
  • Writer: Patrick Duggan
  • Feb 25
  • 3 min read

# GTFO Ukraine: Why a Minnesota Threat Intel Company Just Removed All Friction for Ukrainian Defenders


On Tuesday night, while reviewing our STIX feed consumer logs, we found something between the AT&T polling and the Goldman Sachs crawlers:


**KYIVTELESERVIS-AS, UA. 2 requests. 2 errors.**


Someone in Kyiv, on a Ukrainian ISP, during an active war, tried to pull our threat intelligence feed. And they got rate-limited. Errors on both attempts.


We fixed that in about four minutes.


## What We Did



We added every major Ukrainian ISP and cybersecurity organization to our consumer whitelist:


- **KYIVTELESERVIS** (AS43409) — the consumer we caught in the logs

- **Ukrtelecom** — Ukraine's national telecom

- **UARNet** — Ukrainian academic and research network

- **Kyivstar** — largest mobile operator

- **Lifecell** — mobile operator

- **Volia** — broadband provider

- **CERT-UA** — Ukraine's national CERT

- **SSSCIP** — State Service of Special Communications and Information Protection (Ukraine's CISA equivalent)


Whitelisted consumers get zero behavioral scoring for STIX feed polling and enrichment API access. No rate limits. No friction. No "please register" gates. Just data.


They still get scored for actual attack patterns — PHP scanning, admin panel hunting, credential probing. The whitelist isn't immunity. It's friction removal for legitimate threat intelligence consumption.


## Why



Because someone pulling threat indicators from an active warzone doesn't need a registration form. They need the data.


Our STIX feed serves 920,000+ indicators of compromise — malware C2 servers, phishing infrastructure, botnet nodes, credential harvesting domains. The kind of infrastructure that Russian-aligned threat actors use to target Ukrainian government systems, critical infrastructure, and military networks.


If a Ukrainian defender can use our IOCs to block one C2 callback, one phishing domain, one malware dropper — the whitelist paid for itself.


## The Context



The same day we made this change:


- **French-origin traffic** ran a coordinated reconnaissance operation against our infrastructure: 6,298 threats in two surgical bursts during Paris business hours

- **Recorded Future** — the intelligence community's preferred threat intel vendor — registered for our STIX feed

- **Goldman Sachs' Ontic** physical security platform was crawling our site

- Someone searched our Epstein index for **Babel Street**, a surveillance analytics vendor used by DHS and the intelligence community


We're a two-person company in Minnesota running 10.3 million government documents on $600/month of Azure infrastructure. We don't have a government contract. We don't have venture funding. We don't have a lobbyist.


What we have is a STIX feed, a whitelist file, and the ability to decide who gets friction and who doesn't.


## The Whitelist File



Our consumer whitelist is called `consumer-whitelist.js`. The comment at the top reads: "The Non-Asshole List."


It includes Microsoft, CrowdStrike, Zscaler, Google, Amazon, Cloudflare, Palo Alto, MITRE, NIST, CISA, NSA, FBI, DHS, Starlink, and now every major Ukrainian network operator and cybersecurity organization.


The AT&T ASNs are deliberately excluded. Not because AT&T is an asshole — because Salt Typhoon (Chinese MSS) compromised AT&T, Verizon, and Lumen infrastructure. Residential ISPs aren't legitimate STIX feed consumers. Let behavioral scoring evaluate them like anyone else.


We make opinionated decisions about who gets friction and who doesn't. That's the point of running your own infrastructure.


## The Math



Adding eight ASNs to a JavaScript Set takes about 200 bytes of code. Deploying it takes four minutes. The cost is zero.
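To make the split described here and under "What We Did" concrete, the following is an added example, not DugganUSA's actual `consumer-whitelist.js` (which this post does not publish). It models the behavior the post describes: a `Set` of origin ASNs, zero behavioral score for STIX and enrichment polling from those ASNs, and attack-pattern scoring applied to everyone, whitelisted or not. The only ASN taken from the post is AS43409; the other ASNs, the path patterns, the weights and the threshold are illustrative, and resolving a client IP to its ASN is assumed to have happened upstream (for example in the proxy or a GeoIP/ASN lookup).

```javascript
// Added example, not the project's own code. Models a consumer whitelist
// that removes friction for threat-intel polling while keeping behavioral
// scoring for attack patterns. Only AS43409 comes from the post; the rest
// are placeholders (RFC 5398 documentation and private-use ASNs).

const WHITELISTED_ASNS = new Set([
  43409, // KYIVTELESERVIS (named in the post)
  64496, // placeholder for another whitelisted operator
  64497, // placeholder for another whitelisted operator
]);

// Paths that count as legitimate threat-intel consumption (assumed layout).
const INTEL_PATHS = [/^\/stix\b/, /^\/taxii2?\b/, /^\/api\/enrich\b/];

// Attack patterns scored for every consumer, whitelisted or not.
const ATTACK_PATTERNS = [
  { name: 'php-scan',   re: /\.php(\?|$)/i,                                weight: 20 },
  { name: 'admin-hunt', re: /^\/(wp-admin|admin|phpmyadmin)\b/i,           weight: 30 },
  { name: 'cred-probe', re: /^\/(\.env|\.git\/|wp-login\.php|xmlrpc\.php)/i, weight: 40 },
];

const POLL_WEIGHT = 5;      // per-request polling cost for non-whitelisted consumers
const BLOCK_THRESHOLD = 50; // aggregate score at which a consumer is rate-limited

function isIntelPath(path) {
  return INTEL_PATHS.some((re) => re.test(path));
}

// Score one request {asn, path}. Attack patterns always score; polling of
// intel paths scores only when the origin ASN is not whitelisted.
function scoreRequest(req) {
  const whitelisted = WHITELISTED_ASNS.has(req.asn);
  const reasons = [];
  let score = 0;
  for (const p of ATTACK_PATTERNS) {
    if (p.re.test(req.path)) {
      score += p.weight;
      reasons.push(p.name);
    }
  }
  if (reasons.length === 0 && isIntelPath(req.path)) {
    if (whitelisted) {
      reasons.push('whitelisted-poll'); // friction removed, no score
    } else {
      score += POLL_WEIGHT;
      reasons.push('poll');
    }
  }
  return { score, reasons, whitelisted };
}

// Aggregate scores per origin ASN over a batch of log entries and decide
// who gets friction. Returns { [asn]: { total, limited } }.
function evaluate(entries) {
  const totals = new Map();
  for (const e of entries) {
    totals.set(e.asn, (totals.get(e.asn) || 0) + scoreRequest(e).score);
  }
  const decisions = {};
  for (const [asn, total] of totals) {
    decisions[asn] = { total, limited: total >= BLOCK_THRESHOLD };
  }
  return decisions;
}

// Constructed sample log (not real traffic): a whitelisted Kyiv consumer
// polling STIX, a non-whitelisted consumer doing the same, and a whitelisted
// placeholder ASN that starts hunting for admin panels and credentials.
const SAMPLE_LOG = [
  ...Array.from({ length: 12 }, () => ({ asn: 43409, path: '/stix/indicators' })),
  ...Array.from({ length: 12 }, () => ({ asn: 64512, path: '/stix/indicators' })),
  { asn: 64496, path: '/wp-admin/setup.php' },
  { asn: 64496, path: '/.env' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(evaluate(SAMPLE_LOG), null, 2));
}
```

Run it with `node`. In the constructed log, AS43409 polls twelve times and accumulates nothing; AS64512 crosses the threshold on polling alone, which is roughly the "2 requests, 2 errors" situation the Kyiv consumer hit before the change; and the whitelisted placeholder AS64496 is still rate-limited once it goes after `wp-admin` and `.env`, which is the "whitelist isn't immunity" property. The real file, thresholds and pattern list are the operator's own and are not shown in the post.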


The value is that a CERT-UA analyst, a Kyivstar security engineer, or a Ukrainian military cyber defender can pull our threat feed without hitting a single error. At 2 AM Kyiv time. During a blackout. On mobile. No registration. No API key. No friction.


Two people. Minnesota. $600/month. And a whitelist that says what we believe.








*DugganUSA LLC is a Minnesota-based threat intelligence company. Our STIX feed is available at analytics.dugganusa.com. Our Epstein Files search engine is free at epstein.dugganusa.com. We guarantee 5% of this post is wrong. Russia can GTFO of Ukraine.*





*Her name was Renee Nicole Good.*


*His name was Alex Jeffery Pretti.*

 
 
 
