Aegis Pre-Alpha: We Deliver What Others Promise. True Brand Protection Live At analytics.dugganusa.com/brands-under-attack — The Methodology That Flagged Medtronic 39 Days Early.
- Patrick Duggan
May 8, 2026 · DugganUSA LLC
We deliver what others promise.
Tonight we shipped the pre-alpha of Aegis — the public launch of true brand protection. Not the takedown-after-the-fact that the brand-protection vendors sell. The structural-prediction product they promised. Live page at https://analytics.dugganusa.com/brands-under-attack.html. Public API at /api/v1/watch-list. Free read access, no login, refreshes every sixty seconds.
This post is the announcement and the receipt.
What Aegis Is
Aegis is a public live watch list of brands at structural risk of breach, scored by the same methodology that flagged Medtronic on March 16, 2026. Six weeks later, ShinyHunters posted nine million Medtronic records on a dark-web forum. SEC Form 8-K disclosure followed within the week. The 39-day lead time on the Medtronic warning was not luck. It was the matrix.
The matrix produced two thresholds that have held against actual breach outcomes in the medical-device vertical: companies with more than two hundred dev/test subdomains have a one-hundred-percent breach rate (Stryker at 315, breached March 11; Medtronic at 239, breached April 17). Companies under fifteen dev/test subdomains have a zero-percent rate (Boston Scientific, Intuitive Surgical, Datavant). The threshold rule is empirical, not theoretical, and the page applies it live to today's candidate set every time a visitor loads the URL.
The page itself is a brand cloud — Fortune 500 logos arranged by size of structural risk, pulsing when the actor cluster has pre-registered a target-shaped phishing domain in our public STIX feed. Click any logo and you get the full structural breakdown — subdomain count, dev/test ratio, VPN/access portal exposure, API endpoint surface, healthcare-specific endpoints, plus the real-time strict-match IOC count from our index that hour. The methodology comparison vs Medtronic and Stryker sits next to each candidate so the math is legible.
The first cohort visible on the page tonight: CVS Health (978 subdomains, 389 dev/test — exceeds Medtronic by a meaningful margin), Kaiser Permanente (967 subs, 96 VPN/access portals — highest in our scan, exceeds Medtronic's 77 by twenty-five percent), Optum (586 subs, 213 dev/test, 350 API endpoints — the integration spine that ShinyHunters' demonstrated TTP family is built to exploit), CVS (cvs.com, 723 subs, 231 dev/test). Plus three Tier-2 names where the actor has already pre-registered a target-shaped phishing domain even though the structural footprint is lighter — Moderna, Nike, and Comcast all have actor-registered lures cataloged in our public STIX feed.
Not What Doppel Sells
The brand-protection category as currently sold is dominated by a vendor whose product is the takedown notice. They scan for brand impersonation domains, file legal notices, and bill the customer roughly two hundred thousand dollars per year for the service. The takedown is the deliverable. The breach has already happened by the time the takedown lands.
Aegis is the inversion. The takedown is the wrong endpoint. The right endpoint is the structural prediction that says this brand is sitting on a Medtronic-shaped attack surface and is going to be hit by an actor cluster whose pre-staging is already visible in our public STIX feed. The action is to harden before the breach, not to file paperwork after.
The substance under the brand-protection term is the prediction. Doppel sells the term. Aegis sells the substance. Their tier costs two hundred thousand dollars per year to do the wrong thing. Our Pro tier costs ninety-nine dollars per month to do the right thing, with promo code RESCUEME bringing the first month to fifty-nine dollars and forty cents.
This is not metaphorical. Earlier this week we received a takedown notice from the brand-protection vendor in question, citing a USPTO trademark whose registered scope was Class 044, "temporary rental of surgical and medical equipment." We had written critical commentary about a publicly-disclosed SEC Item 1.05 breach event affecting one of their customers. The takedown notice was filed during the active disclosure window, on the basis of a trademark scope that did not even cover cybersecurity content. That is what the brand-protection product sounds like in practice. Aegis sounds different.
The Methodology, Plain English
Five signals, applied together:
One: subdomain sprawl with high dev/test ratio. Public DNS data, observable via Shodan. Dev, test, staging, UAT, sandbox subdomains exposed externally. The two-threshold rule (more-than-two-hundred dev/test = one-hundred-percent historical breach rate, less-than-fifteen = zero) is the load-bearing signal.
Two: VPN/access portal sprawl. Each portal is a candidate target for SSO-impersonation phishing. Medtronic was at seventy-seven access portals, the highest in the medical-device vertical at flag time, and was breached. Kaiser Permanente is at ninety-six tonight.
Three: API surface. Optum's three hundred fifty API endpoints is the largest API footprint we have ever scanned. ShinyHunters' Salesforce-Multi-Org-Fetcher TTP family is specifically built to exploit integration-spine-shaped targets. The API count is a leading indicator for that adversary surface.
Four: actor pre-registration of phishing infrastructure. The ShinyHunters cluster has registered target-shaped phishing domains in our public STIX feed for Moderna, Nike, Comcast, and others. The phishing kit is the planning artifact — the actor pre-registers target-specific lures before deployment. Independent of structural rank.
Five: AIPM presence gap and identity-provider concentration. Workday plus Okta plus Microsoft plus SharePoint is the identity-provider quadrant the actor cluster has demonstrated TTP against. Customers with concentrated identity-provider footprints in that quadrant are operating at higher risk.
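Signal one can be checked against an organization's own hostname inventory. The following is an added example, not Aegis code: the token-matching rule, the band names and the `example.com` inventory are assumptions made here, and only the environment names and the two thresholds come from the post.

```python
import re

# Environment tokens named in signal one: dev, test, staging, UAT, sandbox.
ENV_TOKENS = {"dev", "test", "staging", "uat", "sandbox"}
# Assumption: a token counts only when it is a whole label or is delimited by
# "-", "_" or digits ("dev2", "api-test"), so "device" and "latest" do not.
_DELIMS = re.compile(r"[-_\d]+")


def is_dev_test(hostname: str, apex: str) -> bool:
    """True if a label left of the apex carries an environment token."""
    host, apex = hostname.lower().rstrip("."), apex.lower()
    if not host.endswith("." + apex):
        return False  # the apex itself, or a name under another domain
    labels = host[: -(len(apex) + 1)].split(".")
    return any(p in ENV_TOKENS for lab in labels for p in _DELIMS.split(lab))


def assess(hostnames, apex: str) -> dict:
    """Count dev/test subdomains and place the count against the post's thresholds."""
    hosts = {h.lower().rstrip(".") for h in hostnames}  # de-duplicate
    subs = {h for h in hosts if h.endswith("." + apex.lower())}
    flagged = sorted(h for h in subs if is_dev_test(h, apex))
    n = len(flagged)
    if n > 200:
        band = "over-200"      # post: every scanned company here was breached
    elif n < 15:
        band = "under-15"      # post: no scanned company here was breached
    else:
        band = "between"       # the post states no rate for this range
    ratio = round(n / len(subs), 3) if subs else 0.0
    return {"subdomains": len(subs), "dev_test": n, "ratio": ratio,
            "band": band, "flagged": flagged}


# Constructed inventory for a placeholder apex; not data from the post.
SAMPLE = [
    "www.example.com", "dev.example.com", "api-test.eu.example.com",
    "staging2.example.com", "uat_portal.example.com", "device.example.com",
    "latest.example.com", "DEV.example.com.", "dev.example.com.other.net",
]

if __name__ == "__main__":
    print(assess(SAMPLE, "example.com"))
```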
What Aegis does NOT use, explicitly: IOC fuzzy-substring counts. An earlier methodology iteration this week ranked candidates by IOC counts that turned out to be substring matches against the target name (yex.express, maco-express.com — none of which are actual targets). Strict-match verification returns near-zero IOCs even for confirmed-breached comparators like Medtronic. The IOC count column was decorative; structural data is the load-bearing signal. Aegis's methodology version 1 is now structural-only with strict-match IOC count as a secondary live signal.
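The difference between the discarded substring count and a strict match, as an added example that is not Aegis's implementation: the post does not define its strict-match rule, so whole-token equality is assumed here, and every sample domain other than the three lures the post names is constructed.

```python
import re

# Brand tokens per watched brand. "modernatx" is an assumed alias, taken from
# the lure the post lists for Moderna; the token sets are illustrative.
BRANDS = {
    "moderna": {"moderna", "modernatx"},
    "nike": {"nike"},
    "comcast": {"comcast"},
}

# First three: lures named in the post. The rest are constructed lookalikes.
INDICATORS = [
    "modernatx-zoom.com", "workday-nike.com", "sharepoint-comcast.com",
    "modernart-prints.example", "minikeyboards.example",
    "comcastic-deals.example",
]


def tokens(domain: str) -> set:
    """Tokens of every label except the last, split on '-' and '_'.
    Simplification: the last label is treated as the public suffix."""
    labels = domain.lower().rstrip(".").split(".")[:-1]
    return {t for lab in labels for t in re.split(r"[-_]", lab) if t}


def substring_match(domain: str, brand: str) -> bool:
    """The discarded approach: brand name anywhere in the string."""
    return brand in domain.lower()


def strict_match(domain: str, brand: str) -> bool:
    """Assumed strict rule: a brand token must equal a whole token of the name."""
    return bool(tokens(domain) & BRANDS[brand])


def compare(indicators=INDICATORS) -> dict:
    """Per brand: strict hits, and substring hits that strict matching rejects."""
    report = {}
    for brand in BRANDS:
        strict = [d for d in indicators if strict_match(d, brand)]
        loose = [d for d in indicators if substring_match(d, brand)]
        report[brand] = {"strict": strict,
                         "substring_only": [d for d in loose if d not in strict]}
    return report
```

Whole-token matching trades recall for precision: a lure that joins the brand to another word without a delimiter is not counted.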
Pricing
The conversion path is closed-loop and works as of tonight:
| Tier | Price | Daily queries | What it includes |
| --- | --- | --- | --- |
| Free | $0 | 25/day, permanent | Full STIX bundle, all defender plugins, public watch list page, no SLA |
| Pro | $99/mo ($948/yr — 20% off) | 2,000/day | OPNsense + Suricata feeds, Tor relay & attribution API, Butterbot onboarding, 24h email SLA, integration support docs. Promo RESCUEME = 40% off first month → $59.40. |
| Enterprise | $995/mo ($9,950/yr — 20% off) | 50,000/day | Everything in Pro + 4h response SLA, dedicated agent context, priority IOC ingestion (1h), custom integration support, quarterly threat briefing, behavioral intelligence API, attack surface scanner against the customer's own footprint |
| Custom | — | On-prem, white-label, above-Enterprise volume |
Source of truth: https://analytics.dugganusa.com/stix/pricing. Stripe checkout on the same page. Regional purchasing-power adjustment is automatic at checkout.
Why "Aegis"
The Aegis was the shield of Zeus and Athena in Greek myth. Bearer's protection — the shield carried into battle, not the legal letter sent afterwards. The translation is direct: Aegis is the structural shield against the breach that has not happened yet. Brand protection as a category is meaningful when it shields. The takedown letter sent after the fact is the bandage. Aegis is the shield.
The four words that hold the whole product, including the pricing model and the methodology and the public deliverable: we deliver what others promise. The category vendors charge two hundred thousand dollars per year and promise structural protection of the brand. They deliver the takedown notice. We charge ninety-nine dollars per month and ship the structural protection itself, live, public, refreshing every sixty seconds. Same active ingredient. Different product. Different price. Different category, frankly — the takedown product is regulatory paperwork; the prediction product is the actual job.
What Pre-Alpha Means
Pre-alpha means the methodology is live and the receipts are real, but the next iteration may shift things based on what the data says next week. The current candidate set is seven names plus two breached comparators. The next iteration will probably add more healthcare and financial-services names, refine the structural-risk weighting, and ship a daily refresh cron so the structural data updates automatically rather than via the current twenty-four-hour cache.
What is locked: the public API at /api/v1/watch-list, the methodology version in the response body, the 95% epistemic cap on every numeric claim, the Pro tier at ninety-nine dollars per month with the RESCUEME promo. What may evolve: the candidate set, the band thresholds, the visualization treatment, the per-target detail page schema. Pre-alpha is the honest label for that posture.
The Conversion Math
If you operate security at a Fortune 500 organization that appears on the watch list, the per-target outreach is on its way through whatever PSIRT channel exists for your org. We are reachable at [email protected] for same-business-day cross-check on the structural data, the methodology, and the recommended action sequence (rotate Workday + Okta + Microsoft + SharePoint integration credentials, force MFA enrollment, hunt thirty days of IDP authentication logs, scan SaaS-integrated tools for unauthorized configuration changes, pull our public STIX feed and cross-reference your environment).
If you operate security at an organization not on the list and you would like the same kind of structural assessment against your own footprint, that is a paid engagement at the Enterprise tier or above. Custom-scoped via [email protected].
If you are a defender at any size of organization and you want to validate the methodology by running it against a brand you operate or care about, the public Free tier is twenty-five queries per day, permanent, no login. Same active ingredient as every paid tier — the load-bearing signal is structural, the secondary signal is the actor pre-registration in our public STIX feed, and both are visible to anyone with twenty-five queries per day to spend.
Summary For The Person Reading This At 11pm
Aegis is the brand-protection product Doppel promised and did not ship. It is live tonight as a pre-alpha public surface at https://analytics.dugganusa.com/brands-under-attack.html. The methodology produced the Medtronic prediction six weeks before the ShinyHunters disclosure; the same methodology is applied live to today's candidate set on every page load. Pro tier is ninety-nine dollars per month with RESCUEME promo bringing the first month to fifty-nine dollars and forty cents. The conversion pipe is closed-loop; the prior six-day Pro-checkout outage was fixed in tonight's deploy.
We are reachable at [email protected].
— Patrick Duggan
DugganUSA LLC, Minneapolis
Aye.
Receipts
Pre-alpha launch URL: https://analytics.dugganusa.com/brands-under-attack.html
Public API: GET /api/v1/watch-list and GET /api/v1/watch-list/target/:domain (anonymous, no auth, CF-cacheable)
Methodology version: structural-attack-surface-v1
Validation comparator anchors: Stryker (920 subs / 315 dev/test → breached March 11, 2026 by Iran/Handala), Medtronic (915 subs / 239 dev/test / 77 VPN portals → breached April 17, 2026 by ShinyHunters)
Tier 1 Aegis candidates: CVS Health, Kaiser Permanente, Optum, CVS
Tier 2 (named in cataloged ShinyHunters phishing): Moderna (modernatx-zoom.com), Nike (workday-nike.com), Comcast (sharepoint-comcast.com)
Methodology defect explicitly NOT used: IOC fuzzy-substring counts. Caught and corrected in the same week the watch-list-publication methodology was first iterated.
Public STIX feed: analytics.dugganusa.com/api/v1/stix-feed (25 queries/day free)
Pricing source of truth: analytics.dugganusa.com/stix/pricing
95% epistemic cap applies to every claim above. Pre-staging volume does not equal certainty of breach. Some Tier 1 names may not be hit; some not on this list will be. The historical thresholds hold against the scanned-and-confirmed set, not the universe.
Aegis: shield of Zeus and Athena. Greek myth. The translation is the product positioning.
Reach us: [email protected]
Her name was Renee Nicole Good.
His name was Alex Jeffery Pretti.
