
  • Writer: Patrick Duggan
  • Mar 7
  • 4 min read

# CISA Is Running on Fumes. Iran's Cyberwar Has Begun. Who's Watching Your Network?


Two weeks ago, we published "While CISA Burns at 38% Capacity, We Pushed 246 Threat Objects to 46 Countries." That was February 21st. The situation has gotten materially worse.


On February 28th, the United States and Israel launched Operation Epic Fury and Operation Roaring Lion — a joint military offensive against Iran. Iran is retaliating. Not just with missiles. With keyboards.


The Register's headline on March 2nd: "Iran's cyberwar has begun."


Palo Alto's Unit 42 published an emergency threat brief the same week. Fortune reported Iran may use AI to accelerate attacks on US critical infrastructure. CNBC ran "The lead U.S. cyber agency is stretched thin as Iran hacking threat escalates."


Here's the problem: the agency they're talking about — CISA — is operating at 38% staffing during a partial federal government shutdown. The red teams are gone. The MS-ISAC funding that supported state and local government cybersecurity got cut by $10 million. The Risk Management division went from 179 positions to 58. Stakeholder Engagement went from 200 to 53. The counter-ransomware initiative has been gutted. The acting director was replaced after being called "bumbling" for a year.


This is your government safety net. It has a hole in it the size of a Boeing 737.


What Iran Is Throwing



The IRGC-affiliated group Cotton Sandstorm (also known as Emennet Pasargad, Haywire Kitten, and Aria Sepehr Ayandehsazan) is deploying WezRat, a custom modular infostealer delivered via spearphishing campaigns that masquerade as urgent software updates. Check Point Research published a deep-dive analysis. The C2 infrastructure impersonates Israeli CERT notifications (il-cert[.]net), and the malware uses a Firefox user-agent string to blend into normal traffic, which also means the user-agent on its own is not a usable detection: pivot on the domains, IPs, file names and hashes instead.


Handala Hack, linked to Iran's Ministry of Intelligence and Security, has targeted Israeli energy firms, Jordanian fuel infrastructure, and Israeli healthcare networks. The Cyber Islamic Resistance is coordinating synchronized DDoS and data-wiping operations against drone defense systems and payment infrastructure. FAD Team specializes in wiper malware and SCADA/PLC system compromise. Dark Storm Team is running DDoS and ransomware operations against financial institutions.


These aren't theoretical. These are active operations, right now, in March 2026.


What We're Doing About It



DugganUSA maintains 938,000+ IOCs across 37 indexes, including 23 indexed Iranian adversary groups: Charming Kitten, OilRig, Fox Kitten, APT33, APT35, Rocket Kitten, Cutting Kitten, MuddyWater, Silent Librarian, and more. Our STIX feed pushes threat intelligence to consumers in 31 countries. When we published the February CISA piece, we had 275 feed consumers. That number is growing.


This week, we ingested the WezRat IOC set from Check Point Research — the indicators Cotton Sandstorm is actively using:


> C2 Domains: il-cert[.]net, connect.il-cert[.]net, onlinelive[.]info


> C2 Infrastructure: 45.143.167[.]87, 194.11.226[.]9, 45.120.177[.]8, 194.4.49[.]175, 46.249.58[.]136


> Phishing origin: alert@il-cert[.]net


> Delivery files: Google Chrome Installer.msi, Updater.exe, One_Drive.exe


> 15 SHA256 hashes covering the WezRat backdoor, its modular DLLs, and deployment chain


These are now searchable in our platform, cross-referenced against our existing Iran APT corpus, and available to every STIX feed subscriber.
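As an added example (not DugganUSA's code, and not Check Point's), here is what a SOC does with a defanged list like the one above: refang and validate each indicator, wrap it as a STIX 2.1 Indicator object of the kind a STIX feed carries, and sweep proxy logs for the domains, IPs and dropped-file names. Only the IOCs come from the post; the log format, log lines and internal hosts are constructed for the demo, and the hashes are left out because the post does not list them.

```python
"""Added example, not DugganUSA code: refang the defanged WezRat indicators quoted
above, wrap them as STIX 2.1 Indicator objects, and sweep proxy log lines for them.
Only the IOCs come from the post; the log lines are constructed for this demo."""
import ipaddress
import re
import uuid
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Defanged IOCs exactly as quoted above, keyed by STIX Cyber-observable type.
DEFANGED = {
    "domain-name": ["il-cert[.]net", "connect.il-cert[.]net", "onlinelive[.]info"],
    "ipv4-addr": ["45.143.167[.]87", "194.11.226[.]9", "45.120.177[.]8",
                  "194.4.49[.]175", "46.249.58[.]136"],
    "email-addr": ["alert@il-cert[.]net"],
    "file": ["Google Chrome Installer.msi", "Updater.exe", "One_Drive.exe"],
}
STIX_PROPERTY = {"domain-name": "value", "ipv4-addr": "value",
                 "email-addr": "value", "file": "name"}
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0"

# Constructed proxy log, format: <ts> <src> <method> <url> <status> "<user-agent>".
SAMPLE_LOG = [
    f'2026-03-04T09:12:03Z 10.0.0.21 GET http://connect.il-cert.net/update/Updater.exe 200 "{FIREFOX_UA}"',
    f'2026-03-04T09:12:09Z 10.0.0.21 POST http://45.143.167.87:8080/api/v1 200 "{FIREFOX_UA}"',
    f'2026-03-04T09:13:44Z 10.0.0.35 GET https://www.mozilla.org/ 200 "{FIREFOX_UA}"',
    '2026-03-04T09:14:01Z 10.0.0.40 GET https://il-cert.net.example.com/ 200 "curl/8.5.0"',
]

_DEFANG_DOT = re.compile(r"\[\.\]|\(\.\)|\[dot\]", re.I)
_DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def refang(value: str) -> str:
    """Undo common defanging ([.], (.), [dot], hxxp, [at]) so values compare to live data."""
    out = _DEFANG_DOT.sub(".", value)
    out = re.sub(r"^hxxp", "http", out, flags=re.I)
    return re.sub(r"\[(?:at|@)\]|\((?:at|@)\)", "@", out, flags=re.I).strip()


def validate(ioc_type: str, value: str) -> str:
    """Reject malformed indicators before they reach a feed or a blocklist."""
    if ioc_type == "ipv4-addr":
        ipaddress.IPv4Address(value)  # raises AddressValueError (a ValueError) on junk
    elif ioc_type == "domain-name":
        if not _DOMAIN.match(value.lower()):
            raise ValueError(f"not a domain: {value!r}")
    elif ioc_type == "email-addr":
        local, _, dom = value.rpartition("@")
        if not local or not _DOMAIN.match(dom.lower()):
            raise ValueError(f"not an email address: {value!r}")
    elif ioc_type == "file":
        if not value or "/" in value or "\\" in value:
            raise ValueError(f"not a bare file name: {value!r}")
    return value


def build_indicators(defanged=DEFANGED, now=None):
    """One STIX 2.1 Indicator (pattern_type 'stix') per validated IOC."""
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    out = []
    for ioc_type, values in defanged.items():
        for raw in values:
            value = validate(ioc_type, refang(raw))
            escaped = value.replace("'", "\\'")  # STIX patterns use single-quoted literals
            out.append({
                "type": "indicator", "spec_version": "2.1",
                "id": f"indicator--{uuid.uuid4()}",
                "created": ts, "modified": ts, "valid_from": ts,
                "name": f"WezRat {ioc_type}: {value}",
                "indicator_types": ["malicious-activity"],
                "pattern_type": "stix",
                "pattern": f"[{ioc_type}:{STIX_PROPERTY[ioc_type]} = '{escaped}']",
            })
    return out


def sweep(log_lines, defanged=DEFANGED):
    """Flag lines whose host or dropped-file name matches the IOC set.
    A listed domain matches itself and its subdomains (il-cert.net covers
    connect.il-cert.net) but not look-alikes such as il-cert.net.example.com.
    The Firefox UA is recorded as context only; a browser UA is never an IOC by itself."""
    domains = {refang(d).lower() for d in defanged["domain-name"]}
    ips = {refang(i) for i in defanged["ipv4-addr"]}
    files = {f.lower() for f in defanged["file"]}
    hits = []
    for line in log_lines:
        ts, src, _method, url, _status, ua = line.split(" ", 5)
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        reasons = []
        if host in ips or any(host == d or host.endswith("." + d) for d in domains):
            reasons.append(f"host {host}")
        fname = parts.path.rsplit("/", 1)[-1].lower()
        if fname in files:
            reasons.append(f"file {fname}")
        if reasons:
            hits.append({"ts": ts, "src": src, "host": host, "reasons": reasons,
                         "firefox_ua": "Firefox/" in ua})
    return hits
```

Run `sweep(SAMPLE_LOG)` and only the two lines from 10.0.0.21 come back: the first on the C2 subdomain plus the dropped `Updater.exe`, the second on the raw C2 IP. The mozilla.org line carries the same Firefox user-agent and is correctly ignored, and the `il-cert.net.example.com` look-alike fails the suffix check. `build_indicators()` is the piece you would hand to a TAXII server or your TIP; the STIX `pattern` strings are what a SIEM with a STIX-aware rule engine consumes directly.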


The Math Your CISO Needs to See



CISA's proposed budget cuts eliminate roughly 1,300 positions — 40% of the workforce. The agency that maintains the Known Exploited Vulnerabilities catalog, ran red team assessments, coordinated incident response, and shared threat intelligence with the private sector is running on fumes.


Meanwhile, this week alone:


> Cisco Secure Firewall Management Center: CVE-2026-20079 and CVE-2026-20131 — both CVSS 10.0. The firewall management platform needs protecting from the things it's supposed to protect you from.


> Chrome sandbox escape: CVE-2026-3545, CVSS 9.6. Every browser on every desk.


> DNS resolver out-of-bounds write: CVE-2026-1678, CVSS 9.4. Foundational internet infrastructure.


> VMware Aria Operations command injection: CVE-2026-22719, CVSS 8.1 — added to CISA KEV on March 3rd with a patch deadline of March 24th. For the agencies that still have staff to patch.


> Qualcomm chipset memory corruption: CVE-2026-21385 — confirmed exploited in the wild. Added to KEV the same day.
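The KEV cross-reference the post mentions is simple enough to run yourself. Below is an added example (not DugganUSA's code) that joins scanner findings against the public KEV catalog's JSON shape and turns each hit into a deadline. The catalog excerpt and the findings are constructed for the demo: the VMware dates are the ones given above, and the Qualcomm due date is assumed to match it because the post says both were added the same day; the real file lives at the `KEV_URL` noted in the code, and the other three CVEs are deliberately absent from the excerpt because the post does not say they are in KEV.

```python
"""Added example, not DugganUSA code: cross-reference scanner findings against a
CISA KEV catalog excerpt and compute each item's remediation deadline.
KEV_SAMPLE is constructed using the live catalog's field names; the VMware entry's
dates come from the post, the Qualcomm due date is an assumption."""
import json
from datetime import date

# Live catalog (fetch offline copies with your own tooling; not fetched here):
KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2026.03.03",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2026-22719", "vendorProject": "VMware", "product": "Aria Operations",
         "vulnerabilityName": "VMware Aria Operations Command Injection Vulnerability",
         "dateAdded": "2026-03-03", "dueDate": "2026-03-24",  # dates as stated in the post
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
         "knownRansomwareCampaignUse": "Unknown", "shortDescription": "", "notes": ""},
        {"cveID": "CVE-2026-21385", "vendorProject": "Qualcomm", "product": "Multiple Chipsets",
         "vulnerabilityName": "Qualcomm Chipsets Memory Corruption Vulnerability",
         "dateAdded": "2026-03-03", "dueDate": "2026-03-24",  # dueDate assumed, check live catalog
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
         "knownRansomwareCampaignUse": "Unknown", "shortDescription": "", "notes": ""},
    ],
})

# Constructed scanner export: the CVEs the post lists, one finding per affected asset.
FINDINGS = [
    {"asset": "vrops-01", "cve": "CVE-2026-22719"},
    {"asset": "fmc-01", "cve": "CVE-2026-20079"},
    {"asset": "fmc-01", "cve": "CVE-2026-20131"},
    {"asset": "dns-resolver-02", "cve": "CVE-2026-1678"},
    {"asset": "android-fleet", "cve": "CVE-2026-21385"},
]


def load_kev(raw: str) -> dict:
    """Index the catalog by CVE id; the live JSON has exactly this shape."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def triage(findings, kev, today: date):
    """Attach KEV status and days-to-deadline to each finding, KEV items first."""
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            # Absence from KEV is not a clean bill of health: CISA has simply not
            # confirmed exploitation. High CVSS still needs a local priority call.
            rows.append({**f, "in_kev": False, "days_left": None,
                         "status": "not in KEV; prioritise on exposure and CVSS"})
            continue
        due = date.fromisoformat(entry["dueDate"])
        days = (due - today).days
        status = f"OVERDUE ({-days} days past {due})" if days < 0 else f"due in {days} days ({due})"
        rows.append({**f, "in_kev": True, "days_left": days, "due": due.isoformat(),
                     "ransomware": entry["knownRansomwareCampaignUse"],
                     "action": entry["requiredAction"], "status": status})
    return sorted(rows, key=lambda r: (not r["in_kev"],
                                       r["days_left"] if r["days_left"] is not None else 10**6))


if __name__ == "__main__":
    for row in triage(FINDINGS, load_kev(KEV_SAMPLE), date(2026, 3, 7)):
        print(f'{row["asset"]:16} {row["cve"]:16} {row["status"]}')
```

With `today` set to the post's date (March 7), both KEV entries report 17 days to the March 24 deadline and the Cisco and DNS findings drop to the bottom as "not in KEV". Swap in the live catalog and your own scanner export and the same function gives you the BOD 22-01 clock for every asset, whether or not anyone at CISA is around to remind you.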


The private sector safety net just became a lot more important. Not as a replacement for CISA — nobody replaces CISA — but as insulation. The government will eventually restabilize. In the meantime, your network doesn't get to take a furlough day.


What This Means for You



If you're a SOC analyst, a CISO, or anyone responsible for network defense:


1. Your CISA advisories may be delayed or incomplete. The people who wrote them are on furlough.

2. Iranian APTs are actively targeting US infrastructure during a shooting war. This is not a drill.

3. The CVE velocity this week is exceptional — multiple CVSS 9.0+ vulnerabilities, plus two KEV additions with confirmed exploitation in the wild.

4. The STIX feed ecosystem — ours and others — is the fallback. Integrate one. Today.


DugganUSA's STIX feed runs at $500/month for enterprise. No government shutdown risk. No furlough days. No acting directors. 938K IOCs, 23 Iranian adversary profiles, CISA KEV cross-referenced, serving 31 countries.


The agency protecting you just lost 62% of its staff. We didn't.




*DugganUSA LLC is a Minnesota-based threat intelligence company. Our STIX feed serves enterprise, government, and research consumers across 31 countries. For integration details, visit https://analytics.dugganusa.com/stix or contact [email protected].*





*Her name was Renee Nicole Good.*


*His name was Alex Jeffery Pretti.*

 
 
 
