
When Microsoft, Google, and Cloudflare Download Your Threat Intel (And You're Just a Guy in Minnesota)

  • Writer: Patrick Duggan
  • Nov 22, 2025

A Celebration of Democratic Sharing


MINNEAPOLIS, November 22, 2025 — Seven days ago, I built a script to see who's consuming our free STIX threat intelligence feed. I expected hobbyists, maybe a few security researchers, perhaps some undergraduate students writing their thesis on cyber threats.


Instead, I got this:



• Microsoft: 30 requests, 10,696 indicators served

• Cloudflare: 19 requests, 10,161 indicators served

• Google: 2 requests, 580 indicators served


I'm sitting in Minneapolis, running a security company on $75/month infrastructure, and I'm helping secure the giants.


Let me tell you why this makes me unreasonably happy.


The Original Philosophy: Standing on Shoulders


When we launched the STIX feed on November 1, 2025, the philosophy was simple:


"We stand on the shoulders of giants. We should lift others up, not hoard."


Every threat we block, every credential-stuffing botnet we identify, every residential proxy pattern we detect — it goes into the feed. Not behind a paywall. Not gated by enterprise contracts. Not sold to the highest bidder.


Open. Standard. Free.



• Brian Krebs' investigative journalism

• Team Cymru's WHOIS infrastructure

• MITRE ATT&CK framework

• Cloudflare's free tier

• Azure's open-source SDKs

• Constitutional AI from Anthropic


You give back.


The Numbers (And What They Mean)



• Total unique consumers: 21

• Total requests: 103

• Total indicators served: 48,002

• Enterprise consumers: 9 (42.9%)

• Attribution rate: 42.9% (companies linking back to us)



• 28 requests

• 9,964 indicators served

• No attribution (yet — but they're welcome to the data regardless)



• 12 requests

• 6,294 indicators served

• ✅ Full attribution via website link


What This Proves (To VCs, Competitors, and Myself)


1. Our Threat Intel Is Production-Grade


When Microsoft consumes your feed 30 times in a week, that's not a courtesy download. That's operational integration.


When Cloudflare — a company that sees more internet traffic than most countries — pulls your indicators 19 times, that's validation.


When Google — the company that literally crawls the web for a living — requests your data, that's trust.


2. Free Doesn't Mean Worthless


The enterprise cybersecurity industry has a toxic belief: "If it's free, it's amateur."


False.


Our feed is free because:

1. The marginal cost of sharing digital goods is zero

2. We bootstrapped this on poverty-level infrastructure ($75/month)

3. We believe in Democratic Sharing (Judge Dredd Dimension 6)

4. The data gets better when more people use it (network effects)


Charging for threat intel creates information asymmetry. The rich get safer. The small get pwned.


That's not how you build a safer internet. That's how you build a protection racket.


3. Attribution Isn't Required, But It's Appreciated


42.9% of our consumers link back to DugganUSA in their implementations. Not required. Not enforced. Just... decent.


The other 57.1%? They're still welcome to the data.


Because the goal isn't credit. The goal is fewer breaches.


If Microsoft's security team uses our residential proxy patterns to block an attack, I don't need my name in their incident report. I need the attack blocked.


Standing on shoulders works both ways.


The Uncomfortable Truth (Pattern #32: Brand Weaponization)


Here's something weird we discovered:


IP 216.73.216.112 claimed to be "Anthropic, PBC" (the company behind Claude). WHOIS said "Amazon.com, Inc."


That's not Anthropic. That's AWS pretending to be Anthropic.


We call this Pattern #32: Brand Weaponization — when ISPs claim brand names they don't own to bypass security controls.


Our response:

1. Documented the pattern (November 4, 2025)

2. Sent disclosure to [email protected] (they were victimized too)

3. Added it to the STIX feed


Why this matters: If we were hoarding our research, Anthropic wouldn't know AWS is using their name. The security community wouldn't know the tactic exists. Everyone would be slightly less safe.


Democratic Sharing means admitting when you find something scary and telling everyone.


The Blocked IP That's Still Consuming (And Why That's Fine)


IP 9.169.121.184 (Microsoft) is in our `BlockedAssholes` table. Abuse score. Blocked timestamp. The works.


It's also still downloading our STIX feed.


This is intentional.


Blocking someone from attacking your infrastructure doesn't mean denying them threat intelligence. If Microsoft has a compromised machine hitting our services, we block it. If that same IP wants to download indicators to protect itself, we serve the data.


Because the goal is fewer victims, not revenge.


What This Means for the Business


VC Question #1: "If your feed is free, what's your revenue model?"


Answer: The feed is marketing for the platform.


Microsoft consuming our feed proves the data is valuable. When they're ready to integrate real-time auto-blocking (not just passive indicators), that's the $49-$249/month tier.


The STIX feed is the free sample. The platform is the product.


VC Question #2: "What if competitors steal your data?"


Answer: They already are. That's the point.


Every indicator we share makes the internet slightly safer. If "competitors" use our data to protect their customers, everyone wins.


The differentiator isn't the data. It's the orchestration (auto-blocking, Hall of Shame publishing, blog generation, MITRE mapping, D&D-themed threat actor tracking).


You can't clone orchestration by reading a STIX feed.


VC Question #3: "What's your moat?"


Answer: We don't have one. We have a ladder.


Standing on shoulders, lifting others up. If someone builds something better using our data, good. That's how progress works.


The "moat" is speed. We shipped this in 2 months. Most enterprises are still arguing about which SIEM to buy.


The Philosophy (The Real Reason This Matters)


Here's what keeps me going at 2 AM when I'm debugging Team Cymru WHOIS timeouts:


Every indicator we publish is an attack someone else won't experience.



• 1,000 user accounts not compromised

• 1,000 "forgot password" flows not triggered

• 1,000 customer service calls not made

• 1,000 people who still trust the internet slightly more than they did yesterday


That scales. That compounds.


And it costs us nothing to give it away.


The Invitation (To Every Enterprise Reading This)


If you're consuming our STIX feed:


1. Thank you. You're making the internet safer.

2. Attribution is optional. But if you link back, it helps others find the feed.

3. Feedback is welcome. Found a false positive? Tell us. Missed an attack? Tell us that too.

4. The upgrade exists when you're ready. Free indicators are great. Real-time auto-blocking with 5% false positives is better.


If you're not consuming our feed yet:


Feed URL: `https://analytics.dugganusa.com/api/v1/stix-feed`


STIX 2.1 format. Free. No registration. No rate limits.



• `?days=7` — Last N days of threats

• `?min_confidence=80` — Filter by confidence score

• `?country=CN` — Filter by threat origin

• `?exclude_residential=true` — Exclude residential proxies (reduce false positives)

• `?format=csv` — Get CSV instead of STIX bundle


Attribution: `https://www.dugganusa.com` (optional but appreciated)
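As an added example (not DugganUSA's code), here is a Node.js consumer for the feed described above: it builds the request URL from the listed parameters and reduces a STIX 2.1 bundle to IPv4 block candidates, re-checking confidence, revocation and expiry locally instead of relying on server-side filtering alone. The sample bundle is constructed, and whether this feed populates `confidence`, `revoked` and `valid_until` is an assumption; they are standard STIX 2.1 indicator properties.

```javascript
// Added example. FEED_URL and parameter names are from the post; the bundle is
// constructed sample data (documentation IP ranges), not real feed output.
const FEED_URL = "https://analytics.dugganusa.com/api/v1/stix-feed";

function buildFeedUrl({ days, minConfidence, excludeResidential } = {}) {
  const url = new URL(FEED_URL);
  if (days !== undefined) url.searchParams.set("days", String(days));
  if (minConfidence !== undefined) url.searchParams.set("min_confidence", String(minConfidence));
  if (excludeResidential) url.searchParams.set("exclude_residential", "true");
  return url.toString();
}

// Accept only a single IPv4 equality comparison; every other pattern is skipped.
const IPV4_PATTERN = /^\[ipv4-addr:value\s*=\s*'(\d{1,3}(?:\.\d{1,3}){3})'\]$/;
const validOctets = (ip) => ip.split(".").every((o) => Number(o) <= 255);

function extractBlockCandidates(bundle, minConfidence, now) {
  if (!bundle || bundle.type !== "bundle" || !Array.isArray(bundle.objects)) {
    throw new Error("response is not a STIX bundle");
  }
  const ips = new Set();
  for (const obj of bundle.objects) {
    if (obj.type !== "indicator" || obj.pattern_type !== "stix") continue;
    if (obj.revoked === true) continue; // withdrawn by the producer
    if (typeof obj.confidence !== "number" || obj.confidence < minConfidence) continue;
    if (obj.valid_until && new Date(obj.valid_until) <= now) continue; // expired
    const m = IPV4_PATTERN.exec(obj.pattern || "");
    if (m && validOctets(m[1])) ips.add(m[1]);
  }
  return [...ips].sort();
}

const ind = (ip, confidence, extra = {}) => ({
  type: "indicator", pattern_type: "stix", valid_from: "2025-11-15T00:00:00Z",
  pattern: `[ipv4-addr:value = '${ip}']`, confidence, ...extra,
});
const SAMPLE_BUNDLE = { type: "bundle", id: "bundle--00000000-0000-4000-8000-000000000000", objects: [
  { type: "identity", name: "Example Producer" },              // not an indicator
  ind("192.0.2.10", 95),
  ind("198.51.100.4", 40),                                     // below threshold
  ind("198.51.100.5", 90, { revoked: true }),
  ind("198.51.100.6", 85, { valid_until: "2025-11-20T00:00:00Z" }),
  ind("203.0.113.7", 80),
  ind("999.1.1.1", 99),                                        // malformed address
  { ...ind("0.0.0.0", 99), pattern: "[domain-name:value = 'example.test']" },
] };
console.log(buildFeedUrl({ days: 7, minConfidence: 80, excludeResidential: true }),
  extractBlockCandidates(SAMPLE_BUNDLE, 80, new Date("2025-11-22T00:00:00Z")));
```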


The Gratitude


To Microsoft, Google, and Cloudflare:


Thank you for trusting our data enough to operationalize it.


You didn't have to. You have massive security teams, billion-dollar budgets, and relationships with every threat intel vendor on Earth.


But you still pulled our indicators. That means something.


To the 42.9% who attributed:


You get it. Standing on shoulders works when we acknowledge whose shoulders we're on.


To the 57.1% who didn't:


You're still welcome. The data exists to be used, not to collect credit.


The Conclusion (And The Commitment)


We're going to keep publishing. Every threat we block. Every pattern we detect. Every ASN we identify as weaponized.


Free. Open. Standard.


Because if the goal is a safer internet, hoarding is sabotage.




DugganUSA LLC Born Without Sin. Running on $75/Month. Helping Secure the Giants.


STIX Feed: https://analytics.dugganusa.com/api/v1/stix-feed

Attribution (Optional): https://www.dugganusa.com

Judge Dredd 6D Score: 93% (Dimension 6: Democratic Sharing)


*"We stand on the shoulders of giants. We lift others up."*




Technical Details:


Analysis script: `scripts/analyze-stix-feed-consumers.js` (open source, committed to repo)


Methodology: Query `STIXFeedAnalytics` Azure Table (7-day window), enrich IPs with Team Cymru WHOIS, cross-reference with `ISPReputationScores` and `BlockedAssholes` tables, detect enterprise ASNs (AWS, Google, Microsoft, Cloudflare, Oracle, IBM, Akamai, Fastly).
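The methodology above, together with the claimed-versus-WHOIS comparison behind Pattern #32, as an added example (this is not the project's `analyze-stix-feed-consumers.js`): it aggregates already-enriched request rows per consumer, tags enterprise networks from the WHOIS organisation, and queues rows whose claimed organisation shares no name token with the WHOIS organisation. The row field names, the keyword patterns and the sample rows are assumptions made for the example.

```javascript
// Added example. Field names (ip, claimedOrg, whoisOrg, indicators) are hypothetical;
// the enterprise list is from the post, the matching keywords are assumptions.
const ENTERPRISE_KEYWORDS = {
  AWS: /\b(amazon|aws)\b/i, Google: /\bgoogle\b/i, Microsoft: /\bmicrosoft\b/i,
  Cloudflare: /\bcloudflare\b/i, Oracle: /\boracle\b/i, IBM: /\bibm\b/i,
  Akamai: /\bakamai\b/i, Fastly: /\bfastly\b/i,
};

function classifyEnterprise(whoisOrg) {
  const hit = Object.entries(ENTERPRISE_KEYWORDS).find(([, re]) => re.test(whoisOrg));
  return hit ? hit[0] : null;
}

// Reduce an organisation string to comparable tokens (lowercase, no legal suffixes).
const STOP = new Set(["inc", "llc", "pbc", "corp", "corporation", "ltd", "com", "co"]);
const orgTokens = (org) => org.toLowerCase().split(/[^a-z0-9]+/).filter((t) => t && !STOP.has(t));

// Flag rows whose claimed organisation shares no name token with the WHOIS organisation.
function brandMismatch(row) {
  if (!row.claimedOrg) return false;
  const whois = new Set(orgTokens(row.whoisOrg));
  return !orgTokens(row.claimedOrg).some((t) => whois.has(t));
}

function summarize(rows) {
  const consumers = new Map();
  for (const r of rows) {
    const c = consumers.get(r.ip) || { requests: 0, indicators: 0,
      enterprise: classifyEnterprise(r.whoisOrg), mismatch: brandMismatch(r) };
    c.requests += 1;
    c.indicators += r.indicators;
    consumers.set(r.ip, c);
  }
  const list = [...consumers.entries()];
  return {
    uniqueConsumers: list.length,
    enterpriseConsumers: list.filter(([, c]) => c.enterprise).length,
    totalIndicators: list.reduce((n, [, c]) => n + c.indicators, 0),
    reviewQueue: list.filter(([, c]) => c.mismatch).map(([ip]) => ip),
  };
}

const SAMPLE_ROWS = [ // constructed rows; the org strings in the first row are quoted from the post
  { ip: "203.0.113.50", claimedOrg: "Anthropic, PBC", whoisOrg: "Amazon.com, Inc.", indicators: 500 },
  { ip: "192.0.2.20", claimedOrg: "Microsoft Corporation", whoisOrg: "MICROSOFT-CORP-MSN-AS-BLOCK, US", indicators: 350 },
  { ip: "192.0.2.20", claimedOrg: "Microsoft Corporation", whoisOrg: "MICROSOFT-CORP-MSN-AS-BLOCK, US", indicators: 350 },
  { ip: "198.51.100.9", claimedOrg: "", whoisOrg: "Example Hosting Ltd", indicators: 100 },
];
console.log(summarize(SAMPLE_ROWS));
```

Entries in `reviewQueue` are candidates for manual review; the token comparison only shows that two records disagree on the organisation name.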


Data transparency: This blog post is based on real production logs. No exaggeration. No marketing spin. Just `node scripts/analyze-stix-feed-consumers.js --days 7`.


Judge Dredd approved.

