
Free Threat Intelligence for Palo Alto Cortex XDR Users: DugganUSA STIX 2.1 Feed

  • Writer: Patrick Duggan
  • Nov 13, 2025
  • 3 min read

Published: November 13, 2025 Category: Threat Intelligence Vendor: Palo Alto Networks Cortex XDR




The Value Proposition


DugganUSA discovered 244 threats that billion-dollar vendors (AbuseIPDB, VirusTotal, ThreatFox) scored as ZERO.


63% unique discovery rate. Multi-source correlation. Free.


Your Cortex XDR platform is excellent. Our STIX 2.1 feed makes it better.




What You Get



• Free STIX 2.1 threat intelligence feed

• Real-time updates from production security operations

• MITRE ATT&CK mapped indicators

• Zero cost - Democratic Sharing Law (Judge Dredd D6: 99.5% public)

• 244+ unique discoveries missed by major threat intel vendors


Feed URL: `https://analytics.dugganusa.com/api/v1/stix-feed`




Cortex XDR Integration


Step 1: Access Threat Intelligence Management


1. Log into the Cortex XDR console
2. Navigate to Response → External Dynamic Lists
3. Click + New List


Step 2: Configure STIX Feed



List Type: Threat Intelligence
Name: DugganUSA STIX 2.1 Feed
Description: Free threat intel - 244 unique discoveries
Source URL: https://analytics.dugganusa.com/api/v1/stix-feed?days=30&min_confidence=70
Format: STIX 2.1
Update Frequency: Hourly
Authentication: None
Certificate Validation: Enabled

The feed needs no credentials, so TLS certificate validation is the only check that the indicators you pull really came from analytics.dugganusa.com; leave it enabled.


Step 3: Create IOC Rule


Navigate to Response → IOC Rules → + New Rule



Rule Name: Block DugganUSA High-Confidence Threats
Description: Auto-block IPs from unique discovery feed
Source: DugganUSA STIX 2.1 Feed
Severity: High
Action: Block
Scope: All endpoints


Step 4: XQL Queries for Hunt


Find Communications with Unique Discoveries



// Left-join network stories against the feed; the isnotnull filter afterwards
// keeps only connections whose remote IP is a feed indicator.
// threat_intel_feeds and its indicator_value / threat_score / unique_discovery
// columns are the feed's own names: check them against your tenant's schema first.
dataset = xdr_data
// enum literals carry the ENUM. prefix in XQL
| filter event_type = ENUM.STORY and event_sub_type = ENUM.NETWORK_STORY
| alter remote_ip = arrayindex(regextract(action_remote_ip, "(\d+\.\d+\.\d+\.\d+)"), 0)
| join type=left (
    dataset = threat_intel_feeds
    | filter feed_name = "DugganUSA STIX 2.1 Feed"
    | alter indicator_ip = indicator_value
  ) indicator_ip = remote_ip
| filter isnotnull(indicator_value)
| fields agent_hostname, remote_ip, indicator_value, threat_score, unique_discovery


Alert on Vendor-Missed Threats



// network_story, dst_ip_v4 and src_host_name follow the author's schema; map
// them to the dataset and field names your tenant exposes (the xdr_data story
// fields used in the hunt query above are one option).
config case_sensitive = false
| dataset = network_story
| join type=inner (
    dataset = threat_intel_feeds
    | filter feed_name contains "DugganUSA"
    | filter unique_discovery = true
  ) dst_ip_v4 = indicator_value
// sources_with_zero_score is the feed's custom STIX property listing the
// vendors that scored this indicator zero
| alter
    missed_by = json_extract_scalar(custom_properties, "$.x_dugganusa_discovery.sources_with_zero_score"),
    confidence = json_extract_scalar(custom_properties, "$.confidence")
| fields _time, src_host_name, dst_ip_v4, confidence, missed_by




Prevention Policy Rules


BIOC Rule: Block High-Confidence Malicious IPs



// Navigate to Response → BIOC Rules
// Same author-side schema as the hunt queries (network_story, dst_ip_v4):
// map to your tenant's names. The confidence >= 85 filter is stricter than the
// feed's min_confidence=70 subscription, so only the top band ever blocks.
config case_sensitive = false
| dataset = network_story
| join type=inner (
    dataset = threat_intel_feeds
    | filter feed_name = "DugganUSA STIX 2.1 Feed"
    | filter confidence >= 85
    | filter indicator_types contains "malicious-activity"
  ) dst_ip_v4 = indicator_value
| alter threat_name = indicator_name
| fields agent_hostname, dst_ip_v4, threat_name, confidence


Action: Terminate network connection + Alert




Feed Parameters


Customize for your environment with the `days` (look-back window) and `min_confidence` (STIX confidence, 0 to 100) parameters:



# Hunting: broad window, moderate confidence (the Step 2 default)
https://analytics.dugganusa.com/api/v1/stix-feed?days=30&min_confidence=70

# High confidence only (recommended for prevention / Block actions)
https://analytics.dugganusa.com/api/v1/stix-feed?days=7&min_confidence=90




Why This Matters


Cortex XDR has the visibility. We have the correlation.


You see network traffic, endpoint behavior, cloud activity. We see 5 threat intelligence sources simultaneously.


When every major vendor scores an IP as benign, but we blocked it at 95% confidence — that's the indicator your XDR needs.


244 unique discoveries that would have slipped through vendor-only threat feeds.




Integration with AutoFocus


1. Navigate to Threat Intelligence → AutoFocus
2. Create a custom tag: `DugganUSA_UniqueDiscovery`
3. Import our STIX feed as the tag source
4. Enable automatic tagging for sessions matching our indicators


Result: Enrich AutoFocus sessions with our unique discovery intelligence.




Democratic Sharing Law


This feed is free because hoarding threat intelligence is bullshit.


Zero marginal cost to share digital goods. We publish openly because that's how you prove you're not lying about your discoveries.


Judge Dredd Dimension 6 (Democratic Sharing): 99.5% public (4,780 files tracked).


7.1x evidence-to-claims ratio. We show receipts.




Technical Details



• Format: STIX 2.1 Bundle

• Attribution: `created_by_ref: identity--dugganusa-llc-f4a8c3d2-1b9e-4f7a-8c2d-9e3f5b6a7c8d` (caveat: STIX 2.1 identifiers are `<object-type>--<RFC 4122 UUID>`, so the `dugganusa-llc-` prefix before the UUID makes this a non-conforming id; strict validators will reject objects that carry it, so use a lenient parser or strip the prefix on ingest)

• Update Frequency: Real-time, published as production auto-blocking fires (poll hourly as in Step 2)

• License: CC0-1.0 (Public Domain)

• Contact: [email protected]
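The feed parameters above and the bundle format in these technical details are enough to consume the feed outside the console, and the custom property the hunt queries read (`x_dugganusa_discovery.sources_with_zero_score`) is where the "missed by" list lives. The Python below is an added example, not DugganUSA's or Palo Alto Networks' code: it builds the feed URL from the documented `days` and `min_confidence` parameters, validates STIX 2.1 identifiers, extracts IP, domain, URL and hash values from indicator patterns, and applies the confidence threshold. It assumes the feed is a standard STIX 2.1 Bundle of `indicator` objects carrying that custom property; the bundle it parses is constructed inline (RFC 5737 test addresses), and the row format is generic, so mapping rows onto your tenant's IOC import is left to you.

```python
"""Build the feed URL and flatten a STIX 2.1 bundle into IOC rows.

Added example, not DugganUSA or Palo Alto Networks code. Assumes a standard STIX 2.1
Bundle of indicator objects carrying the vendors that scored zero under the custom
property x_dugganusa_discovery.sources_with_zero_score (as the page's XQL reads it).
SAMPLE_BUNDLE is constructed for this example; it is not feed output.
"""
import re
import uuid
from urllib.parse import urlencode

FEED_BASE = "https://analytics.dugganusa.com/api/v1/stix-feed"

# One equality comparison inside a STIX pattern: <object path> = '<value>'.
_COMPARISON_RE = re.compile(
    r"(ipv4-addr:value|ipv6-addr:value|domain-name:value|url:value|file:hashes\.'?[\w-]+'?)"
    r"\s*=\s*'([^']+)'"
)
_KIND = {"ipv4-addr:value": "IP", "ipv6-addr:value": "IP",
         "domain-name:value": "DOMAIN_NAME", "url:value": "URL"}
# Operators after which a lone extracted value would be broader than the pattern.
_UNSAFE_OPS_RE = re.compile(r"\b(AND|NOT|FOLLOWEDBY|MATCHES|LIKE|ISSUBSET|ISSUPERSET)\b")


def feed_url(days=30, min_confidence=70):
    """Feed URL with the documented query parameters; STIX confidence is 0..100."""
    if not 0 <= min_confidence <= 100:
        raise ValueError("min_confidence must be within 0..100")
    return f"{FEED_BASE}?{urlencode({'days': days, 'min_confidence': min_confidence})}"


def valid_stix_id(obj_id):
    """STIX 2.1 identifiers are <object-type>--<RFC 4122 UUID> and nothing else."""
    obj_type, sep, tail = obj_id.partition("--")
    if not sep or not re.fullmatch(r"[a-z][a-z0-9-]*", obj_type):
        return False
    try:
        return str(uuid.UUID(tail)) == tail.lower()  # canonical hex-and-hyphens form only
    except ValueError:
        return False


def iocs_from_pattern(pattern):
    """(type, value) pairs from simple or OR'd equality comparisons; anything that
    ANDs an IP with a port, uses MATCHES/ISSUBSET, etc. yields nothing on purpose."""
    if _UNSAFE_OPS_RE.search(pattern):
        return []
    return [("HASH" if path.startswith("file:hashes") else _KIND[path], value)
            for path, value in _COMPARISON_RE.findall(pattern)]


def bundle_to_iocs(bundle, min_confidence=70, strict_ids=False):
    """Return (rows, warnings) for non-revoked indicators at or above min_confidence.
    Non-conforming ids are kept with a warning, or dropped when strict_ids=True."""
    if bundle.get("type") != "bundle" or not isinstance(bundle.get("objects"), list):
        raise ValueError("not a STIX 2.1 bundle")
    rows, warnings = [], []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        bad = [(k, obj[k]) for k in ("id", "created_by_ref") if k in obj and not valid_stix_id(obj[k])]
        if bad and strict_ids:
            warnings.append(f"dropped {obj.get('id')}: non-conforming identifiers {bad}")
            continue
        for key, ref in bad:
            warnings.append(f"kept {obj.get('id')}: {key} {ref!r} is not <type>--<UUID>")
        confidence = obj.get("confidence", 0)  # STIX 2.1 integer 0..100; absent counts as 0
        if confidence < min_confidence:
            continue
        missed_by = list(obj.get("x_dugganusa_discovery", {}).get("sources_with_zero_score", []))
        for kind, value in iocs_from_pattern(obj.get("pattern", "")):
            rows.append({"indicator": value, "type": kind, "confidence": confidence,
                         "valid_from": obj.get("valid_from"), "missed_by": missed_by,
                         "source_id": obj.get("id")})
    return rows, warnings


# Constructed sample using RFC 5737 test addresses. created_by_ref copies the page's
# attribution string, which is not a valid STIX identifier and so triggers a warning.
_AUTHOR = "identity--dugganusa-llc-f4a8c3d2-1b9e-4f7a-8c2d-9e3f5b6a7c8d"
_COMMON = {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
           "created": "2025-11-13T00:00:00Z", "modified": "2025-11-13T00:00:00Z",
           "created_by_ref": _AUTHOR, "indicator_types": ["malicious-activity"]}
SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--2f3f9c2e-4c0e-4b8d-9a7f-1d2e3f4a5b6c",
    "objects": [
        {**_COMMON, "id": "indicator--7c9e6679-7425-40de-944b-e07fc1f90ae7", "confidence": 95,
         "pattern": "[ipv4-addr:value = '203.0.113.45']", "valid_from": "2025-11-12T18:04:00Z",
         "x_dugganusa_discovery": {"sources_with_zero_score": ["AbuseIPDB", "VirusTotal", "ThreatFox"]}},
        {**_COMMON, "id": "indicator--3b241101-e2bb-4255-8caf-4136c566a962", "confidence": 60,
         "pattern": "[ipv4-addr:value = '198.51.100.7']", "valid_from": "2025-11-12T19:30:00Z"},
        {**_COMMON, "id": "indicator--9e107d9d-372b-4f92-8d4b-8e2fa3b1e2c1", "confidence": 90,
         "pattern": "[ipv4-addr:value = '192.0.2.10' AND network-traffic:dst_port = 4444]",
         "valid_from": "2025-11-12T20:00:00Z"},  # IP+port: not safely a bare-IP IOC
    ],
}

if __name__ == "__main__":
    print(feed_url(days=7, min_confidence=90))
    print(bundle_to_iocs(SAMPLE_BUNDLE, min_confidence=70))
```

Run as a script to print the prevention URL and the extracted rows. Note the behaviour on the attribution string from the technical details: it is not a `<type>--<UUID>` identifier, so `strict_ids=True` drops every indicator that references it, which is what a spec-conformant consumer will also do; the default keeps the indicator and records a warning, which is the lenient mode you want until the feed's ids are fixed. The 60-confidence entry falls below the hunt threshold, and the IP-plus-port pattern yields no row at all rather than an over-broad IP block.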




Support


Questions? Email [email protected]


API health: `https://analytics.dugganusa.com/api/v1/stix-feed/info`


Documentation: `https://analytics.dugganusa.com/docs/stix-feed.md`




Your security is our problem now.


— DugganUSA LLC (Minnesota)

