DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

Data vs Intelligence: Why Most Threat Feeds Are Junk

Patrick Duggan
Dec 6, 2025
3 min read

TL;DR: 180,000 people contribute to OTX. Most dump stale honeypot logs. We publish same-day, attributed, correlated threat intelligence. That's the difference between data and intelligence.

The Problem With "Threat Intelligence"

Open Threat Exchange (OTX) has 180,000 participants sharing 19 million potential threats daily. Sounds impressive until you look at what's actually in there:

• Honeypot dumps from 2017

• Bulk IP lists with no context

• Generic tags like "malware" and "suspicious"

• No campaign attribution

• No cross-source correlation

That's not intelligence. That's data hoarding.

What We Ship Instead

Here's our last 10 pulses (all from the same day):

| Pulse | Indicators | Attribution | |-------|------------|-------------| | Cobalt Strike C2 Beacons | 184 | Specific C2 framework, active beacons | | ClearFake Campaign | 100 | Russian domains, REG.RU registrar, Cloudflare-fronted | | Vidar Infostealer | 30 | Named malware family, ThreatFox correlated | | Remcos RAT | 24 | Specific RAT variant, fresh IOCs | | Meterpreter | 21 | Metasploit payloads in the wild | | AsyncRAT | 18 | Named campaign | | XWorm | 15 | Active worm variant | | DeimosC2 | 15 | Specific C2 framework | | Sliver C2 | 10 | Red team framework abuse | | Pattern 42 Reblessing | 11 | Our own detection patterns |

Every single one from today. Every single one attributed to a specific threat.

The Intelligence Lifecycle

Most contributors do step 1 and stop:

1. Collection - Honeypot catches IPs ← Most stop here 2. Processing - Clean, dedupe, validate 3. Analysis - Correlate across sources 4. Attribution - Name the campaign/malware 5. Dissemination - Publish with context 6. Feedback - Track what gets blocked

We run the full lifecycle:

• ThreatFox provides fresh IOCs (Pattern 49)

• VirusTotal correlation enriches with reputation (Pattern 50)

• Campaign attribution names the threat actor/malware

• STIX feed makes it machine-consumable

• Blog posts provide human context

Freshness Matters

Here's what happens when you block an IP from 2017:

Nothing. The attacker moved on 7 years ago.

Here's what happens when you block an IP from today:

You stop an active attack. The C2 is live. The campaign is running. Your block matters.

Most OTX pulses are archaeological artifacts. Interesting for research, useless for defense.

Our 27,000+ indicators are all from the last 10 days.

The Correlation Difference

Raw honeypot data: "IP 185.234.x.x hit my SSH"

That tells you nothing. Is it a scanner? A botnet? A researcher? A CDN?

Our intelligence: "IP 185.234.x.x is a Cobalt Strike beacon, first seen on ThreatFox Dec 5, confirmed by VirusTotal with 12 detections, part of a campaign using REG.RU domains behind Cloudflare"

Now you can make a decision.

Why This Matters

Microsoft and AT&T consume our STIX feed. Not because we have the most indicators - we don't. Because we have the right indicators:

• Fresh (same-day)

• Attributed (named campaigns)

• Correlated (multiple source validation)

• Contextual (malware families, registrars, infrastructure)

Quality beats quantity every time.

The Math

• OTX total: 19 million threats daily

• Our contribution: ~5,000/day (0.03%)

• Signal-to-noise ratio: Theirs is drowning in honeypot dumps. Ours is curated.

• 19 million IPs that hit someone's SSH honeypot in 2017?

• 5,000 confirmed malicious IOCs from active campaigns today?

The answer is obvious. The implementation is rare.

How We Do It

• Hourly pull from ThreatFox API

• Filter to priority malware families

• Auto-create OTX pulses

• Cross-reference IOCs with VT reputation

• Confirm malicious with 3+ detections

• Enrich with ASN, registrar, first-seen data

• Track what doesn't get taken down

• Identify potential honeypots

• Counter-intelligence layer

The pipeline compounds. Every hunt adds context. Every correlation adds confidence. Every day the feed gets more valuable.

The Uncomfortable Truth

Most threat intelligence is checkbox security. "We subscribe to 5 feeds" sounds good in a compliance audit. Nobody asks if those feeds are useful.

• No stale data

• No bulk dumps

• No generic tags

• Every indicator has a story

That's intelligence. Everything else is just data.

*DugganUSA Threat Intelligence* *27,646 indicators and counting* *December 2025*

• [STIX Feed](https://analytics.dugganusa.com/api/v1/stix-feed) - Machine-readable, fresh daily

• [OTX Pulses](https://otx.alienvault.com/user/pduggusa/pulses) - Human-readable, attributed

• [Detection Patterns](https://www.dugganusa.com/threat-intel) - Methodology

*"The difference between data and intelligence is the same as the difference between noise and signal. One is easy to generate. The other requires work."*

Get Free IOCs

Subscribe to our threat intelligence feeds for free, machine-readable IOCs:

AlienVault OTX: https://otx.alienvault.com/user/pduggusa

STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed

Questions? [email protected]