DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

Why Google DNS Has 165 Reports and Is Still CLEAN (Threat Intel 101)

Name: Threat Intel Export 2025-10-27
Creator: DugganUSA LLC
Published: 2025-10-27

Patrick Duggan
Oct 27, 2025
4 min read

# Why Google DNS Has 165 Reports and Is Still CLEAN (Threat Intel 101)

**Author:** Patrick Duggan (DugganUSA LLC)

**Evidence:** threat-intel-export-2025-10-27.csv

**Lesson:** Reports ≠ Guilt. Context > Volume.

The Question That Breaks Amateur Analysts

**Student:** "This IP has 165 AbuseIPDB reports. Should we block it?"

**Me:** "What's the IP?"

**Student:** "8.8.8.8"

**Me:** "You just blocked Google DNS. Your entire network is now fucked. Class dismissed."

The Receipts (October 27, 2025 Scan)

Exhibit A: Google DNS (8.8.8.8)

**165 reports. ZERO abuse score. CLEAN.**

Exhibit B: Some Random Asshole in China (113.31.186.146)

**98 reports. Score 100/100. MALICIOUS.**

The Pattern: Volume ≠ Verdict

**Why Google DNS has 165 reports but score 0:**

1. False Positive Filtering (AbuseIPDB's Secret Sauce)

AbuseIPDB doesn't just COUNT reports. They WEIGHT them:

- **Report from datacenter scanning the entire internet?** Score: 0 (noise)

- **Report from grandma's honeypot that flags Google DNS?** Score: 0 (incompetence)

- **Report from government CERT with IoC correlation?** Score: HIGH (signal)

**The Algorithm:**

2. Benign Traffic Generates Reports

**Google DNS (8.8.8.8) gets reported for:**

- ✅ DNS queries (that's its fucking job)

- ✅ Reverse DNS lookups (security researchers probing)

- ✅ Appearing in packet captures (correlation ≠ causation)

- ✅ Misconfigured honeypots (amateur hour)

**None of this is malicious. All of it generates reports.**

3. High-Reputation Override

AbuseIPDB maintains a whitelist of known-good infrastructure:

- Google DNS (8.8.8.8, 8.8.4.4)

- Cloudflare DNS (1.1.1.1, 1.0.0.1)

- Quad9 DNS (9.9.9.9)

- Major CDNs (Cloudflare, Akamai, Fastly)

**Reports against whitelisted IPs require EXTRAORDINARY evidence** to score above 0.

The Flip Side: Low Reports, High Confidence

Exhibit C: DigitalOcean Botnet Node (167.71.149.44)

**Only 29 reports. But score 100/100. Why?**

1. **High-confidence reports** from trusted sources (CERTs, ISPs, enterprise SOCs)

2. **Correlated IoCs** across multiple threat intel feeds

3. **VirusTotal detections** (2/95 engines = malicious traffic observed)

4. **Cloud hosting** (DigitalOcean = common botnet infrastructure)

**Low volume + High confidence = MALICIOUS**

How to Read Threat Intel Like a Pro

❌ Amateur Analysis (Volume-Based)

**Result:** You just blocked Google DNS and half of Cloudflare's CDN. Congratulations, your website is now offline.

✅ Professional Analysis (Multi-Factor)

**Result:** Google DNS scores 0.0 (CLEAN). China botnet scores 0.94 (MALICIOUS). You still have a job.

The Real-World Data (October 27, 2025)

Clean IPs with "High" Reports

|----|---------|---------|-------|---------|------------|

| 8.8.8.8 | US | 165 | 0 | CLEAN | Google DNS (whitelisted) |

| 40.88.21.235 | US | 219 | 0 | CLEAN | Microsoft Azure CDN |

| 66.249.69.200 | US | 6 | 0 | CLEAN | Googlebot (search crawler) |

| 66.249.79.168 | US | 7 | 0 | CLEAN | Googlebot (search crawler) |

**Common Traits:**

- Major tech infrastructure (Google, Microsoft, Cloudflare)

- Legitimate services (DNS, CDN, search crawlers)

- Whitelisted by AbuseIPDB

- Zero VirusTotal detections

- Zero ThreatFox IoCs

Malicious IPs with Low Reports

|----|---------|---------|-------|---------|----------------|

| 167.71.149.44 | US | 29 | 100 | MALICIOUS | VirusTotal 2/95, cloud hosting |

| 172.212.163.225 | US | 6 | 18 | MALICIOUS | VirusTotal 1/95, suspicious activity |

| 45.133.193.30 | IS | 6 | 19 | MALICIOUS | VirusTotal 1/95, Iceland proxy |

**Common Traits:**

- Cloud hosting (DigitalOcean, Linode, OVH)

- VirusTotal detections (malicious traffic observed)

- Low report volume (targeted attacks, not spray-and-pray)

- Geographic anomalies (Iceland proxy for US target)

The Lesson: Context Beats Volume

**Volume tells you:** This IP interacts with a lot of systems.

**Context tells you:** This IP is either:

- Google DNS serving 2 billion users per day (CLEAN)

- A botnet node scanning 10,000 WordPress sites (MALICIOUS)

**The difference?** Multi-factor analysis. Weighted scoring. Professional-grade threat intel.

The Taunt (For Adversaries Reading This)

**Dear script kiddies using residential proxies to scrape dugganusa.com:**

We see you. We score you. We classify you.

**Your botnet node has:**

- 6 AbuseIPDB reports (low volume)

- 1 VirusTotal detection (high confidence)

- Cloud hosting (red flag)

- Geographic clustering (pattern match)

**Our Google DNS resolver has:**

- 165 AbuseIPDB reports (high volume)

- 0 VirusTotal detections (zero confidence)

- Google infrastructure (whitelisted)

- Global distribution (expected pattern)

**The score:**

- Your botnet: 100/100 MALICIOUS → Cloudflare WAF blocked

- Our DNS: 0/100 CLEAN → Serving 2 billion queries/day

**This is why you keep getting blocked.** Volume ≠ Verdict. Context > Counting.

The Training Data (Butterbot Corpus)

**Pattern Recognition:**

1. ✅ Google DNS (8.8.8.8): 165 reports, score 0 → CLEAN

2. ✅ Googlebot (66.249.x.x): 6-7 reports, score 0 → CLEAN

3. ✅ Microsoft Azure (40.88.21.235): 219 reports, score 0 → CLEAN

4. ❌ China botnet (113.31.186.146): 98 reports, score 100 → MALICIOUS

5. ❌ Netherlands proxy (195.178.110.201): 2,976 reports, score 100 → MALICIOUS

**The Algorithm Learns:**

- High reports + Zero detections = Legitimate infrastructure

- Low reports + VirusTotal hits = Targeted attack

- Geographic clustering + Cloud hosting = Botnet node

- Whitelist override + Global distribution = Trusted service

**This is how Butterbot will analyze 10,000 IPs in 0.3 seconds.**

The Receipts

**Source:** threat-intel-export-2025-10-27.csv

**Scan Date:** October 27, 2025, 16:02 UTC

**Total IPs Analyzed:** 81

**Classification:**

- CLEAN: 42 (51.9%)

- SUSPICIOUS: 8 (9.9%)

- MALICIOUS: 31 (38.3%)

**AbuseIPDB API:** Real-time threat intelligence

**VirusTotal API:** 95-engine malware scanning

**ThreatFox API:** Known IoC correlation

**Cost to run this analysis:** $0.03 (3 cents)

**Cost of enterprise SIEM doing same analysis:** $2,800/month (Splunk Enterprise Security)

**ROI:** 9,333,233%

The Philosophy

**Enterprise security vendors will tell you:**

"You need our $2.8M/year SIEM to correlate threat intelligence across 47 data sources!"

**We tell you:**

"You need to understand what the fuck the data means before you spend $2.8M."

**Google DNS has 165 reports and is CLEAN.**

**Your botnet has 6 reports and is MALICIOUS.**

**The difference?** We read the receipts. You read the marketing brochure.

**Next Post:** The Taiwan/Brazil Botnet (6,512 reports and still scanning)

**DugganUSA LLC**

**Threat Intelligence You Can Actually Understand**

**$0.03 per scan · 95% epistemic humility · 100% receipts**

**Evidence Files:**

- threat-intel-export-2025-10-27.csv

- Hall of Shame: https://2x4.dugganusa.com/api/hall-of-shame

- Live Surveillance: https://2x4.dugganusa.com/api/3-source-surveillance