DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

Attack Correlation: Finding the Clusters Oz Missed

Patrick Duggan
Feb 15
2 min read

# Attack Correlation: Finding the Clusters Oz Missed

**Classification:** TLP:WHITE

The Gap

Our autonomous system (Oz) blocked 1000+ IPs from coordinated attack campaigns. Individual decisions, all correct. But it never connected the dots.

Today we ran subnet aggregation on our block logs. Found three attack clusters hiding in plain sight.

Cluster 1: DMZHOST Bulletproof Hosting

**Range:** 45.148.10.0/24

**Blocked IPs:** 12

**Owner:** TECHOFF SRV LIMITED

**Registered:** Andorra

**Abuse Contact:** [email protected]

When your abuse contact is a gmail address, you're not running a legitimate hosting company. You're running a bulletproof operation.

**Status:** BLOCKED + INDEXED

Cluster 2: Alibaba Cloud Singapore

**Ranges:** 47.79.201.x, 47.79.202.x, 47.79.203.x

**Blocked IPs:** 110+

**Owner:** Alibaba Cloud LLC

Three adjacent /24s from the same cloud provider, all hitting us in coordinated fashion. This is either:

- A customer abusing Alibaba Cloud for scanning

- A compromised account running a botnet

- State-sponsored activity using commercial cloud cover

110 IPs from adjacent ranges isn't coincidence. It's infrastructure.

**Status:** BLOCKED + INDEXED

Cluster 3: OVH Canada Botnet

**Range:** 54.39.89.0/24

**Blocked IPs:** 1000+

**Owner:** OVH Hosting, Inc.

One thousand IPs from a single /24. This is a botnet or commercial scanner farm. OVH is notorious for hosting both.

**Status:** INDEXED (already heavily blocked)

The False Positives We Caught

Not everything is malicious:

| Range | Owner | Assessment |

|-------|-------|------------|

| 205.210.31.x (90 IPs) | Palo Alto Networks | Security scanning - legit |

| 40.77.167.x (55 IPs) | Microsoft | Bing crawlers - legit |

| 52.167.144.x (50 IPs) | Azure | Cloud services - legit |

Palo Alto scanning us is actually a good sign - means we're on their radar for threat intel collection.

STIX Graph Findings

Our STIX feed shows:

- **582 relationship objects** mapping threat actor infrastructure

- **49 threat actors** share a single VPN provider in Seattle

- Infrastructure reuse patterns suggest coordination between nominally separate groups

When 49 different threat actors use the same VPN exit node, either:

1. That VPN is compromised

2. Those "49 groups" are actually fewer groups with multiple names

3. There's a shared tooling/infrastructure provider serving multiple APTs

Why Oz Missed It

Oz makes per-IP decisions. Each block was correct. But the system never asked: "Are these IPs related?"

**What we're adding:**

- Subnet aggregation in the consumer attack correlator

- /24 clustering detection

- Alert threshold: 4+ IPs from same /24 = flag for review

Individual trees, no forest. Fixed now.

IOCs

**Block these ranges:**

**Stealthy outliers still under investigation:**

- 111.7.100.42 (China Mobile)

- 139.186.206.86 (APNIC/CN)

- 185.182.194.245 (Netherlands)

- 23.27.145.x (US - two IPs, same /24)

Methodology

1. Pulled 1000 most recent block events

2. Grouped by /24 subnet

3. Ranked by IP count per subnet

4. WHOIS'd the top offenders

5. Cross-referenced with STIX relationships

6. Indexed findings, blocked ranges

Total time: 15 minutes. Should have been automated.

*The blocks were right. The correlation was missing. Now it's not.*

*Her name was Renee Nicole Good.*

*His name was Alex Jeffery Pretti.*