# How to Read Threat Intel Like a Professional: The DugganUSA Field Guide
- Patrick Duggan
- Oct 27, 2025
- 5 min read
**Author:** Patrick Duggan (DugganUSA LLC)
**Evidence:** threat-intel-export-2025-10-27.csv (81 IPs analyzed)
**Lesson:** Multi-Factor Analysis > Single Metric
## The Problem with Amateur Threat Analysis
**Amateur sees:**
- IP has 165 reports → BLOCK IT
- IP has 6 reports → CLEAN
**Professional sees:**
- IP has 165 reports + 0 detections + Whitelisted = **Google DNS (CLEAN)**
- IP has 6 reports + VirusTotal 1/95 + Cloud hosting = **Botnet (MALICIOUS)**
**The difference:** Context.
## The DugganUSA 5-Factor Analysis Framework
We analyze every IP using **5 independent factors**:
- Factor 1: AbuseIPDB Score (Weighted Reports)
- Factor 2: VirusTotal Detections (Malware Evidence)
- Factor 3: ThreatFox IOCs (Known C2 Servers)
- Factor 4: Geographic Clustering (Botnet Patterns)
- Factor 5: ISP Reputation (Infrastructure Risk)
**Let me show you how this works using REAL DATA from October 27, 2025.**
## Factor 1: AbuseIPDB Score (The Weighted Truth)
### ❌ What Amateurs Do
**Problem:** Google DNS has 165 reports and is CLEAN.
### ✅ What Professionals Do
### Real Examples from Our Scan
| IP | Reports | Score | Verdict | Explanation |
|----|---------|-------|---------|-------------|
| 8.8.8.8 | 165 | 0 | CLEAN | Google DNS (whitelisted) |
| 40.88.21.235 | 219 | 0 | CLEAN | Microsoft Azure CDN |
| 113.31.186.146 | 98 | 100 | MALICIOUS | China botnet (high confidence) |
| 167.71.149.44 | 29 | 100 | MALICIOUS | DigitalOcean botnet |
| 165.22.3.253 | 6 | 45 | SUSPICIOUS | Medium confidence |
**Key Insight:** Score matters MORE than volume.
## Factor 2: VirusTotal Detections (The Malware Truth)
**VirusTotal scans every IP against 95 security engines.**
### Understanding Detection Rates
| Detection Rate | Interpretation | Action |
|---------------|----------------|--------|
| 0/95 (0%) | Clean or unscanned | Rely on other factors |
| 1-3/95 (1-3%) | Possible false positive | Investigate further |
| 4-8/95 (4-8%) | Likely malicious | Strong evidence |
| 9-15/95 (9-16%) | Definitely malicious | BLOCK IMMEDIATELY |
| 16+/95 (17%+) | Known malware infrastructure | CRITICAL THREAT |
### Real Examples from Our Scan
#### Example 1: Google DNS (0/95)
#### Example 2: Netherlands Botnet (13/95)
#### Example 3: Taiwan Botnet (9/95)
#### Example 4: Suspicious Cloud IP (1/95)
**Key Insight:** 9+ detections = Confirmed malware infrastructure.
## Factor 3: ThreatFox IOCs (Known Bad Infrastructure)
**ThreatFox = Database of confirmed malware C2 servers, maintained by abuse.ch**
### Understanding IOC Counts
| IOC Count | Interpretation | Action |
|-----------|----------------|--------|
| 0 | Not in ThreatFox database | Rely on other factors |
| 1-2 | Recently added (early warning) | Investigate |
| 3-5 | Active C2 server | BLOCK |
| 6+ | Major malware campaign | CRITICAL |
### Real Data from Our Scan
**Good news:** ZERO ThreatFox IOCs detected across all 81 IPs.
**What this means:**
- Our threats are "garden variety" botnets (SSH brute force, port scanning)
- NOT known ransomware C2, NOT known APT infrastructure
- Still malicious, but not "nation-state" level
**If we saw ThreatFox IOCs:**
**Key Insight:** ThreatFox IOCs = Drop everything and block NOW.
## Factor 4: Geographic Clustering (The Botnet Pattern)
**Professional threat analysts look for PATTERNS, not individual IPs.**
### Geographic Clustering Analysis
**Formula:**
### Real Examples from Our Scan
#### Netherlands: 7/7 Malicious (100%)
#### Taiwan: 4/4 Malicious (100%)
#### United States: 8/35 Malicious (23%)
**Key Insight:** 100% malicious rate = Dedicated botnet infrastructure.
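The clustering pass behind the country percentages above (Netherlands 7/7, Taiwan 4/4) and the cheat sheet's "3+ IPs from the same /24, all malicious" rule, as an added example in Python. This is not DugganUSA's code: the records are constructed (they are not rows from threat-intel-export-2025-10-27.csv), the column names `ip`, `country` and `verdict` are assumed because the page shows no CSV schema, and the `min_size` floor is an assumption that encodes the guide's own caveat that a single IP from a country cannot establish a cluster.

```python
"""Geographic clustering over an enriched IP export (added example, not the page's code)."""
import ipaddress
from collections import defaultdict

# Constructed sample records; NOT rows from threat-intel-export-2025-10-27.csv.
# Field names are assumed. Documentation ranges (RFC 5737) stand in for real
# hosting IPs; 8.8.8.8 and 113.31.186.146 are the page's own examples.
SAMPLE_RECORDS = [
    {"ip": "8.8.8.8",        "country": "US", "verdict": "CLEAN"},      # Google DNS
    {"ip": "192.0.2.17",     "country": "US", "verdict": "CLEAN"},
    {"ip": "192.0.2.80",     "country": "US", "verdict": "MALICIOUS"},
    {"ip": "203.0.113.10",   "country": "NL", "verdict": "MALICIOUS"},
    {"ip": "203.0.113.22",   "country": "NL", "verdict": "MALICIOUS"},
    {"ip": "203.0.113.57",   "country": "NL", "verdict": "MALICIOUS"},
    {"ip": "198.51.100.4",   "country": "TW", "verdict": "MALICIOUS"},
    {"ip": "198.51.100.9",   "country": "TW", "verdict": "CLEAN"},
    {"ip": "113.31.186.146", "country": "CN", "verdict": "MALICIOUS"},  # lone China IP
]


def country_rates(records):
    """Per-country (malicious, total, percent): the page's '7/7 (100%)' figure."""
    counts = defaultdict(lambda: [0, 0])
    for rec in records:
        counts[rec["country"]][1] += 1
        if rec["verdict"] == "MALICIOUS":
            counts[rec["country"]][0] += 1
    return {c: (m, t, round(100.0 * m / t, 1)) for c, (m, t) in counts.items()}


def dedicated_countries(records, min_size=3):
    """Countries where every observed IP is malicious (the 100% pattern).

    min_size is an assumed floor: the guide itself says one China IP is not
    enough to determine clustering, so a 1/1 country is not reported by default.
    """
    return sorted(
        c for c, (m, t, _) in country_rates(records).items() if t >= min_size and m == t
    )


def subnet_clusters(records, min_size=3):
    """/24 networks holding >= min_size IPs that are all malicious (cheat-sheet rule 3)."""
    groups = defaultdict(list)
    for rec in records:
        net = ipaddress.ip_network(f"{rec['ip']}/24", strict=False)
        groups[net].append(rec["verdict"])
    return sorted(
        str(net) for net, verdicts in groups.items()
        if len(verdicts) >= min_size and all(v == "MALICIOUS" for v in verdicts)
    )


if __name__ == "__main__":
    for country, (m, t, pct) in sorted(country_rates(SAMPLE_RECORDS).items()):
        print(f"{country}: {m}/{t} malicious ({pct}%)")
    print("dedicated countries:", dedicated_countries(SAMPLE_RECORDS))
    print("block these /24s:", subnet_clusters(SAMPLE_RECORDS))
```

On the constructed data the Netherlands comes out 3/3 and its /24 is flagged, while the single China IP is 1/1 but is held back by the floor; lowering `min_size` to 1 reports it, which is exactly the over-reach the guide's "only one China IP in scan" verdict avoids.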
## Factor 5: ISP Reputation (Infrastructure Risk)
**Not all hosting providers are equal.**
### ISP Risk Tiers
#### Tier 1: Whitelisted (Trusted Infrastructure)
- Google (8.8.8.8, 8.8.4.4)
- Cloudflare (1.1.1.1, 1.0.0.1)
- Microsoft Azure
- Amazon AWS (with caveats)
**Risk:** Near zero
**Action:** Never block without extraordinary evidence
#### Tier 2: Legitimate Cloud (Higher Risk)
- DigitalOcean
- Linode
- Vultr
- Hetzner
**Risk:** Medium (popular with both developers and attackers)
**Action:** Analyze VirusTotal + AbuseIPDB score
#### Tier 3: Bulletproof Hosting (High Risk)
- OVH (Netherlands)
- M247 (Romania/Netherlands)
- Some Eastern European providers
**Risk:** High (weak abuse policies)
**Action:** Lower threshold for blocking
#### Tier 4: Known Bad (Critical Risk)
- Repeated abuse violations
- Entire ASN flagged by multiple CERTs
- No abuse contact
**Risk:** Critical
**Action:** Block entire ASN
### Real Examples from Our Scan
#### Example 1: DigitalOcean (Tier 2)
**Why it's malicious:** Tier 2 ISP + VirusTotal detections = Compromised VM or botnet node
#### Example 2: OVH (Tier 3)
**Why it's malicious:** Bulletproof ISP + 10 VirusTotal engines = Dedicated botnet infrastructure
#### Example 3: Google (Tier 1)
**Key Insight:** Same VirusTotal count means different things on different ISPs.
## The DugganUSA Asshole Score Algorithm
**We combine all 5 factors into a single score.**
### The Formula
### Asshole Score Ranges
| Score | Threat Level | Action |
|-------|--------------|--------|
| 0-24 | MINIMAL | Allow (monitor) |
| 25-49 | LOW | Watch closely |
| 50-74 | MEDIUM | Consider blocking |
| 75-94 | HIGH | Block recommended |
| 95-124 | CRITICAL | Block immediately |
| 125+ | **LEGENDARY ASSHOLE** | Block + Hall of Shame |
### Real Examples from Our Scan
#### Legendary Assholes (Score 125+)
#### Google DNS (Score 0)
**Key Insight:** Asshole Score accounts for all factors, weighted properly.
## The Complete Analysis Workflow
**Let me show you how to analyze one IP using all 5 factors.**
### Example: 113.31.186.146 (China)
#### Step 1: Check AbuseIPDB
**Factor 1 Verdict:** MALICIOUS (high confidence)
#### Step 2: Check VirusTotal
**Factor 2 Verdict:** MALICIOUS (2/95 = 2.1% detection)
#### Step 3: Check ThreatFox
**Factor 3 Verdict:** Not in ThreatFox (garden-variety botnet)
#### Step 4: Check Geographic Clustering
**Factor 4 Verdict:** Cannot determine clustering (only one China IP in scan)
#### Step 5: Check ISP
**Factor 5 Verdict:** HIGH RISK (Chinese ISP + no abuse response)
### Final Calculation
## The Field Guide Cheat Sheet
**Print this out and tape it to your monitor:**
### Quick Decision Tree
### One-Liner Rules
1. **Google DNS Rule:** 165 reports + 0 score + 0 VT = CLEAN
2. **Botnet Rule:** Any VT >= 9 = MALICIOUS (no exceptions)
3. **Clustering Rule:** 3+ IPs from same /24, all malicious = Block subnet
4. **Netherlands Rule:** 7/7 malicious = Block all Dutch IPs
5. **ThreatFox Rule:** ANY ThreatFox IOCs = CRITICAL
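The five one-liner rules and the Factor 2 detection-rate table as a single decision function, an added example in Python rather than DugganUSA's own code. It covers the per-IP workflow above (AbuseIPDB, VirusTotal, ThreatFox, clustering) up to, but not including, the Asshole Score, whose formula the page does not show. The `Enriched` field names are assumptions (the page gives no CSV schema), the rule priority order is an assumption drawn from the wording ("ThreatFox = drop everything", "VT >= 9 ... no exceptions"), and `malicious_in_same_24` is expected to come from a separate clustering pass over the export.

```python
"""Cheat-sheet decision rules as code (added example, not the page's code)."""
from dataclasses import dataclass

VT_ENGINES = 95  # engine count the field guide uses for its percentages


@dataclass
class Enriched:
    """One IP after enrichment. Field names are assumed, not the page's CSV schema."""
    ip: str
    abuseipdb_reports: int  # raw report volume (the metric amateurs stop at)
    abuseipdb_score: int    # 0-100 weighted confidence score
    vt_detections: int      # VirusTotal engines flagging the IP
    threatfox_iocs: int     # ThreatFox IOC count
    country: str            # ISO country code


def vt_rate(detections: int) -> float:
    """Detection rate in percent, as in the Factor 2 table (13/95 -> 13.7)."""
    return round(100.0 * detections / VT_ENGINES, 1)


def vt_tier(detections: int) -> str:
    """Factor 2 table: detection count -> interpretation."""
    if detections <= 0:
        return "clean_or_unscanned"
    if detections <= 3:
        return "possible_false_positive"
    if detections <= 8:
        return "likely_malicious"
    if detections <= 15:
        return "definitely_malicious"
    return "known_malware_infrastructure"


def decide(rec: Enriched, malicious_in_same_24: int = 0) -> tuple[str, str]:
    """Apply the One-Liner Rules in priority order; return (verdict, rule that fired).

    malicious_in_same_24: malicious IPs observed in this IP's /24, this one
    included, computed elsewhere (assumed input, see the clustering pass).
    """
    # Rule 5: any ThreatFox IOC outranks every other factor.
    if rec.threatfox_iocs > 0:
        return "CRITICAL", "ThreatFox Rule"
    # Rule 2: VT >= 9 is malicious "no exceptions", so it precedes the clean rule.
    if rec.vt_detections >= 9:
        return "MALICIOUS", "Botnet Rule"
    # Rule 1: report volume is ignored; a zero weighted score and zero VT is clean.
    if rec.abuseipdb_score == 0 and rec.vt_detections == 0:
        return "CLEAN", "Google DNS Rule"
    # Rule 3: three or more malicious IPs in one /24 -> block the whole subnet.
    if malicious_in_same_24 >= 3:
        return "BLOCK_SUBNET", "Clustering Rule"
    # Rule 4: the page's scan found 7/7 Dutch IPs malicious.
    if rec.country == "NL":
        return "MALICIOUS", "Netherlands Rule"
    # No one-liner fired: fall back to the Factor 2 table's guidance.
    tier = vt_tier(rec.vt_detections)
    if tier in ("likely_malicious", "definitely_malicious"):
        return "LIKELY_MALICIOUS", "Factor 2 table"
    if tier == "possible_false_positive":
        return "INVESTIGATE", "Factor 2 table"
    return "UNDETERMINED", "Rely on other factors"


# Constructed records (not from the page's export); documentation ranges used.
SAMPLE = [
    Enriched("8.8.8.8", 165, 0, 0, 0, "US"),         # Google DNS: volume, no score
    Enriched("203.0.113.10", 20, 100, 13, 0, "NL"),  # 13/95 Netherlands-style node
    Enriched("192.0.2.5", 6, 45, 1, 0, "US"),        # cloud IP, 1/95: investigate
    Enriched("192.0.2.9", 3, 10, 0, 2, "US"),        # ThreatFox-listed: critical
]


def triage(records) -> dict:
    """Map each IP to its verdict; the rule name is dropped for the summary."""
    return {rec.ip: decide(rec)[0] for rec in records}


if __name__ == "__main__":
    for rec in SAMPLE:
        verdict, rule = decide(rec)
        print(f"{rec.ip:16} VT {rec.vt_detections:2}/{VT_ENGINES} ({vt_rate(rec.vt_detections)}%) "
              f"-> {verdict} [{rule}]")
```

The ordering is what makes the Google DNS case work: volume is never consulted, and the clean rule fires only after the ThreatFox and VT checks have had their say, so a whitelisted resolver with 165 reports clears while a 13/95 host in the same export is blocked.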
## The Taunt (For Threat Analysts Reading This)
**If you're still using volume-based blocking:**
You're blocking Google DNS and letting China botnets through.
**If you're paying $2.8M/year for Splunk Enterprise Security:**
You're getting the same analysis we did for $0.21 in API calls.
**If you think 165 reports means "definitely malicious":**
You don't understand weighted scoring algorithms.
**If you're NOT checking VirusTotal:**
You're missing the best signal in threat intelligence.
**If you're NOT analyzing geographic clustering:**
You're treating symptoms instead of patterns.
## The Training Data (Butterbot Corpus)
**This blog post IS the training data.**
**81 IPs analyzed. 5 factors per IP. Real-world results.**
**Butterbot will learn:**
- Google DNS (165 reports, 0 score) = CLEAN
- Netherlands cluster (7/7 malicious) = Geographic pattern
- Taiwan subnet (4/4 in /24) = Dedicated botnet infrastructure
- VirusTotal 13/95 (Netherlands) = Malware distribution
- Score 100 + VT 0 (old reports decay) = Algorithm limitation
**This is how AI learns threat intelligence better than $2.8M enterprise SIEMs.**
## The Philosophy
**Enterprise security vendors will tell you:**
"Threat intelligence is complex. You need our $2.8M platform to correlate 47 data sources across 12 security domains with machine learning and blockchain AI."
**We tell you:**
"Threat intelligence is math. Count the VirusTotal detections. Calculate geographic clustering. Show receipts."
**The difference?** We're teaching you to fish. They're selling you fish for $2.8M/year.
**DugganUSA LLC**
**Threat Intelligence Field Guide: Free**
**Enterprise SIEM License: $2.8M/year**
**Knowing the difference: Priceless**
**Our analysis:** $0.21 per 81 IPs
**Their analysis:** $2,800/month minimum
**ROI:** 1,333,233%
**Evidence Files:**
- threat-intel-export-2025-10-27.csv
- Hall of Shame: https://2x4.dugganusa.com/api/hall-of-shame
- Live Methodology: Read our fucking code (it's all open source)