DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

Three Penis Wine and the Bag of Dicks Defense

Patrick Duggan
Mar 4
4 min read

# Three Penis Wine and the Bag of Dicks Defense

**How 34 Chinese IPs Found Exactly What They Deserved**

I got a LinkedIn message today from an old colleague — enterprise AE at a major zero-trust security vendor. You know the type. The kind of company that charges $50 per seat per year to do what we do for $500 a month, total.

His message: "Still up to shit. I love it. Never stop being Duggan! I might need an SE soon if you want to give some positive lip service to [REDACTED]."

Translation: your blog is scaring my employer. Come work for us instead.

My response: I am devouring their market. Live.

While we were having this conversation, 86 Chinese IP addresses were hitting dugganusa.com in a coordinated burst. 78 of them arrived in a single hour. Our PreCog auto-block pipeline caught every single one of them and redirected them to what we affectionately call "the bag of dicks in the corner."

Let me explain.

The Attack

At 17:00 UTC on March 4, 2026, our threat detection pipeline flagged a coordinated scan from Chinese infrastructure. The breakdown:

> 180.153.236.0/24 — 34 IPs from ChinaNet Shanghai (China Telecom), all blocked within a 5-second window

> 27.115.x.x — 10 IPs from China Unicom Shanghai

> 111.7.x.x — 7 IPs from China Mobile (Henan Province)

> 101.198.x.x — 6 IPs from Qihoo 360, Beijing — a Chinese "security" company with 100% abuse scores and 364 reports

> 106.75.x.x — 5 IPs from UCloud Shanghai

34 IPs from a single /24 subnet, arriving simultaneously, is not someone checking their email. That is a scan farm — either a botnet or a deliberately orchestrated probe from a residential proxy network. The low individual abuse scores (16-52%) tell you they rotate IPs to stay under detection thresholds. The 5-second block window tells you our system doesn't care about their rotation strategy.

The Qihoo 360 block is the fun one. Qihoo 360 is ostensibly a cybersecurity company. Their IPs came in at 100% abuse confidence with VirusTotal detections. A security company's infrastructure being used for malicious scanning. Make of that what you will.

The Bag of Dicks in the Corner

Our security architecture doesn't just block attackers. It redirects them. When PreCog identifies a malicious actor, it auto-blocks through Cloudflare WAF, indexes the event, enriches the IP through AbuseIPDB and VirusTotal, reports it back to the community, and then sends the attacker somewhere unpleasant.

Think of it like the body donation industry in Arizona.

In 2014, the FBI raided the Biological Resource Center in Phoenix. What they found was — and I'm quoting the sworn federal statement — "a bucket of heads, arms and legs" and "a cooler filled with male genitalia." The owner had been selling donated body parts for profit since 2007. He got four years probation. The families got a $58 million judgment.

The people who donated their bodies expected them to serve science. Instead they ended up in a cooler in a Phoenix strip mall. The people who scan dugganusa.com expect to find vulnerabilities. Instead they find the digital equivalent of that cooler.

They came looking for something valuable. They found something horrifying. And they can't complain about it because they weren't supposed to be there in the first place.

The Cultural Connection

Here's where it gets beautiful.

In traditional Chinese medicine — going back to the Shang Dynasty, approximately 1600 BC — there exists a category of medicinal alcohol called yaojiu. The most famous variety is Three Penis Wine, or Tezhi Sanbian Jiu. It contains the penises of a dog, a deer, and a seal, steeped in rice wine. It is believed to "strengthen the yang" and "improve sexual performance."

Fans of FX's The League will recognize this as Taco MacArthur's drink of choice. Jon Lajoie's masterful portrayal of a man who accidentally succeeds at everything while understanding nothing is, in retrospect, a documentary about the cybersecurity vendor market.

Think about it. Taco doesn't know what he's doing. He stumbles into millions. He invents businesses that shouldn't work but do. He is convinced that Three Penis Wine is the answer to every problem. He is the enterprise cybersecurity sales cycle personified.

Meanwhile, our platform — which indexes nearly 11 million documents across 42 gigabytes, publishes STIX threat intelligence feeds to 275+ consumers in 46 countries, and auto-blocks coordinated Chinese scanning campaigns in under 5 seconds — runs on a single VM and some cron jobs.

The Math

My old colleague's employer: ~$30 billion market cap. Thousands of employees. Per-seat licensing. Annual contracts. Enterprise sales cycles measured in quarters.

DugganUSA: $500 a month. Two people. 968,000+ IOCs indexed. 1.2 million block events processed. Auto-enrichment through five intelligence sources. Automated reporting back to the community. And a honeypot that serves attackers the digital equivalent of a 3,600-year-old Chinese penis beverage.

He asked if I wanted to be his SE. I am his competition.

The Point

There are two kinds of security companies. The kind that charges you $50 per seat to tell you that 34 IPs from ChinaNet Shanghai are bad. And the kind that blocks them in 5 seconds, enriches them through every available intelligence source, reports them to the community, indexes them for longitudinal analysis, and redirects them to a bag of dicks — all before the enterprise AE finishes typing his LinkedIn message.

We are the second kind.

The attackers came for our infrastructure. They got Three Penis Wine.

Cheers.

*DugganUSA LLC publishes daily threat intelligence through OTX and STIX feeds consumed by 275+ organizations across 46 countries. Our PreCog auto-block pipeline processes and enriches threats in real time. All data sourced from government releases and public intelligence feeds. We don't break laws. We make the government's own data searchable. And apparently, we serve Chinese wine.*

*For threat intelligence, visit analytics.dugganusa.com. For entertainment, keep reading the blog.*