# While CISA Burns at 38% Capacity, We Pushed 246 Threat Objects to 46 Countries
- Patrick Duggan
- Feb 21
- 3 min read
**Saturday morning. Coffee. Traffic report. Then the question: what did we miss?**
The answer turned out to be five threat actors operating in the wild with zero coverage in our STIX feed. By afternoon, all five gaps were closed — 241 indicators, 4 threat actors, and 1 critical CVE pushed to 275+ consumers across 46 countries.
Here's what the week looked like and why it matters that someone's still watching.
## The Landscape: February 21, 2026
CISA is operating at 38% capacity after DHS restructuring. Two cybersecurity professionals pleaded guilty as ALPHV/BlackCat affiliates. University of Mississippi Medical Center got hit with ransomware — 7 hospitals, 35 clinics dark. Six Microsoft zero-days dropped. Chrome zero-day. Apple zero-day. BeyondTrust published CVE-2026-1731 at CVSS 9.9 with confirmed ransomware exploitation.
And somewhere in the noise, a new Android malware called PromptSpy became the first known threat to abuse generative AI at runtime — using Google's Gemini API to manipulate device UIs and maintain persistence.
This is not a quiet week.
## The Gap Analysis
We ran our standard self-assessment first. Are we exposed? No — no BeyondTrust, no Semantic Kernel, no Cline in our stack. Container images pinned. Chrome patched. Clean.
Then: are our customers protected? We queried the STIX feed for five emerging threats:
| Threat | Prior Coverage | Gap |
|--------|---------------|-----|
| WorldLeaks (Hunters International rebrand) | 0 IOCs | SharpRhino RAT, ESXi encryptor |
| NoName057(16) DDoSia botnet | 0 IOCs | 33 C2 IPs, DDoSia binaries |
| PromptSpy Android spyware | 0 IOCs | First GenAI-abusing malware |
| SparkRAT (Chinese/DPRK APTs) | 0 IOCs | Go-based cross-platform RAT |
| BeyondTrust CVE-2026-1731 | 0 IOCs | CVSS 9.9, active ransomware |
Five zeros. That's unacceptable when 275+ organizations depend on your feed.
## The Push: 246 Objects in 7 Bundles
We collected IOCs from SentinelOne, Unit42, ESET, Team Cymru, Sekoia, Avast, GovCERT.ch, Censys, AhnLab, F5 Labs, and Recorded Future. Then formatted them as STIX 2.1 bundles and pushed them through our ingest endpoint:
**75 IP addresses** — C2 servers for DDoSia botnets, SparkRAT implants, PromptSpy VNC channels, and BeyondTrust exploitation infrastructure.
**45 domains** — DDNS C2 for NoName057, Cloudflare Workers abuse by WorldLeaks, OAST callback domains from BeyondTrust exploitation, fake meeting sites from DPRK-linked SparkRAT campaigns.
**68 SHA-256 hashes** — DDoSia client binaries across Windows/Linux/macOS/FreeBSD, PromptSpy APK variants, SparkRAT implants, web shells and post-exploitation tools from BeyondTrust attacks.
**53 SHA-1 hashes** — SentinelOne-sourced DDoSia samples, ESET-sourced PromptSpy Android packages, F5 Labs SparkRAT variants spanning 2022-2024.
**4 threat actor profiles** — WorldLeaks, NoName057(16), PromptSpy Operators, SparkRAT Operators.
**1 vulnerability** — CVE-2026-1731 (BeyondTrust PRA/RS, CVSS 9.9, federal 3-day remediation deadline).
All seven POST requests returned 200. IOC index now at 894,879 indicators.
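The two steps above, the coverage query against the feed and the STIX 2.1 bundle build, are the parts a reader is most likely to want to reproduce. The following is an added example written for this post, not Butterbot's own code: it turns a list of raw IOC strings into a STIX 2.1 bundle (one `indicator` per IOC with a STIX pattern, one `threat-actor`, and an `indicates` relationship for each), counts indicators per named actor in an existing feed so that a "0 IOCs" row shows up before the push, and posts the bundle. It uses only the Python standard library. The ingest URL, bearer token, id namespace, fixed timestamp and every IOC value are constructed placeholders; the threat names are the ones from the table.

```python
"""Build a STIX 2.1 bundle from raw IOCs and check a feed's per-threat coverage.

Added example, standard library only; not Butterbot's own code. The ingest
endpoint, the id namespace and all IOC values are constructed placeholders.
"""
import json
import re
import urllib.request
import uuid

# Constructed namespace: uuid5 makes ids deterministic, so re-pushing the same
# IOC updates one object instead of creating a duplicate on every run.
ID_NAMESPACE = uuid.uuid5(uuid.NAMESPACE_DNS, "ids.example.invalid")
CREATED = "2026-02-21T18:00:00.000Z"  # fixed for reproducibility; use UTC now() in practice

# Anchored patterns keep the kinds disjoint: a hash has no dot, an IPv4 address
# has no alphabetic TLD, so no raw value can match two kinds.
IOC_KINDS = [
    ("ipv4", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")),
    ("sha256", re.compile(r"^[0-9a-f]{64}$", re.I)),
    ("sha1", re.compile(r"^[0-9a-f]{40}$", re.I)),
    ("domain", re.compile(
        r"^(?=.{4,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)),
]
PATTERNS = {  # STIX patterning expressions per IOC kind
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
    "sha1": "[file:hashes.'SHA-1' = '{v}']",
}

def classify(value):
    """Return the IOC kind for a raw string, or None if it matches nothing."""
    v = value.strip()
    for kind, rx in IOC_KINDS:
        if rx.match(v):
            return kind
    return None

def stix_id(obj_type, key):
    return f"{obj_type}--{uuid.uuid5(ID_NAMESPACE, f'{obj_type}:{key}')}"

def make_indicator(value, label):
    kind = classify(value)
    if kind is None:  # refuse silently-wrong patterns from a garbled vendor list
        raise ValueError(f"unrecognised IOC: {value!r}")
    v = value.strip().lower()  # hashes and domains are case-insensitive
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": stix_id("indicator", f"{kind}:{v}"),
        "created": CREATED, "modified": CREATED,
        "name": f"{label} {kind}: {v}",
        "indicator_types": ["malicious-activity"],
        "pattern": PATTERNS[kind].format(v=v),
        "pattern_type": "stix", "pattern_version": "2.1",
        "valid_from": CREATED,
    }

def make_threat_actor(name):
    return {
        "type": "threat-actor", "spec_version": "2.1",
        "id": stix_id("threat-actor", name.lower()),
        "created": CREATED, "modified": CREATED,
        "name": name, "threat_actor_types": ["unknown"],
    }

def make_relationship(src, tgt, rel_type="indicates"):
    return {
        "type": "relationship", "spec_version": "2.1",
        "id": stix_id("relationship", f"{src}|{rel_type}|{tgt}"),
        "created": CREATED, "modified": CREATED,
        "relationship_type": rel_type, "source_ref": src, "target_ref": tgt,
    }

def build_bundle(actor_name, iocs):
    """One threat actor, one indicator per unique IOC, one 'indicates' edge each."""
    actor = make_threat_actor(actor_name)
    objects, seen = [actor], set()
    for raw in iocs:
        ind = make_indicator(raw, actor_name)
        if ind["id"] in seen:  # the same IOC reported by two vendors
            continue
        seen.add(ind["id"])
        objects += [ind, make_relationship(ind["id"], actor["id"])]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

def coverage_by_threat(feed_objects, threat_names):
    """Count indicators linked by an 'indicates' relationship to each named actor."""
    wanted = {n.lower(): n for n in threat_names}
    actor_name = {o["id"]: o["name"].lower()
                  for o in feed_objects if o["type"] == "threat-actor"}
    counts = {n: 0 for n in threat_names}
    for o in feed_objects:
        if o["type"] != "relationship" or o.get("relationship_type") != "indicates":
            continue
        if not o["source_ref"].startswith("indicator--"):
            continue
        name = wanted.get(actor_name.get(o["target_ref"], ""))
        if name:
            counts[name] += 1
    return counts

def gaps(feed_objects, threat_names):
    """Threat names with zero indicators: the '0 IOCs' rows of the table."""
    return [n for n, c in coverage_by_threat(feed_objects, threat_names).items() if c == 0]

def post_bundle(bundle, ingest_url, token):
    """POST the bundle as JSON to a (hypothetical) ingest endpoint; return HTTP status."""
    req = urllib.request.Request(
        ingest_url, data=json.dumps(bundle).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status

if __name__ == "__main__":
    # Constructed pre-existing feed: one actor already covered, one not.
    feed = build_bundle("SparkRAT Operators", ["198.51.100.7"])["objects"]
    threats = ["WorldLeaks", "SparkRAT Operators"]
    print("gaps before:", gaps(feed, threats))
    new = build_bundle("WorldLeaks", ["203.0.113.10", "c2.example.invalid",
                                      "a" * 64, "b" * 40, "203.0.113.10"])
    feed += new["objects"]
    print("gaps after:", gaps(feed, threats))
    # post_bundle(new, "https://ingest.example.invalid/api/v1/stix", "PLACEHOLDER_TOKEN")
```

Run it as a script and the first line reports `['WorldLeaks']`, the second an empty list; the duplicate IP in the input produces a single indicator because the id is derived from the IOC value rather than generated at random. The `post_bundle` call is commented out because the endpoint is a placeholder; a real TAXII 2.1 server would expect the `application/taxii+json;version=2.1` media type instead of plain JSON.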
## Why This Matters
When CISA operates at 38% capacity, the gap doesn't disappear — it gets filled by whoever shows up. Today that was a two-person company in Minnesota running on $76/month of Azure infrastructure.
The protect-customers-publish pipeline isn't a marketing exercise. It's the operational loop: assess your own exposure, verify your customers' coverage, fill the gaps, then tell people what you found so they can verify independently.
Our STIX feed serves 275+ consumers in 46 countries. Every one of them now has indicators for five threats they didn't have this morning. The cost of that protection: one Saturday afternoon and the compute budget of a modest dinner.
## The Numbers
- **6.5 million** documents across 30 indexes
- **894,879** IOCs in the threat intelligence index
- **329,474** Epstein DOJ documents (dataset 9)
- **1.78 million** ICIJ offshore entities
- **275+** STIX feed consumers in 46 countries
- **$76/month** total infrastructure cost
- **99.99%** uptime
The 5% we guarantee is wrong? We haven't found it yet today. But we're looking.
*DugganUSA LLC operates Butterbot, a threat intelligence platform serving 275+ consumers across 46 countries. Our STIX feed is free and public. If CISA can't watch, we will.*
*STIX Feed: https://analytics.dugganusa.com/api/v1/stix-feed*
*Epstein Files: https://epstein.dugganusa.com*
*Her name was Renee Nicole Good.*
*His name was Alex Jeffery Pretti.*