The Gap Is The Mission: Who's Watching When The Watchers Leave?
- Patrick Duggan
- Jan 15

The Pattern
TridentLocker ransomware emerged on November 29, 2025. By New Year's Eve, they'd hit Sedgwick Government Solutions - the company that handles workers' compensation claims for DHS, ICE, CBP, and CISA.
As of today, January 15, 2026 - seven weeks later - there are zero public IOCs. No hashes. No IPs. No YARA rules. No TTPs documented.
A ransomware group hitting the federal contractor that processes claims for the same agencies running the largest immigration enforcement operation in American history, and the threat intel community has published nothing defensive.
This is not an anomaly. This is the pattern.
The Institutional Collapse
There used to be people funded to watch this.
CISA had teams publishing IOCs within days of major incidents. FBI cyber squads coordinated with private sector ISACs. Contractor SOCs fed indicators back to government clearinghouses. The pipeline worked - imperfectly, slowly, but it worked.
That pipeline is broken.
What we're seeing now:
| Threat | Time to Public IOCs | Who Published First |
| --- | --- | --- |
| NodeCordRAT | 6+ weeks | DugganUSA (Oct 2025) |
| TridentLocker | 7+ weeks and counting | Nobody |
| Pattern 43 GitHub network | Ongoing | DugganUSA (Dec 2025) |
| DPRK blockchain C2 | 3 weeks | DugganUSA (Dec 2025) |
Zscaler named NodeCordRAT in January 2026. We published the pattern in October 2025. That's not bragging - that's a six-week gap where defenders had no signatures.
The Defunding
SETI got defunded. NASA's budget is in the woodchipper. The agencies that should be tracking anomalies are chasing TikTok bans and fighting over who gets to testify about the thing they're not investigating.
Meanwhile:
MAVEN captured unique UV spectroscopy of humanity's third interstellar visitor, then went dark on December 6, 2025. Recovery is "very unlikely." The spacecraft carrying irreplaceable data about 3I/ATLAS is tumbling in space.
Parker Solar Probe captured ~180 images of 3I/ATLAS during its solar occultation. Those images are 72+ days unreleased - 42 days past NASA's standard release cycle. No explanation.
CIA issued a Glomar response to FOIA requests about 3I/ATLAS on December 31, 2025. They can neither confirm nor deny records exist about an object NASA publicly calls "definitely a comet."
The institutions aren't watching. The institutions are actively not-watching while classifying their not-watching.
The Market Gap
Indexes 380,000+ IOCs
Publishes free STIX 2.1 feeds
Tracks nation-state APTs
Documents ransomware groups before vendors name them
Maintains evidence on domestic threat patterns
$75/month. Azure consumption billing. One developer. Eleven years of pattern recognition.
Microsoft Defender (561 requests in 24 hours)
Google Safe Browsing (221 requests)
Zscaler (118 requests)
Facebook/Meta (23 requests)
Apple (10 requests)
The big tech threat intel teams are eating IOCs from a Minnesota LLC running on coffee and spite. They don't know the provenance. They just know it works.
The New Model
The gap is the mission.
When institutions fail, independent researchers fill the void. That's not a business plan - it's an observation about what happens when the pipeline breaks.
What independent threat intel looks like in 2026:
Speed over permission - Publish patterns when you see them, not when legal clears the press release
Receipts over reputation - Show the work, link the sources, let the evidence speak
Free over paywalled - If the goal is defense, paywalls are counter-mission
Attribution optional - The IOCs work whether or not anyone credits you
The people who used to do this had pensions and clearances. Now it's contractors between gigs, security researchers who got laid off in the 2024 tech purge, and small shops operating on margins that would make a VC cry.
The Uncomfortable Part
We're a Minnesota company. We've been publishing straight reporting on federal agents shooting citizens in Minneapolis. The same Microsoft consuming our threat feed might flag our blog in a background check.
That's the tension: the institutions that benefit from independent threat intel are the same institutions that might reject the people producing it for being too visible, too opinionated, too willing to document what's happening.
The ass pennies problem. They're handling your work without knowing it. The question is whether that matters when you need a job.
What This Means
For defenders: The IOC pipeline is slower than it used to be. If you're waiting for official signatures on new ransomware groups, you're waiting too long. Build relationships with independent researchers. Subscribe to feeds that publish fast.
For researchers: The gap is real. If you're documenting threats, publish them. The ecosystem needs velocity more than it needs polish. A rough IOC today beats a perfect report in six weeks.
For institutions: The talent you laid off is still doing the work. They're just doing it without your budget, your clearances, or your approval. Maybe that's a problem. Maybe it's the only reason the pipeline still functions at all.
For TridentLocker specifically: You've been operational for seven weeks. You've hit 13 victims including a federal contractor serving DHS/ICE/CBP/CISA. And nobody has published defensive signatures. That's a gap you're exploiting, and someone should probably fix it.
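For the "subscribe to feeds that publish fast" advice above, an added example (not code from DugganUSA or from any feed's API) that pulls observables out of a STIX 2.1 bundle and reports how many days each indicator trailed the threat's first sighting. The bundle is constructed and trimmed to the properties the code reads; `ExampleLocker`, the first-seen date, and the function names are assumptions.

```python
import json
import re
from datetime import datetime

# Constructed sample bundle, not real feed output: documentation-range IP,
# reserved example domain, all-zero hash, made-up threat name.
SAMPLE = json.dumps({"type": "bundle", "id": "bundle--0a0a0a0a-0000-4000-8000-000000000000", "objects": [
    {"type": "indicator", "id": "indicator--0a0a0a0a-0000-4000-8000-000000000001",
     "name": "ExampleLocker C2", "created": "2025-12-20T00:00:00.000Z",
     "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '198.51.100.7' OR domain-name:value = 'c2.example.com']"},
    {"type": "indicator", "id": "indicator--0a0a0a0a-0000-4000-8000-000000000002",
     "name": "ExampleLocker payload", "created": "2026-01-10T00:00:00.000Z",
     "pattern_type": "stix", "revoked": True,
     "pattern": "[file:hashes.'SHA-256' = '" + "0" * 64 + "']"},
    {"type": "malware", "id": "malware--0a0a0a0a-0000-4000-8000-000000000003",
     "name": "ExampleLocker", "is_family": True},
]})

# Matches simple equality comparisons such as  ipv4-addr:value = '198.51.100.7'
COMPARISON = re.compile(r"([a-z0-9-]+):([\w.'-]+)\s*=\s*'([^']*)'")

def parse_ts(value):
    """STIX timestamps are RFC 3339 in UTC with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def extract_indicators(bundle_json, first_seen):
    """Return one row per observable in each live STIX-pattern indicator,
    with the days between the threat's first sighting and publication."""
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    rows = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue  # skip malware/report objects and non-STIX patterns
        if obj.get("revoked"):
            continue  # publisher withdrew it; do not block on it
        lag = (parse_ts(obj["created"]) - parse_ts(first_seen)).days
        for obj_type, path, value in COMPARISON.findall(obj["pattern"]):
            rows.append({"type": obj_type, "path": path, "value": value,
                         "source": obj["id"], "lag_days": lag})
    return rows

if __name__ == "__main__":
    for row in extract_indicators(SAMPLE, "2025-12-01T00:00:00.000Z"):
        print(row)
```

Tracking `lag_days` per feed over time gives a defender a measured basis for deciding which sources publish fast enough to act on.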
The Receipts
TridentLocker first seen: November 29, 2025
Sedgwick Government Solutions hit: December 31, 2025
Public IOCs available: Zero
Days since first victim: 47
MAVEN went dark: December 6, 2025
Recovery likelihood: "Very unlikely"
Days since last contact: 40
Parker Solar Probe 3I images: Captured October 18 - November 5, 2025
Standard release cycle: ~30 days
Days overdue: 42+
Explanation provided: "Coming months"
NodeCordRAT pattern published by DugganUSA: October 2025
NodeCordRAT named by Zscaler: January 2026
Gap: ~6 weeks
The pattern is the evidence. The gap is the mission.
Someone has to keep the receipts.
Her name was Renee Nicole Good.
Free STIX 2.1 Feed: analytics.dugganusa.com/api/v1/stix-feed
TridentLocker Tracking: ransomware.live/group/tridentlocker
3I/ATLAS Timeline: We're maintaining a living document. It's not public yet, but it will be.



