# DHS Is Shut Down While a Nation-State Has F5 Source Code. That Is Not a Coincidence — It Is a Consequence.
- Patrick Duggan
- Mar 3
- 3 min read
Kristi Noem testified before the Senate Judiciary Committee today. The hearing covered Minneapolis killings, $220 million in self-promotional TV ads, and a remark about making sure "the right people voting" are "electing the right leaders." All of that will dominate the news cycle. None of it is the most dangerous thing happening at DHS right now.
The most dangerous thing is this: the Department of Homeland Security has been partially shut down since February 14, 2026. That is 17 days and counting. Inside that department sits the Cybersecurity and Infrastructure Security Agency — CISA — the federal government's lead agency for defending civilian networks against cyberattack.
CISA issued Emergency Directive 26-01 ordering federal agencies to patch F5 BIG-IP devices after a nation-state actor compromised F5's systems and stole proprietary source code, undisclosed vulnerability data, and embedded credentials. The BRICKSTORM backdoor ties this to UNC5221, a China-nexus threat actor. There are 260,000 exposed F5 systems globally.
The agency responsible for coordinating the federal response to this is operating on reduced capacity because Congress cannot agree on immigration enforcement funding.
Let that sit for a moment.
## What the Threat Actor Got
This was not a smash-and-grab. The attacker exfiltrated BIG-IP source code — the proprietary codebase behind load balancers, application delivery controllers, and access policy managers that sit in front of the most sensitive networks in the federal government and Fortune 500.
With source code, you do not fuzz for vulnerabilities. You read. You perform static analysis. You find logic flaws that no external researcher would ever discover. You build exploits that bypass every detection signature because nobody has ever seen the attack pattern before.
F5 released 44 CVEs in one patch bundle. Twenty-seven rated High. But those are the ones they found. The ones the threat actor found — and kept — are the ones that matter.
## What CISA Cannot Do Right Now
During a normal emergency directive cycle, CISA coordinates with agencies to verify patching, provides technical assistance, deploys hunt teams, and monitors for exploitation. ED 26-01 requires agencies to take specific actions within tight timelines.
During a partial shutdown, CISA operates with reduced staff. Non-essential personnel are furloughed. Coordination slows. Hunt teams shrink. The gap between directive and compliance widens.
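The verification work described above, patch status checked against a vendor baseline, exposure of management interfaces, and whether each agency has reported in, is the part that slows down when coordination staff are furloughed. The script below is an added example, not code from this post, from CISA, or from F5: a small directive-compliance report over a BIG-IP asset inventory. The inventory hosts, the "first fixed build" baseline per software branch, and the three checks themselves (patch level, public management interface, status report filed) are constructed placeholders and assumptions for illustration; the real fixed versions and required actions come from the vendor advisory and the directive text.

```python
"""
Added example (not the post's code, nor CISA's or F5's tooling): a
directive-compliance report over an F5 BIG-IP asset inventory.
Everything below marked as placeholder or constructed is an assumption.
"""
from dataclasses import dataclass


@dataclass
class Device:
    hostname: str
    version: str       # BIG-IP TMOS version string, e.g. "17.1.1.3"
    mgmt_public: bool  # management interface reachable from the internet
    reported: bool     # inventory/status report already filed with the coordinator


# PLACEHOLDER "first fixed build" per software branch.
# These are NOT F5's real fixed versions; take them from the vendor advisory.
FIXED_BASELINE = {
    "17.1": (17, 1, 3, 0),
    "16.1": (16, 1, 6, 0),
    "15.1": (15, 1, 10, 0),
}


def parse_version(text):
    """'17.1.1.3' -> (17, 1, 1, 3). Missing fields are padded with 0 so
    '16.1.6' compares correctly against '16.1.6.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def branch_of(version_tuple):
    """Software branch is the first two components, e.g. (17, 1, ...) -> '17.1'."""
    return f"{version_tuple[0]}.{version_tuple[1]}"


def assess(device, baseline=FIXED_BASELINE):
    """Return the list of findings for one device; an empty list means compliant."""
    findings = []
    v = parse_version(device.version)
    fixed = baseline.get(branch_of(v))
    if fixed is None:
        # No fixed build exists for this branch: it cannot be patched in place
        # and has to be upgraded to a supported branch or taken offline.
        findings.append("unsupported-branch")
    elif v < fixed:
        need = ".".join(str(n) for n in fixed)
        findings.append(f"unpatched (have {device.version}, need {need})")
    if device.mgmt_public:
        # Internet-reachable management plane is the highest-priority exposure.
        findings.append("management-interface-public")
    if not device.reported:
        findings.append("status-report-missing")
    return findings


def compliance_report(devices, baseline=FIXED_BASELINE):
    """Map hostname -> findings for every device in the inventory."""
    return {d.hostname: assess(d, baseline) for d in devices}


def summarize(report):
    """Roll the per-device findings up into counts for the coordinator's dashboard."""
    noncompliant = sum(1 for findings in report.values() if findings)
    return {
        "total": len(report),
        "noncompliant": noncompliant,
        "compliant": len(report) - noncompliant,
    }


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    Device("bigip-edge-01.example.gov", "17.1.3.1", mgmt_public=False, reported=True),
    Device("bigip-edge-02.example.gov", "17.1.1.3", mgmt_public=True, reported=False),
    Device("bigip-dc-legacy.example.gov", "14.1.5.6", mgmt_public=False, reported=True),
    Device("bigip-apm-01.example.gov", "16.1.6", mgmt_public=False, reported=False),
]


if __name__ == "__main__":
    report = compliance_report(SAMPLE_INVENTORY)
    for host, findings in report.items():
        print(f"{host:32} {'OK' if not findings else '; '.join(findings)}")
    print(summarize(report))
```

Running it over the constructed inventory flags three of the four devices: one unpatched with a public management interface and no report, one on a branch with no fixed build at all, and one fully patched but unreported. The point of the unsupported-branch case is that a version check alone is not enough; an appliance that cannot reach a fixed build never becomes "patched" and needs a different remediation path.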
Meanwhile, across our threat intelligence corpus:
> 952,251 indicators of compromise indexed and growing
> 8,357 hits for C2 infrastructure including active Cobalt Strike beacons
> Ransomware hitting healthcare (87,000 cancer research participants), telecom (1 million+ Brightspeed customers), and water systems (Peru's National Water Authority, 2TB stolen)
> Four China-nexus APT groups actively targeting critical infrastructure
The threat landscape does not pause for congressional negotiations.
## The $220 Million Question
Senator Kennedy asked Noem how she squares concern about government waste with $220 million spent on television advertisements featuring herself prominently. That is a fair question. Here is a better one: what is the cybersecurity budget for the agency inside her department that is responsible for defending every federal civilian network against nation-state attack, and is it funded right now?
CISA's budget has been a political football for years. The agency that protects election infrastructure, coordinates vulnerability disclosure, and runs the Known Exploited Vulnerabilities catalog — 1,513 entries and counting — operates at the mercy of continuing resolutions and partisan standoffs over unrelated policy.
The F5 emergency directive will not enforce itself. The nation-state actor who stole that source code is not waiting for Congress to fund DHS. And the 260,000 exposed F5 systems are not less vulnerable because Kristi Noem is testifying about whether Minneapolis protesters were "domestic terrorists."
## What We Track
At DugganUSA, we index threat intelligence because nobody should have to wait for a functioning federal agency to know what is attacking them. Our STIX feed serves 275+ consumers in 46 countries. Our IOC index crosses toward one million indicators. Our PreCog system catches novel C2 domains before they appear in any public feed.
We do this at a fraction of what DHS spends on television ads.
The government's own data — CISA directives, CVE disclosures, emergency orders — made searchable and actionable. Because when the government shuts itself down, somebody still has to watch the nets.
952,251 indicators. 350 named adversaries. 43.5 GB. No shutdown.
DugganUSA is a threat intelligence company. We index government documents, map networks, and publish what we find. STIX feed and threat intelligence at https://analytics.dugganusa.com. Epstein document index — 398,525 DOJ files — searchable at https://epstein.dugganusa.com.
*Her name was Renee Nicole Good.*
*His name was Alex Jeffery Pretti.*