From Detection to Disclosure in 60 Seconds: Our Automated Abuse Reporting Pipeline

  • Writer: Patrick Duggan
  • Dec 19, 2025
  • 3 min read

Earlier today, we published our analysis of an automated phishing campaign abusing six cloud platforms simultaneously. Within an hour of that post going live, we had sent professional abuse reports to every affected platform's security team - complete with rich HTML formatting, IOC tables, and evidence summaries.


Here's how we did it.


The Problem: Speed Matters


When you discover threat actors abusing cloud infrastructure, every hour counts. The faster you report, the faster the takedown. But crafting professional, actionable abuse reports takes time - time that threat actors use to harvest more credentials.


Most security researchers face a choice: quick-and-dirty plain text emails, or slow-and-professional reports. We wanted both.


The Solution: Microsoft Graph API Integration


We built an automated abuse reporting pipeline using the Microsoft Graph API. Here's what it does:


Rich HTML Reports Generated On-Demand


Our reports aren't plain text. They include:



• High-contrast visual design for rapid scanning

• Color-coded severity badges

• IOC tables with domain, target, and category columns

• Evidence boxes with technical indicators

• Stats dashboards showing campaign scope

• Direct links to our STIX feeds for machine-readable IOCs


The security analyst receiving our email gets everything they need to take action without asking follow-up questions.


OAuth 2.0 Authentication via Azure Key Vault


Credentials never touch disk. Our Graph API client authenticates using:



• Azure AD application credentials stored in Key Vault

• Client credentials flow (no user interaction required)

• Automatic token refresh


This means we can trigger reports from scripts, cron jobs, or in response to detection events.


One Command, Multiple Platforms


Today's campaign hit GitHub Pages, Vercel, Netlify, Firebase, Heroku, and Glitch. Sending to all of them was trivial:



# Abuse-desk addresses are redacted in the published post; quote the variable so
# an address is never word-split by the shell.
for platform in [email protected] [email protected] [email protected]; do
  node graph-email-notifier.js --type security --html report.html --to "$platform"
done


Four platforms notified in under 30 seconds.
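The two pieces the post describes but does not show are the client credentials token handling and the Graph sendMail call that carries the HTML report. The following is an added example written for this page, not the authors' graph-email-notifier.js: it caches a Graph access token in memory and refreshes it before expiry, renders the IOC table with every attacker-controlled field HTML-escaped, and builds the request body Graph expects on POST /users/{sender}/sendMail. The secret lookup is injected so that in production it can be backed by Azure Key Vault (for example SecretClient.getSecret from @azure/keyvault-secrets) while the stub below runs offline. The tenant, client id, sender mailbox and IOC rows are constructed sample values, not data from the campaign.

```javascript
// Added example (not the post's graph-email-notifier.js): send an HTML abuse
// report through Microsoft Graph using the OAuth 2.0 client credentials flow.
// Assumes Node 18+ (global fetch). Secret retrieval is injected so it can be
// backed by Azure Key Vault in production and by a stub in tests.

const GRAPH_BASE = "https://graph.microsoft.com/v1.0";

// IOC fields come from the phishing campaign, i.e. attacker-controlled data,
// so they are escaped before being embedded in the HTML report.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Renders the domain / target / category table described in the post.
function renderIocTable(iocs) {
  const rows = iocs.map(
    (ioc) =>
      `<tr><td>${escapeHtml(ioc.domain)}</td><td>${escapeHtml(ioc.target)}</td>` +
      `<td>${escapeHtml(ioc.category)}</td></tr>`
  );
  return `<table><tr><th>Domain</th><th>Target</th><th>Category</th></tr>${rows.join("")}</table>`;
}

// Request body for POST /users/{sender}/sendMail.
function buildSendMailPayload({ to, subject, html }) {
  return {
    message: {
      subject,
      body: { contentType: "HTML", content: html },
      toRecipients: to.map((address) => ({ emailAddress: { address } })),
    },
    saveToSentItems: true,
  };
}

// In-memory token cache: the client secret is fetched only when a new token is
// needed and never written to disk; the token is renewed `skewSeconds` early.
class GraphTokenCache {
  constructor({ tenantId, clientId, getSecret, fetchImpl = globalThis.fetch, skewSeconds = 300 }) {
    this.tokenUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
    this.clientId = clientId;
    this.getSecret = getSecret; // async () => secret string (Key Vault in production)
    this.fetchImpl = fetchImpl;
    this.skewMs = skewSeconds * 1000;
    this.token = null;
    this.expiresAt = 0; // epoch ms
  }

  needsRefresh(nowMs = Date.now()) {
    return this.token === null || nowMs + this.skewMs >= this.expiresAt;
  }

  async getToken(nowMs = Date.now()) {
    if (!this.needsRefresh(nowMs)) return this.token;
    const body = new URLSearchParams({
      grant_type: "client_credentials",
      client_id: this.clientId,
      client_secret: await this.getSecret(),
      scope: "https://graph.microsoft.com/.default",
    });
    const res = await this.fetchImpl(this.tokenUrl, { method: "POST", body });
    if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
    const json = await res.json();
    this.token = json.access_token;
    this.expiresAt = nowMs + json.expires_in * 1000;
    return this.token;
  }
}

// Graph answers sendMail with 202 Accepted; anything else is a failure.
async function sendAbuseReport({ tokenCache, sender, to, subject, html, fetchImpl = globalThis.fetch }) {
  const token = await tokenCache.getToken();
  const res = await fetchImpl(`${GRAPH_BASE}/users/${encodeURIComponent(sender)}/sendMail`, {
    method: "POST",
    headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json" },
    body: JSON.stringify(buildSendMailPayload({ to, subject, html })),
  });
  if (res.status !== 202) throw new Error(`sendMail failed: HTTP ${res.status}`);
  return res.status;
}

// Constructed sample IOCs (not from the campaign) used to build a demo report.
const SAMPLE_IOCS = [
  { domain: "brand-login-01.pages.example", target: "ExampleBank", category: "credential-phishing" },
  { domain: "brand-login-02.pages.example", target: "ExampleBank", category: "credential-phishing" },
];

function buildDemoReport() {
  return buildSendMailPayload({
    to: ["abuse@platform.example"], // constructed placeholder address
    subject: "Abuse report: automated credential phishing campaign",
    html: `<h1>Abuse Report</h1>${renderIocTable(SAMPLE_IOCS)}`,
  });
}
```

To send for real, construct GraphTokenCache with the tenant id, the app's client id and a getSecret that reads the client secret from Key Vault, then call sendAbuseReport once per platform with the same html; only the token request and the sendMail call touch the network.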


What the Reports Look Like


Our abuse reports include:


Executive Summary

A two-sentence overview that security teams can forward to leadership without modification.


IOC Tables

Every malicious domain with its target brand and threat category, formatted for easy copy-paste into blocklists.


Evidence of Automation

Technical indicators that prove this is a coordinated campaign, not isolated incidents:

• Sequential domain numbering (loop variables in deployment scripts)

• Multi-platform simultaneous deployment

• Consistent burn rates across infrastructure


Recommended Actions

Specific, actionable steps tailored to each platform's capabilities.


Reporter Credentials

Our organization, contact info, public threat intel feeds, and blog writeup links - everything needed to verify we're legitimate researchers.


The Outcome


Within hours of discovery:



• Blog post published documenting the campaign

• OTX pulse created with IOCs

• STIX feed updated with new indicators

• Abuse reports sent to GitHub, Vercel, Netlify, and Glitch

• All reports formatted identically, professionally, and actionably


The phishing infrastructure was already being taken down before we finished writing this post.


Why This Matters


Threat actors have automated their offense. They spin up hundreds of phishing domains across multiple platforms with scripts. If defenders respond manually, we lose the race every time.


But automation works both ways.


When we can go from detection to disclosure in 60 seconds, the economics flip. Phishing infrastructure becomes more expensive to maintain because it gets reported faster than it can generate ROI.


That's the game we're playing. And today, we scored.


*Our STIX 2.1 feed and abuse reporting templates are available to security teams. Contact [email protected] for collaboration.*



Get Free IOCs

Subscribe to our threat intelligence feeds for free, machine-readable IOCs:

AlienVault OTX: https://otx.alienvault.com/user/pduggusa

STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed
