Don't Panic. Always Have a Towel. A Field Guide to Not Losing Your Shit in a Breach.
- Patrick Duggan
The cover of The Hitchhiker's Guide to the Galaxy has two words printed on it in large friendly letters: DON'T PANIC.
Douglas Adams understood something that most incident-response vendors don't: the hardest part of a crisis is not the crisis. It's the humans around the crisis. It's the CFO who just learned what "lateral movement" means at 11:47 PM. It's the general counsel who is reading the Massachusetts breach-notification statute for the first time. It's the CEO who is about to give a quote to a reporter who knows more than they do. It's you, at hour seventeen, running on coffee and adrenaline, about to make the one decision that will either save the quarter or headline the trade press.
You don't rise to the occasion. You fall to the level of your preparation.
So here's the towel.
What the towel actually is
In the books, a towel is "about the most massively useful thing an interstellar hitchhiker can have." It keeps you warm, it keeps you dry, you can sleep on it, you can signal with it, you can hit things with it, and if you have one, people assume you have the rest of your gear too — which they will then lend to you, because anyone who can't lose a towel is clearly someone who has their affairs in order.
Your towel is a single printable document that lives in three places: a USB drive in the fire safe, a laminated copy in the SOC, and an encrypted PDF in the legal team's shared vault. Not in the tool that just got breached. Not behind SSO that depends on the IdP that the attacker now owns. Not in a SaaS wiki that the attacker has read access to.
On it: the phone numbers, the decision tree, the three-sentence holding statement, the insurance carrier's claim line, the outside counsel's cell, the forensics retainer contact, the regulator notification windows by jurisdiction, and the exact name of the person who is allowed to talk to reporters.
If you can produce that document within sixty seconds of a page, everything downstream goes better. If you can't, you are going to learn what it feels like to Google the SEC's Form 8-K disclosure rules while your CISO is in the other room on hold with the FBI.
The first fifteen minutes
This is where most breaches go sideways. Not at the intrusion. Not at the exfil. At minute twelve, when a well-meaning sysadmin decides to "just reboot the box" and nukes the memory image that would have told forensics what the attacker did.
The rule for the first fifteen minutes is: observe, don't touch. Take the memory image. Snapshot the disk. Preserve the logs by copying them off, not by rotating them. Isolate the network segment at the switch, not at the host — you want the attacker to lose the channel without realizing you saw them. Announce nothing internally yet. Start the timer.
The reason this matters is that every action taken in the first fifteen minutes shows up in the forensic report six months later, and the ones that look stupid in hindsight are almost all the ones taken by someone who was panicking. You are allowed to do nothing. You are required to do nothing until the incident commander says otherwise.
If you don't have an incident commander pre-designated with an alternate, go designate one tomorrow morning. This is free.
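The "copy them off, not rotate them" step above is the one that is easiest to get wrong under pressure, so here is an added illustration of how to do it defensibly (this is example code written for this guide, not a tool the post describes). It copies each log into an evidence directory, hashes the source before the copy and the copy afterwards, writes a manifest with UTC timestamps and the collector's name, and can re-verify the evidence later. The sample log lines and the on-call analyst name are constructed; the sources are only ever opened for reading.

```python
"""Preserve log files by copying them off with an integrity manifest.

Added illustration: hash each log, copy it to an evidence directory,
re-hash the copy, and record a manifest so the chain of custody starts
at minute one. demo() builds constructed sample logs in a temp dir.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path) -> str:
    """Stream the file through SHA-256 so large logs never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve(sources, evidence_dir: Path, collector: str) -> list:
    """Copy each source into evidence_dir and return the manifest entries.

    Sources are only opened for reading. Each copy is re-hashed and the
    run aborts if the digest of the copy differs from the source digest.
    """
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for src in map(Path, sources):
        before = sha256_file(src)
        dest = evidence_dir / f"{src.name}.{before[:12]}"
        shutil.copy2(src, dest)      # copy2 preserves the source mtime for the timeline
        os.chmod(dest, 0o440)        # evidence copy is read-only from here on
        after = sha256_file(dest)
        if after != before:
            raise RuntimeError(f"hash mismatch while copying {src}")
        st = src.stat()
        manifest.append({
            "source": str(src),
            "evidence": str(dest),
            "sha256": before,
            "size": st.st_size,
            "source_mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "collected_utc": datetime.now(timezone.utc).isoformat(),
            "collector": collector,  # constructed value in demo()
        })
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(evidence_dir: Path) -> bool:
    """Re-hash every evidence copy against the manifest; False on any drift."""
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    return all(sha256_file(e["evidence"]) == e["sha256"] for e in manifest)


def demo() -> dict:
    """Constructed sample logs: preserve, verify, then show that tampering is caught."""
    work = Path(tempfile.mkdtemp())
    logs = work / "var_log"
    logs.mkdir()
    (logs / "auth.log").write_text(
        "Jan 10 11:47:02 web01 sshd[2211]: Accepted publickey for deploy from 10.0.4.9\n")
    (logs / "syslog").write_text(
        "Jan 10 11:47:05 web01 systemd[1]: Started session-42.\n")
    evidence = work / "evidence"
    manifest = preserve(sorted(logs.iterdir()), evidence, collector="on-call-analyst")
    verified_before = verify(evidence)
    sources_intact = all(sha256_file(e["source"]) == e["sha256"] for e in manifest)
    # Simulate someone editing an evidence copy after collection.
    tampered = Path(manifest[0]["evidence"])
    os.chmod(tampered, 0o640)
    with open(tampered, "ab") as f:
        f.write(b"x")
    return {
        "manifest": manifest,
        "verified_before": verified_before,
        "sources_intact": sources_intact,
        "tamper_detected": not verify(evidence),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is the artifact the forensics team and counsel will ask for six months later; the hash-before-and-after check is what lets you say the copy is what was on the box at collection time.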
The Babel Fish problem
In the books, the Babel Fish translates any language into any other. It is, Adams notes, the final proof that God does not exist — because it is a biological improbability so extreme that it could not have arisen by chance, and therefore God, requiring faith to exist, vanishes in a puff of logic.
In a breach, you need three Babel Fish.
The first translates technical-to-legal. When your detection engineer says "we think they pivoted through the Exchange server using a forged Kerberos ticket," the lawyer needs to hear "an unauthorized party may have obtained credentials that could access data subject to notification statutes in the following jurisdictions." Those are the same sentence, but only one of them starts the regulatory clock.
The second translates legal-to-executive. "Counsel advises we have an affirmative notification obligation under Massachusetts 93H within 30 days of determination" needs to become "we are going to tell the affected customers in the next four weeks, and here is what that costs us." Executives make decisions on cost and timeline. They do not make decisions on statute citations.
The third translates executive-to-employee. "We are executing our incident response plan and will provide updates through official channels" is the right sentence for the all-hands. Anything more detailed, and half the company will post it on LinkedIn within the hour. Anything less, and the rumor mill will fill the void with something worse than the truth.
You need these translators identified by name, in advance, with their phone numbers on the towel. You do not want to be building the org chart at 2 AM.
The Improbability Drive of attribution
Adams' Infinite Improbability Drive works by making something so unlikely that it becomes inevitable, which is also a pretty good description of how attribution works during an active incident.
Do not attribute in the first 72 hours. I do not care how obvious it looks. I do not care if the C2 is a known Chinese APT IP, if the tooling is Cobalt Strike, if the victim is a defense contractor, if the timezone pattern lines up with Beijing working hours. You will be wrong, and you will be wrong loudly, and the correction will run for a tenth of the impressions of the original.
Attribution is for the final report. In the first week, the only sentences you should say out loud are "an unauthorized third party" and "we are working with law enforcement and external forensics." Everything else is a hostage to fortune. The attacker who looks like China in week one is a Russian affiliate group using leaked Chinese tooling in week three, and the trade press has already printed the wrong thing twice by then.
Write this down: the press release is not the place for your threat-intel hypothesis.
The Vogon Poetry of the notification statute
The Vogons, in the books, are a bureaucratic alien species whose poetry is so bad that it is used as torture. Regulatory notification statutes were written by Vogons, which is unfortunate, because you have to read them.
Here is the part most people get wrong: the clock does not start at intrusion. The clock starts at "determination," and determination is a defined term, and the definition is not the same in every jurisdiction.
Massachusetts says "as soon as practicable and without unreasonable delay." New York says 30 days. California says "most expedient time possible and without unreasonable delay." GDPR says 72 hours. SEC Item 1.05 says 4 business days from determination of material impact. HIPAA says 60 days.
Those are not the same sentence. If you have customers in all of those jurisdictions — and you do — you are running six clocks in parallel, and the fastest clock wins. The outside counsel you pre-retained knows this. Your in-house counsel may not, because they've never done this before, because nobody has done this more than a couple of times, because the people who have done this more than a couple of times have all either retired or started consulting practices that charge $1,200 an hour.
The towel has the outside counsel's cell number on it for a reason.
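Running six clocks in parallel is a scheduling problem, so here is an added illustration of it in code (written for this guide, not something the post or its author supplies). The windows are exactly the figures quoted above and are treated as scheduler inputs, nothing more; regimes the post describes as "without unreasonable delay" carry no fixed deadline and are listed as advisory. The business-day rule is a plain Monday-to-Friday count with no holiday calendar, which is an assumption of this example, as is the constructed determination time.

```python
"""Run the breach-notification clocks in parallel and find the one that wins.

Added illustration. Windows are the figures quoted in the post; None
means "without unreasonable delay" (no fixed number). Business days are
counted Mon-Fri with no holiday calendar (assumption).
"""
from datetime import datetime, timedelta, timezone

CLOCKS = {
    "GDPR": ("hours", 72),
    "SEC Item 1.05": ("business_days", 4),
    "New York": ("days", 30),
    "HIPAA": ("days", 60),
    "Massachusetts 93H": (None, None),   # as soon as practicable
    "California": (None, None),          # most expedient time possible
}


def add_business_days(start: datetime, n: int) -> datetime:
    """Advance n business days; weekends skipped, holidays not modelled."""
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            remaining -= 1
    return current


def deadline(regime: str, determined: datetime):
    """Deadline for one regime measured from the determination time, or None."""
    unit, n = CLOCKS[regime]
    if unit is None:
        return None
    if unit == "hours":
        return determined + timedelta(hours=n)
    if unit == "days":
        return determined + timedelta(days=n)
    if unit == "business_days":
        return add_business_days(determined, n)
    raise ValueError(f"unknown unit {unit!r}")


def schedule(determined: datetime, jurisdictions):
    """All clocks sorted soonest first; advisory (no-number) regimes go last."""
    rows = [(j, deadline(j, determined)) for j in jurisdictions]
    rows.sort(key=lambda r: (r[1] is None, r[1] or determined))
    return rows


def fastest_clock(determined: datetime, jurisdictions):
    """The clock that wins: the earliest fixed deadline across every regime."""
    fixed = [(j, d) for j, d in schedule(determined, jurisdictions) if d is not None]
    return fixed[0]


def demo() -> dict:
    """Constructed determination time: a Friday at 23:47 UTC, spanning a weekend."""
    determined = datetime(2024, 1, 12, 23, 47, tzinfo=timezone.utc)
    rows = schedule(determined, CLOCKS)
    winner, when = fastest_clock(determined, CLOCKS)
    return {
        "deadlines": {j: (d.isoformat() if d else None) for j, d in rows},
        "winner": winner,
        "hours_to_winner": (when - determined).total_seconds() / 3600,
    }


if __name__ == "__main__":
    for regime, when in demo()["deadlines"].items():
        print(f"{regime:18s} {when or 'without unreasonable delay'}")
    print("fastest clock:", demo()["winner"])
```

The advisory regimes never win on paper, which is exactly why they are dangerous: nothing in the schedule forces a date, so the decision has to come from counsel rather than from a timer.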
Forty-two
The answer to the Ultimate Question of Life, the Universe, and Everything is famously forty-two. The problem, as the mice discover, is that nobody knows what the actual question was.
In a breach, you will be asked a hundred questions in the first day. Most of them are the wrong questions. The actual question is always the same one: "what did the attacker take, and who do we have to tell?" Everything else is noise. Attribution is noise. "How did they get in" is noise for week two. "Who is to blame internally" is noise for the post-mortem. "What does this mean for our stock price" is not your problem, it is Investor Relations' problem.
Keep returning to the two questions. What did they take. Who do we tell. Everything that does not serve those two questions is a distraction, and you have a limited budget of attention, and the distractions will consume all of it if you let them.
Our receipts
We have written a lot about this because we have lived a lot of it.
We have a pattern for what we did wrong when we removed security controls to ship faster. It cost between three and six million dollars. We wrote it up. The post-mortem is in our compliance evidence directory. The patent for the detection method that came out of the incident is in our portfolio.
We have a pattern for what we did wrong when our auto-defense system started blocking Bingbot, which quietly tanked our search traffic for a week before anyone noticed. We wrote that one up too. It is now "Pattern 49.5: Auto-Defense Self-Sabotage," and the fix is in production, and the detection for it is in our STIX feed.
We have a pattern for what we did wrong when we claimed 400,000 searchable documents in an index that actually had 2,200 empty stubs. Patrick went on Bluesky and told 24 people about it. We had to correct it publicly. That is in the compliance evidence too.
The point is not that we did these things wrong. The point is that we wrote them down. Every incident is a draft of a patent and a draft of a runbook, and if you don't write it down while it's fresh you will do the exact same thing again in eighteen months, except this time the cost will be higher because you'll be bigger.
The towel, redux
Print the towel tonight. Put it in the fire safe. Put a copy in the SOC. Put an encrypted copy with your outside counsel. Update it quarterly — not because the content changes fast, but because the exercise of updating it is the actual training.
The people who don't lose their shit in a breach are not calmer by nature. They are calmer by preparation. They practiced the conversation with the CFO before the CFO had to have it. They practiced the conversation with the regulator. They practiced the conversation with the reporter. They practiced the decision to pull the plug. They practiced the decision to not pull the plug.
When the page comes at 3:47 AM, they pick up the phone, and the towel is already in their hand, and the first words out of their mouth are not "oh fuck." The first words are: "incident commander is awake, clock starts now, give me five minutes."
That's it. That's the guide. Don't panic. Always have a towel.
This is part of our Field Guide series on defensible incident response. If you want to see what a real post-mortem looks like, our compliance evidence directory is public at dugganusa.com/compliance. If you want help building your own towel, [email protected].
— Patrick