# DugganUSA Launches Predictive Puckering: ISP-Level Subnet Blocking at $0/Year
- Patrick Duggan
- Oct 25, 2025
**Minneapolis, MN – October 26, 2025** – DugganUSA LLC today announced **Predictive Puckering**, a breakthrough threat intelligence capability that automatically blocks entire /24 subnets when repeat offender ISPs are detected. The system achieved **129× force multiplication** (4 observed malicious IPs → 516 total IPs protected) at **$0 additional cost**.
## What We Actually Built (With Real Numbers)
**Traditional Approach:** Block individual malicious IPs as they're discovered
**Predictive Puckering:** Block entire /24 subnets when 2+ IPs from the same ISP are malicious
**First Production Run (October 26, 2025 04:20 UTC):**
- Malicious IPs detected: 14 (AbuseIPDB confidence score ≥75%)
- Repeat offender ISPs identified: 2 (TECHOFF SRV LIMITED, 1337 Services GmbH)
- Individual IPs blocked: 4
- Subnets blocked: 2 (/24 ranges = 512 IPs)
- **Total protection: 516 IPs from 4 observed threats**
- **Force multiplication: 129×**
- **Cost: $0** (uses existing Cloudflare IP Lists)
## The Technical Implementation
### ISP Pattern Detection
### Automated Subnet Blocking
## Why This Matters
**The Problem:** Malicious actors rotate through IP addresses within their ISP's allocated ranges. Traditional IP blocking plays whack-a-mole.
**Our Solution:** When we see 2+ malicious IPs from the same ISP, we block their entire /24 subnet preemptively.
**Real Impact:**
- TECHOFF operates across 5+ IP addresses (that we've seen)
- Traditional blocking: Block 5 IPs individually
- Predictive Puckering: Block 256+ IPs in one operation
- Next malicious IP from TECHOFF? Already blocked.
## Technical Architecture
1. **Threat Intelligence Enrichment**
   - Cloudflare Analytics API (visitor IPs)
   - AbuseIPDB (abuse confidence scores, ISP attribution)
   - VirusTotal (malware correlation)
   - Local caching (compliance evidence)
2. **ISP Correlation Engine**
   - Automatic ISP name normalization (handles TECHOFF_SRV_LIMITED vs TECHOFF SRV LIMITED)
   - Pattern detection threshold: 2+ malicious IPs = repeat offender
   - /24 subnet calculation from IP octets
3. **Automated Blocking**
   - Cloudflare IP Lists (scales to 1,000 entries per list)
   - CIDR notation support (/24 subnets)
   - Single firewall rule blocks entire list
   - Azure Table Storage (Hall of Shame forensic logging)
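The correlation step described above, sketched as an added example (not DugganUSA's code or taken from its repo). Function names, the record shape and the `allowlist` parameter are assumptions, blocking the /24 of each malicious IP seen for a repeat-offender ISP is one reading of the description, and the sample records are constructed from documentation address ranges.

```javascript
// Added illustration, not DugganUSA's code. All identifiers are hypothetical.
const MIN_SCORE = 75;        // AbuseIPDB confidence threshold quoted on the page
const REPEAT_THRESHOLD = 2;  // 2+ malicious IPs from one ISP = repeat offender
const LIST_LIMIT = 1000;     // Cloudflare IP List entry limit quoted on the page

// Collapse case, underscores and punctuation so name variants compare equal.
function normalizeIsp(name) {
  return name.toUpperCase().replace(/[^A-Z0-9]+/g, ' ').trim();
}

// Strict dotted-quad parse; returns null for anything that is not IPv4.
function toSlash24(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m || m.slice(1).some((octet) => Number(octet) > 255)) return null;
  return `${Number(m[1])}.${Number(m[2])}.${Number(m[3])}.0/24`;
}

// allowlist: /24 CIDRs that must never be blocked (assumed safeguard; the page
// lists allowlisting as planned work, not as something the system does today).
function planSubnetBlocks(records, allowlist = []) {
  const ipsByIsp = new Map();
  for (const { ip, isp, score } of records) {
    if (score < MIN_SCORE || toSlash24(ip) === null) continue;
    const key = normalizeIsp(isp);
    if (!ipsByIsp.has(key)) ipsByIsp.set(key, new Set());
    ipsByIsp.get(key).add(ip); // a Set, so duplicate reports count once
  }
  const offenders = [];
  const subnets = new Set();
  for (const [isp, ips] of ipsByIsp) {
    if (ips.size < REPEAT_THRESHOLD) continue;
    offenders.push(isp);
    for (const ip of ips) {
      const cidr = toSlash24(ip);
      if (!allowlist.includes(cidr)) subnets.add(cidr);
    }
  }
  if (subnets.size > LIST_LIMIT) throw new Error('plan exceeds IP List limit');
  return { offenders: offenders.sort(), subnets: [...subnets].sort() };
}

// Constructed sample using documentation address ranges (RFC 5737).
const sample = [
  { ip: '192.0.2.10', isp: 'TECHOFF SRV LIMITED', score: 100 },
  { ip: '192.0.2.77', isp: 'TECHOFF_SRV_LIMITED', score: 90 },
  { ip: '198.51.100.5', isp: 'Example Hosting', score: 95 },    // single sighting
  { ip: '203.0.113.9', isp: 'techoff srv limited', score: 40 }, // below threshold
];
console.log(planSubnetBlocks(sample));
```

The returned `subnets` array holds the CIDR strings that would be written to the IP List; an ISP seen only once, or only below the score threshold, contributes nothing.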
## What We're NOT Saying
- ❌ "AI-powered" (it's pattern matching and subnet math)
- ❌ "Machine learning" (it's if statements and regular expressions)
- ❌ "Proprietary algorithms" (it's open source in our repo)
- ❌ Pricing withheld (it's literally $0, uses existing Cloudflare)
## What We ARE Saying
- ✅ 129× force multiplication measured in production
- ✅ 100% of costs disclosed ($0 incremental)
- ✅ Source code available (enterprise-extraction-platform repo)
- ✅ Live logs published (proof of execution)
- ✅ 95% confidence cap (we guarantee 5% bullshit exists)
## Availability
**Predictive Puckering is live in production** as of October 26, 2025. The system runs automatically every 6 hours or on container startup.
**Who can use this:**
- Anyone with Cloudflare (Free plan supports IP Lists)
- Anyone with AbuseIPDB API access (free tier: 1,000 queries/day)
- Anyone who can run Node.js in a container
**Cost to replicate:**
- Cloudflare: $0/month (Free plan)
- AbuseIPDB: $0/month (free tier sufficient for <1000 visitors/day)
- Azure Container Apps: ~$77/month (or any Docker host)
- **Total: ~$77/month** (vs typical enterprise SIEM: $2.8M/year)
## Known Limitations
1. **ISP name variations** - Now normalized, but edge cases exist
2. **False positives possible** - Entire subnet blocked if ISP is compromised
3. **Manual review required** - No automatic unblocking yet
4. **Cloudflare Free plan limits** - 1,000 entries per IP List
5. **95% confidence cap** - We admit uncertainty exists
## What's Next
1. **ASN-based blocking** - Block by Autonomous System Number instead of /24
2. **Allowlist support** - Prevent blocking of known-good subnets
3. **Time-based expiration** - Auto-unblock after X days without new reports
4. **Geographic correlation** - Country + ISP patterns for higher precision
## About DugganUSA
DugganUSA LLC is a Minnesota-based cybersecurity platform that believes in radical transparency, honest metrics, and $0 threat intelligence. We publish our source code, our costs, and our failures. We cap confidence scores at 95% because we guarantee at least 5% bullshit exists in any complex system.
**Contact:** Patrick Duggan, Founder
**Email:** [email protected]
**Platform:** www.dugganusa.com
**Cost:** $77/month (everything included)
## Appendix: Live Production Logs (October 26, 2025 04:20 UTC)
**Philosophy:** Show your work. Publish your logs. Admit your limitations. Charge honest prices.
**The High Road:** Arctic Wolf feeds a lot of families. We're not competing with them. We're showing what's possible at $77/month with radical transparency.



