
Anti-Fragile Architecture: 10 Patterns That Survive Chaos

  • Writer: Patrick Duggan
  • Dec 6, 2025

TL;DR: When Cloudflare went down twice in three weeks, we served STIX feeds uninterrupted. Here's how we built a threat intelligence platform that gets stronger from failure, not weaker.




The Test


December 5, 2025. Cloudflare's WAF config change takes down Zoom, X, Canva, LinkedIn, trading apps, and banks. 25 minutes of chaos. Millions of users staring at 500 errors.


November 18, 2025. Same story. Different bug. Hours of outages across ChatGPT, Spotify, Shopify, and more.


DugganUSA Threat Intelligence: Zero downtime. Both times.


Not because we're smarter. Because we designed for failure.




Pattern 1: No Single Point of Failure CDN


Most of the internet runs through Cloudflare. That's a feature until it's a bug.


We deploy directly to Azure Container Apps. No CDN middleman. When Cloudflare's WAF update propagated bad configs across their global network, we weren't in the blast radius.


The lesson: Dependencies are liabilities. Every hop is a failure point.




Pattern 2: Preserve Code, Kill Compute (Pattern 29)


Our containers are stateless. All persistent state lives in Azure Tables.



• Spin up new container

• It reads state from Tables

• Back online in minutes


The snake cult can't burn what they can't find. Code is in git. Data is in Tables. Compute is disposable.




Pattern 3: Drone→Brain Separation (Pattern 30)


Two services, two purposes:



• security.dugganusa.com (Drone): Lightweight UI, operations dashboard

• analytics.dugganusa.com (Brain): Heavy compute, STIX feeds, threat intel processing


When the Brain is crunching through 23,000 IOCs, the Drone stays responsive. When the Drone needs updates, the Brain keeps hunting.


Scale independently. Fail independently. Recover independently.




Pattern 4: Docker Dependency Resilience (Issue #116)



```javascript
let Client, SecretClient;
try {
  Client = require('@microsoft/microsoft-graph-client').Client;
  SecretClient = require('@azure/keyvault-secrets').SecretClient;
  console.log('Graph API dependencies loaded');
} catch (e) {
  console.log('Graph API not available (email disabled)');
}
```


Optional imports with try/catch. If Graph API isn't available, the container still runs. If Azure Tables aren't configured, we fall back to local files.


Graceful degradation, not cascading failure.
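A blanket `catch` around `require` also hides real defects, such as a broken transitive dependency, and a silently disabled email channel is easy to miss. The sketch below is an added example, not DugganUSA's code: it degrades only when the named package itself is absent and records the result for a health check. `loadOptional`, `requireFeature`, `healthReport` and the feature names are hypothetical.

```javascript
// Added example, not DugganUSA code. Names below are hypothetical.
const features = {};

// Load an optional package. Degrade only when that exact package is absent.
function loadOptional(feature, moduleName) {
  try {
    const mod = require(moduleName);
    features[feature] = { available: true, reason: null };
    return mod;
  } catch (err) {
    // A missing transitive dependency or a syntax error inside the package
    // is a real defect: rethrow so startup fails loudly instead of hiding it.
    const absent = err.code === 'MODULE_NOT_FOUND' &&
      err.message.includes(`'${moduleName}'`);
    if (!absent) throw err;
    features[feature] = { available: false, reason: `${moduleName} not installed` };
    return null;
  }
}

// Guard used at call sites so a disabled feature yields a clear error
// rather than "Cannot read properties of undefined".
function requireFeature(feature) {
  const state = features[feature];
  if (!state || !state.available) {
    const why = state ? state.reason : 'never loaded';
    throw new Error(`feature "${feature}" is disabled: ${why}`);
  }
}

// Summary for a health endpoint or startup log, so a silently disabled
// alert channel shows up in monitoring.
function healthReport() {
  const degraded = Object.keys(features).filter((f) => !features[f].available);
  return { status: degraded.length ? 'degraded' : 'ok', degraded };
}

const graph = loadOptional('email', '@microsoft/microsoft-graph-client');
const keyvault = loadOptional('secrets', '@azure/keyvault-secrets');
console.log(JSON.stringify(healthReport()));
```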




Pattern 5: Key Vault as Single Source of Truth


No secrets in code. No `.env` files to leak. No "it works on my machine" credential hell.



• OTX API keys

• VirusTotal API keys

• Graph API credentials

• Storage connection strings


One source. One rotation policy. One audit trail.




Pattern 6: Evidence-First Architecture


Every scan saves evidence:

```
compliance/evidence/
├── github-abuse-reports/
├── threat-intelligence/
│   ├── stix-bundles/
│   ├── virustotal-cache/
│   └── hunting-reports/
└── fda-510k-readiness/
```


Not for bureaucracy. For survival.


When someone asks "how did you detect this?" - there's a JSON file. When SOC2 auditors come - there's a trail. When you need to prove you reported something before it hit the news - there's a timestamp.


The wizard documents everything.
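A timestamp inside a JSON file only proves something if the file cannot be quietly edited later. The following added example (not code from this platform; the page does not say how its evidence is protected) shows one way to make such records tamper-evident by hash-chaining them. All function names and the sample findings are constructed.

```javascript
// Added example, not DugganUSA code: hash-chained evidence records.
const { createHash } = require('crypto');

const GENESIS = '0'.repeat(64);

// Stable serialization: sorted keys so the same record always hashes the same.
function canonical(value) {
  if (Array.isArray(value)) return `[${value.map(canonical).join(',')}]`;
  if (value && typeof value === 'object') {
    return `{${Object.keys(value).sort()
      .map((k) => `${JSON.stringify(k)}:${canonical(value[k])}`).join(',')}}`;
  }
  return JSON.stringify(value);
}

function sha256(text) {
  return createHash('sha256').update(text, 'utf8').digest('hex');
}

// Append a record; each entry commits to the previous entry's hash.
function appendEvidence(chain, category, finding, recordedAt) {
  const prevHash = chain.length ? chain[chain.length - 1].hash : GENESIS;
  const body = { category, finding, recordedAt, prevHash };
  const entry = { ...body, hash: sha256(canonical(body)) };
  chain.push(entry);
  return entry;
}

// Returns the index of the first entry that fails verification, or -1.
function verifyChain(chain) {
  let prevHash = GENESIS;
  for (let i = 0; i < chain.length; i += 1) {
    const { hash, ...body } = chain[i];
    if (body.prevHash !== prevHash || sha256(canonical(body)) !== hash) return i;
    prevHash = hash;
  }
  return -1;
}

// Constructed sample findings; the values are placeholders.
function demo() {
  const chain = [];
  appendEvidence(chain, 'threat-intelligence/hunting-reports',
    { indicator: 'example.invalid', verdict: 'suspicious' }, '2025-12-05T06:00:00Z');
  appendEvidence(chain, 'github-abuse-reports',
    { repo: 'example/placeholder', reported: true }, '2025-12-05T06:05:00Z');
  const intact = verifyChain(chain);
  chain[0].recordedAt = '2025-11-01T00:00:00Z'; // edited after the fact
  return { intact, afterTamper: verifyChain(chain) };
}
```

The chain is only as trustworthy as the place its latest hash is anchored. Recording that hash outside the system that writes the evidence, for example in a git commit, is what lets a third party check the timestamp.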




Pattern 7: Scheduler-as-Code


All automated jobs live in `scheduler-manager.js`:



```javascript
'survivor-tracker': {
  name: 'Survivor Tracker - Honeypot Detection',
  description: 'Pattern 51: The Inverse Signal...',
  schedule: '0 6 * * *', // 6AM daily
  icon: '🍯',
  category: 'Counter-Intelligence',
  enabled: true
}
```



• Visible in dashboard

• Manually triggerable

• Logged with history

• Enable/disable without redeploy




Pattern 8: The Inverse Dependency


We publish free STIX feeds. Microsoft and AT&T security teams consume them.


Read that again.


Fortune 100 companies depend on our threat intelligence. We don't have a contract with them. We don't need one. They need us more than we need them.


That's leverage without negotiation.


When we're ready to monetize, the customer list already exists. They're already integrated. The switching cost is theirs, not ours.




Pattern 9: Cost Discipline



• 81% SOC2 compliance at ~$75/month Azure spend

• VirusTotal free tier with rate limiting baked in (16 second delays)

• OTX free API for pulse creation

• GitHub free for malware hunting


The snake cult has funding. Nation-states have budgets. We have efficiency.


Every pattern we build asks: "Can this run on free tier?" If yes, we build it. If no, we find another way.




Pattern 10: Pattern Stacking


Each pattern builds on the last:


1. Pattern 49 (ThreatFox Hunter): Ingests fresh IOCs hourly

2. Pattern 50 (VT Correlation): Cross-references with VirusTotal reputation

3. Pattern 51 (Survivor Tracker): Identifies accounts that don't get banned


The pipeline compounds. ThreatFox feeds VT correlation, which feeds survivor analysis. Add Pattern 52, and it has three patterns of context already built.




The Meta-Pattern: Anti-Fragility


Nassim Taleb's concept: systems that get stronger from stress, not weaker.



• Issue #43: Removing security controls cost $3-6M (theoretical). Now we never remove controls.

• Issue #113: Skipping session-start caused 7-hour regression. Now it's mandatory.

• Issue #116: Missing dependencies killed containers. Now we have try/catch resilience.

• Issue #188: Script execution failed in Docker. Now we call modules directly.


The system isn't fragile (breaks under stress) or robust (survives stress unchanged). It's anti-fragile: each stress makes it stronger.




Why This Matters


When Cloudflare goes down, we serve feeds. When containers crash, we redeploy in minutes. When dependencies fail, we degrade gracefully. When budgets are zero, we build on free tier.


The snake cult has infrastructure. They have Cloudflare. They have funding.


We have architecture that survives chaos.


That's the real riddle of steel.




*DugganUSA Threat Intelligence* *December 2025*



• [STIX Feed](https://analytics.dugganusa.com/api/v1/stix-feed)

• [Pattern Documentation](https://www.dugganusa.com/threat-intel)

• [The Riddle of Steel](https://www.dugganusa.com/post/riddle-of-steel-threat-intelligence)



Get Free IOCs

Subscribe to our threat intelligence feeds for free, machine-readable IOCs:

AlienVault OTX: https://otx.alienvault.com/user/pduggusa

STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed

