
Consensual Reconnaissance: The Security Industry's Double Standard

  • Writer: Patrick Duggan
  • Dec 6, 2025
  • 4 min read

TL;DR: Palo Alto Networks, Shodan and Censys scan your infrastructure without consent, and GreyNoise catalogues whoever does the scanning. When security companies do it, it's "threat intelligence research." When anyone else does it, it's "hostile reconnaissance." Same action. Different label. Broken consent model.




The Question


Yesterday, Palo Alto Networks scanned my infrastructure. I didn't consent. I didn't opt-in. There's no opt-out.


If I scanned Palo Alto's infrastructure the same way, their SOC would flag me as a threat actor. If a Russian IP did it, it'd be "hostile reconnaissance" in someone's threat report.


So why is it legal when they do it?




The Legal Fiction


The argument goes like this:


1. Public IP = Public Space - When you expose a port to the internet, you're standing on a sidewalk. Anyone can look at you.


2. Scanning ≠ Access - The CFAA (Computer Fraud and Abuse Act, 18 U.S.C. § 1030) criminalizes *unauthorized access*. A port scan completes at most a TCP handshake; it never authenticates or reads anything protected. It just checks what's open.


3. Banner grabbing = Reading signs - If your SSH server announces "SSH-2.0-OpenSSH_7.6" to anyone who connects, you're the one sharing that information.


Legal conclusion: Reconnaissance isn't hacking. It's photography.




The Reality


Here's what these "researchers" actually collect:


| Data Point | How They Get It | What They Sell |
|------------|-----------------|----------------|
| Open ports | Full port scans | "Your attack surface" |
| Software versions | Banner grabbing | "Vulnerability exposure" |
| TLS certificates | TLS handshakes | "Asset inventory" |
| HTTP headers | GET requests | "Technology stack" |
| DNS records | Subdomain enumeration | "Shadow IT discovery" |


They build a complete inventory of your infrastructure. Then they sell it - to you (for "security") or to anyone else (for "research").


This is reconnaissance. The first phase of every attack.




The Double Standard


When Palo Alto does it: Threat intelligence research. Legitimate security service. Premium product.


When Shodan does it: Search engine for IoT. Academic project gone commercial. "The Google of hacking."


When GreyNoise does it: Benign scanner identification. Its sensor network records who is scanning the internet and labels the "benign" ones, helping you filter noise.


When you do it to them: Hostile reconnaissance. Flagged in their SIEM. Possibly reported to your ISP.


When a foreign IP does it: APT activity. Nation-state threat. Blog post material.


Same TCP packets. Different source IP. Entirely different legal and moral treatment.




The Consent Problem



I never consented to:

• Having my ports enumerated

• My software versions catalogued

• My TLS certificates harvested

• This data being sold

• Being in a "threat intelligence" database


The argument is "public internet = implied consent."


But consent requires:

1. Knowledge - I should know what's happening
2. Choice - I should be able to opt out
3. Control - I should decide what's shared


Internet scanning provides none of these. The "consent" is a legal fiction.




The Business Model


Here's the uncomfortable truth:


1. Scan everything - Near-zero marginal cost per host
2. Build a database - Catalog every device, every version, every vulnerability
3. Sell "your own data" back to you - "Here's your attack surface!"
4. Sell to everyone else - Competitors, researchers, adversaries
5. Claim the moral high ground - "We're improving security!"


It's surveillance capitalism applied to network security.




What They Actually Know About You


After a few scans, Shodan/Censys/Palo Alto know:



• Every public-facing service - Web servers, APIs, databases

• Exact software versions - Including vulnerable ones

• Your cloud provider - Published address ranges and default hostnames make Azure, AWS and GCP easy to tell apart

• Your technology stack - React frontend? Node backend? Framework-specific headers, cookies and asset paths give it away.

• When you deploy - Certificate changes and version bumps between one scan and the next

• Your organization - The certificate subject (the O= field in OV/EV certificates) and the SAN list reveal company and host names


This is better intelligence than most attackers bother gathering.
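To make the "How They Get It" column of the table above and the list of what a scanner ends up knowing concrete, here is an added Python example (not code from the original post or from any vendor named on this page) that turns three raw scan artifacts, an SSH banner, an HTTP Server header, and a TLS certificate subject plus SAN list, into the kind of inventory the article describes. The host, its banners and certificate are constructed samples, and the non-production prefix list is an assumption for illustration, not any vendor's actual heuristic.

```python
import re

# Constructed sample of what a single scan of one host could return.
# The address is from the TEST-NET-3 documentation range; the banners,
# certificate subject and SAN list are made up for this example.
SAMPLE_HOST = {
    "ip": "203.0.113.10",
    "ports": {
        22: {"banner": "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3\r\n"},
        443: {
            "server_header": "nginx/1.18.0 (Ubuntu)",
            "tls_subject": "CN=www.example.com,O=Example Corp,L=Austin,ST=Texas,C=US",
            "tls_san": ["www.example.com", "api.example.com", "staging.example.com"],
        },
    },
}

# Hostname prefixes that usually mark non-production systems; an assumed
# list for illustration, not a vendor's actual heuristic.
NONPROD_PREFIXES = {"staging", "stage", "dev", "test", "uat", "qa"}

# RFC 4253 identification string: "SSH-<proto>-<software>[ <comment>]".
SSH_BANNER = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<product>[A-Za-z]+)[_-](?P<version>\S+)"
    r"(?:\s+(?P<comment>.+))?$"
)

# HTTP Server header: "<product>[/<version>][ (<comment>)]".
SERVER_HEADER = re.compile(
    r"^(?P<product>[^/\s(]+)(?:/(?P<version>[^\s(]+))?(?:\s*\((?P<comment>[^)]*)\))?"
)


def parse_ssh_banner(banner):
    """Return (product, version, comment) from an SSH banner, or None."""
    match = SSH_BANNER.match(banner.strip())
    if not match:
        return None
    return match.group("product"), match.group("version"), match.group("comment")


def parse_server_header(header):
    """Return (product, version, comment); missing parts are None."""
    match = SERVER_HEADER.match(header.strip())
    if not match:
        return header.strip() or None, None, None
    return match.group("product"), match.group("version"), match.group("comment")


def parse_dn(dn):
    """Split an RFC 4514 distinguished name into {attribute: value}."""
    attrs = {}
    for rdn in re.split(r"(?<!\\),", dn):  # commas inside values are escaped
        key, _, value = rdn.strip().partition("=")
        if key:
            attrs[key.strip().upper()] = value.strip().replace("\\,", ",")
    return attrs


def build_inventory(host):
    """Turn per-port scan artifacts into the inventory a scanner sells."""
    inventory = {
        "ip": host["ip"],
        "services": [],
        "organization": None,
        "hostnames": set(),
        "os_hints": set(),
    }
    for port, artifacts in sorted(host["ports"].items()):
        service = {"port": port, "product": None, "version": None}
        if "banner" in artifacts:
            parsed = parse_ssh_banner(artifacts["banner"])
            if parsed:
                service["product"], service["version"], comment = parsed
                if comment:
                    inventory["os_hints"].add(comment)
        if "server_header" in artifacts:
            product, version, comment = parse_server_header(artifacts["server_header"])
            service["product"], service["version"] = product, version
            if comment:
                inventory["os_hints"].add(comment)
        if "tls_subject" in artifacts:
            subject = parse_dn(artifacts["tls_subject"])
            inventory["organization"] = subject.get("O", inventory["organization"])
            if "CN" in subject:
                inventory["hostnames"].add(subject["CN"])
        inventory["hostnames"].update(artifacts.get("tls_san", []))
        inventory["services"].append(service)
    # "Shadow IT discovery": hosts whose first label looks non-production.
    inventory["nonprod_hostnames"] = {
        name for name in inventory["hostnames"]
        if name.split(".")[0].lower() in NONPROD_PREFIXES
    }
    return inventory


if __name__ == "__main__":
    for key, value in build_inventory(SAMPLE_HOST).items():
        print(f"{key}: {value}")
```

Nothing in the block authenticates or sends anything beyond what a TCP connect and a TLS handshake already return; that is the whole point of the "Scanning ≠ Access" argument, and also why the resulting inventory (organization name, OS hint, exact OpenSSH and nginx versions, a staging host) is as useful to an attacker as it is to the vendor selling it.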




The Irony


We consume GreyNoise data to identify scanners. Palo Alto scans us. We track them. They track us. Everyone's watching everyone. Nobody consented to any of it.


The security industry built a panopticon and called it protection.




Legal ≠ Ethical


The law says it's fine. The law is wrong.


Just because something is legal doesn't make it right. Scanning someone else's infrastructure without consent is:



• Legal - Yes, under current interpretation

• Normalized - The entire industry does it

• Valuable - The data sells for millions

• Ethical - Absolutely not


The consent model is broken. We've just decided not to fix it because the winners are the ones writing the rules.




What Would Real Consent Look Like?


1. Opt-in scanning - Ask before you scan
2. Data minimization - Only collect what's necessary
3. Right to deletion - Remove my data on request
4. Transparency - Tell me what you found and who you sold it to
5. Reciprocity - If you scan me, I can scan you


None of this exists. None of it is even proposed.




The Question Remains


Why is reconnaissance legal when corporations do it but hostile when individuals do it?


Answer: Because corporations wrote the laws, fund the lobbying, and control the narrative.


The security industry scans the entire internet daily. They've convinced everyone this is normal. That it's for our protection. That consent is implied.


It's not. It never was.




What We Do Differently


DugganUSA threat intelligence doesn't rely on mass scanning. Our patterns come from:



• ThreatFox - abuse.ch's IOC feed (opt-in reporting)

• OTX - Community-contributed pulses

• VirusTotal - File submissions (user-initiated)

• GitHub - Public repositories (posted by the malware authors themselves)


We're not scanning your infrastructure. We're tracking what the snake cult publishes about themselves.


That's the difference between reconnaissance and intelligence.




*DugganUSA Threat Intelligence* *December 2025*


*"The difference between a security researcher and a threat actor is often just a matter of who signs the paycheck."*



• [Shodan](https://www.shodan.io) - "The Google of hacking"

• [Censys](https://censys.io) - "Internet-wide scanning"

• [GreyNoise](https://www.greynoise.io) - "Know your noise"

• [CFAA](https://www.law.cornell.edu/uscode/text/18/1030) - The law that enables all of this



Get Free IOCs

Subscribe to our threat intelligence feeds for free, machine-readable IOCs:

AlienVault OTX: https://otx.alienvault.com/user/pduggusa

STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed

