# They Stopped the Moment We Said Their Name
- Patrick Duggan
Earlier today we published our investigation into a persistent probe of our STIX/TAXII threat intelligence feed. One IP address. One script. 100,000 requests over 65 days. Every 30 seconds. From an AT&T Wireless mobile device geolocated to Titusville, Florida — twenty miles from Kennedy Space Center.
The collection name hardcoded into the script matched a GitHub username belonging to a developer at one of China's largest technology companies, based in Beijing.
We published the investigation. We updated the endpoint to return a 410 Gone response with a link to the blog post. We waited.
Within minutes, the polling stopped.
Sixty-five days of persistence. Over 100,000 requests. Not a single interruption despite receiving 403 Forbidden on every attempt since February 7, 2026. And then — silence. The moment the JSON response included the word "reading" and a URL to our investigation, the requests ceased.
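As an added example (not the feed operator's code), the detection logic a defender would run over access logs for exactly the pattern described above: a source that keeps polling at a fixed cadence while receiving nothing but 403s, plus the body of the 410 Gone response that points such a client at the write-up. The log lines, IP addresses, path and URL are constructed.

```python
"""Flag fixed-cadence pollers that ignore 403s, and build the 410 Gone reply."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines: "<ISO timestamp> <client ip> <path> <status>".
# 198.51.100.7 polls every ~30 s and is refused every time; 203.0.113.9 is a
# normal authenticated consumer.
SAMPLE_LOG = """\
2026-02-07T00:00:00Z 198.51.100.7 /taxii2/collections/example/objects 403
2026-02-07T00:00:30Z 198.51.100.7 /taxii2/collections/example/objects 403
2026-02-07T00:01:00Z 198.51.100.7 /taxii2/collections/example/objects 403
2026-02-07T00:01:31Z 198.51.100.7 /taxii2/collections/example/objects 403
2026-02-07T00:02:00Z 198.51.100.7 /taxii2/collections/example/objects 403
2026-02-07T00:00:12Z 203.0.113.9 /taxii2/collections/example/objects 200
2026-02-07T03:14:00Z 203.0.113.9 /taxii2/collections/example/objects 200
"""


def parse_log(text):
    """Return {ip: [(timestamp, status), ...]} with each source's events in time order."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        ts, ip, _path, status = line.split()
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        by_ip[ip].append((stamp, int(status)))
    for events in by_ip.values():
        events.sort()
    return dict(by_ip)


def persistent_pollers(by_ip, min_requests=5, cadence_s=30, tolerance_s=5):
    """Sources with >= min_requests, every one refused (403), at a steady cadence."""
    flagged = {}
    for ip, events in by_ip.items():
        if len(events) < min_requests or any(s != 403 for _, s in events):
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        median_gap = statistics.median(gaps)
        if abs(median_gap - cadence_s) <= tolerance_s:
            flagged[ip] = {"requests": len(events), "median_gap_s": median_gap}
    return flagged


def gone_response(investigation_url):
    """Status and JSON-ready body for the 410 that replaces the bare 403."""
    body = {"status": "gone", "message": "Recommended reading", "url": investigation_url}
    return 410, body
```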
As of this writing, the endpoint is quiet for the first time in over two months.
We have questions.
## The questions we had before
Why was a mobile device in the Kennedy Space Center defense corridor polling a threat intelligence feed that tracks nation-state IOCs every 30 seconds for 65 days?
Why does the collection name in the polling script match the GitHub username of a Beijing-based developer at a major Chinese technology company?
Why is that developer's active secondary account researching Claude Code and AI agent frameworks during the exact window the polling is occurring?
Why did that secondary account fork a repository containing leaked Claude Code source on March 31, 2026 — during the active polling window?
## The new questions
Why did the polling stop within minutes of the endpoint returning a link to our investigation?
If this was a forgotten test script, who read the 410 response, parsed the JSON, found the URL, and killed the process — all within minutes?
If this was a misconfigured TAXII client, why did 65 days of 403 responses not trigger the same shutdown that one 410 with a blog post link triggered instantly?
If this was innocent, why did naming the GitHub account in a public investigation cause an immediate operational response?
What does it mean that 100,000 failed requests over two months produced no behavior change, but one response containing the word "reading" and a URL produced an immediate stop?
Who is monitoring the output of this script closely enough to react in minutes, but was not monitoring it closely enough to notice two months of 403 failures?
## What we know
No data was exfiltrated. Our authentication held on every one of the 100,000+ requests.
The investigation is documented. The evidence is timestamped. The GitHub accounts are public. The geographic correlation between the source IP and the Kennedy Space Center counterintelligence corridor is a matter of public record, documented by the FBI, DCSA, and Vanity Fair.
The polling stopped the moment we said their name.
We have forwarded the complete evidence package to the appropriate authorities.
## What we are
We are a two-person threat intelligence company in Minneapolis. We run on $600 per month of Azure compute. We publish a free STIX feed consumed by 275+ organizations in 46 countries. We index 1.07 million indicators of compromise across 44 indexes.
We built the thing that sees. Sometimes what it sees is interesting.
Today was interesting.
There is an episode of It's Always Sunny in Philadelphia where Charlie Kelly discovers a vast conspiracy in the mailroom. He connects names on envelopes, draws red string between pushpins, and concludes that a shadowy figure named Pepe Silvia is orchestrating everything. The joke is that Pepe Silvia does not exist. The letters say "Philadelphia." Charlie cannot read.
We thought about that scene when we started this investigation. One GitHub username matching a TAXII collection name. A copy-paste error in a Jekyll config file. An IP geolocated to a place Vanity Fair just profiled as a spy corridor. Red string and pushpins. Maybe we were Charlie.
Then we put a link to our investigation in the 410 response and 65 days of continuous polling stopped in minutes.
Charlie's mail kept coming. Ours didn't.
— Patrick
Read the original investigation: dugganusa.com/post/one-ip-one-script-100-000-requests-who-is-polling-our-stix-feed-from-the-space-coast
Search our feed: analytics.dugganusa.com/api/v1/search?q=AS7018
Register for a free API key: analytics.dugganusa.com/stix/register
Her name was Renee Nicole Good.
His name was Alex Jeffery Pretti.
