DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

From 5 Clicks to 800: What Happens When You Build a Search Engine Instead of a Blog

Patrick Duggan
Feb 18
4 min read

# From 5 Clicks to 800: What Happens When You Build a Search Engine Instead of a Blog

Four months ago, Google Search Console recorded 5 clicks to dugganusa.com in 28 days. Today it recorded 812, with 900 in sight. We didn't hire an SEO agency. We didn't buy ads. We built a search engine with 5.9 million documents behind it, and Google noticed.

The Curve That Wasn't Supposed to Happen

On October 20, 2025, we were nobody. A security blog on Wix running three Azure container apps for $76 a month. Five clicks meant five humans found us through Google Search and thought we were worth clicking on.

By February 2, we hit 60. By February 3, 100. By February 8, 500. By February 16, 800. The milestones that used to take weeks started falling daily.

This isn't a growth hack story. There's no trick. The only thing that changed was the depth of what sat behind each blog post.

The Platform Nobody Sees

Every post we publish is backed by a searchable corpus:

- 1,785,560 offshore entity records from the Panama and Pandora Papers

- 1,246,999 federal security decisions

- 869,601 threat indicators with country attribution and malware family classification

- 329,473 DOJ-produced Epstein documents with extracted names, locations, and aircraft

- 641,042 blocked threat events with abuse scoring and MITRE technique mapping

- 499,687 tracked search queries showing what the world is looking for

Total: 5.9 million documents. 24 GB. Three services. Seventy-six dollars a month.

When we write about a threat actor, we're not summarizing someone else's research. We're querying our own corpus, cross-referencing indicators across indexes, and publishing findings that can be independently verified. Google's algorithm can tell the difference between a blog post that cites sources and a blog post that *is* a source.

275 STIX Consumers in 46 Countries

The blog is the visible layer. Underneath it, we operate a STIX/TAXII threat intelligence feed that 275+ security operations centers consume in 46 countries. We've published 279 OTX pulses containing over a million indicators.

The feed runs autonomously. New indicators flow in from multiple sources, get scored, get classified, and get published. SOCs in Paris, Berlin, Tokyo, and Sao Paulo pull our data into their SIEMs every day. They don't read the blog. They consume the structured data.

This matters for SEO because it means our threat intelligence isn't performative. When we publish a blog post about a supply chain attack pattern, the underlying indicators are already in production security tooling worldwide. The post is documentation of work that's already happening.

Who's Scanning Your Threat Feed (And Why We Had to Gate It)

In January 2026, we noticed something odd. API capacity was at 92%. But our legitimate users — the researchers, the journalists, the SOC analysts — weren't responsible.

LinkedIn scanning tools were hammering our Epstein document search API with bulk name lookups. Zero-result queries. Thousands of them. Someone was running the guest lists through our index to see who appeared in the DOJ files.

We didn't block them. We gated the API. Free registration, 30 seconds, and you get an API key with rate limits. Authenticated users get better performance. Abusers get blocked without affecting legitimate researchers.

The scanning hasn't stopped. It's just accountable now. And the pattern itself became a data point — who is bulk-querying names against the Epstein corpus, and what are they looking for?

The $76 Question

People ask how we run this for $76 a month. The answer is architectural discipline.

Three container apps on Azure. One handles heavy compute — the STIX feed, threat enrichment, MITRE mapping, cross-index correlation. One handles the lightweight UI and security operations. One runs Meilisearch with 24 GB of indexed, embedded, searchable documents.

No Kubernetes. No load balancers. No managed database service at $400 a month. Just containers, a search engine, and a Key Vault. The complexity is in the data pipeline, not the infrastructure.

We've maintained 99.99% uptime since launch. AWS had an outage and we didn't notice. Azure had an outage and we didn't notice. When your architecture is simple enough that a single developer and an AI can maintain it, resilience comes from clarity, not redundancy.

What Google Actually Rewards

Here's what we think is happening with the search curve. Google's algorithm has gotten very good at distinguishing between three types of content:

Content that summarizes other content. Content that adds original analysis. And content that *is* the primary source.

We're in the third category. When someone searches for an Epstein-related name, our index has the actual DOJ documents — not a news summary of what the documents contain. When someone searches for a threat indicator, our feed has the raw IOC data with attribution and confidence scoring.

You can't fake depth. You can optimize title tags and meta descriptions — and you should, we just fixed ours today — but the hockey stick comes from having something worth clicking on when someone arrives.

684 posts. 5.9 million documents. The curve is still going up.

Merci Beaucoup

We want to close with something we didn't expect. The engagement on this work is international.

Our STIX feed reaches 46 countries. Our Bluesky audience includes researchers and analysts from France, Sweden, Spain, Germany, and Brazil. Today a French security researcher replied to one of our posts with "Magnifique! Merci pour votre travail." A Greek analyst said "Nicely done, I will use this." A Swedish academic reposted our Epstein findings.

This isn't a Minneapolis story. This isn't even an American story. Institutional accountability, financial transparency, and open-source threat intelligence are universal concerns. The documents are in English, but the interest is global.

To everyone following this work from outside the United States — we see you, we appreciate you, and we're not stopping.

Merci beaucoup.

*Built by DugganUSA LLC. $76/month. 5.9 million documents. 275+ STIX consumers in 46 countries. The search engine is at epstein.dugganusa.com. The threat feed is at analytics.dugganusa.com/api/v2/stix/taxii2.*

*Her name was Renee Nicole Good.*

*His name was Alex Jeffery Pretti.*