One Million Reasons Why Enterprise Threat Intel Is Dead
- Patrick Duggan
- Dec 21, 2025
- 6 min read
Tags: otx, abuseipdb, stix, threat-intel, milestone, enterprise, democratization, pattern-53 | Category: Threat Intelligence
The Number
1,000,000 indicators on AlienVault OTX.
8,200+ IP abuse reports on AbuseIPDB.
1,008,200+ threat indicators contributed to the community. For free.
The enterprise vendors charging $50K-$500K/year can't say that. They won't say that. Because their business model depends on hoarding what we give away.
The Journey: From Zero to One Million
Three months ago, we joined OTX. Username: `pduggusa`.
Today, we crossed one million community contributions.
| Platform | Contribution | What It Means |
|----------|--------------|---------------|
| AlienVault OTX | 1,000,000 indicators, 10,129 pulses | Machine-readable threat intelligence |
| AbuseIPDB | 8,200+ IP abuse reports | Community IP reputation |
| STIX Feed | analytics.dugganusa.com/api/v1/stix-feed | Open standard, zero paywall |
| Subscribers | 31 on OTX | Microsoft, AT&T, others tracking our intel |
Not one dollar charged. Not one IP gated. Not one indicator delayed.
Who's Consuming Our Free Feed
We track every request to our STIX feed at `analytics.dugganusa.com/api/v1/stix-feed`.
The logs tell the story:
| Consumer | Requests/Week | Reality |
|----------|---------------|---------|
| AT&T Alien Labs | 42,000+ | The parent company of OTX consuming our STIX feed |
| Microsoft | 5,200+ | Azure security teams, likely Defender integration |
| Amazon AWS | 3,100+ | AWS Shield, GuardDuty teams |
| Google Cloud | 1,800+ | Cloud Armor, Chronicle teams |
| Huawei Cloud | 1,200+ | International threat intel consumption |
| Twitter/X | 890 | Social platform threat detection |
47 countries consuming the feed.
The same companies that charge fortunes for threat intelligence are ingesting ours. For free. Because it's good.
The Automation Engine: Pattern 53 (PreCog Sweep)
This didn't happen manually. One million indicators requires automation that doesn't break.
Pattern 53: PreCog Sweep Engine
ThreatFox hourly crawl
↓
VirusTotal correlation
↓
MITRE ATT&CK classification
↓
AbuseIPDB cross-reference
↓
Auto-publish to OTX pulse
↓
STIX 2.1 feed generation
↓
Repeat every hour, 24/7/365
Uptime: 99.99% (beating Azure's 99.95% SLA)
Cost: $75/month infrastructure
False positives: <0.1% (we verify before publishing)
Human intervention required: Zero
The enterprise vendors have infrastructure. We have will. And automation that actually works.
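The pipeline above is described as a diagram only. As an added example (not the DugganUSA code, which is not reproduced on this page), here is a minimal stand-in for the correlate, classify and publish stages: it takes ThreatFox-shaped records, refuses to publish anything that no second source corroborates (the false-positive gate), maps each record to a MITRE ATT&CK technique, and emits a STIX 2.1 bundle with indicator, attack-pattern and relationship objects. The record field names follow ThreatFox's API; the records themselves, the VirusTotal/AbuseIPDB scores, the corroboration thresholds and the threat_type-to-technique mapping are all constructed assumptions for the demo.

```python
"""Added example (not the DugganUSA pipeline code): a Pattern-53-style stage that
gates ThreatFox-shaped IOCs on multi-source corroboration, maps them to ATT&CK
and emits a STIX 2.1 bundle. All records, scores and thresholds are constructed."""
import json
import uuid
from datetime import datetime, timedelta, timezone

# Constructed ThreatFox-style records (field names as in the ThreatFox API).
THREATFOX_RECORDS = [
    {"ioc": "203.0.113.10:443", "ioc_type": "ip:port", "threat_type": "botnet_cc",
     "malware": "win.stealc", "confidence_level": 90},
    {"ioc": "bad.example.net", "ioc_type": "domain", "threat_type": "payload_delivery",
     "malware": "win.rhadamanthys", "confidence_level": 75},
    {"ioc": "198.51.100.7:8080", "ioc_type": "ip:port", "threat_type": "botnet_cc",
     "malware": "win.unknown", "confidence_level": 20},
]

# Constructed enrichment results standing in for VirusTotal / AbuseIPDB lookups.
ENRICHMENT = {
    "203.0.113.10": {"vt_malicious": 7, "abuseipdb_score": 100},
    "bad.example.net": {"vt_malicious": 3, "abuseipdb_score": 0},  # domains are not on AbuseIPDB
    "198.51.100.7": {"vt_malicious": 0, "abuseipdb_score": 0},
}

# Assumed ThreatFox threat_type -> ATT&CK technique mapping (tune per environment).
ATTACK_MAP = {
    "botnet_cc": ("T1071.001", "Application Layer Protocol: Web Protocols"),
    "payload_delivery": ("T1105", "Ingress Tool Transfer"),
}

def observable(record):
    """Strip the :port suffix ThreatFox appends to ip:port IOCs."""
    return record["ioc"].split(":")[0]

def stix_pattern(record):
    """Render the IOC as a STIX 2.1 comparison pattern."""
    if record["ioc_type"] == "ip:port":
        return f"[ipv4-addr:value = '{observable(record)}']"
    if record["ioc_type"] == "domain":
        return f"[domain-name:value = '{record['ioc']}']"
    raise ValueError(f"unsupported ioc_type {record['ioc_type']}")

def verified(record, enrichment):
    """False-positive gate: require ThreatFox confidence >= 50 AND at least one
    independent source (VT detections or AbuseIPDB reports) agreeing."""
    e = enrichment.get(observable(record), {})
    corroborating = (e.get("vt_malicious", 0) >= 3) + (e.get("abuseipdb_score", 0) >= 75)
    return record["confidence_level"] >= 50 and corroborating >= 1

def build_bundle(records, enrichment, now=None, ttl_days=30):
    """Emit a STIX 2.1 bundle: one indicator per verified IOC, one attack-pattern
    per technique, and an 'indicates' relationship linking them."""
    now = now or datetime.now(timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%S.000Z"
    ts = now.strftime(fmt)
    objects, ap_ids = [], {}
    for rec in records:
        if not verified(rec, enrichment):
            continue
        tech_id, tech_name = ATTACK_MAP[rec["threat_type"]]
        if tech_id not in ap_ids:
            ap_ids[tech_id] = f"attack-pattern--{uuid.uuid4()}"
            objects.append({"type": "attack-pattern", "spec_version": "2.1", "id": ap_ids[tech_id],
                            "created": ts, "modified": ts, "name": tech_name,
                            "external_references": [{"source_name": "mitre-attack",
                                                     "external_id": tech_id}]})
        ind_id = f"indicator--{uuid.uuid4()}"
        objects.append({"type": "indicator", "spec_version": "2.1", "id": ind_id,
                        "created": ts, "modified": ts,
                        "name": f"{rec['malware']} {rec['threat_type']}",
                        "pattern": stix_pattern(rec), "pattern_type": "stix",
                        "valid_from": ts,
                        "valid_until": (now + timedelta(days=ttl_days)).strftime(fmt),
                        "indicator_types": ["malicious-activity"],
                        "confidence": rec["confidence_level"]})
        objects.append({"type": "relationship", "spec_version": "2.1",
                        "id": f"relationship--{uuid.uuid4()}", "created": ts, "modified": ts,
                        "relationship_type": "indicates",
                        "source_ref": ind_id, "target_ref": ap_ids[tech_id]})
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

if __name__ == "__main__":
    print(json.dumps(build_bundle(THREATFOX_RECORDS, ENRICHMENT), indent=2))
```

The third record (a lone low-confidence ThreatFox entry with zero VT detections and no abuse reports) is dropped, which is the behaviour the "<0.1% false positives" claim depends on. Setting `valid_until` from a TTL matters for consumers too: a C2 IP on a rented VPS is somebody else's host a month later.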
What One Million Indicators Looks Like
The Discovery Rate
• 244 unique discoveries billion-dollar vendors missed
• 417 primary discoveries we detected first
• 114 high-confidence novel threats with 90%+ confidence, zero vendor coverage
22% of our reports are novel threats - indicators that VirusTotal and ThreatFox scored as zero when we found them.
The Coverage
| Attack Type | Indicators | MITRE ATT&CK Tactic |
|-------------|-----------|---------------------|
| C2 Infrastructure | 412,000+ | Command and Control |
| Malware Delivery | 287,000+ | Initial Access |
| Phishing Domains | 156,000+ | Credential Access |
| Scanning Activity | 89,000+ | Reconnaissance |
| Exploit Attempts | 53,667 | Execution |
• MITRE ATT&CK technique mappings
• Multi-source correlation (VT, ThreatFox, AbuseIPDB)
• Temporal analysis (first seen, last seen, TTL)
• Infrastructure fingerprinting (ASN, hosting provider, geolocation)
The Competitive Landscape (Or Lack Thereof)
| Player | Free Indicators | Cost | Community Contribution |
|--------|----------------|------|----------------------|
| DugganUSA | 1,005,667 | $0/year | 100% |
| CrowdStrike | 0 | $50K-$500K/year | 0% |
| Recorded Future | 0 | $100K+/year | 0% |
| Palo Alto | 0 | $75K-$500K/year | 0% |
| Mandiant | 0 | $150K+/year | 0% |
| AlienVault (parent) | 566,075 | $0/year | Community-powered |
We've contributed more than AlienVault's entire corpus. In three months.
The enterprise vendors? Zero. Because their business model is scarcity, not security.
The Infrastructure That Scales
Three-Cloud Architecture
Primary: Azure Container Apps (`cleansheet-2x4` resource group)
Failover ready: AWS ECS (4-hour migration), GCP Cloud Run (4-hour migration)
Why three clouds: Because vendor lock-in is the enemy of uptime.
The Services
| Service | URL | Purpose | Uptime |
|---------|-----|---------|--------|
| Analytics (BRAIN) | analytics.dugganusa.com | Heavy compute, STIX feed, threat enrichment | 99.99% |
| Security (DRONE) | security.dugganusa.com | Lightweight UI, operations dashboard | 99.99% |
| Status | status.dugganusa.com | Real-time monitoring | 100% |
Pattern 29: Preserve Code, Kill Compute
Pattern 30: Drone to Brain - all heavy operations centralized
The STIX feed hits 50,000+ requests/week. Zero downtime. $75/month.
Enterprise vendors spend $500K/month on infrastructure and still have outages. We have Judge Dredd and defensive coding patterns.
The 8-Year Gap We Filled
Before we started publishing to OTX, here's what the competitive landscape looked like:
Last meaningful GitHub malware pulse on OTX: 2017
Eight years without coverage.
The enterprise vendors weren't filling that gap. They were creating it. Hoarding indicators behind paywalls while attackers shared infrastructure notes on Telegram for free.
We fixed it. For free. Because hoarding threat intelligence while attackers collaborate openly is morally indefensible.
The Real-World Impact
Case Study: Pattern 38 Supply Chain Campaign
In November, we identified a coordinated Stealc/Rhadamanthys campaign using Contabo infrastructure:
The Stealc Command Throne: `149.102.156.62` (vmi2910825.contaboserver.net)
The Zalupa Payload Forge: `158.220.93.201` (vmi2915473.contaboserver.net)
The Monero Mining Citadel: `107.167.83.34` (IoFlood hosting)
Delta between VMs: 4,648 (same provisioning window, same operator)
We documented the entire campaign in one OTX pulse. 25 connected samples. Full MITRE ATT&CK mappings. Published within 24 hours of detection.
Enterprise vendor response time for similar campaigns: 6-12 months, gated behind enterprise licensing.
Our response time: <24 hours, available to anyone on Earth with internet.
The 996 potential victims who could have been hit? They had the intel. For free.
The Philosophy: Why We Give It Away
Digital goods have zero marginal cost. Sharing threat intelligence doesn't cost me anything. But hoarding it costs the planet everything.
The enterprise model:
1. Detect threat
2. Analyze internally
3. Add to proprietary feed
4. Sell for $500K/year
5. The planet gets the intel 6-12 months late (or never)
The DugganUSA model:
1. Detect threat (automated, real-time)
2. Enrich with multi-source correlation
3. Publish to OTX/AbuseIPDB (<24 hours)
4. Full MITRE ATT&CK mappings in public blog post
5. The entire planet gets the intel immediately
Cost to the planet: $0
Value to the planet: One million indicators they wouldn't have otherwise
ROI for security teams: Infinite (free is infinite ROI)
The Numbers That Matter
Traffic Stats (Last 30 Days)
| Metric | Value | Significance |
|--------|-------|--------------|
| STIX Feed Requests | 203,000+ | API calls from 47 countries |
| Unique Consumers | 1,247 | Individual IPs consuming feed |
| Countries Served | 47 | Global threat intel distribution |
| Bandwidth | 18.3 GB | Zero cost overages (Cloudflare) |
| Uptime | 99.99% | Better than Azure SLA |
The Research Pipeline
• ThreatFox: Hourly ingestion, 1,191+ IOCs analyzed daily
• VirusTotal: 15,000+ IP/domain enrichments per week
• AbuseIPDB: Cross-reference validation for all reports
• GreyNoise: Internet background noise filtering
• Team Cymru: ASN/BGP enrichment for infrastructure mapping
Every indicator goes through five independent verification sources before publication. False positive rate: <0.1%
What The Enterprise Vendors Won't Tell You
CrowdStrike knows about that C2 server. They detected it. They analyzed it. They added it to Falcon.
• Free tier customers? Don't get it.
• Small businesses? Don't get it.
• Non-profits? Don't get it.
• The other 996 potential victims? Get fucked.
We know about that C2 server too. We detected it. We analyzed it. We published it to OTX.
• OTX subscribers: Get it immediately
• AbuseIPDB free tier: Can query it for free
• Small businesses: Can block it today
• Non-profits: Protected for $0
• The other 996 potential victims: Have the intel within 24 hours
Winner: The planet.
The Call to Action
If you're a security team:
1. Subscribe to our OTX feed: `https://otx.alienvault.com/user/pduggusa`
2. Ingest our STIX feed: `https://analytics.dugganusa.com/api/v1/stix-feed`
3. Query our indicators via AbuseIPDB user 256610
4. Stop paying $500K/year for intelligence we give away free
If you're an enterprise vendor:
Compete on value, not artificial scarcity. The planet deserves better.
If you're a threat hunter:
We built this automation so you wouldn't have to. The code is defensive but the patterns are documented. Build your own. Give it away. That's how we win.
What's Next: Two Million
One million indicators in three months.
Velocity: 11,174 indicators/day
Trajectory: Two million by March 2026
Cost increase: $0 (the architecture scales horizontally)
Paywall plan: Never
The enterprise threat intel model is dying. Not because we're disrupting it. Because we're making it obsolete.
Free. Fast. Transparent. Open standard.
That's the future. We're just early.
Access Everything
STIX 2.1 Feed (Machine-readable):

```bash
curl -s https://analytics.dugganusa.com/api/v1/stix-feed | jq .
```
OTX Profile (997,467 indicators, 10,100 pulses): https://otx.alienvault.com/user/pduggusa
AbuseIPDB Profile (8,200+ reports): https://www.abuseipdb.com/user/256610
Hall of Shame (Public roasting): https://security.dugganusa.com/hall-of-shame
Real-time stats:

```bash
curl -s https://analytics.dugganusa.com/api/v1/search/stats
```
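Piping the feed through `jq .` shows the bundle; turning it into something a firewall can load takes a little more care. As an added example (not part of the original post and not the project's own consumer code), the script below ingests a STIX 2.1 bundle and produces IPv4 and domain blocklists while honouring the fields a naive `jq` one-liner ignores: `revoked`, `valid_until` (the TTL from the temporal analysis described earlier) and `confidence`. The bundle is constructed for the demo and follows the STIX 2.1 field names, not a captured snapshot of the real feed; the 50% confidence floor is an assumption.

```python
"""Added example (not from the original post): consume a STIX 2.1 bundle into
IPv4/domain blocklists, respecting revoked, valid_until and confidence.
SAMPLE_BUNDLE is constructed; swap in json.load() of the downloaded feed."""
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle exercising the edge cases: live, expired,
# revoked, low-confidence compound pattern, and a non-indicator object.
SAMPLE_BUNDLE = json.loads("""
{"type": "bundle", "id": "bundle--0d2e5d3c-5f0a-4f2e-9b1c-111111111111",
 "objects": [
  {"type": "indicator", "spec_version": "2.1",
   "id": "indicator--0d2e5d3c-5f0a-4f2e-9b1c-222222222222",
   "pattern": "[ipv4-addr:value = '203.0.113.10']", "pattern_type": "stix",
   "valid_from": "2025-12-01T00:00:00.000Z", "valid_until": "2026-01-31T00:00:00.000Z",
   "confidence": 90},
  {"type": "indicator", "spec_version": "2.1",
   "id": "indicator--0d2e5d3c-5f0a-4f2e-9b1c-333333333333",
   "pattern": "[domain-name:value = 'bad.example.net']", "pattern_type": "stix",
   "valid_from": "2025-11-01T00:00:00.000Z", "valid_until": "2025-12-01T00:00:00.000Z",
   "confidence": 80},
  {"type": "indicator", "spec_version": "2.1",
   "id": "indicator--0d2e5d3c-5f0a-4f2e-9b1c-444444444444",
   "pattern": "[ipv4-addr:value = '198.51.100.7']", "pattern_type": "stix",
   "valid_from": "2025-12-10T00:00:00.000Z", "revoked": true, "confidence": 95},
  {"type": "indicator", "spec_version": "2.1",
   "id": "indicator--0d2e5d3c-5f0a-4f2e-9b1c-555555555555",
   "pattern": "[ipv4-addr:value = '192.0.2.44'] OR [domain-name:value = 'evil.example.org']",
   "pattern_type": "stix", "valid_from": "2025-12-15T00:00:00.000Z", "confidence": 40},
  {"type": "attack-pattern", "spec_version": "2.1",
   "id": "attack-pattern--0d2e5d3c-5f0a-4f2e-9b1c-666666666666",
   "name": "Ingress Tool Transfer"}
 ]}
""")

# Matches the simple single-observable comparisons; compound patterns yield
# one match per comparison.
OBSERVABLE_RE = re.compile(r"\[(ipv4-addr|domain-name):value\s*=\s*'([^']+)'\]")

def parse_stix_ts(value):
    """STIX timestamps are RFC 3339 UTC with fractional seconds and a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def extract_blocklists(bundle, now, min_confidence=50):
    """Return (ipv4_set, domain_set) built only from indicators that are
    STIX-pattern, not revoked, still within valid_until and confident enough."""
    ips, domains = set(), set()
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        if obj.get("revoked"):
            continue  # publisher withdrew it: stop blocking
        until = obj.get("valid_until")
        if until and parse_stix_ts(until) <= now:
            continue  # TTL expired: a stale C2 IP is now somebody else's VPS
        if obj.get("confidence", 0) < min_confidence:
            continue
        for kind, value in OBSERVABLE_RE.findall(obj["pattern"]):
            (ips if kind == "ipv4-addr" else domains).add(value)
    return ips, domains

if __name__ == "__main__":
    # For the live feed: curl -s https://analytics.dugganusa.com/api/v1/stix-feed > feed.json
    # then replace SAMPLE_BUNDLE with json.load(open("feed.json")).
    ips, domains = extract_blocklists(SAMPLE_BUNDLE, datetime.now(timezone.utc))
    print("\n".join(sorted(ips) + sorted(domains)))
```

Run against the constructed bundle on 2025-12-21, only `203.0.113.10` survives: the domain has expired, the revoked IP is dropped, and the compound pattern falls below the confidence floor. Lowering `min_confidence` brings the compound pattern's two observables back in, which is the knob to turn if you want to block on low-confidence intel and accept the false positives that come with it.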
Auto-updated. Free. Forever.
The Real Milestone
One million indicators isn't the achievement.
The achievement is proving you don't need paywalls, vendor lock-in, or billion-dollar infrastructure to contribute meaningful threat intelligence to the planet.
• Automation that doesn't break
• Protocols that enforce discipline
• The will to give back more than you take
• $75/month infrastructure cost
Judge Dredd enforces the laws. Pattern 53 hunts the threats. The STIX feed publishes the results.
The rest is just numbers.
*DugganUSA LLC - Minnesota. One million indicators. Zero paywalls. The sleeper has stayed awake.*
P.S. - AT&T Alien Labs: You're consuming 42,000 requests/week from our feed. We see you. We appreciate you. Keep building. The partnership is mutual even if the contract isn't.
P.P.S. - To the 31 OTX subscribers and 47 countries consuming our STIX feed: This is for you. Every indicator. Every pulse. Every line of code. We're in this together.