CISA Added Fortinet EMS to KEV Yesterday. We Wrote About It in February.
- Patrick Duggan
- 5 hours ago
- 5 min read
Sometimes the timeline writes itself.
February 2026: CVE-2026-21643 is disclosed. SQL injection in FortiClient Endpoint Management Server. CVSS 9.8. Pre-authentication. One crafted HTTP header gets you admin credentials, endpoint inventory, security policies, and certificates for every device the server manages.
March 30, 2026: Active exploitation confirmed in the wild by Defused Cyber. Roughly 1,000 internet-exposed EMS instances. Fortinet issues a patch advisory six weeks after the initial disclosure.
March 31, 2026: watchTowr catches exploitation attempts for a second zero-day in the same product — CVE-2026-35616, a pre-auth API bypass. Fourteen days apart. Same product.
April 5, 2026: We publish "I Wrote About The Breach That Keeps Breaching in September. It's April and It's Still Breaching." The thesis: management-plane software is the new perimeter and nobody is acting like it. Fortinet keeps shipping pre-auth auth-bypasses like it's 2006. The government had not yet weighed in.
April 13, 2026: CISA adds CVE-2026-21643 to the Known Exploited Vulnerabilities catalog. Federal civilian agencies now have twenty-one days to patch it or provide written justification for why they cannot. The KEV entry means the U.S. government has formally agreed with what defenders, honeypot operators, and a handful of bloggers in Minneapolis had been saying for six weeks: this one is not theoretical. It's being used to own enterprises right now.
The lag between "threat intel is confident this is being exploited" and "the government is confident this is being exploited" was forty-one days.
That's the story.
The forty-one-day gap is the story
CISA KEV is a great product. The criteria are conservative by design — CISA adds a CVE only when it has strong evidence of active exploitation, because the catalog carries regulatory teeth: federal agencies must remediate. That conservatism is a feature. It keeps the catalog from being flooded with theoretical exploitability claims.
The tradeoff is the lag. For forty-one days, CVE-2026-21643 was being used to compromise FortiClient EMS deployments, and the authoritative government catalog did not yet reflect that. Defenders relying solely on KEV as their patching-priority signal were forty-one days late to a known-exploited critical on a management-plane product.
This is not a criticism of CISA. It's a description of how the intelligence stack works. The commercial threat-intel firms move first, because they have honeypots and telemetry and they can publish a research blog within hours of an interesting request. The government moves second, because the government has to be right. By the time CISA adds something to KEV, the commercial intel community has usually been talking about it for weeks.
If the only trigger for your patch cycle is "is it on KEV yet," you will always be weeks late to the exploits that are actively being used against your attack surface.
What was in our STIX feed on day one
We indexed the PoC for CVE-2026-21643 the week it dropped. 0xBlackash had published a clean proof-of-concept on GitHub — the SQL injection patterns, the target API endpoint (/api/v1/init_consts), the injectable headers. Our exploit harvester pulled it within the six-hour polling window, classified it, and converted the attack pattern into STIX 2.1 detection rules.
Those rules flowed to the 275+ organizations consuming our feed before Fortinet's advisory was even published. A defender with our feed wired into their SIEM had the detection in early February, not mid-April.
Same story for CVE-2026-35616 in late March. watchTowr caught the first exploitation attempts on a Friday. By Sunday, the detection patterns were in our feed. Our edge honeypots — Cloudflare Workers running on 300+ points of presence — started catching scans for EMS-specific endpoints within hours, and every scanning IP got indexed into the same feed.
When CISA added CVE-2026-21643 to KEV yesterday, we did not update anything. The detection had been live for nine weeks. What changed was that federal civilian agencies now have a compliance clock attached to it.
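To make the feed-to-SIEM path above concrete, here is an added example (not the post's own harvester or feed code): it wraps the one page-sourced detail from the PoC, the target endpoint /api/v1/init_consts, in a STIX 2.1 Indicator, runs that indicator's pattern over constructed web-server log lines the way a SIEM consuming the feed would, and rolls the hits up into STIX Sightings keyed by source IP, which is the shape the honeypot-scanner indexing takes. The indicator ids, log lines, timestamps and IPs (RFC 5737 documentation ranges) are constructed for this example; the `x_src_ip` property is a simplification of a full observed-data reference.

```python
"""Added example: STIX 2.1 Indicator for a known-bad endpoint, evaluated over
constructed access-log lines, with Sightings grouped per source IP."""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed access-log lines in combined log format. The endpoint path is the
# one named in the post; the IPs (203.0.113.x / 198.51.100.x) are documentation
# addresses, not real scanners.
LOG_LINES = [
    '203.0.113.7 - - [13/Apr/2026:09:12:01 +0000] "POST /api/v1/init_consts HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.23 - - [13/Apr/2026:09:12:03 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Apr/2026:09:12:05 +0000] "POST /api/v1/init_consts HTTP/1.1" 500 0 "-" "python-requests/2.31"',
]

# Parses ip, timestamp, method, url and status out of a combined-format line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Extracts the regex from the single-comparison STIX pattern this example emits.
PATTERN_RE = re.compile(r"^\[url:value MATCHES '(.*)'\]$")


def build_indicator(cve_id: str, endpoint: str) -> dict:
    """Build a STIX 2.1 Indicator whose pattern matches requests to `endpoint`.
    The pattern uses the STIX patterning language (url:value MATCHES <regex>)."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": f"{cve_id} exploitation attempt against {endpoint}",
        "indicator_types": ["malicious-activity"],
        "pattern_type": "stix",
        "pattern": f"[url:value MATCHES '{re.escape(endpoint)}']",
        "valid_from": now,
        "labels": [cve_id.lower()],  # assumed labelling convention
    }


def pattern_regex(indicator: dict) -> re.Pattern:
    """Turn the indicator's pattern back into a compiled regex. Only the
    single url:value MATCHES form produced above is supported here."""
    m = PATTERN_RE.match(indicator["pattern"])
    if not m:
        raise ValueError("unsupported STIX pattern: " + indicator["pattern"])
    return re.compile(m.group(1))


def match_logs(indicator: dict, lines) -> list:
    """Return one hit dict per log line whose request URL matches the indicator."""
    rx = pattern_regex(indicator)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line; skip rather than crash
        src_ip, ts, method, url, status = m.groups()
        if rx.search(url):
            hits.append({"src_ip": src_ip, "timestamp": ts, "method": method,
                         "url": url, "status": int(status)})
    return hits


def sightings(indicator: dict, hits: list) -> list:
    """Roll hits up into STIX 2.1 Sighting objects, one per source IP, so each
    scanning address can be fed back into the same feed."""
    counts = {}
    for h in hits:
        counts[h["src_ip"]] = counts.get(h["src_ip"], 0) + 1
    return [
        {
            "type": "sighting",
            "spec_version": "2.1",
            "id": f"sighting--{uuid.uuid4()}",
            "sighting_of_ref": indicator["id"],
            "count": n,
            "x_src_ip": ip,  # custom property; a full feed would use observed_data_refs
        }
        for ip, n in sorted(counts.items())
    ]


if __name__ == "__main__":
    ind = build_indicator("CVE-2026-21643", "/api/v1/init_consts")
    found = match_logs(ind, LOG_LINES)
    print(json.dumps({"indicator": ind, "hits": found,
                      "sightings": sightings(ind, found)}, indent=2))
```

Matching on the path alone will also flag legitimate EMS clients that call the same endpoint, so in a real deployment the hit list is a triage queue (pair it with source reputation, request method and response status), not an automatic block. The value of the indicator is that it exists on the day the PoC drops, long before a catalog entry tells you to care.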
The management plane keeps winning
The pattern we wrote about in September 2025 — UNC6395 using Salesloft Drift OAuth to pillage Salesforce credentials — was not about Salesloft specifically. It was about the management plane being the new perimeter. UNC6395 proved it with OAuth tokens. CVE-2026-21643 and CVE-2026-35616 prove it with SQL injection and API bypass. Ivanti proved it with CVE-2026-1603. Cisco proved it with CVE-2026-20093. Ivanti proved it again yesterday with CVE-2026-1340 — an EPMM code injection that also landed on KEV this week.
Every one of these is the same shape. A piece of enterprise software that is supposed to sit behind a VPN on a management VLAN that three people access. Port 443 gets opened during COVID so remote IT can work. Port 443 never gets closed. The management plane — the thing that tells the firewall what to block and tells the endpoint agent what to allow — is now directly exposed to the internet.
When you own the management plane, you own everything it manages. Attackers have figured this out. Vendors keep shipping pre-auth critical vulnerabilities in these products like the 2008 design assumptions still hold. They don't.
What the KEV entry means for you
If you run FortiClient EMS and you are a federal civilian agency, you have twenty-one days from April 13 to patch or document. That clock is now legally binding.
If you run FortiClient EMS and you are a commercial enterprise, you don't have a legal clock, but you do have a signal: the government has now confirmed active exploitation. Your insurance carrier knows this. Your regulator knows this. Your board is going to find out at the next quarterly update. The CVE is now part of the standard due-diligence packet that every acquirer, auditor, and cyber-insurance underwriter checks.
If you run any management-plane product — not just FortiClient EMS — this is the moment to audit what is exposed. Is the admin console on the internet? Is the API gateway on the internet? Is port 443 open on the management VLAN? If any of those is yes, you are one disclosed CVE away from owning the problem we have been writing about since September.
The point, one more time
We called the management-plane pattern in September 2025. We called the Fortinet EMS specific instance in February. We wrote the "it's still breaching" follow-up on April 5. The government agreed with us yesterday.
Forty-one days between "commercial threat intel is confident" and "CISA KEV is confident" is a lifetime in incident response. It is forty-one days of active exploitation during which the authoritative signal was not yet pointing at the problem.
The fix is not to wait for KEV. The fix is to wire a threat feed into your SIEM that is monitoring the same honeypots, harvesting the same PoCs, and indexing the same IOCs that CISA eventually uses to justify the KEV entry. The ninety-five percent confidence signal beats the hundred percent confidence signal every time when the delta is forty-one days.
Our feed had this one on day one. So did a handful of others. That's not a brag. That's a description of how the intelligence stack actually works when you build it correctly.
The breach that keeps breaching is still breaching. The only thing that changed yesterday is that the federal government officially noticed.
[I Wrote About The Breach That Keeps Breaching in September. It's April and It's Still Breaching.](https://www.dugganusa.com/post/breach-that-keeps-breaching-fortinet-ems-management-plane) — April 5, 2026
[UNC6395: The Breach That Keeps On Breaching](https://www.dugganusa.com/post/unc6395-the-breach-the-keeps-on-breaching) — September 2025
[Another Day, Another Management Console Owned. Fortinet EMS Makes It Five CVSS 9.8+ in Two Weeks.](https://www.dugganusa.com/post/another-day-another-management-console-owned-fortinet-ems-makes-it-five-cvss-9-8-in-two-weeks)
— Patrick