
We're Two People. We Exceed CMMC Level 2 Requirements That 500-Person Defense Contractors Struggle to Meet.

  • Writer: Patrick Duggan
  • Apr 3
  • 5 min read

CMMC Level 2 requires 110 security controls from NIST SP 800-171. It's the standard every defense contractor must meet to handle Controlled Unclassified Information. Companies spend $34,000 to $112,000 on assessments. They hire compliance teams. They buy GRC platforms. They struggle.


We're two people in Minneapolis running a threat intelligence platform on $600 a month. We've implemented 78 of 110 controls. Not because we were trying to pass an audit. Because we were building something that actually works.



The Scorecard



| Control Family | Implemented | Total | Status |
| --- | --- | --- | --- |
| Access Control | 19 | 22 | OAuth 2.0, API tiers, role-based, competitor detection |
| Audit & Accountability | 8 | 9 | 508K queries logged, behavioral sessions, Judge Dredd |
| Configuration Management | 8 | 9 | Docker versioned by git hash, build-and-push.sh enforced |
| Identification & Authentication | 9 | 11 | API keys, Azure AD, MFA on admin |
| System & Comms Protection | 14 | 16 | TLS, Cloudflare WAF, Edge Shield, auto-blocker, OZ engine |
| Incident Response | 2 | 3 | Formal IR plan v2.0, 13 incidents documented, automated alerting |
| Maintenance | 5 | 6 | Automated patching, cron-managed backups |
| Media Protection | 7 | 9 | Azure encryption at rest, Key Vault for secrets |
| Physical Protection | 6 | 6 | Inherited from Azure (FedRAMP certified data centers) |
| System & Info Integrity | 6 | 7 | 5.7M autonomous threat decisions, IOC enrichment, malware detection |
| Risk Assessment | 2 | 3 | Attack surface scanning, AIPM, continuous monitoring |
| Security Assessment | 3 | 4 | SOC2 at 88%, internal assessments, compliance mapping |
| Personnel Security | 1 | 2 | I know who I am |
| Awareness & Training | 1 | 3 | The CLAUDE.md IS the training |
| Total | 78 | 110 | 71% — SPRS score ~85 |


78 controls. No GRC platform. No compliance team. No $100K assessment. Just a platform built by people who give a damn about security.



What "Compliance" Usually Looks Like


Most defense contractors approach CMMC like a tax. Here's the industry standard:


Step 1: Hire a consultant ($50K-$200K)
Step 2: Buy a GRC tool ($20K-$50K/year)
Step 3: Document what you wish you did
Step 4: Fix the gaps the consultant found
Step 5: Pay for the assessment ($34K-$112K)
Step 6: Pass by the skin of your teeth
Step 7: Forget about security until the next audit


Total cost: $100K-$400K. Time: 6-12 months. Outcome: a certificate that says you checked the boxes.



What Security Actually Looks Like


We didn't start with a compliance checklist. We started with a threat intelligence platform that needed to protect itself and its consumers. The controls emerged from the work:


Access Control (19/22) — We built API key tiers because customers needed different access levels. We built competitor detection because Zscaler's proxy was 403ing our customer Juan Leon. We built behavioral blocking because bots were hammering the Epstein search. Every access control exists because a real problem required it.


Audit & Accountability (8/9) — We log 508,000 search queries because we mine zero-result searches for indexing gaps. We track 1.1 million page views server-side because 97% of our audience blocks JavaScript. We profile behavioral sessions because we need to distinguish researchers from attackers. The audit trail is a product feature, not a compliance checkbox.


Incident Response (2/3) — We have a formal IR plan because we've used it. Thirteen times. Documented in JSON. Each incident produced patentable IP. Issue #43 became Patent #22 (Judge Dredd Agent). The IR plan isn't a document gathering dust — it's a living system that fires automated alerts every 5 minutes (Cool Shit Notifier T1) and emails a daily digest at 7 AM.


System & Communications Protection (14/16) — TLS everywhere because it's 2026. Cloudflare WAF because we get 15,000 threat requests per week. Edge Shield because we built it as a product. The OZ decision engine because 5.7 million autonomous decisions is what happens when you let the machine protect itself. Auto-blocking on behavioral patterns because IP reputation is dead (GreyNoise proved it — 78% of attacks evade blocklists).


Configuration Management (8/9) — Docker images tagged by git hash because :latest is a lie. build-and-push.sh enforced because we learned the hard way (Issue #43: removing security controls cost $3M-$6M in potential exposure). AMD64 builds only because Mac builds ARM64 and Azure runs Linux. Every configuration rule was written in blood.
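The enforced build script this section describes, written here as an added example rather than DugganUSA's own build-and-push.sh: the registry and image name are placeholders, and the script derives the tag from the commit hash, refuses floating tags and dirty working trees, and forces a linux/amd64 build so an arm64 Mac cannot push an image Azure's Linux hosts will not run.

```shell
#!/bin/sh
# Added example, not the project's script. Immutable image refs: the tag is
# the commit that was built, never :latest, always built for linux/amd64.
set -eu

# Hypothetical registry and image name; replace with your own.
IMAGE="registry.example.invalid/threatintel/api"

# image_ref <git-sha>: print "<IMAGE>:<first 12 hex chars>", fail on bad input.
image_ref() {
  sha="$1"
  case "$sha" in
    ""|*[!0-9a-f]*) echo "image_ref: not a commit hash: '$sha'" >&2; return 1 ;;
  esac
  [ "${#sha}" -ge 12 ] || { echo "image_ref: hash too short" >&2; return 1; }
  printf '%s:%.12s\n' "$IMAGE" "$sha"
}

# reject_mutable_tag <ref>: fail if the ref ends in a floating tag.
reject_mutable_tag() {
  case "${1##*:}" in
    ""|latest|main|master|dev|stable)
      echo "refusing mutable tag on $1" >&2; return 1 ;;
  esac
  return 0
}

# build_and_push: the real work; needs a clean git checkout and docker buildx.
build_and_push() {
  # A dirty tree means the tag would not describe what was actually built.
  git diff --quiet || { echo "uncommitted changes; commit first" >&2; return 1; }
  ref="$(image_ref "$(git rev-parse HEAD)")"
  reject_mutable_tag "$ref"
  docker buildx build --platform linux/amd64 -t "$ref" --push .
  echo "pushed $ref"
}

# Only build when invoked as "./build-and-push.sh run"; otherwise the
# functions are just defined (e.g. when sourced for testing).
[ "${1-}" = "run" ] && build_and_push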



What We Have That 500-Person Contractors Don't



| Capability | Typical CMMC L2 Company | DugganUSA |
| --- | --- | --- |
| Threat detection | Firewall + antivirus + hope | 5.7M autonomous OZ decisions, 2M+ blocks, behavioral scoring |
| Threat intelligence | Buy a Recorded Future subscription | We ARE the threat feed — 1M+ IOCs, 275+ consumers, 46 countries |
| Incident response | Annual tabletop exercise | 13 real incidents documented, automated 3-tier alerting, tested weekly |
| Vulnerability management | Quarterly scan from Qualys | Continuous attack surface scanning, GitHub malware hunting, 18 Pattern 38 instances found |
| Security monitoring | Splunk dashboard nobody watches | Cool Shit Notifier — nation-state alerts in 5 minutes, daily digest, weekly wrap |
| Penetration testing | Annual pentest from a boutique firm | We found the Cisco FMC fake PoC. We found the Hasbro GenAI pipeline. We scanned 18 IRGC targets on Shodan. |
| Risk assessment | Annual spreadsheet | AIPM audits (755 completed), attack surface scanner, CARVER scoring framework |
| Compliance documentation | 400-page SSP nobody reads | Living SSP (v1.1), NIST 800-171 mapping (78/110), SOC2 evidence trail, 28 patents |



The 32 Gaps (Honest)


We don't claim 100%. We cap at 95%. Here's what's missing:


  • Formal security training program (3.2.2) — it's two people. The CLAUDE.md is 14,000 tokens of security policy. But it's not a "formal training program" by CMMC standards.

  • Session timeout enforcement (3.1.12) — sessions don't auto-lock. Need to implement.

  • Formal personnel security screening (3.9.2) — I ran my own background check. That's not compliant.

  • 15+ controls where we DO the thing but haven't DOCUMENTED the thing in the format CMMC expects

  • POA&M for each gap with 180-day remediation timeline

  • Wireless access restrictions — we're cloud-hosted, no physical network

  • Physical protection — inherited from Azure FedRAMP-certified data centers


The Math



| Cost | Typical CMMC L2 | DugganUSA |
| --- | --- | --- |
| GRC platform | $20-50K/year | $0 (JSON mapping file) |
| Compliance consultant | $50-200K | $0 (Claude + Patrick) |
| Security tools | $100-500K/year | $600/month total infrastructure |
| Assessment | $34-112K | TBD (self-assessment first) |
| Annual maintenance | $50-100K | $0 (automated) |
| Total | $254K-$962K | ~$7,200/year |


The 500-person contractor spends a quarter million dollars to meet the same 110 controls that we exceed for the cost of a monthly car payment.



Why This Works


Compliance frameworks are designed for companies that don't care about security. They're checklists for organizations that would never implement access control or incident response without being forced to. The controls are minimum viable security — the floor, not the ceiling.


When you build security as the product — when your business IS threat intelligence, incident response, and attack surface analysis — compliance is a shadow of what you already do. You don't implement controls to pass an audit. You pass the audit because the controls were already there, built into the platform from day one.


78 of 110 controls. Thirteen incidents documented and recovered from. 5.7 million autonomous decisions. 1 million IOCs. 275 organizations trusting our feed. Two people.


CMMC Level 1 self-assessment: ready now. CMMC Level 2 self-assessment: ready with POA&Ms for the 32 gaps.


The paperwork needs to catch up to the capability. But the capability was never in question.




DugganUSA LLC — Minneapolis, MN. D-U-N-S: 14-363-3562. SAM.gov UEI: TP9FY7262K87.


We didn't implement 78 security controls to pass an audit. We built a threat intelligence platform and 78 controls happened along the way. That's the difference between compliance and security.

