
The SOC Triad: Free Threat Intelligence for Everyone

  • Writer: Patrick Duggan
  • Nov 19, 2025
  • 5 min read



TL;DR: We just released a complete SOC platform for free. 6 detection rules, 6 remediation playbooks, 8 threat hunt queries. Works with Splunk, Azure Sentinel, Elastic, or whatever SIEM you use. Zero cost. Zero catch. Get it here: analytics.dugganusa.com


The Problem


Cybersecurity is becoming like nuclear weapons—only nation-states and major corporations can afford effective defense. Small businesses, nonprofits, schools? They're defenseless against sophisticated threats.


That's bullshit.


The Solution: Free Inoculation


We built The SOC Triad—a complete threat detection, response, and hunting platform. All free. All production-tested. Multi-SIEM compatible.


The three pieces:


1. Detection Rules - Alert when bad things happen
2. Remediation Playbooks - Fix problems when alerts fire
3. Threat Hunt Queries - Find threats detection missed


Think of it like vaccines. Why hoard them when sharing costs nothing? Digital goods have zero marginal cost. So we're giving them away.


Part 1: Detection Rules


What you get: 6 production-tested detection rules that catch real threats.


Example: Our "High-Confidence Malicious IP" rule catches IPs with abuse scores >15 AND >10 reports. After we accidentally blocked a legitimate user (Paul Galjan) with our old threshold of >5, we raised it and dropped our false positive rate from 63% to 5.96%.


We documented the mistake publicly. Because transparency matters more than looking perfect.
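As an added example (not the SOC Triad's own rule code), the rule above in Python with both the old and the new thresholds, plus the false-positive-rate measurement used to compare them; since the post's 5.96% FPR and 94.04% precision sum to 100%, FPR is taken here as benign hits divided by all hits. The enrichment records and their "benign" labels are constructed.

```python
"""Added example: the 'High-Confidence Malicious IP' rule with the post's old
(>5) and new (>15 AND >10 reports) thresholds, and an FPR comparison over a
constructed set of AbuseIPDB-style enrichment records (labels are hypothetical)."""

OLD_RULE = {"min_score": 5, "min_reports": 0}     # threshold that caught a legitimate user
NEW_RULE = {"min_score": 15, "min_reports": 10}   # current production threshold

def matches(record, rule):
    """Fire only when BOTH the abuse score and the report count exceed the thresholds."""
    return record["abuse_score"] > rule["min_score"] and record["reports"] > rule["min_reports"]

def false_positive_rate(records, rule):
    """FPR = benign records that fired / all records that fired (None if nothing fired)."""
    flagged = [r for r in records if matches(r, rule)]
    if not flagged:
        return None
    benign_hits = sum(1 for r in flagged if r["benign"])
    return benign_hits / len(flagged)

# Constructed sample (RFC 5737 documentation addresses). Legitimate users on
# shared or consumer IPs often carry a small, stale abuse score.
SAMPLE = [
    {"ip": "198.51.100.7", "abuse_score": 8,   "reports": 2,   "benign": True},
    {"ip": "198.51.100.9", "abuse_score": 12,  "reports": 4,   "benign": True},
    {"ip": "203.0.113.15", "abuse_score": 6,   "reports": 1,   "benign": True},
    {"ip": "203.0.113.77", "abuse_score": 100, "reports": 340, "benign": False},
    {"ip": "203.0.113.88", "abuse_score": 64,  "reports": 57,  "benign": False},
    {"ip": "192.0.2.3",    "abuse_score": 3,   "reports": 0,   "benign": True},
]
```

Rerun `false_positive_rate` against your own labelled enrichment history before changing a threshold; the rule itself is two comparisons, the evidence for the threshold is the part that matters.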



• Sigma YAML (converts to any SIEM)

• Splunk SPL (Search Processing Language)

• KQL (Azure Sentinel / Microsoft Defender)

• JSON (raw metadata)


How to use it:



# Get all detection rules
curl https://analytics.dugganusa.com/api/v1/detection-rules



• High-Confidence Malicious IP (FPR: 5.96%)

• VirusTotal Malicious Detection

• Suspicious ISP Keywords (proxy, VPN, bulletproof hosting)

• Young Domain Detection (<90 days old)

• Repeat Offender ISP Pattern

• Cloud Provider Abuse (AWS/Google/Microsoft weaponization)


Part 2: Remediation Playbooks


What you get: Step-by-step response procedures for each detection rule.


Example: When "High-Confidence Malicious IP" fires, the playbook tells you exactly what to do:


1. Verify detection (15 seconds) - Check AbuseIPDB score >15 AND reports >10
2. Check current traffic (2 minutes) - Query firewall logs for active connections
3. Block IP (1 minute) - Add to firewall blocklist
4. Document incident (5 minutes) - Create ticket with details
5. Monitor (1 minute) - Set alert for same IP returning


Total time: 15 minutes from alert to resolution.



• Prerequisites (what access you need)

• Verification steps (confirm it worked)

• Rollback procedures (if it's a false positive)

• Estimated completion time


How to use it:



# Get playbook for specific detection rule
curl https://analytics.dugganusa.com/api/v1/remediation-playbooks/dugganusa-001


Or just use the web UI: analytics.dugganusa.com/#detection-rules - click any rule, switch to the "Remediation Playbook" tab.


Part 3: Threat Hunt Queries


What you get: 8 proactive hunting queries to find what detection missed.



• Detection = passive (alerts fire automatically when bad things happen)

• Hunting = active (you look for threats before they trigger alerts)


Example hunt: "C2 Beaconing Patterns" looks for periodic connections with low variance—a sign of command-and-control malware that's too sophisticated for signature-based detection.



• Bucket connections by hour

• Calculate average and standard deviation

• Flag connections with low variance (periodic beaconing)

• At least 24 hours of beacons = likely C2
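The four hunt steps above, as an added Python example (not one of the Triad's SPL/KQL queries) over constructed connection records: bucket by hour, compute mean and standard deviation of the hourly counts, flag low variance, and require at least 24 hours of beacons. The 0.2 stdev/mean cutoff for "low variance" and the no-gap check are assumptions of this example.

```python
"""Added example: the 'C2 Beaconing Patterns' hunt logic over constructed logs."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

def bucket_by_hour(events):
    """events: iterable of (src, dst, datetime). Returns {(src, dst): {hour: count}}."""
    buckets = defaultdict(lambda: defaultdict(int))
    for src, dst, ts in events:
        buckets[(src, dst)][ts.replace(minute=0, second=0, microsecond=0)] += 1
    return buckets

def find_beacons(events, min_hours=24, max_cv=0.2):
    """Flag src->dst pairs whose hourly connection counts are stable
    (stdev/mean <= max_cv) over at least min_hours consecutive hours.
    The 0.2 coefficient-of-variation cutoff is an assumption, not the post's."""
    hits = []
    for pair, hours in bucket_by_hour(events).items():
        if len(hours) < min_hours:
            continue
        counts = [hours[h] for h in sorted(hours)]
        avg, sd = mean(counts), pstdev(counts)
        cv = sd / avg  # every bucket present has count >= 1, so avg > 0
        # Hours with zero connections never enter the dict, so a gap shows up as
        # span > number of buckets; a real beacon has no gaps.
        span = (max(hours) - min(hours)) // timedelta(hours=1) + 1
        if cv <= max_cv and span == len(hours):
            hits.append({"pair": pair, "hours": len(hours), "avg": avg, "stdev": sd, "cv": cv})
    return hits

def constructed_events():
    """Constructed sample traffic (RFC 5737 documentation addresses)."""
    start = datetime(2025, 11, 1, 0, 0)
    events = []
    # Beacon: one connection every 10 minutes for 30 hours (6 per hour, zero variance).
    for i in range(30 * 6):
        events.append(("10.0.0.5", "203.0.113.10", start + timedelta(minutes=5 + 10 * i)))
    # Human browsing: bursty hourly counts over 32 hours (high variance).
    pattern = [2, 1, 9, 4, 12, 3, 7, 1]
    for h in range(32):
        for k in range(pattern[h % 8]):
            events.append(("10.0.0.7", "198.51.100.20", start + timedelta(hours=h, minutes=k)))
    # Periodic but short-lived: 12 hours only, below the 24-hour bar.
    for i in range(12 * 4):
        events.append(("10.0.0.9", "203.0.113.44", start + timedelta(minutes=15 * i)))
    return events
```

`find_beacons(constructed_events())` returns only the 10.0.0.5 to 203.0.113.10 pair; the bursty browser fails the variance test and the 12-hour series fails the 24-hour bar.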



• Splunk SPL

• KQL (Azure Sentinel)

• ElasticSearch DSL

• SQL (generic SIEM databases)

• JSON (metadata)


Queries included:

1. Suspicious Authentication Patterns (brute force, credential stuffing)
2. Data Exfiltration Indicators (>1GB uploads to Dropbox/Mega)
3. Lateral Movement Detection (PSExec, WMI, RDP pivoting)
4. Privilege Escalation Attempts (UAC bypass, token manipulation)
5. C2 Beaconing Patterns (periodic connections)
6. Anomalous Outbound Traffic (DGA domains, high entropy)
7. Credential Dumping Activity (LSASS access, mimikatz)
8. Living Off the Land Binaries (certutil, bitsadmin abuse)


How to use it:



# Get all hunt queries
curl https://analytics.dugganusa.com/api/v1/threat-hunt-queries


How They Work Together


Scenario 1: Detection → Response

1. "High-Confidence Malicious IP" detection rule fires
2. You open the remediation playbook
3. Follow 5 steps, resolve in 15 minutes


Scenario 2: Hunting → Detection

1. Run "C2 Beaconing Patterns" hunt query
2. Find suspicious domain with periodic connections
3. Create new detection rule for that domain
4. Future C2 beacons trigger alerts automatically


Scenario 3: Incident → Knowledge

1. Incident occurs (like when we blocked Paul Galjan)
2. Update remediation playbook with better verification steps
3. Adjust detection rule threshold (>5 → >15)
4. Document publicly so others don't repeat the mistake


Multi-SIEM Compatible


We're not trying to lock you into our platform. Use whatever SIEM you already have:



• Splunk Enterprise Security - Import SPL queries directly

• Microsoft Azure Sentinel - Import KQL queries

• Elastic Security - Import ElasticSearch DSL

• IBM QRadar, Rapid7, LogRhythm - Import SQL queries

• Any other SIEM - Convert Sigma YAML to your format


Philosophy: Zero marginal cost for digital goods. We spent the time building these. Sharing them costs us nothing. Why be a greedy asshole?


Production-Tested Intelligence


These aren't theoretical rules. They come from our live auto-blocking system that has:



• Blocked 1,500+ malicious IPs in 90 days

• Processed data from 7 threat intel sources (AbuseIPDB, VirusTotal, ThreatFox, GreyNoise, IPQualityScore, Cloudflare, MISP)

• Generated 559 STIX 2.1 indicators with full provenance

• Achieved 94.04% precision after expert curation


We eat our own dog food. These rules protect our production infrastructure right now.


The Democratic Sharing Law


We operate under the Democratic Sharing Law, which means:



• 99.5% public sharing - 4,780 files publicly available

• Zero hoarding - No proprietary lock-in

• 7.1x evidence:claims ratio - Receipts for every assertion

• Free for non-commercial use - Commercial use requires attribution only


"The Aristocrats Standard": Admit mistakes, show receipts, thank those wronged, fix publicly.


When we blocked Paul Galjan (false positive), we:

1. Unblocked him immediately
2. Documented the incident publicly
3. Adjusted the detection threshold
4. Measured the improvement (63% FPR → 5.96%)
5. Published the fix for everyone


Get Started in 60 Seconds


Option 1: Web UI


Visit analytics.dugganusa.com



• Click "Detection Rules" in left nav

• Browse 6 rules with filters

• Click any rule → Export in your SIEM format

• Switch to "Remediation Playbook" tab for response procedures


Option 2: Direct API



# Detection Rules
curl https://analytics.dugganusa.com/api/v1/detection-rules


Option 3: GitHub


All documentation is in our public repo: github.com/pduggusa/enterprise-extraction-platform



• `/docs/detection-rules/` - Rule documentation

• `/docs/remediation-playbooks/` - Playbook guides

• `/docs/threat-hunt-queries/` - Hunt methodologies


Why Free?


Short answer: Because we can.


Long answer: Building this cost us time. But sharing it costs us nothing. Digital goods have zero marginal cost. Hoarding threat intelligence doesn't make us money—it just makes the internet less safe.



• Open source security tools

• Public threat intelligence feeds

• Community malware analysis

• Researchers who share vulnerabilities


Paying it forward is the least we can do.


The Burevestnik Problem


Russia's 9M730 Burevestnik is a nuclear-powered cruise missile with unlimited range. Traditional air defense can't stop it. It's the ultimate unstoppable threat.



• Nation-state APT groups with unlimited budgets

• Ransomware gangs with criminal infrastructure

• Zero-days that bypass all signatures

• Sophisticated C2 frameworks that evade detection


Our answer: Free inoculation. If everyone has access to production-tested threat intelligence, the playing field levels. Small businesses get the same defenses as enterprises. Nonprofits get the same protection as Fortune 500s.


You can't stop a Burevestnik with a single missile defense system. But if everyone has defenses, the threat becomes manageable.


What's Next?



• More detection rules (as we encounter new threats)

• More playbooks (as we respond to incidents)

• More hunt queries (as we discover new TTPs)


Everything will stay free. Everything will stay open. Everything will stay production-tested.


Democratic Sharing Law in action.


Get Inoculated


Public site: https://analytics.dugganusa.com



• Detection Rules: `/api/v1/detection-rules`

• Remediation Playbooks: `/api/v1/remediation-playbooks`

• Threat Hunt Queries: `/api/v1/threat-hunt-queries`

• STIX Feed: `/api/v1/stix-feed`


Press release: dugganusa.com/press-release





The SOC Triad is live. Get protected. Stay protected. Help others get protected.


Standing on shoulders, not being a greedy asshole.


— DugganUSA LLC (Minnesota)

