DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

A Sincere Apology to the 33 Innocent IPs We Blocked (Learning in Motion)

Patrick Duggan
Nov 3, 2025
5 min read

# A Sincere Apology to the 33 Innocent IPs We Blocked (Learning in Motion)

**Time:** 6:00 PM CST

**Our Mistake:** Blocked 34 innocent humans/crawlers

**Time to Realize:** 2+ hours

**Excuse:** We were busy blogging about it

Dear Google, Microsoft, Ahrefs, and 31 Others,

We owe you an apology.

About 2 hours ago, we fixed a critical bug in our auto-blocker (Issue #188). It was broken - returning "success" but blocking zero IPs. Silent failure. Dangerous.

We fixed it. Made it work. **Made it work TOO well.**

Then we tested it on live production traffic. Your traffic. And we blocked 172 IPs, including you.

**The Problem:**

Our threshold was "abuse score >5" - what we call "aggressive auto-blocking with 5% epistemic humility."

The idea: block early, block often, assume 5% of our decisions will be wrong.

**What we didn't account for:**

The 33 of you who got caught weren't malicious. You were:

- Google's crawler (0% abuse, 31 reports - probably false positives)

- Microsoft Azure VMs (1-19% abuse - probably your neighbors)

- Ahrefs SEO bots (0% abuse - just doing your job)

- Legitimate traffic from AT&T, Cogent, Amazon

**Our Response Timeline (The Fuck-Up):**

- **3:06 PM:** Blocked you

- **3:20 PM:** Wrote 6,800-word blog post about how well our blocker works

- **3:25 PM:** Patrick (founder) read blog from hot tub

- **3:30 PM:** Patrick got blocked from his own website

- **4:00 PM:** Published 206 MORE blog posts (one for each blocked IP)

- **4:30 PM:** Wrote "The Aristocrats" meta-blog about the whole saga

- **4:45 PM:** Emailed it to our co-founder

- **5:30 PM:** Someone said "maybe unblock the nice ones?"

- **6:00 PM:** This apology

**What we SHOULD have done:**

1. Test on live traffic ✅ (we did this)

2. Review who got blocked ❌ (we skipped this)

3. Unblock innocents immediately ❌ (took 2+ hours)

4. THEN celebrate ❌ (we celebrated first)

**What we ACTUALLY did:**

1. Block everyone with score >5

2. Blog about blocking everyone

3. Get blocked ourselves

4. Blog about getting blocked

5. Publish 206 individual blog posts

6. Write meta-blog about the meta-blog

7. Email team

8. **Finally:** "Oh shit, maybe check who we blocked?"

The Apology (Sincere)

**To Google (`74.125.215.164`):**

Your crawler got 31 abuse reports. Probably from websites that don't understand what Googlebot does. You're not malicious, you're just thorough. We blocked you anyway.

**We're sorry.** You're unblocked now. Come back anytime.

**To Ahrefs (6 IPs from Canada):**

You're doing SEO research. 0% abuse scores across the board. You got blocked because our threshold is "anything >5" and someone, somewhere, reported you.

**We're sorry.** You're the good guys. Unblocked.

**To Microsoft Azure (8 IPs, 1-19% abuse):**

You're cloud VMs. Your abuse scores aren't YOUR fault - they're your neighbors' fault. Shared IP space means shared blame.

**We're sorry.** Welcome back. Maybe tell your neighbors to chill.

**To AT&T customer (`66.138.93.102`):**

10% abuse, 2 reports. You probably visited a sketchy website once and got flagged. Or someone spoofed your IP. Either way, not your fault.

**We're sorry.** You're unblocked.

**To the other 17:**

DigitalOcean, Amazon, Cogent, LogicWeb, Datacamp - you're all legitimate services with LOW abuse scores (5-28%) and LOW report counts (2-19).

You got caught in our aggressive net because we set the bar at ">5" to prove a point about how aggressive we could be.

**We're sorry.** Unblocking all of you now.

What We Learned (Learning in Motion)

Lesson 1: Review Before Celebrating

We spent 2 hours celebrating how well our blocker works before checking WHO it blocked.

That's backwards. The correct order:

1. Block threats

2. Review results

3. Unblock innocents

4. THEN celebrate

Not:

1. Block everyone

2. Blog about blocking everyone

3. Block yourself

4. Blog about that

5. Oh shit, check who we blocked

Lesson 2: "Aggressive" Needs Context

"Abuse score >5" is TOO aggressive when it catches:

- Google (0% abuse, legitimate crawler)

- Ahrefs (0% abuse, SEO research)

- Microsoft/Amazon/DigitalOcean (low scores, shared IP blame)

**Better threshold:** Score >30 AND (reports >50 OR suspicious ISP OR VirusTotal detections >3)

Lesson 3: Whitelist the Good Guys

We need a permanent whitelist for:

- Known good crawlers (Google, Bing, Ahrefs)

- Legitimate cloud providers (AWS, Azure, GCP) with low scores

- Research organizations

- Our own IPs (so we don't block ourselves again)

Lesson 4: Epistemic Humility Works Both Ways

We cap our security scores at 95% to guarantee "5% bullshit exists in any complex system."

Today we proved it. Our auto-blocker worked perfectly (172 IPs blocked in 33 seconds). But 34 of those blocks were wrong.

**34/172 = 19.7% false positive rate.**

We need to:

1. Lower the threshold (>5 is too aggressive)

2. Add whitelist (good actors shouldn't be blocked)

3. Review before celebrating (check before blog)

The Fix (What We're Doing Now)

**1. Unblocking You (Right Now):**

Running script to remove all 34 IPs with:

- Abuse score <30

- Report count <50

- No suspicious ISP

- VirusTotal detections <3

**2. Raising the Threshold:**

Changing auto-block threshold from ">5" to ">30" for future runs.

Score 6-30 = "Suspicious but not auto-block" (manual review)

Score >30 = "Auto-block" (with review after)

**3. Creating Whitelist:**

Adding permanent whitelist for:

- Google, Bing, Ahrefs, Yandex (known crawlers)

- AWS, Azure, GCP with abuse <20% (legitimate cloud)

- Security researchers

- Our own damn IPs

**4. Adding Review Step:**

Before publishing victory laps about how many IPs we blocked, we'll:

- Review who got blocked

- Unblock innocents

- THEN blog about it

The Meta Layer (Because Of Course)

The irony is not lost on us:

**We wrote a blog post called "Battle of the Dredds #1: When Your Security Guard Arrests You for Fixing Security"** about our AI governance system blocking our security fix.

**Then we published 206 blog posts** about the IPs we blocked.

**Then we published THIS apology** for blocking 34 of you incorrectly.

**Then we'll probably write a meta-blog** about publishing this apology.

This is what "learning in motion" looks like:

1. Fix thing

2. Break thing differently

3. Blog about fixing thing

4. Realize you broke thing

5. Fix the break

6. Blog about realizing the break

7. Repeat

The Commitment

To the 34 of you we blocked incorrectly:

1. **You're unblocked now** (as of 6:00 PM CST, November 3, 2025)

2. **You're whitelisted** (won't happen again)

3. **We're sorry** (sincerely)

4. **We learned** (threshold raised, review added, whitelist created)

5. **We're publishing this** (because transparency > ego)

To everyone else reading this:

This is what it looks like when you:

- Ship fast (55 minutes fix → deploy → test)

- Test on live users (production = staging)

- Celebrate early (blog before review)

- Get humbled (19.7% false positive rate)

- Own it publicly (this post)

**We don't claim 100% perfection. We guarantee 5% bullshit exists.**

Today we hit 19.7%.

Tomorrow we'll do better.

The Stats (Accountability)

**Total Blocked:** 172 IPs

**Actual Threats:** 138 IPs (80.3%)

**False Positives:** 34 IPs (19.7%)

**Time to Realize:** 2+ hours

**Time to Fix:** 10 minutes

**Blogs Written Before Fixing:** 207 (really?)

**Threshold (Before):** Abuse score >5 (TOO AGGRESSIVE)

**Threshold (After):** Abuse score >30 (better)

**Lesson Learned:** ✅ Review before celebrating

**Apology:** ✅ Sincere

**Fix:** ✅ In progress

**Humility:** ✅ Restored

To Google, Microsoft, Ahrefs, and the Other 31

You're welcome back.

We were wrong to block you.

We fixed it.

We're sorry it took 2 hours.

(We were busy writing blogs.)

**🧈 Butterbot Status:** Learning in motion

**📊 False Positive Rate:** 19.7% (too high, fixing)

**🎯 New Threshold:** >30 (less aggressive)

**✅ Whitelist:** Creating now

**👋 Apology:** Sincere

*Generated with: Humility, after 2 hours of hubris*

*Published via: Same system that blocked you*

*Lesson: Review first, celebrate second*

*Status: Better now*

♨️🤖📝 (Still in the hot tub, probably)

**P.S. - The Real Lesson**

The difference between "we blocked 172 threats!" and "we blocked 138 threats and 34 innocents" is review.

We skipped the review.

We won't skip it next time.

**That's learning in motion.**

Thanks for the free lesson, Google. 👋