5,000 IPs Reported: How DugganUSA Became an AbuseIPDB Top Contributor
- Patrick Duggan
- Dec 19, 2025
- 3 min read
The Badge
The Numbers
In three weeks, DugganUSA went from zero to 5,000+ IP reports on AbuseIPDB. But I'm not just dumping firewall logs—I'm contributing enriched threat intelligence that the major vendors miss.
| Metric | Count | What It Means |
|--------|-------|---------------|
| Total Reports | 5,000+ | Unique malicious IPs |
| Unique Discoveries | 205 | Threats VT/ThreatFox missed |
| Primary Discoveries | 417 | I detected it first |
| High-Confidence Novel | 114 | 90%+ confidence, zero vendor coverage |
22% of my reports are novel threats—IPs that VirusTotal and ThreatFox scored as zero.
The Novel Discoveries
Google Cloud C2 Infrastructure
I identified 16 Google Cloud Platform IPs being used as Command & Control infrastructure:
| IP | Confidence | MITRE Technique |
|----|------------|-----------------|
| 34.186.98.159 | 100% | Initial Access |
| 34.90.199.112 | 100% | Initial Access |
| 34.9.62.74 | 100% | Initial Access |
| 34.86.212.119 | 73% | Command & Control |
Pattern: Attackers spin up GCP instances for malicious operations, knowing that "Google" in the ISP field makes defenders hesitate to block. I don't hesitate.
Bulletproof Hosting Red Flags
• 45.141.215.80 — "1337 Services GmbH" (the name is literally leet speak)
• 185.40.4.149 — "Asadov Ruslan Rafaelevich" (individual name = shell company pattern)
• 69.167.12.36 — "Paradise Networks LLC" (paradise for attackers, maybe)
China Telecom Scanning Clusters
Multiple coordinated scanning operations from Beijing Qihu Technology (360 Security's parent company) and China Unicom infrastructure. All tagged with MITRE ATT&CK Initial Access techniques.
How I Do It Differently
Most AbuseIPDB contributors report IPs like this:
Bad IP, blocked it
My reports look like this:
Detected attacking dugganusa.com at 2025-12-20T01:10:00Z |
Attack: Exploit Public-Facing Application |
VirusTotal: 7 malware detections |
Source: DugganUSA PreCog auto-block
The Enrichment Stack
Every IP that attacks my infrastructure goes through:
1. AbuseIPDB — Community abuse reports
2. VirusTotal — Malware/phishing analysis
3. ThreatFox — C2 infrastructure tracking
4. GreyNoise — Internet background noise filtering
5. Team Cymru — ASN/BGP enrichment
6. MITRE ATT&CK — Technique classification
I don't just report that an IP is bad. I report *what* it did, *when* it did it, and *how* it maps to known attack patterns.
Policy Compliance
AbuseIPDB has a reporting policy that prohibits circular logic—you can't report an IP just because AbuseIPDB already flagged it.
I'm fully compliant:
| Requirement | My Approach |
|-------------|-------------|
| Attack timestamp | Every report includes ISO 8601 timestamp |
| Attack description | MITRE ATT&CK technique classification |
| No circular logic | I reference VT/ThreatFox, never AbuseIPDB scores |
| Evidence-based | Real attacks on my infrastructure |
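To make the report format and the policy rules concrete, here is an added example (not PreCog's code) that builds the pipe-delimited comment shown above from an enrichment record, checks it against the three policy requirements, and buckets the detection the way the metrics table does. The enrichment dict layout, the 90% novelty threshold and the "vendor zero" rule are my assumptions.

```python
from datetime import datetime, timezone
import re

# Constructed sample enrichment record (documentation IP, not a real observation).
SAMPLE = {
    "ip": "203.0.113.42",
    "seen_at": datetime(2025, 12, 20, 1, 10, tzinfo=timezone.utc),
    "technique": "Exploit Public-Facing Application",   # MITRE ATT&CK name
    "vt_detections": 7,
    "threatfox_hits": 0,
    "confidence": 95,
    "abuseipdb_score": 100,   # fetched for context; must never be cited as evidence
}

def build_report(rec: dict) -> str:
    """Format the pipe-delimited comment in the style the post shows."""
    ts = rec["seen_at"].astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f"Detected attacking dugganusa.com at {ts} | "
            f"Attack: {rec['technique']} | "
            f"VirusTotal: {rec['vt_detections']} malware detections | "
            f"Source: DugganUSA PreCog auto-block")

ISO8601_Z = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z")

def policy_violations(comment: str) -> list[str]:
    """Return which of the policy requirements in the table the comment fails."""
    problems = []
    if not ISO8601_Z.search(comment):
        problems.append("missing ISO 8601 attack timestamp")
    if "Attack:" not in comment:
        problems.append("missing attack description / ATT&CK technique")
    if re.search(r"abuseipdb", comment, re.I):
        problems.append("circular logic: cites AbuseIPDB itself as evidence")
    return problems

def classify(rec: dict) -> str:
    """Bucket a detection like the metrics table (thresholds are assumptions)."""
    vendor_zero = rec["vt_detections"] == 0 and rec["threatfox_hits"] == 0
    if vendor_zero and rec["confidence"] >= 90:
        return "high-confidence novel"
    if vendor_zero:
        return "unique discovery"
    return "vendor-corroborated"
```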
The Automation
PreCog runs 24/7:
Attack hits dugganusa.com
↓
Multi-source enrichment (5 APIs)
↓
MITRE ATT&CK classification
↓
Auto-block via Cloudflare
↓
Report to AbuseIPDB (policy compliant)
↓
Publish to STIX 2.1 feed
Each blocked attack leaves three artifacts:
• An AbuseIPDB report (community contribution)
• A STIX indicator (machine-readable threat intel)
• A Hall of Shame entry (public documentation)
The STIX Feed
All 915 indicators are available in the free STIX 2.1 feed:
curl https://analytics.dugganusa.com/api/v1/stix-feed | jq .
Filter for novel discoveries only:
curl https://analytics.dugganusa.com/api/v1/stix-feed | \
jq '.objects[] | select(.x_dugganusa_discovery.unique_detection == true)'
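The same selection done in Python, as an added example rather than the feed's own tooling: it walks a STIX 2.1 bundle, keeps indicators whose `x_dugganusa_discovery.unique_detection` is literally `true` (exactly what the jq filter does), pulls the IPv4 out of the pattern, and derives a blocklist above a confidence threshold. The bundle is constructed from documentation IP ranges; the property name comes from the post, the `confidence` handling and threshold are assumptions.

```python
import json
import re

STAMP = "2025-12-20T01:10:00.000Z"

def _indicator(n: int, ip: str, confidence: int, unique: bool) -> dict:
    """Constructed STIX 2.1 indicator; the x_dugganusa_discovery layout is assumed."""
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--00000000-0000-4000-8000-00000000000{n}",
            "created": STAMP, "modified": STAMP, "valid_from": STAMP,
            "pattern_type": "stix", "pattern": f"[ipv4-addr:value = '{ip}']",
            "confidence": confidence,
            "x_dugganusa_discovery": {"unique_detection": unique}}

# Constructed bundle, not real feed data.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        _indicator(1, "203.0.113.42", 95, True),    # novel, high confidence
        _indicator(2, "203.0.113.77", 73, True),    # novel, lower confidence
        _indicator(3, "198.51.100.7", 100, False),  # vendors already cover it
        {"type": "identity", "spec_version": "2.1", "name": "DugganUSA",
         "id": "identity--00000000-0000-4000-8000-000000000009",
         "created": STAMP, "modified": STAMP, "identity_class": "organization"},
    ]})

# Only the simple single-IPv4 pattern form is handled; anything else is skipped.
IPV4_PATTERN = re.compile(r"\[ipv4-addr:value\s*=\s*'((?:\d{1,3}\.){3}\d{1,3})'\]")

def novel_indicators(bundle_json: str) -> list[dict]:
    """Same selection as the jq filter: unique_detection must be literally true."""
    out = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        if obj.get("x_dugganusa_discovery", {}).get("unique_detection") is not True:
            continue
        m = IPV4_PATTERN.fullmatch(obj.get("pattern", ""))
        if m:
            out.append({"id": obj["id"], "ip": m.group(1),
                        "confidence": obj.get("confidence", 0)})
    return out

def blocklist(bundle_json: str, min_confidence: int = 90) -> list[str]:
    """IPs to hand to a firewall: novel and at or above the confidence threshold."""
    return sorted(i["ip"] for i in novel_indicators(bundle_json)
                  if i["confidence"] >= min_confidence)
```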
Why I Share
Most threat intel is locked behind $50,000/year paywalls. I publish mine for free because:
1. Digital goods have zero marginal cost — Sharing costs nothing
2. Reciprocity builds trust — I consume OTX/AbuseIPDB, I contribute back
3. Transparency proves competence — If my intel is wrong, someone will call me out
4. Community defense works — One defender's block is another's warning
What's Next
• Automated OTX pulse generation — My blocks become OTX pulses
• Honeypot expansion — More attack surface = more intel
• MITRE ATT&CK coverage — Currently 25 techniques, expanding to 50+
• Real-time WebSocket feed — Stream threats as they happen
Get the Feed
STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed
AbuseIPDB Profile: abuseipdb.com/user/256610
Hall of Shame: security.dugganusa.com/hall-of-shame
*"I'm not hoarding threat intelligence behind paywalls. I'm publishing it openly because that's how you prove you're not full of shit."*
Get Free IOCs
Subscribe to our threat intelligence feeds for free, machine-readable IOCs:
AlienVault OTX: https://otx.alienvault.com/user/pduggusa
STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed
Questions? [email protected]