DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

VulnHalla: 7 CVEs in 2 Days for $80

Name: VulnHalla
Author: CyberArk Labs

Patrick Duggan
Dec 21, 2025
3 min read

--- title: "VulnHalla: 7 CVEs in 2 Days for $80 - CyberArk's LLM + CodeQL Monster" slug: vulnhalla-cyberark-codeql-llm-vuln-hunting date: 2025-12-21 author: Patrick Duggan tags: [vulnhalla, cyberark, codeql, llm, vulnerability-hunting, cve, open-source] category: Threat Intelligence featured: false ---

The Problem With Static Analysis

CodeQL is powerful. It finds bugs. It also finds thousands of "bugs" that aren't actually exploitable. Security teams drown in false positives. Real vulnerabilities hide in the noise.

CyberArk Labs just open-sourced a solution: VulnHalla.

What VulnHalla Does

VulnHalla layers LLM reasoning on top of CodeQL results. It solves two fundamental problems:

The WHERE Problem: LLMs don't know which code sections deserve attention in million-line codebases. CodeQL tells them where to look.

The WHAT Problem: Even when examining the right location, models need to know what bug class to seek. CodeQL provides the category; LLMs assess exploitability.

The magic is in the combination. CodeQL generates alerts. VulnHalla retrieves context in ~3 seconds per finding. Then it asks "guided questions" that simulate how experienced researchers think:

• Where are variables declared and what sizes do they have?

• Do those sizes change between declaration and use?

• What constraints exist on source/destination buffers?

• Can an attacker control the inputs?

This isn't pattern matching. This is reasoning about exploitability.

The Results: 7 CVEs in 2 Days

| CVE | Project | Impact | |-----|---------|--------| | CVE-2025-38676 | Linux Kernel | Memory corruption | | CVE-2025-0518 | FFmpeg | Buffer overflow | | CVE-2025-27151 | Redis | Memory safety | | CVE-2025-8854 | Bullet3 | Physics engine vuln | | CVE-2025-9136 | RetroArch | Emulator exploit | | CVE-2025-9809 | Libretro | Core library issue | | CVE-2025-9810 | Linenoise | Input handling |

Total cost: Under $80 in LLM API calls.

Time invested: Two days.

Projects scanned: 100 large C repositories.

The False Positive Massacre

Raw CodeQL output is noisy. VulnHalla filters it:

| Bug Class | False Positive Reduction | |-----------|-------------------------| | Operator precedence logic errors | 96% | | Pointer offset before check | 91.96% | | Copy function using source size | 91.53% | | Missing null checks | 89.26% |

Human verification on the remaining findings: 62% were genuine issues.

Compare that to typical static analysis tools reporting 80%+ false positives. VulnHalla inverts the ratio.

Why This Matters

For Security Teams

You can now run CodeQL on your codebase and actually triage the results. The LLM layer separates "technically matches pattern" from "actually exploitable."

For Bug Bounty Hunters

$80 and two days got CyberArk seven CVEs including a Linux Kernel vulnerability. The ROI is absurd.

For Threat Intel

These CVEs are now indexed. If we see exploitation attempts targeting FFmpeg CVE-2025-0518 or Redis CVE-2025-27151, we know the lineage. VulnHalla-discovered bugs will show up in the wild.

The Technical Innovation

The CSV pre-indexing approach is clever:

1. Extract all functions, structs, and globals into CSV files before scanning 2. Run CodeQL queries to generate security alerts 3. Retrieve relevant code context in ~3 seconds per finding 4. No repository clones needed 5. No compiler access required

This eliminates multi-minute CodeQL query latencies. You can process hundreds of findings without waiting for database rebuilds.

The Pattern Recognition

This is the same architecture we use for threat intelligence:

VulnHalla: CodeQL (structured detection) → LLM (reasoning about exploitability) → CVEs

DugganUSA: ThreatFox/VirusTotal (structured detection) → LLM correlation (reasoning about attribution) → IOCs

Layer reasoning on top of structured data. Let the detection engine find candidates. Let the LLM assess significance.

CyberArk applied it to vulnerabilities. We applied it to threat actors. Same pattern, different domain.

Get VulnHalla

Repository: Check CyberArk Labs GitHub (link in original research)

Original Research: https://www.cyberark.com/resources/threat-research-blog/vulnhalla-picking-the-true-vulnerabilities-from-the-codeql-haystack

Cost to run: ~$80 for meaningful results across 100 repos

The CVEs We're Tracking

These seven CVEs are now in our index:

CVE-2025-38676 - Linux Kernel
CVE-2025-0518  - FFmpeg
CVE-2025-27151 - Redis
CVE-2025-8854  - Bullet3
CVE-2025-9136  - RetroArch
CVE-2025-9809  - Libretro
CVE-2025-9810  - Linenoise

If exploitation attempts surface, we'll correlate. The VulnHalla paper gives us the vulnerability details. Our infrastructure gives us the exploitation telemetry.

Credit Where Due

CyberArk Labs shipped this as open source. They published the methodology. They shared the CVEs.

This is how security research should work: find bugs, report them, publish the technique, let others build on it.

We're signal boosting because good research deserves attention.

*DugganUSA indexes threats. CyberArk finds the vulnerabilities that become threats. The loop closes.*

• VulnHalla Research: https://www.cyberark.com/resources/threat-research-blog/vulnhalla-picking-the-true-vulnerabilities-from-the-codeql-haystack

• Our Threat Intel: https://analytics.dugganusa.com/api/v1/stix-feed

• CVE Index: Now tracking VulnHalla discoveries

Get Free IOCs

Subscribe to our threat intelligence feeds for free, machine-readable IOCs:

AlienVault OTX: https://otx.alienvault.com/user/pduggusa

STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed

Questions? [email protected]