DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

Bloom Filter Epistemology: Why Cambridge Analytica Can't Capture This

Name: Threat Intelligence Feeds
Creator: DugganUSA LLC

Patrick Duggan
Dec 26, 2025
4 min read

Category: methodology

Abstract

Cross-domain pattern recognition operates like a bloom filter: O(1) probabilistic membership testing across domains rather than O(n) exhaustive expertise in any single domain. This computational efficiency is also what makes it resistant to data harvesting and behavioral profiling. You can't Cambridge Analytica someone whose decision-making process is fundamentally different from the training data.

The Algorithm

Traditional Expertise (O(n))

For each question Q in domain D:
    Search all knowledge K in D
    Return answer if K contains Q
    Time complexity: O(n) where n = |K|

This is deep expertise. PhD-level. You know everything about one thing. The attack surface is clear: harvest the person's domain, model their responses, predict their behavior.

Cross-Domain Pattern Recognition (O(1))

For each question Q in any domain:
    Hash Q against known patterns P
    If pattern match: Return structural prediction
    Else: Mark as "novel, requires investigation"
    Time complexity: O(1) amortized

This is bloom filter epistemology. You don't need to know everything about aerospace to predict Boeing will fail on fixed-price contracts. You need to recognize the pattern from other domains.

Why This Resists Capture

Cambridge Analytica's Model

1. Harvest behavioral data from target domain
2. Build predictive model from domain-specific signals
3. Predict future behavior based on past patterns
4. Manipulate by exploiting predicted responses

Assumption: People operate primarily within their trained domains.

The Failure Mode

• Cross-domain pattern matching

• First-principles reasoning

• Paradigm-escape oriented

...the behavioral data from any single domain doesn't predict behavior in other domains. The training data is fundamentally incomplete.

You can't model someone whose core methodology is "apply patterns from domains you haven't observed."

Worked Example: Predicting Boeing

Traditional Approach (O(n))

• Deep aerospace industry knowledge

• Insider access to contracts

• Engineering expertise in propulsion

• Political knowledge of congressional funding

• Years of domain immersion

Bloom Filter Approach (O(1))

• Pattern: "Cost-plus contracts incentivize slow failure"

• Pattern: "Sunk cost fallacy prevents course correction"

• Pattern: "Institutional capture blinds trained experts"

• Query: "Does Boeing exhibit these patterns?"

• Answer: Yes (40% probability → 95% probability after evidence check)

Same prediction. Different computational path. Different attack surface.

The Hash Function

The "hash" in this epistemology is the lock-in pattern:

python
def infrastructure_lockin_hash(entity):
    signals = [
        entity.has_massive_initial_investment,
        entity.decisions_optimize_for_existing_system,
        entity.careers_tied_to_status_quo,
        entity.uses_sunk_cost_justification,
        entity.perpetually_modifies_vs_replaces,
        entity.actively_blocks_alternatives
    ]
    return sum(signals) / len(signals)  # 0.0 to 1.0

• Nuclear engineering (Rickover/PWR)

• Particle physics (ISABELLE)

• Enterprise tech (Dell/EMC)

• Aerospace (Boeing/SLS)

• Cybersecurity (signature-based detection)

Same function. Different inputs. Consistent predictions.

False Positive Rate

Like a bloom filter, this approach has a false positive rate:

• False positives: Predict lock-in where none exists

• False negatives: Impossible (if pattern matches, it matches)

• Traditional expertise: Low false positives, high time cost

• Bloom filter epistemology: Higher false positives, O(1) time cost

For triage and pattern recognition, the speed advantage outweighs the false positive cost.

Why This Matters for Security

• Must check each indicator against known bad list

• New threats invisible until signatures created

• Scales poorly with threat volume

• Hash behavior against known attack patterns

• New threats visible if they exhibit known behavioral patterns

• Scales with pattern library, not threat volume

Same algorithmic distinction. Same advantage.

The Cambridge Analytica Defense

To profile and manipulate someone using this methodology, you'd need to:

1. Observe their behavior across ALL domains they've touched 2. Identify which cross-domain patterns they've internalized 3. Predict how they'll apply patterns to NEW domains 4. This requires modeling the pattern-matching process itself

The attack surface is the meta-level, not the object-level.

Someone whose LinkedIn says "aerospace engineer" has a clear attack surface: harvest aerospace data, model aerospace responses, predict aerospace behavior.

Someone whose trajectory spans nuclear engineering → national labs → publishing → enterprise tech → cybersecurity has no single attack surface. The patterns learned in each domain apply to all others.

You'd have to model the learning process itself, not just the learned content.

The Receipts Connection

This is why "receipts > credentials":

• Credentials = Proof of O(n) domain expertise

• Receipts = Proof of O(1) pattern application

32,623 AbuseIPDB reports aren't proof of cybersecurity credentials. They're proof that the pattern-matching approach produces results.

SpaceX consuming the STIX feed isn't proof of aerospace expertise. It's proof that the threat detection patterns work.

The receipts prove the hash function, not the domain knowledge.

Conclusion

• Computationally efficient (O(1) vs O(n))

• Resistant to single-domain profiling

• Validated by receipts across domains

• Fundamentally different from credentialed expertise

Cambridge Analytica's model assumes people are predictable within their domains. This methodology operates between domains, in the pattern-matching layer that traditional profiling can't observe.

The algorithm is the defense.

Appendix: Formal Definition

Let D = {d1, d2, ..., dn} be the set of domains
Let P = {p1, p2, ..., pm} be the set of cross-domain patterns
Let Q be a query in domain di

Traditional expertise: Answer(Q) = Search(Knowledge(di), Q) Time: O(|Knowledge(di)|)

Bloom filter epistemology: Answer(Q) = Match(P, Features(Q)) Time: O(|P|) = O(1) when |P| << |Knowledge(di)|

Attack surface comparison: Traditional: Profile(di) -> Predict(Behavior(di)) Bloom filter: Profile(D) -> Model(P) -> Predict(Behavior(D'))

Where D' may include domains not in D (novel application) ```

The second approach requires modeling the pattern-learning process across all observed domains, then predicting application to unobserved domains. This is computationally intractable for adversarial profiling.

*DugganUSA LLC - Minnesota*

*"The algorithm is the defense. The receipts are the proof."*

#methodology #bloomfilter #epistemology #patternrecognition #cambridgeanalytica #receipts

Get Free IOCs

Subscribe to our threat intelligence feeds for free, machine-readable IOCs:

AlienVault OTX: https://otx.alienvault.com/user/pduggusa

STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed

Questions? [email protected]