# What Your Hospital Network Looks Like from the Outside
**Author:** Patrick Duggan (with Claude Code)
**Date:** Mar 15
**Series:** DugganUSA Field Reports
## We Scanned a Medical Device Company in 13 Seconds
Not a pentest. Not a vulnerability scan. Nothing that touched their systems.
We typed a domain name into a tool we built this weekend. Thirteen seconds later we had their entire external attack surface, all of it from public data: every subdomain that appears in their public certificate records, every IP address those subdomains resolve to, every open port on those IPs as recorded in public scan data, every known CVE for the services on those ports, cross-referenced against CISA's Known Exploited Vulnerabilities catalog and our own threat intelligence database of 1,009,000+ indicators.
From public data. In thirteen seconds. From Minneapolis.
If we can do this on a Sunday morning with a $517/month infrastructure, what do you think an Iranian hacktivist group with state resources can do?
## The Uncomfortable Math
We scored eight medical device companies this week. The results were consistent:
The companies with the largest public certificate footprint — the most subdomains, the most dev/test/staging environments in public records — had the lowest security scores and the most breach history.
The company with 6 subdomains had zero breaches. The company with 1,014 subdomains is currently under active attack by an Iranian state-affiliated group.
That company — Stryker — had 192 dev/staging/test environments in public certificate transparency logs. Including build servers and control planes for a surgical robot that operates on live patients.
## What Certificate Transparency Tells an Attacker
Every time your organization gets a TLS certificate from a publicly trusted CA, the CA submits it to Certificate Transparency (CT) logs: public, append-only, searchable, permanent. This is by design, and browsers require it; CT is how domain owners catch certificates that were issued without their knowledge. But it also means every hostname you have ever put in a publicly trusted certificate, the subject name and every subject alternative name, is discoverable by anyone.
For a hospital system or medical device company, that typically reveals:
**Patient-facing infrastructure.** Telehealth portals. Patient chat systems. Medication dosing platforms. Electronic health record instances. All discoverable from a browser.
**Non-production environments.** Dev, staging, QA, UAT servers, typically with weaker authentication, stale patches, and developer credentials. At one company, non-production hosts made up 23% of the entire subdomain surface.
**Security tools.** Password managers, secrets vaults, incident response platforms, code scanning tools. The tools your security team uses to protect you are themselves discoverable in public records.
**Internal infrastructure leaks.** Internal proxy hostnames, IAM governance platforms, deployment pipelines — sometimes with the word "internal" literally in the public certificate record.
An attacker doesn't need to scan your network to learn its shape. They just need to read the CT logs that your own certificate authority submits to.
## What We Found at a Healthcare Data Company
We ran our scanner on a healthcare company that handles de-identified patient data across 30,000 endpoints. In under a minute, from public data:
- Their password manager endpoint
- Their secrets vault and login portal
- Their incident response platform
- Their production data de-identification deployment pipeline
- Their code security scanning tool
- 23 dev/QA/UAT environments
- An internal proxy hostname in a public certificate record
- An actively exploited vulnerability (CVE-2025-68613) on their workflow automation platform, with a CISA remediation deadline of March 25
Their cloud security proxy, a product sold specifically to protect them, couldn't see any of this, because CT records are read from the log operators and the CA, never through the customer's HTTP inspection path.
## The Iran Factor
On February 28, 2026, the United States and Israel launched Operation Epic Fury against Iran. Within hours, Iran began retaliatory cyber operations. Unit 42 has documented 60+ pro-Iran hacktivist groups active since the strikes, targeting critical infrastructure including healthcare.
On March 11, Handala — an MOIS-affiliated hacking group — claimed responsibility for an attack on Stryker Corporation. Devices wiped. SEC notification filed.
Stryker makes surgical robots. The attack surface we enumerated from public data included the robot infrastructure.
If your hospital system uses Stryker devices, Baxter infusion pumps, Philips imaging equipment, or any medical device from a company with hundreds of subdomains in public certificate logs — your supply chain risk just changed.
## What to Do Monday Morning
**1. Know your own footprint.**
Go to crt.sh. Type your domain (search for `%.yourdomain.com` to match every subdomain). Count unique hostnames, not certificate entries: every renewal adds a new log entry for the same name, so the raw row count overstates the footprint. If you have more than 50 non-production environments in public certificate records, you have a problem that no firewall can fix.
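The script below is an added example, written for this article; it is not the DugganUSA scanner and not crt.sh's own code. It does what the section on Certificate Transparency above describes and what step 1 asks for: take crt.sh-style CT records for a domain, collapse them to unique hostnames (renewals and duplicate SANs counted once, wildcards reduced to their base name), and flag the non-production and security-tool hostnames an attacker would look at first. The sample records are constructed under the reserved `example.com` domain, the token wordlists are a heuristic of my own, and the live lookup assumes only crt.sh's documented `output=json` query parameter.

```python
"""Added example: footprint a domain from Certificate Transparency records."""
import json
import re
import sys
import urllib.request
from collections import Counter

# Heuristic wordlists (assumption for this example; extend to your naming scheme).
NONPROD_TOKENS = {"dev", "develop", "staging", "stage", "stg", "test", "tst", "qa",
                  "uat", "sandbox", "sbx", "preprod", "demo", "build", "ci", "internal"}
SENSITIVE_TOKENS = {"vault", "secret", "secrets", "password", "passwords", "iam",
                    "sso", "okta", "jenkins", "gitlab", "argocd", "deploy"}

LE = "C=US, O=Let's Encrypt, CN=R11"
DC = "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1"

# Constructed sample in the shape crt.sh returns for ?q=%25.<domain>&output=json:
# one dict per logged certificate; "name_value" holds every SAN, newline-separated.
SAMPLE_RECORDS = [
    {"id": 1, "issuer_name": LE, "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"id": 2, "issuer_name": LE, "common_name": "dev-api.example.com",
     "name_value": "dev-api.example.com"},
    {"id": 3, "issuer_name": DC, "common_name": "vault.example.com",
     "name_value": "vault.example.com"},
    {"id": 4, "issuer_name": LE, "common_name": "uat-portal.example.com",
     "name_value": "uat-portal.example.com\nqa-portal.example.com\nstaging-portal.example.com"},
    {"id": 5, "issuer_name": LE, "common_name": "*.internal-proxy.example.com",
     "name_value": "*.internal-proxy.example.com"},
    {"id": 6, "issuer_name": LE, "common_name": "www.example.com",      # a renewal:
     "name_value": "www.example.com\nexample.com"},                    # same names again
    {"id": 7, "issuer_name": LE, "common_name": "ci.build.example.com",
     "name_value": "ci.build.example.com"},
]


def hostnames_from_records(records, domain):
    """Collapse CT records to the sorted set of unique in-scope hostnames."""
    domain = domain.lower()
    suffix = "." + domain
    names = set()
    for rec in records:
        for raw in rec.get("name_value", "").split("\n"):
            name = raw.strip().lower()
            if name.startswith("*."):
                name = name[2:]  # a wildcard still reveals the label it sits under
            if name == domain or name.endswith(suffix):
                names.add(name)
    return sorted(names)


def labels(hostname, domain):
    """Tokens of the subdomain part: 'dev-api.example.com' -> ['dev', 'api']."""
    if hostname == domain:
        return []
    sub = hostname[: -len(domain) - 1]
    return [t for t in re.split(r"[.\-_]", sub) if t]


def is_nonprod(hostname, domain):
    return any(t in NONPROD_TOKENS for t in labels(hostname, domain))


def is_sensitive(hostname, domain):
    return any(t in SENSITIVE_TOKENS for t in labels(hostname, domain))


def footprint_report(records, domain):
    """Summarise the externally visible footprint the way a recon pass would."""
    hosts = hostnames_from_records(records, domain)
    nonprod = [h for h in hosts if is_nonprod(h, domain)]
    sensitive = [h for h in hosts if is_sensitive(h, domain)]
    return {
        "certificates_logged": len(records),
        "unique_hostnames": len(hosts),
        "nonprod_hostnames": nonprod,
        "nonprod_share": round(len(nonprod) / len(hosts), 2) if hosts else 0.0,
        "sensitive_hostnames": sensitive,
        "issuers": dict(Counter(r["issuer_name"] for r in records)),
    }


def fetch_crtsh(domain, timeout=30):
    """Live lookup against crt.sh (needs network; not used by the sample run)."""
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    req = urllib.request.Request(url, headers={"User-Agent": "ct-footprint-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    data = fetch_crtsh(target) if len(sys.argv) > 1 else SAMPLE_RECORDS
    print(json.dumps(footprint_report(data, target), indent=2))
```

On the constructed sample, seven logged certificates collapse to nine hostnames, six of them non-production by name and one (`vault`) a security tool; the renewal in record 6 adds nothing, which is why you count hostnames rather than rows. Run it with your own domain as the first argument to query crt.sh live.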
**2. Audit your certificate issuance.**
Dev and staging environments don't need publicly logged certificates. Issue them from a private CA instead: certificates from a private CA never reach the CT logs, and internal clients can trust that CA without the public ever seeing the hostnames. Short-lived certificates do not help here; if the CA is publicly trusted, every renewal is logged, so a 90-day cert records the hostname more often, not less. A wildcard certificate hides the individual hostnames beneath it, at the price that one private key now covers all of them. Every publicly trusted cert you issue is a permanent entry in a public database.
**3. Check your workflow automation.**
If you run n8n, check today whether your version is affected by CVE-2025-68613. The CISA deadline is March 25, and it is being actively exploited in the wild right now.
**4. Pull a threat feed into your SIEM.**
Our STIX feed has 1,009,000+ indicators including Iran-linked IOCs indexed this week. Splunk ES compatible. Free tier available.
Register at analytics.dugganusa.com/stix/pricing. The $9/month Starter tier gets you 500 queries/day and Splunk integration.
**5. Score your AI presence.**
The AI models are forming opinions about your organization right now. When a board member asks ChatGPT "is our hospital secure?" — do you know what it says?
Free audit: aipmsec.com
## The Low-Touch Version
We built a tool that does all of this automatically. Type a domain. Get the graph. See what the attacker sees.
We don't cold-call. We don't do demos. We don't have a sales team. We have a STIX feed, a scanner, and 690 blog posts.
If you're a CISO at a hospital system who just watched Iran hit a medical device company, and you want to know what your network looks like from the outside — the tool exists. It's at analytics.dugganusa.com. The free tier is free. The paid tiers start at $9.
We fix things on Saturdays. Ask our customers.
*Her name was Renee Nicole Good.*
*His name was Alex Jeffery Pretti.*