# When Your Copilot Knows Where the Bodies Are Buried

  • Writer: Patrick Duggan
  • Dec 17, 2025
  • 3 min read


**TL;DR:** We built an AI copilot with access to 45,000+ documents of institutional memory. Then we asked it who's been checking if they got caught. The answer was... illuminating.




## The Setup

Here's the problem with threat intelligence: it's useless if you can't find it.


We've been publishing threat intel for months. 537,089 indicators. 3,886 pulses. Blocked 1,600+ malicious IPs. Wrote 5,945 blog posts documenting every pattern, every attack, every "holy shit" moment.


But ask me what we learned about Singapore shell companies three months ago? I'd have to grep through markdown files like a caveman.


So we built something different.


## The Copilot

Meet Butterbot Jr. He's not ChatGPT with a funny name. He's an AI with **context**.


Every blog post we've written. Every IP we've blocked. Every threat intel pulse we've published. Every pattern we've discovered. It's all indexed, searchable, and wired directly into his brain.


When I ask Butterbot Jr a question, he doesn't hallucinate. He searches. 45,162 documents across 8 specialized indexes. Then he synthesizes.


The secret sauce? Probability math.


Not the "we trained a model" kind. The "we can check membership across 537,000 indicators in constant time using almost no memory" kind. The stuff Jensen Huang was pointing at on Joe Rogan when he talked about where computing is headed.


Our threat detection runs on mathematical structures that most security vendors haven't discovered yet. When Jr searches, he's not doing keyword matching. He's doing probabilistic correlation across a quarter million data points.
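The membership check described above (constant time, almost no memory, across 537,000 indicators) is characteristic of a Bloom filter. What follows is an added illustration, not Butterbot Jr's code: the Bloom filter itself is my assumption about what the post means, and the sample IPs are the ones quoted later in the post.

```python
import hashlib
import math


class IndicatorBloom:
    """Bloom filter: k hash probes per lookup over a bit array sized for a
    target false-positive rate. Assumption: this is the structure the post
    alludes to. False positives are possible, false negatives are not, so a
    hit should be confirmed against the authoritative indicator store."""

    def __init__(self, capacity: int, fp_rate: float):
        # Optimal bit count m and probe count k for n = capacity, p = fp_rate.
        self.m = math.ceil(-capacity * math.log(fp_rate) / (math.log(2) ** 2))
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str):
        # Double hashing: derive k positions from two halves of one SHA-256.
        d = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1  # odd step reduces probe collisions
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def might_contain(self, item: str) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

    def size_bytes(self) -> int:
        return len(self.bits)


def build_indicator_filter():
    # Sized for the post's 537,089 indicators at a 1% false-positive target,
    # seeded with a constructed sample: the IPs quoted in the post.
    bf = IndicatorBloom(capacity=537_089, fp_rate=0.01)
    for ip in ["103.253.145.0", "119.13.103.99", "27.106.103.54",
               "156.59.198.135", "162.128.163.209"]:
        bf.add(ip)
    return bf
```

At this size the whole 537k-indicator set fits in well under a megabyte, which is the "almost no memory" part; the price is that a positive answer means "probably present" and must be confirmed before blocking on it.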


The cost? About $0.00015 per query. A tenth of a penny.


## The Question

Yesterday, I had a hunch.


We've been tracking our STIX feed consumers - organizations pulling our threat intelligence. Most are expected: Microsoft, Google, Amazon. Security teams doing security things.


But some weren't expected.


So I asked Jr:


> "Who are the new STIX feed consumers in the last 7 days? Any interesting organizations?"


Cost: $0.000157


His answer flagged Huawei Cloud (Hong Kong) and ZEN-ECN (Singapore). Interesting, but not damning.


Then I asked the follow-up:


> "Tell me about any IPs or activity from Huawei Cloud or ZEN-ECN Singapore. Are they in our blocked list?"


Cost: $0.000172


Jr came back with receipts.


## The Receipts

ZEN-ECN Singapore IP `103.253.145.0` - asshole score 75, flagged for probing activity.


But here's where it gets spicy:


| IP | ISP | MITRE Tactic | Asshole Score | Status |
|----|-----|--------------|---------------|--------|
| `119.13.103.99` | Huawei Cloud Singapore | Defense Evasion | 82.15 | Blocked TODAY |
| `27.106.103.54` | Huawei Cloud HK | Defense Evasion | 75.42 | Blocked TODAY |
| `156.59.198.135` | ZEN-HK | Initial Access | 126.07 | Blocked TODAY |
| `162.128.163.209` | Zenlayer Singapore | C2 | 40.54 | Blocked Dec 14 |


Same organizations. Same infrastructure. Different IPs.


**Pattern:**

1. Run proxy/evasion operations from Singapore/HK cloud infrastructure

2. Get blocked by our automated threat detection

3. Start consuming our STIX feed to see what we caught


This is the "did they catch us?" pattern. And we found it with three questions to an AI that costs a tenth of a penny per query.
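The "did they catch us?" correlation from the pattern above, written out as added example code (not the post's or Butterbot Jr's code): it joins a block log against a feed-access log by operator family and flags every fetch that follows a block of that operator's infrastructure within a time window. Org names and IPs follow the post's table; the timestamps, request records and the family mapping are constructed for this example.

```python
from datetime import datetime, timedelta

# Constructed sample data for this example (not from the post's systems). The
# org names and blocked IPs follow the post's table; timestamps are invented.
BLOCK_LOG = [
    {"ip": "119.13.103.99", "org": "Huawei Cloud Singapore",
     "tactic": "Defense Evasion", "blocked_at": "2025-12-16T09:15:00"},
    {"ip": "27.106.103.54", "org": "Huawei Cloud HK",
     "tactic": "Defense Evasion", "blocked_at": "2025-12-16T09:45:00"},
    {"ip": "156.59.198.135", "org": "ZEN-HK",
     "tactic": "Initial Access", "blocked_at": "2025-12-16T11:00:00"},
    {"ip": "162.128.163.209", "org": "Zenlayer Singapore",
     "tactic": "C2", "blocked_at": "2025-12-14T03:00:00"},
]
FEED_ACCESS_LOG = [
    {"org": "Huawei Cloud HK", "fetched_at": "2025-12-16T13:15:00"},
    {"org": "Huawei Cloud HK", "fetched_at": "2025-12-16T13:45:00"},
    {"org": "ZEN-ECN Singapore", "fetched_at": "2025-12-16T15:00:00"},
    {"org": "Zscaler Japan", "fetched_at": "2025-12-15T08:00:00"},
]

# Assumption: regional networks of one operator (Huawei Cloud HK/Singapore,
# ZEN-HK/ZEN-ECN/Zenlayer) are grouped into one "family", as the post does.
FAMILIES = {"huawei": "Huawei Cloud", "zen": "ZEN/Zenlayer"}


def family(org: str) -> str:
    low = org.lower()
    return next((fam for key, fam in FAMILIES.items() if key in low), org)


def did_they_catch_us(block_log, access_log, window_hours: int = 72):
    """Flag feed fetches by an org family whose infrastructure we blocked
    within `window_hours` before the fetch (block first, then fetch)."""
    hits = []
    for access in access_log:
        t_fetch = datetime.fromisoformat(access["fetched_at"])
        fam = family(access["org"])
        for b in block_log:
            if family(b["org"]) != fam:
                continue
            delta = t_fetch - datetime.fromisoformat(b["blocked_at"])
            if timedelta(0) <= delta <= timedelta(hours=window_hours):
                hits.append({"family": fam, "blocked_ip": b["ip"],
                             "tactic": b["tactic"],
                             "hours_after_block": delta.total_seconds() / 3600})
    return hits
```

The ordering check matters: a fetch that precedes the block is ordinary feed consumption, and only block-then-fetch within the window is the pattern the post describes.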


## What's NOT There

Here's what made me sit up straight.


Our STIX feed has 537,089 indicators. 24 subscribers on OTX. We're not small.


**Who's consuming:**

- Hong Kong: Huawei Cloud (6 requests)

- Singapore: ZEN-ECN (2 requests)

- Japan: Zscaler (1 request)

- Colombia, Sweden, Poland: small numbers


**Who's conspicuously absent:**

- UK: Zero

- Canada: Zero

- Australia: Zero

- New Zealand: Zero


If Five Eyes intelligence services were interested in our feed, we'd see them. They're not hiding - they have legitimate collection operations.


But threat actors checking if they're burned? They look exactly like this. Singapore and Hong Kong cloud infrastructure, checking our intel right after getting blocked.


## The Meta Point

We didn't discover this pattern through traditional threat hunting. We discovered it by asking an AI that has read everything we've ever written.


**Total cost of this counterintel session:** $0.001


One tenth of one cent.


The AI didn't hallucinate this. It searched 45,162 documents, found the blocked IPs matching our feed consumers, correlated the timing, and surfaced the pattern.


This is what Context-Augmented Generation looks like in practice. Not a chatbot. Not a search engine. Something in between that actually understands your domain because it's read all your homework.


## The Punchline

State-level actors are checking our feed to see if they're burned.


That's either terrifying or the best product validation we've ever had.


Probably both.




*Butterbot Jr is our internal AI copilot built on 45,162 indexed documents of threat intelligence, blog posts, and blocked attacker data. The counterintel analysis in this post cost less than a penny and took about 3 minutes.*


*If you're interested in threat intelligence that's good enough to make nation-state actors nervous, our STIX feed is available at analytics.dugganusa.com.*





**Category:** Threat Intelligence


**Author:** Patrick Duggan

