DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

Cisco Is Having the Worst Week in Cybersecurity History. Here's the Scoreboard.

Patrick Duggan
Apr 3
4 min read

It's Thursday, April 3. ShinyHunters' deadline to dump Cisco's data expires today. This is the fifth simultaneous crisis hitting Cisco in seven days. Nobody's had a week this bad.

The Scoreboard

#	Crisis	Severity	Status
1	CVE-2026-20131 — FMC zero-day (CVSS 10.0)	Maximum	Exploited 36 days before disclosure. Interlock ransomware used it to hit hospitals and Saint Paul, MN. Amazon found it, not Cisco.
2	ShinyHunters extortion — 3M+ Salesforce records	Critical	Three breach vectors: UNC6040 vishing, Salesforce Aura vuln, AWS account compromise. Deadline TODAY.
3	CVE-2026-20093 — IMC critical (CVSS 9.8)	Critical	New. Another management interface vulnerability. Patch released this week.
4	IRGC target list — named as military target	Kinetic	One of 18 US tech companies the IRGC designated for destruction. 5,822 ASA VPN endpoints visible on Shodan.
5	GitHub weaponization — fake FMC PoC with webshells	Active	We found cmd.war and cmd.jsp webshells bundled with a "PoC" for CVE-2026-20131. Three forks. Still live on GitHub.

Five concurrent attacks on one company. Different actors, different vectors, different motivations. All landing in the same seven-day window.

The Management Interface Pattern

Two of the five crises are vulnerabilities in Cisco management interfaces:

FMC (Firepower Management Center) — the console that manages Cisco firewalls. CVE-2026-20131. CVSS 10.0. Unauthenticated Java deserialization → root. The thing that configures your network security gave attackers root access to everything it manages.

IMC (Integrated Management Controller) — the out-of-band management interface for Cisco servers. CVE-2026-20093. CVSS 9.8. The thing that manages your hardware at the BIOS level.

The pattern: Cisco's management interfaces — the tools administrators trust to configure and control infrastructure — are the attack surface. FMC gives you the firewall rules. IMC gives you the server hardware. Both compromised in the same week.

This is the thesis we've been writing about all week. Your security vendor is your attack surface. The management console is the front door. Trust and access — the two things attackers want most, and the two things management interfaces are designed to provide.

ShinyHunters — The Clock

European Commission — 90GB+ exfiltrated, DKIM keys leaked
TELUS Digital — 1 petabyte, FBI background checks, source code
Cisco — 3M+ Salesforce records, GitHub repos, AWS accounts

Three massive targets in one month. The Cisco breach used three separate vectors:

UNC6040 vishing — social engineering via voice phishing to gain initial access
Salesforce Aura vulnerability — exploiting Salesforce Experience Cloud to access CRM data
AWS account compromise — EC2 volumes and S3 buckets accessed directly

ShinyHunters didn't find one hole. They found three. And they're claiming the data includes not just Cisco's records but potentially data from Cisco's customers — the 3M+ Salesforce records are CRM entries that may contain enterprise customer information.

The deadline is today. If Cisco didn't engage, the dump goes public.

The IRGC Dimension

Trump told the nation Tuesday night that the US will hit Iran "extremely hard" over the next two to three weeks. Today he threatened to destroy Iranian bridges and power plants. The April 6 pause on power infrastructure strikes expires in three days.

His March 6 cyber strategy specifically references offensive cyber operations against Iran: "obliterate Iran's nuclear infrastructure." Congress wants more details. The CFR says the strategy "falls short on Iran, China, and the threats that matter most."

Meanwhile, the IRGC named Cisco as one of 18 military targets. Cisco has 5,822 ASA VPN endpoints visible on Shodan. The same ASA VPN product line that Akira/Punk Spider ransomware specifically targets for initial access — VPNs without MFA.

Cisco is being attacked by cybercriminals (ShinyHunters, Interlock), probed by nation-states (IRGC), scanned by ransomware operators (Akira), and exploited through zero-days in their own management consoles — simultaneously.

Trump's Cyber Strategy and What It Means

The White House released "President Trump's Cyber Strategy for America" on March 6. Six pillars:

Shape adversary behavior
Promote "common sense" regulation
Modernize federal networks
Secure critical infrastructure
Sustain technological superiority
Offensive cyber operations

The strategy promises to avoid "costly checklists" and give companies "greater agility." Translation: less compliance, more offense.

Senator Jack Reed urged the administration to strengthen cybersecurity in the aftermath of Iran strikes. Congress wants to know how the government is helping critical infrastructure guard against Iran-linked hacking.

The answer this week: the FBI's wiretap network was breached by China. Cisco has five simultaneous crises. The IRGC named 18 tech companies for destruction. And the cyber strategy says "no more checklists."

The checklists aren't the problem. The management interfaces with CVSS 10.0 vulnerabilities are the problem.

What We've Published This Week

Day	Post	Connection
Mon	Your Security Vendor Is Your Attack Surface	CrowdStrike, Intune, Trivy — security tools weaponized
Tue	TeamPCP: One Actor, Three Supply Chains	Trivy → LiteLLM → Telnyx chained compromise
Tue	Cisco FMC Got Owned for 36 Days	CVE-2026-20131 + our January fake PoC find
Tue	Dell RecoverPoint: $67B, Chinese Hackers 2 Years	Hardcoded credentials, Ghost NICs
Tue	Iran Is Fighting Two Wars	Handala, MuddyWater, Patel, 16 domains surveilled
Wed	Hasbro Hacked: GenAI Pipeline from DNS	255 subdomains, ComfyUI/Fooocus/SwarmUI
Wed	IRGC Names 18 Targets, We Have Files on Six	Cisco, Dell, Oracle, Palantir, Microsoft, Apple
Wed	GitHub Wasteland: Nobody Else Is Looking	FMC webshell PoC + Citrix session harvester
Wed	IP Reputation Is Dead	GreyNoise validation, 5.6M behavioral decisions
Wed	LinkedIn Scans 6,222 Extensions	Microsoft browser surveillance
Wed	FBI Wiretap Network Breached	Salt Typhoon, "major incident"
Thu	This post	The convergence on Cisco

Twelve posts in four days. Every one connected. The Cisco FMC zero-day from Tuesday, the IRGC target list from Wednesday, the GitHub webshells from Wednesday, and the ShinyHunters deadline today — four threads landing on the same company in the same week.

The Numbers

Our STIX feed carries IOCs for every actor in this story:

ShinyHunters: 23 IOCs (phishing domains, infrastructure IPs, Salesforce indicators)
Interlock: Cisco FMC exploitation indicators, ransomware domains
Akira/Punk Spider: 26 IOCs (VPN targeting TTPs, hashes)
Iran/MOIS: 1,917 IOCs across 28 adversary profiles
Salt Typhoon: Chinese APT indicators

275+ organizations in 46 countries pull this feed. If you're a Cisco customer watching five crises unfold simultaneously, the indicators are already in your SIEM — if your SIEM is pulling from us.

https://analytics.dugganusa.com/api/v1/stix-feed?format=splunk&api_key=YOUR_KEY

Cisco has five concurrent crises: two CVSS 9.8+ management interface vulns, a data extortion deadline, a nation-state military target designation, and weaponized PoCs on GitHub. Nobody else has had five at once. We've been tracking all five since they started.

ShinyHunters' deadline is today. We'll update when we know what they release.