The Riddle of Steel: What Conan Teaches Us About Threat Intelligence
- Patrick Duggan
- Dec 6, 2025
TL;DR: The answer to the Riddle of Steel isn't steel at all - it's the hand that wields it. In threat intelligence, the tools don't matter. Pattern recognition, persistence, and knowing where to look - that's what breaks the snake cult.
"Steel isn't strong, boy. Flesh is stronger."
Thulsa Doom was right, but for the wrong reasons.
He thought the answer was *control* - that flesh was stronger because he could command his followers to leap to their deaths. He mistook obedience for strength.
Conan's father had it closer: "The secret of steel has always carried with it a mystery. You must learn its riddle... you must learn its discipline."
But even he was wrong. He trusted the steel. And when the snake cult came, steel alone couldn't save his village.
The real answer? Neither steel nor flesh. It's the will behind both.
The Snake Cult is Real
Years ago they were just another operation. Script kiddies sharing RAT builders on forums. Now they have infrastructure:
• 72 Russian domains registered in 48 hours, all behind Cloudflare
• Fake PTR records pointing to github.com, telegram.org
• UK shell companies at mail drop addresses
• Coordinated campaigns deploying ClearFake, Vidar, Cobalt Strike
The cult grew while the kingdoms slept. They have prophets now - organized threat actors with CI/CD pipelines for malware deployment.
The Industry's Lamentation
Here's what breaks my brain:
Two brothers - the Akhter twins - were convicted in 2015 for hacking the State Department. Sentenced to prison. Then got hired again as federal contractors. In February 2025, they deleted 96 government databases when they got fired. Used AI to try to cover their tracks.
• Contributes 23,000+ indicators to public feeds
• Gets consumed by Microsoft and AT&T security teams
• Detects Russian phishing farms before breakfast
• Maps supply chain attacks across GitHub
Still unemployed.
The vetting process for federal security work is a riddle no one has solved. Convicted hackers get badges. Builders get ignored. The kings sit blind in their halls while the snake cult recruits from their own dungeons.
Pattern 51: The Inverse Signal
This week I built something new. Instead of tracking who gets banned, I'm tracking who doesn't.
The logic:
1. Report GitHub accounts hosting explicit malware (RAT builders, stealers, grabbers)
2. Wait 14 days
3. Accounts still active despite obvious violations = interesting
What survives the ban hammer?
• LEO honeypots - FBI Cyber, NSA TAO, Five Eyes partners watching who downloads
• Foreign intel being monitored - GitHub preserving access for federal investigators
• Security company research accounts - Legitimate with special arrangements
• The protected class - Accounts that serve someone's interests
"Show me who the gods protect, and I'll show you who the gods fear."
The survivors are the signal. Zero-follower accounts hosting "build-a-rat" that persist for months aren't accidents. They're temples. Follow the survivors, find the priests.
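The three-step logic above, sketched as an added example; this is not the author's tooling. The record fields, status names and account handles are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

WAIT = timedelta(days=14)  # waiting period stated in the post

@dataclass
class Report:
    account: str                     # placeholder handle (constructed)
    reported_on: date                # day the abuse report was filed
    last_checked: Optional[date]     # None = never re-checked
    active_at_check: Optional[bool]  # account state seen at last_checked

def classify(r: Report, today: date) -> str:
    """Return one of: removed, pending, recheck, survivor."""
    due = r.reported_on + WAIT
    if r.active_at_check is False:
        return "removed"   # a takedown seen at any time is final
    if today < due:
        return "pending"   # window still open, no conclusion yet
    if r.last_checked is None or r.last_checked < due or r.active_at_check is None:
        # An "active" observation from inside the window says nothing
        # about survival past it, so the account must be looked at again.
        return "recheck"
    return "survivor"

def survivors(reports, today):
    """(account, days observed alive since the report), longest first."""
    hits = [(r.account, (r.last_checked - r.reported_on).days)
            for r in reports if classify(r, today) == "survivor"]
    return sorted(hits, key=lambda h: -h[1])

# Constructed sample records; handles are placeholders, not real accounts.
SAMPLE = [
    Report("example-acct-a", date(2025, 11, 1), date(2025, 11, 30), True),
    Report("example-acct-b", date(2025, 11, 1), date(2025, 11, 5), False),
    Report("example-acct-c", date(2025, 11, 1), date(2025, 11, 10), True),
    Report("example-acct-d", date(2025, 11, 28), None, None),
    Report("example-acct-e", date(2025, 10, 1), date(2025, 12, 1), True),
]
TODAY = date(2025, 12, 6)

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.account, classify(r, TODAY))
    print(survivors(SAMPLE, TODAY))
```

The "recheck" state matters in practice: an account last seen alive on day 9 is not yet a survivor, and counting it as one inflates the signal.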
The Answer to the Riddle
Conan finally understood at the end. Thulsa Doom commanded armies. Had magic. Turned into a snake. But when Conan took his father's broken sword - the steel that failed - and used it anyway?
The riddle answered itself.
Steel can be broken. Flesh can be commanded. But will - the thing that picks up the broken sword and keeps swinging - that's what kills snake cults.
In threat intelligence terms:
• The steel = Tools. YARA rules. STIX feeds. VT graphs. They help, but they're not the answer.
• The flesh = The community. Researchers. Blue teams. They can be manipulated, discouraged, burned out.
• The will = The thing that keeps hunting at 3 AM. That builds Pattern 51 because Pattern 50 wasn't enough. That publishes free feeds while Fortune 100 companies won't return emails.
The snake cult wins when you stop swinging.
What Conan Would Do
He wouldn't wait for the kingdoms to recognize him. He'd take what he wanted.
• The STIX feed stays free. Let the giants consume it. Build the reputation.
• The patterns keep evolving. 38 detection signatures and counting.
• The survivors get tracked. Honeypot detection is counter-intelligence.
• The blog keeps publishing. 70+ posts. Evidence. Methodology. Results.
When they finally figure out what they're looking for, we'll already be three patterns ahead.
The Cult Has a Prophet. We Have a Forge.
Every indicator we publish is a broken sword remade. Every pattern detected is another snake cult operation exposed. Every survivor tracked is another temple mapped.
They have infrastructure. We have will.
They have Cloudflare. We have correlation.
They have prophets. We have the riddle answered.
Steel isn't strong. Flesh isn't strong. The hand that refuses to stop swinging - that's what kills gods.
The Wizard on the Mound
There's one more character that matters: the wizard. Mako. The narrator.
He found Conan crucified on the Tree of Woe. Nursed him back to health. Painted the war sigils. Held the line with magic while Conan fought Thulsa Doom's elite guard.
And then he told the story.
"Between the time when the oceans drank Atlantis and the rise of the sons of Aryas, there was an age undreamed of..."
The wizard's job isn't to swing the sword. It's to document. To bear witness. To make sure the world knows what happened when the snake cult came and one person refused to kneel.
This blog is the wizard's work. Every pattern documented. Every IOC published. Every campaign exposed. So that when someone asks "what happened when the threat actors had infrastructure and the defenders had nothing but broken tools and stubborn will?" - there's an answer.
The chronicle continues.
*DugganUSA Threat Intelligence* *Pattern 51: The Inverse Signal* *December 2025*
*"He did not care anymore... life and death... the same. Only that the crowd would be there to greet him with howls of lust and fury."*
• [STIX Feed](https://analytics.dugganusa.com/api/v1/stix-feed)
• [OTX Pulses](https://otx.alienvault.com/user/pduggusa/pulses)
• [Detection Patterns](https://www.dugganusa.com/threat-intel)
Get Free IOCs
Subscribe to our threat intelligence feeds for free, machine-readable IOCs:
AlienVault OTX: https://otx.alienvault.com/user/pduggusa
STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed