
Your $200K Security Tool Has a STIX Import Button. Here's the Free Feed It's Been Waiting For.

  • Writer: Patrick Duggan
  • Jan 6
  • 3 min read


The Button Nobody Clicks


You bought the platform. CrowdStrike, Palo Alto, Microsoft Sentinel, IBM QRadar, OpenCTI - doesn't matter which. Somewhere in the settings, there's a button that says "Add STIX/TAXII Feed."


You've probably never clicked it.


Not because you don't want more threat intelligence. Because when you go looking for feeds to add, you find:


  • Vendor's own feed: $50K/year extra

  • AlienVault OTX: Still on STIX 1.x (a different format)

  • MITRE ATT&CK: Knowledge base, zero IOCs

  • abuse.ch feeds: JSON, not STIX

  • CINS Army: Plain text IP list

  • Everything else: CSV files you'd have to transform yourself

So the button sits there. Waiting.





We Went Looking


We spent an afternoon doing what you probably did: searching for free STIX 2.1 threat intelligence feeds.


Here's what we found:



Feed            | Format      | Actionable IOCs      | STIX 2.1?
----------------|-------------|----------------------|----------
AlienVault OTX  | STIX 1.x    | Yes                  | No
MITRE ATT&CK    | STIX 2.1    | No (knowledge only)  | Yes
Feodo Tracker   | JSON        | 4 active C2s         | No
ThreatFox       | JSON/API    | Yes                  | No
CINS Army       | Plain text  | 15,000 IPs           | No
URLhaus         | JSON        | Yes                  | No


Zero free STIX 2.1 feeds with actionable IOCs and full graph structure.


The enterprise platforms support STIX 2.1 because enterprise customers check that compliance box. But the actual feeds? Paywalled at $50K-$500K/year.





Why the Gap Exists


STIX 2.1 is the format. Everyone agrees on it. OASIS published the spec. IBM, Microsoft, Palo Alto, CrowdStrike - they all implemented it.


But here's the thing: threat intelligence is a product. The vendors selling $50K feeds aren't going to give them away. And the open-source community? They're publishing in whatever format is easiest (JSON, CSV, plain text). Nobody was doing the work in between:


  1. Collecting IOCs from multiple sources

  2. Correlating and deduplicating

  3. Enriching with threat actor attribution

  4. Adding kill chain phases

  5. Building relationship graphs

  6. Outputting as proper STIX 2.1 bundles

Until now.





What We Built


DugganUSA STIX Feed: https://analytics.dugganusa.com/api/v1/stix-feed


A real STIX 2.1 bundle with:



Object Type     | Count                         | What It Is
----------------|-------------------------------|-----------------------------------
indicator       | 1,000+/day                    | Actual IP addresses you can block
threat-actor    | 399                           | APT groups with attribution
campaign        | Active                        | Inferred from malware families
infrastructure  | Bulletproof hosting, proxies  | ISP-level threat data
sighting        | 500+                          | When we observed each indicator
relationship    | 600+                          | Graph connections between objects
attack-pattern  | 16                            | Supply chain TTPs mapped to MITRE


Sources: AbuseIPDB, VirusTotal, ThreatFox, OTX, plus our own honeypot network.


Cost: Free. Actually free. No API key required.





How to Use It



Microsoft Sentinel



Settings → Data Connectors → Threat Intelligence - TAXII
URL: https://analytics.dugganusa.com/api/v1/stix-feed
Polling frequency: 1 hour



OpenCTI



# docker-compose.yml
- TAXII2_URL=https://analytics.dugganusa.com/api/v1/stix-feed
- TAXII2_INTERVAL=3600



CrowdStrike Falcon



Support → API Clients → STIX/TAXII Integration
Discovery URL: https://analytics.dugganusa.com/api/v1/stix-feed



curl (for the skeptics)



curl -s "https://analytics.dugganusa.com/api/v1/stix-feed?days=7" | jq '.objects | length'
# Returns: 2500+



Parameters



Parameter       | Default | Description
----------------|---------|------------------------------
days            | 30      | How far back to pull
limit           | none    | Cap the number of indicators
min_confidence  | 30      | Filter by confidence score
format          | bundle  | STIX 2.1 bundle





What You Get


Every indicator includes:



{
  "type": "indicator",
  "pattern": "[ipv4-addr:value = '45.148.10.242']",
  "confidence": 95,
  "kill_chain_phases": [
    {"kill_chain_name": "mitre-attack", "phase_name": "command-and-control"}
  ],
  "x_dugganusa_threat_intel": {
    "abuse_score": 100,
    "malware_family": "Cobalt Strike",
    "isp": "TECHOFF-HOSTING",
    "country": "RU"
  }
}


Plus relationship objects linking indicators to threat actors:



{
  "type": "relationship",
  "relationship_type": "attributed-to",
  "source_ref": "indicator--abc123",
  "target_ref": "threat-actor--def456",
  "confidence": 70
}


This isn't a flat list of IPs. It's a graph you can query.
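Here is what "a graph you can query" looks like in practice: an added example (not the feed's own code) that walks a STIX 2.1 bundle, keeps only single-IPv4 indicators at or above the feed's default min_confidence of 30, and resolves attributed-to relationships to threat-actor names. The bundle is a constructed sample in the same shape as the objects above (placeholder ids, documentation addresses); the regex shape, the dangling-reference handling and the 30 default are assumptions tied to this post, not the feed's published contract.

```python
import re

# Accepts only the single-IPv4 comparison form the feed's indicators use.
IPV4_PATTERN = re.compile(r"^\[ipv4-addr:value = '(\d{1,3}(?:\.\d{1,3}){3})'\]$")

# Constructed sample (placeholder ids, documentation addresses); swap in
# json.loads() of the live feed response to run this against real data.
SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--sample", "objects": [
    {"type": "indicator", "id": "indicator--a1", "confidence": 95,
     "pattern": "[ipv4-addr:value = '203.0.113.10']", "pattern_type": "stix"},
    {"type": "indicator", "id": "indicator--a2", "confidence": 20,
     "pattern": "[ipv4-addr:value = '203.0.113.11']", "pattern_type": "stix"},
    {"type": "indicator", "id": "indicator--a3", "confidence": 80,
     "pattern": "[domain-name:value = 'example.invalid']", "pattern_type": "stix"},
    {"type": "threat-actor", "id": "threat-actor--t1", "name": "Sample Group"},
    {"type": "relationship", "id": "relationship--r1", "relationship_type": "attributed-to",
     "source_ref": "indicator--a1", "target_ref": "threat-actor--t1", "confidence": 70},
    # Dangling ref: a relationship whose target is absent must not crash us.
    {"type": "relationship", "id": "relationship--r2", "relationship_type": "attributed-to",
     "source_ref": "indicator--a2", "target_ref": "threat-actor--missing", "confidence": 50},
]}


def attributions(bundle):
    """Resolve attributed-to relationships to {indicator_id: actor_name}."""
    by_id = {obj["id"]: obj for obj in bundle["objects"]}
    out = {}
    for obj in bundle["objects"]:
        if obj["type"] == "relationship" and obj.get("relationship_type") == "attributed-to":
            target = by_id.get(obj.get("target_ref"))
            if target and target["type"] == "threat-actor":
                out[obj["source_ref"]] = target.get("name", target["id"])
    return out


def ipv4_blocklist(bundle, min_confidence=30):
    """Sorted (ip, actor_or_None) for IPv4 indicators at/above min_confidence."""
    actors = attributions(bundle)
    rows = []
    for obj in bundle["objects"]:
        if obj["type"] == "indicator" and obj.get("confidence", 0) >= min_confidence:
            match = IPV4_PATTERN.match(obj.get("pattern", ""))
            if match:  # other pattern shapes are skipped, not blocked blindly
                rows.append((match.group(1), actors.get(obj["id"])))
    return sorted(rows)


if __name__ == "__main__":
    for ip, actor in ipv4_blocklist(SAMPLE_BUNDLE):
        print(f"{ip}\t{actor or 'unattributed'}")
```

Patterns that are not a single IPv4 comparison (domains, OR-joined lists) are deliberately dropped rather than parsed loosely, so a blocklist built this way never contains something the pattern did not literally say.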





Why Free?


Because we're not a threat intel company. We're a security operations company that built this infrastructure for ourselves and realized nobody else was publishing it.


Our business is the $77/month security dashboard at security.dugganusa.com. The STIX feed is what happens when you open-source your data pipeline.


Also: we think threat intelligence being locked behind $50K/year paywalls is part of why security is losing. The attackers share freely. Defenders should too.





The Fine Print


  • License: CC0-1.0 (public domain, do whatever you want)

  • Attribution: Appreciated but not required

  • SLA: Best effort (it's free)

  • Rate limits: Don't abuse it

  • Format: STIX 2.1 bundle, JSON




Try It


Right now. Takes 30 seconds.



curl -s "https://analytics.dugganusa.com/api/v1/stix-feed?days=1" | jq '.objects | group_by(.type) | map({type: .[0].type, count: length})'


Then go click that button in your $200K security platform. It finally has something to import.




DugganUSA LLC operates threat intelligence infrastructure from Minnesota at $75/month. We believe in sharing what we learn.


