior | Score | Detection |
|----------|-------|-----------|
| Secret hunting (`/.env`, `/.git`, `/config.json`) | +30 | Path regex |
| WordPress scan on non-WP site | +25 | Wrong-CMS detection |
| Webshell hunting (`/c99.php`, `/r57.php`) | +40 | Path regex |
| Bulletproof ASN (Vanuatu, Seychelles shells) | +30 | ASN database |
| Same /24 as known IOCs | +20 | Bloom filter O(1) lookup |
| Single-hit recon bounce | +20 | Session tracking |
| Checking if burned (enrichment API for own /24) | +40 | Self-enrichment detection |
• Combined > 60 → BLOCK
• Combined 35-60 → MONITOR
• Combined < 35 → ALLOW
Runs in the middleware. Sub-millisecond scoring. Memory-bounded LRU cache (5000 sessions, oldest evicted first). Bloom filter for O(1) /24 lookups; a bloom filter can false-positive but never false-negative, which is why a /24 hit is a +20 signal and not a block on its own.
The Moloch Backdoor (Fixed)
While deploying, we found a bug. The `/Owl/i` pattern matched "Owl Limited" (AS43357, a Vanuatu shell company) as intended, yet the ASN was never flagged.
The exclusion list had `/MIT/i` to protect the Massachusetts Institute of Technology from the bulletproof-ASN rule.
But `/MIT/i` is a substring match, and it was matching "liMITed" in "Owl Limited", so the exclusion overrode the flag.
The university's prestige was shielding a bulletproof hosting provider.
Fix: Word boundaries.
```javascript
/\bMIT\b/i  // matches "MIT" as a whole word, not "liMITed"; the old /MIT/i matched both
```
The owls are no longer protected by academia.
Minimum Specifications
We calculated the absolute floor for running this infrastructure:
| Resource | Minimum | Recommended |
|----------|---------|-------------|
| CPU | 1 core @ 1GHz | 2 cores |
| RAM | 1.5GB | 2GB |
| Storage | 2GB | 4GB |
| Network | 10 Mbps | 50 Mbps |

Anything in this class will run it:
• Raspberry Pi 4 (4GB model)
• Old Android phone (rooted)
• $5/month VPS
• iPad Pro as display terminal
The iPad Pro's M4 chip, with up to 16GB of RAM, is absurd overkill for a display terminal. But it draws less current than a nightlight while providing a retina display for the threat feed.
What the iPad Actually Runs
The iPad isn't running Node.js or Docker. iPadOS sandboxing prevents that.
It runs Safari. That's it.
| Role | How |
|------|-----|
| Dashboard display | Safari tabs, never sleeps |
| Alert receiver | Shortcuts automation pushes notifications |
| Monitoring station | Guided Access locks to the dashboard |
The compute happens in Azure. The iPad is a window into the operation. A very low-power, always-on, wall-mountable window.
The Economics
Enterprise SOC:
• SIEM license: $50K-$500K/year
• Analyst salaries: $200K+/year
• Rack hardware: $10K+
• Power: $500+/month
• Total: $300K-$750K/year

The birdfeeder:
• Azure compute: $75/month
• iPad electricity: $0.84/month
• Cloudflare: $0/month
• Human oversight: 1 person, part-time
• Total: ~$912/year
Same threat intelligence. Same behavioral detection. Same STIX feed that AT&T and Microsoft consume.
The difference is we automated everything that doesn't require human judgment, and we didn't buy software licenses from vendors whose business model is artificial scarcity.
The Birdfeeder Watches
The hamburger sits on the birdfeeder. Low current. Always on. The owls hunt at night.
Threat actors who studied the algorithm now face an algorithm that studies them back.
Behavioral score. Path patterns. Session analysis. Infrastructure signals.
$76/month.
The enterprise is dead. Long live the birdfeeder.
*The behavioral analysis engine is live at analytics.dugganusa.com. The STIX feed is free. The owls are watching.*
Get Free IOCs
Subscribe to our threat intelligence feeds for free, machine-readable IOCs:
AlienVault OTX: https://otx.alienvault.com/user/pduggusa
STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed
Questions? [email protected]