DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

When $100B in Market Cap Reads Your Free Feed

Name: DugganUSA STIX 2.1 Feed
Creator: DugganUSA LLC
License: TLP:WHITE

Patrick Duggan
Jan 29
4 min read

The Scoreboard

Vendor	Market Cap	Their "Discovery"	Our Prior Art	Delta
Zscaler	$25B	NodeCordRAT (Jan 7, 2026)	Anusfragger (Nov 25, 2025)	43 days
Palo Alto Unit 42	$75B	GitHub SEO Poisoning (Jan 22, 2026)	FireSuper/Pattern 38 (Nov 23, 2025)	60 days

Two companies worth a combined $100 billion.

Same attack patterns we published two months earlier.

The timestamps don't lie.

Zscaler's "NodeCordRAT"

On January 7, 2026, Zscaler ThreatLabz announced they had "uncovered" a new malware family called NodeCordRAT:

npm supply chain delivery
Discord C2 communication
Chrome credential theft
MetaMask/crypto wallet targeting
API token exfiltration

Groundbreaking stuff. Except we published the exact same TTPs on November 25, 2025 in our Stealc/Rhadamanthys analysis.

We called it Anusfragger.

We wrote a metal song about it.

The song is timestamped on Suno. The blog post is timestamped on Wix. The IOCs are timestamped in our STIX feed.

Zscaler gave it a boardroom-safe name and a press release.

Unit 42's "Attack Chain Targeting Users Looking for Legitimate Tools"

On January 22, 2026, Palo Alto's Unit 42 published research on an attack chain using:

GitHub repositories masquerading as legitimate tools
Malicious ZIP archives
Fake/sleeper accounts
SEO poisoning to drive victims to malicious repos

Sound familiar?

We published "Hall of Shame: FireSuper - GitHub Supply Chain Sleeper Account" on November 23, 2025.

We published "The Mentat's Analysis: Who's Behind Pattern 38?" on November 25, 2025.

Same TTPs. Same attack vector. Same pattern.

60 days earlier.

The TTP Comparison

Discord Infostealers (Zscaler vs Us)

Technique	Our November 2025 Research	Zscaler's January 2026 "Discovery"
Delivery	npm/GitHub packages	npm packages
Payload	Stealc/Rhadamanthys	"NodeCordRAT"
Targets	Browser credentials	Browser credentials
Targets	API secrets/.env files	API secrets
Targets	Crypto wallets	Crypto wallets
C2	Discord tokens/webhooks	Discord API

It's the same thing with a different name.

GitHub Supply Chain (Unit 42 vs Us)

Technique	Our November 2025 Research	Unit 42's January 2026 Research
Vector	GitHub repos with malicious ZIPs	GitHub repos with malicious ZIPs
Lure	Masquerading as legitimate tools	Masquerading as legitimate tools
Accounts	Sleeper accounts (100+ day dormancy)	Fake accounts
Payload	Malware in ZIP archives	Malware in ZIP archives
Pattern	Pattern 38	"Attack chain"

It's the same thing with a different report number.

How This Works

We investigate - Pattern 38, supply chain attacks, Discord C2
We publish - Blog posts, STIX feed, OTX pulses (all free, all timestamped)
Vendors scrape feeds - That's what threat intel aggregation is
Vendors "discover" - 4-8 weeks later
Vendors rebrand - "NodeCordRAT" instead of "Anusfragger", "Attack chain" instead of "Pattern 38"
Enterprise pays - $420K/year for rebranded free intel
We publish receipts - You are here

The Math Your CFO Should See

What They Charge

Vendor	Product	Annual Cost (1000 users)
Zscaler	ZIA + ThreatLabz	$420,000+
Palo Alto	Cortex + Unit 42 Intel	$350,000+

What We Charge

Product	Cost
STIX 2.1 Feed	$0
OTX Pulses	$0
Blog Analysis	$0
Pattern Documentation	$0
Metal Songs About Attackers	$0

For $770K/year combined, you get research we published for free two months earlier.

The Attribution Laundering Problem

Google returns zero results before January 2026
The prior art disappears
The free source gets erased
The paid version becomes "original research"

The pattern number that tracks to our blog vanishes
The GitHub sleeper account research we published gets buried
The timeline of discovery gets rewritten

Renaming isn't just marketing. It's attribution laundering.

The Receipts

Our Publications (November 2025)

Date	Publication	URL
Nov 23, 2025	Hall of Shame: FireSuper	Link
Nov 25, 2025	Stealc/Rhadamanthys Analysis	Link
Nov 25, 2025	The Mentat's Analysis: Pattern 38	Link
Dec 12, 2025	Return of the Anusfragger	Link

Their Publications (January 2026)

Date	Vendor	Publication
Jan 7, 2026	Zscaler	NodeCordRAT "Discovery"
Jan 22, 2026	Unit 42	GitHub SEO Poisoning Research

The timestamps are public. The Wayback Machine exists. Web archives don't lie.

What This Means For You

If you're a threat intel consumer:

Subscribe to primary sources - Not just vendor blogs
Check publication dates - Who published first?
Follow independent researchers - We exist, and we publish free
Question "discoveries" - Most are correlations of existing intel
Do the math - Is $770K/year worth 60 days of delay?

The Alternative

STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed

312,000+ IOCs
39 countries consuming
Updated continuously
MITRE ATT&CK mapped
Cost: $0

OTX Profile: https://otx.alienvault.com/user/pduggusa

#2 All-Time Contributor
1,000,000+ indicators
75 subscribers (including enterprise SOCs)
Cost: $0

The feed they're reading. The feed you could be reading directly.

The Point

We're not competing with Zscaler or Palo Alto. We can't. They have thousands of employees. We have two people and a STIX feed.

But we can document. We can timestamp. We can publish receipts.

And we can keep pointing out that the emperor's "new research" was in our free feed two months ago.

The Closing Argument

Their Model	Our Model
Aggregate free intel	Publish free intel
Rebrand with catchy names	Call it what it is (Anusfragger)
Charge $420K/year	Charge $0
Publish 60 days late	Publish same day
"ThreatLabz has uncovered..."	"We found this, here's the IOCs"

$100 billion in market cap.

Same patterns we published for free.

Two months later.