
The Numbers Don't Lie

  • Writer: Patrick Duggan
  • Dec 11, 2025
  • 4 min read

44% Original Threat Discoveries: Why Microsoft Is Polling Our Free Feed 214 Times a Week

Date: 2025-12-12. Author: Patrick Duggan. Category: Threat Intelligence. Tags: threat-intelligence, stix, microsoft, otx, levelblue.


Last night at 1:47 AM Central, I ran an analysis on our STIX 2.1 threat intelligence feed. Not because anyone asked - because I wanted to know if we were actually good or just loud.


920 indicators. 146 unique ISPs. 40 countries. Those are the surface numbers.


Here's what stopped me cold: 410 of our 920 indicators - 44.5% - are PRIMARY SOURCE DISCOVERIES.


That means DugganUSA LLC, operating out of Minnesota with zero venture funding and a $75/month Azure bill, is finding threats that AbuseIPDB, VirusTotal, ThreatFox, Team Cymru, and GreyNoise all missed.


Who's Actually Consuming This Feed


I pulled the Cloudflare analytics at 1:51 AM. Seven days of data (Cloudflare's free tier limit). Here's who's been knocking:


| ASN | Country | Requests | Who They Are |
|-----|---------|----------|--------------|
| MICROSOFT-CORP-MSN-AS-BLOCK | US | 214 | Microsoft Defender/Sentinel |
| HWCLOUDS-AS-AP HUAWEI CLOUDS | HK | 15 | Huawei Cloud Hong Kong |
| GOOGLE | US | 7 | Google + GCP |
| IONOS-AS | DE | 4 | 1&1/IONOS Germany |
| JAGUAR-AS | FR | 4 | French ISP |
| AMAZON-02 | GB | 2 | AWS UK |
| NETSKOPE | CO | 1 | Cloud security vendor |
| BEZEQ-INTERNATIONAL | IL | 1 | Israeli national telecom |


Microsoft. 214 requests in 7 days. That's not casual browsing - that's a cron job. Someone on the Defender or Sentinel team built an integration to poll our feed every ~45 minutes.


Why Our Feed Is Different


Most threat intel feeds are aggregators. They pull from the same 5-6 sources everyone else uses, slap a logo on it, and charge $50K-$200K per year.


We do something different. We run multi-source correlation and find the gaps.


Our enrichment pipeline:


| Metric | Our Feed | Industry Average |
|--------|----------|------------------|
| Average Confidence | 71.2% | 50-60% |
| High Confidence (80%+) | 45% | <20% |
| MITRE ATT&CK Mapped | 86% | <30% |
| SSL/TLS Enriched | 93% | ~5% |
| Bot Classification | 100% | ~10% |
| Primary Source Discoveries | 44.5% | 0-5% |


That last number is the killer. 44.5% of our indicators come from our own detection - not regurgitated from existing feeds. We add an average of +10.9 confidence points above what other vendors report.


The MITRE ATT&CK Breakdown



T1190 Exploit Public-Facing App   264 (29%)
T1090 Proxy                       251 (27%)
T1102 Web Service                 137 (15%)
T1133 External Remote Services     72 (8%)
T1110.003 Password Spraying        34 (4%)
T1071 Application Layer Protocol   19 (2%)


Every indicator mapped to the framework. Microsoft Sentinel loves this - their detection rules are built on ATT&CK. When we serve indicators pre-mapped to T1190, their SOC analysts don't have to think. They just block.
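The quality table above and the ATT&CK breakdown are the kind of numbers a consumer can recompute for themselves from the bundle, and a SOC that "just blocks" needs to pull addresses out of STIX patterns. The following is an added example, not code from DugganUSA or from the feed itself: it parses a constructed STIX 2.1 bundle, computes average confidence, high-confidence share, ATT&CK-mapped share (via `external_references` with `source_name` "mitre-attack") and per-technique counts, and builds a blocklist from high-confidence `ipv4-addr` patterns. The `x_primary_source` custom property and the sample indicators are assumptions; the real feed may mark its own discoveries differently.

```python
"""Feed-quality metrics and a blocklist from a STIX 2.1 bundle (constructed sample data)."""
import json
import re
from collections import Counter

# Matches the simplest STIX pattern form used for single IPv4 indicators.
IPV4_PATTERN = re.compile(r"\[ipv4-addr:value\s*=\s*'([^']+)'\]")

# Constructed sample bundle in the shape of a STIX 2.1 indicator feed. Addresses are
# from documentation ranges. "x_primary_source" is an ASSUMED custom property (STIX 2.1
# permits "x_"-prefixed properties); it is not known to be what the real feed uses.
def _indicator(num, pattern, confidence, techniques, primary=False):
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--00000000-0000-4000-8000-0000000000{num:02d}",
        "created": "2025-12-11T06:00:00.000Z", "modified": "2025-12-11T06:00:00.000Z",
        "pattern": pattern, "pattern_type": "stix",
        "valid_from": "2025-12-11T06:00:00.000Z", "confidence": confidence,
        "external_references": [
            {"source_name": "mitre-attack", "external_id": t,
             "url": f"https://attack.mitre.org/techniques/{t.replace('.', '/')}/"}
            for t in techniques
        ],
        "x_primary_source": primary,
    }

SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        _indicator(1, "[ipv4-addr:value = '203.0.113.10']", 85, ["T1190"], primary=True),
        _indicator(2, "[ipv4-addr:value = '203.0.113.77']", 60, ["T1090"]),
        _indicator(3, "[ipv4-addr:value = '198.51.100.7']", 90, ["T1190", "T1110.003"], primary=True),
        _indicator(4, "[domain-name:value = 'example.invalid']", 50, []),
    ],
})


def load_indicators(bundle_json):
    """Return the STIX 2.1 indicator objects from a bundle, rejecting non-bundles."""
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    return [o for o in bundle.get("objects", [])
            if o.get("type") == "indicator" and o.get("spec_version") == "2.1"]


def attack_techniques(indicator):
    """ATT&CK technique IDs referenced by an indicator, each counted once."""
    return sorted({ref["external_id"] for ref in indicator.get("external_references", [])
                   if ref.get("source_name") == "mitre-attack" and "external_id" in ref})


def feed_metrics(indicators, high_threshold=80):
    """Average confidence and the shares used in the quality table."""
    n = len(indicators)
    if n == 0:
        return {"count": 0}
    confidences = [i.get("confidence", 0) for i in indicators]
    return {
        "count": n,
        "avg_confidence": sum(confidences) / n,
        "high_confidence_share": sum(c >= high_threshold for c in confidences) / n,
        "attack_mapped_share": sum(bool(attack_techniques(i)) for i in indicators) / n,
        "primary_source_share": sum(bool(i.get("x_primary_source", False)) for i in indicators) / n,
    }


def technique_breakdown(indicators):
    """Indicator count per ATT&CK technique (an indicator may map to several)."""
    counts = Counter()
    for ind in indicators:
        counts.update(attack_techniques(ind))
    return counts


def blocklist(indicators, min_confidence=80):
    """IPv4 addresses from live, high-confidence indicators with a simple ipv4-addr pattern."""
    addrs = set()
    for ind in indicators:
        if ind.get("revoked") or ind.get("pattern_type") != "stix":
            continue
        if ind.get("confidence", 0) < min_confidence:
            continue
        match = IPV4_PATTERN.fullmatch(ind.get("pattern", "").strip())
        if match:
            addrs.add(match.group(1))
    return sorted(addrs)


if __name__ == "__main__":
    inds = load_indicators(SAMPLE_BUNDLE)
    print(feed_metrics(inds))
    print(technique_breakdown(inds).most_common())
    print(blocklist(inds))
```

Only the simplest pattern shape is turned into block entries; compound patterns (`AND`/`OR`, ranges, other object types) are deliberately left for review rather than guessed at, since a wrong parse here becomes a wrong firewall rule.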


The Israel Connection


That single request from Bezeq International caught my eye. Bezeq is Israel's largest ISP - the AT&T of Israel. They run the largest data centers in the Middle East and provide cyber protection as a "national commitment."


One request could be Paul Galjan's contact saying shalom. Or it could be someone adjacent to Unit 8200 doing due diligence. Either way - Israeli national infrastructure knows we exist.


What $75/Month Buys You


Our entire threat intelligence infrastructure runs on Azure Container Apps. One replica. 1 CPU, 2GB RAM. We process:



• 920 active indicators

• Real-time enrichment from 6 sources

• MITRE ATT&CK mapping

• SSL/TLS certificate analysis

• Bot classification

• ISP reputation scoring


Microsoft spends billions on their threat intel. We spend less than a nice dinner. And they're polling our feed 214 times a week.


The Democratic Sharing Law


We publish 99.5% of our threat intel for free. No paywall. No registration required. Just hit the endpoint:



https://analytics.dugganusa.com/api/v1/stix-feed


Why? Because hoarding threat intel doesn't make anyone safer. The attackers share TTPs freely on Telegram and dark web forums. If defenders don't share at the same velocity, we lose.


We track who shares back. 20% of consumers credit us in their referer headers. We call it Democratic Sharing - we publish openly, we measure who reciprocates.
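Two measurements in this post come straight from request logs: the inference above that 214 evenly spaced requests in seven days is a scheduled job rather than a person, and the share of consumers who send a referer back. The block below is an added example, not DugganUSA's tooling, working over constructed access records whose line format (timestamp, ASN name, client IP, status, referer) is an assumption and not Cloudflare's export schema. It groups requests per ASN, computes the median gap and its coefficient of variation to flag automated pollers, and reports the share of unique client IPs that ever sent a referer.

```python
"""Who polls the feed, how regularly, and who credits the source (constructed data)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed access records, NOT Cloudflare's export schema. One request per line:
# ISO-8601 timestamp, ASN name (no spaces), client IP, HTTP status, referer ("-" if absent).
SAMPLE_LOG = """\
2025-12-10T00:00:00Z MICROSOFT-CORP-MSN-AS-BLOCK 192.0.2.10 200 -
2025-12-10T00:45:02Z MICROSOFT-CORP-MSN-AS-BLOCK 192.0.2.10 200 -
2025-12-10T01:30:01Z MICROSOFT-CORP-MSN-AS-BLOCK 192.0.2.10 200 -
2025-12-10T02:14:58Z MICROSOFT-CORP-MSN-AS-BLOCK 192.0.2.10 200 -
2025-12-10T03:00:00Z MICROSOFT-CORP-MSN-AS-BLOCK 192.0.2.10 200 -
2025-12-10T03:45:03Z MICROSOFT-CORP-MSN-AS-BLOCK 192.0.2.10 200 -
2025-12-10T00:10:00Z GOOGLE 192.0.2.20 200 https://soc.example/feeds
2025-12-10T05:00:00Z GOOGLE 192.0.2.20 200 https://soc.example/feeds
2025-12-10T05:03:00Z GOOGLE 192.0.2.20 200 https://soc.example/feeds
2025-12-10T09:00:00Z IONOS-AS 192.0.2.30 200 -
"""


def parse_log(text):
    """Parse the constructed record format into dicts with aware datetimes."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, asn, ip, status, referer = line.split(" ", 4)
        records.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "asn": asn,
            "ip": ip,
            "status": int(status),
            "referer": None if referer == "-" else referer,
        })
    return records


def polling_profile(records, min_requests=4, max_cv=0.25):
    """Per ASN: request count, median inter-request gap in minutes, and whether the
    cadence looks scheduled (enough requests and a low coefficient of variation)."""
    by_asn = defaultdict(list)
    for r in records:
        by_asn[r["asn"]].append(r["ts"])
    profile = {}
    for asn, stamps in by_asn.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(stamps, stamps[1:])]
        median_gap = statistics.median(gaps) if gaps else None
        cv = None
        if len(gaps) >= 2 and statistics.mean(gaps) > 0:
            cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        profile[asn] = {
            "requests": len(stamps),
            "median_gap_min": median_gap,
            "automated": len(stamps) >= min_requests and cv is not None and cv < max_cv,
        }
    return profile


def referer_reciprocity(records):
    """Share of unique client IPs that sent a referer on at least one request."""
    credited = {}
    for r in records:
        credited[r["ip"]] = credited.get(r["ip"], False) or r["referer"] is not None
    return sum(credited.values()) / len(credited) if credited else 0.0


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for asn, info in polling_profile(recs).items():
        print(asn, info)
    print(f"reciprocity: {referer_reciprocity(recs):.0%}")
```

The coefficient-of-variation test is what separates a scheduler from a curious analyst: a human refreshing a page produces gaps that vary by an order of magnitude, while a cron job at 45 minutes lands within seconds every time.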


What Happens Next


Someone at Microsoft is going to email us. Not because we're special - because 44.5% original discovery rate is too good to ignore for a free feed.


When they do, we'll have the same conversation we have with everyone: The feed stays free. The methodology stays open. We're not building a moat - we're building a movement.


DugganUSA LLC. Minnesota. $75/month. Finding threats that billion-dollar vendors miss.





• Feed URL: `https://analytics.dugganusa.com/api/v1/stix-feed`

• Format: STIX 2.1 Bundle

• Update Frequency: Real-time

• Authentication: None required

• Rate Limit: Be reasonable
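"Be reasonable" is the whole rate-limit policy, so the burden is on the consumer. The following is an added example of a considerate poller, not a client shipped by DugganUSA: it sends a conditional GET with `If-None-Match` so an unchanged bundle costs a 304 instead of a full download, refuses to poll more often than a minimum interval, doubles that interval on a 429 or 5xx, and validates that what came back is a STIX bundle. The transport is injected so the demo runs offline against a constructed fake server; the `Accept` media type and the suggestion that the endpoint returns an `ETag` are assumptions about the real feed.

```python
"""A considerate STIX feed poller: conditional GET, minimum interval, backoff (fake transport)."""
import json
import time

FEED_URL = "https://analytics.dugganusa.com/api/v1/stix-feed"


class FeedPoller:
    def __init__(self, fetch, url=FEED_URL, min_interval_s=2700, clock=time.monotonic):
        self.fetch = fetch              # callable(url, headers) -> (status, resp_headers, body)
        self.url = url
        self.min_interval_s = min_interval_s
        self.clock = clock
        self.etag = None                # last ETag seen; assumption that the feed sends one
        self.last_poll = None
        self.bundle = None

    def poll(self):
        """Fetch at most once per min_interval_s; returns a short outcome string."""
        now = self.clock()
        if self.last_poll is not None and now - self.last_poll < self.min_interval_s:
            return "throttled"
        headers = {
            # Assumed media type; the endpoint may simply return application/json.
            "Accept": "application/stix+json;version=2.1",
            "User-Agent": "example-soc-feed-client/1.0 (+https://soc.example/contact)",
        }
        if self.etag:
            headers["If-None-Match"] = self.etag
        status, resp_headers, body = self.fetch(self.url, headers)
        self.last_poll = now
        if status == 304:
            return "unchanged"
        if status == 429 or status >= 500:
            # Back off: double the interval, capped at six hours.
            self.min_interval_s = min(self.min_interval_s * 2, 6 * 3600)
            return "backoff"
        if status != 200:
            return f"error:{status}"
        bundle = json.loads(body)
        if bundle.get("type") != "bundle":
            return "invalid"
        self.etag = resp_headers.get("ETag")
        self.bundle = bundle
        return "updated"


class FakeFeedServer:
    """Constructed stand-in for the feed: one bundle with a stable ETag, optional 429."""
    def __init__(self):
        self.etag = '"v1"'
        self.body = json.dumps({"type": "bundle",
                                "id": "bundle--00000000-0000-4000-8000-000000000001",
                                "objects": []})
        self.fail_next = False

    def __call__(self, url, headers):
        if self.fail_next:
            self.fail_next = False
            return 429, {}, ""
        if headers.get("If-None-Match") == self.etag:
            return 304, {"ETag": self.etag}, ""
        return 200, {"ETag": self.etag}, self.body


def demo():
    """Drive the poller against the fake server with a fake clock; returns (outcomes, interval)."""
    server = FakeFeedServer()
    fake_now = [0.0]
    poller = FeedPoller(server, min_interval_s=2700, clock=lambda: fake_now[0])
    outcomes = [poller.poll()]          # first request: full download -> "updated"
    fake_now[0] += 60
    outcomes.append(poller.poll())      # one minute later: too soon -> "throttled"
    fake_now[0] += 2700
    outcomes.append(poller.poll())      # ETag matches -> "unchanged"
    server.fail_next = True
    fake_now[0] += 2700
    outcomes.append(poller.poll())      # 429 -> "backoff", interval doubles to 5400 s
    return outcomes, poller.min_interval_s


if __name__ == "__main__":
    print(demo())
```

The 45-minute default mirrors the cadence the post observed from Microsoft; a 304 response at that rate costs the publisher almost nothing, which is what makes a free, unauthenticated feed sustainable.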



• 30-day requests: 699

• Unique consumers: 183 IPs

• Countries: 26

• Indicators served: 375,434


*Analysis performed December 12, 2025 at 01:47 AM Central. All data pulled from production systems.*



Get Free IOCs

Subscribe to our threat intelligence feeds for free, machine-readable IOCs:

AlienVault OTX: https://otx.alienvault.com/user/pduggusa

STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed

