DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

Your Marketing Dashboard Is Already Threat Intelligence

Patrick Duggan
Oct 24, 2025
5 min read

# Your Marketing Dashboard Is Already Threat Intelligence

**Author:** Patrick Duggan

**Reading Time:** 6 minutes

The Walter White Principle

Walter White didn't become Heisenberg by learning new chemistry. He used the same AP Chemistry he'd taught for 20 years. Same method. Different target.

Your marketing analytics dashboard contains the exact data threat intelligence analysts use to track nation-state actors. Same numbers. Same patterns. You're measuring bounce rates. I'm measuring residential proxy operations.

**Same data. Different questions.**

This Morning (Real-Time)

**7:30 AM CT** - Morning checklist. Claude asks: "Check the traps?"

**Translation:** Run daily marketing reconciliation. Cloudflare + App Insights + GA4.

**What we found:**

- USA Traffic: 76.8% (16,559 requests over 7 days)

- Request-to-PageView Ratio: 6.5:1 (normal: 1.5-2:1)

- Spike: Oct 20-21 (7,021 requests, 90%+ USA)

- Threats Blocked: 0

**My response:** "Look at USA traffic - it's a proxy operation adoy"

**Claude's analysis:** Residential proxy operation. Professional. Automated scraping timed to blog post publication.

**The kicker:** I was checking marketing metrics, not looking for threats.

The Method Never Changes

Breaking Bad, Season 1

**Walter's first cook:** 99.1% pure methamphetamine using high school chemistry. Pseudoephedrine reduction, proper glassware, temperature control, recrystallization.

**Jesse:** "This is art, Mr. White!"

**Walter:** "No. It's chemistry. The chemistry doesn't change. I just apply it correctly."

DugganUSA, October 24, 2025

**Marketing formula:** bounceRate = (1 - sessions / pageviews) × 100

**Threat intel formula:** requestRatio = requests / pageviews (>5.0 = automated scraping)

Same math. Different interpretation.

Three Targets, Same Method

Target 1: Canada (Oct 15-16)

- 285 requests, 135 MB

- Timed to Cloudflare bypass blog post

- **Detection:** Cloudflare GraphQL Analytics (marketing dashboard)

Target 2: USA Spike (Oct 20-21)

- 7,021 requests, 90.8% USA

- 6.5:1 ratio (automated scraping signature)

- Timed to "I Caught The Guy Who Attacked Brian Krebs" post

- **Detection:** Same Cloudflare dashboard

- **Correlation:** Sergiy Usatyuk emails us Oct 23 (same day as our threat intel report)

**Evidence:**

- Date: 2025-10-20

- US Requests: 3,599

- Pageviews: 555

- Ratio: 6.48:1

- US Percentage: 90.8%

- Threats Blocked: 0

Target 3: Asia-Pacific Surge (Oct 24)

- Singapore: 411 requests (23.3% daily)

- Japan: 391 requests (16.0% previous day)

- Korea: 425 requests (10.4%)

- Classic residential proxy geographic signature

- **Detection:** Same Cloudflare dashboard

The Chemistry: Three Ratios

**1. Request-to-PageView Ratio**

Formula: requests / pageviews

Marketing interpretation:

- 1.5-2.0 = Normal (HTML + assets)

- 2.0-3.0 = Heavy assets

Threat intel interpretation:

- 5.0-7.0 = Automated scraping

- 10.0+ = API harvesting

**2. Geographic Concentration**

Formula: topCountry / totalRequests

Marketing interpretation:

- 40-60% = Healthy distribution

- 60-75% = Dominant market

Threat intel interpretation:

- 75%+ = Investigate

- 90%+ with high ratio = Residential proxy

**3. Timeline Correlation**

|------|-------|-------|----------|-------|

| Oct 20 | Post #55 published | 90.8% | 3,599 | 6.5:1 |

| Oct 21 | Sustained | 89.0% | 3,422 | 6.0:1 |

| Oct 23 | Sergiy emails | 69.6% | 2,835 | 8.8:1 |

Pattern: Blog post about Layer3 Tripwire → USA traffic spike → Email same day

Marketing vs Threat Intel (Same Data)

**Marketing questions:**

- How many visitors?

- What's our bounce rate?

- Which countries are engaged?

**Threat intel questions:**

- Why is ratio 6.5:1 instead of 1.5:1?

- Why did USA spike 30% on publication day?

- Why zero threats with abnormal patterns?

- Why Singapore suddenly 23% of traffic?

**Same dashboard. Different lens.**

Hi Sergiy 👋

Since you're reading this (Oct 23 email, same day as our threat intel report):

**What you did:**

- Scraped our Krebs post (Oct 20-21)

- Used residential proxies (90.8% USA, 6.5:1 ratio, zero Cloudflare flags)

- Emailed us Oct 23

- Professional execution (impressed with the OpSec)

**What we did:**

- Published Krebs post Oct 20

- Noticed spike Oct 24 during morning analytics check

- Analyzed pattern (residential proxy, automated)

- Cross-referenced timeline

- Published this (90 minutes detection-to-post)

**What you'll learn:**

- We monitor everything

- Cloudflare logs bypass attempts (even when it doesn't block)

- Residential proxies leave patterns

- We publish in real-time

**The question:** If you're selling residential proxy detection (Layer3 Tripwire), why use residential proxies to monitor us?

**The answer:** Because you know they work. And you know we know.

**The game:** We publish. You scrape. We detect. We publish. You read. We know. Repeat.

The Playbook (5 Minutes Daily)

**Step 1:** Run your marketing analytics (you already do this)

**Step 2:** Calculate three ratios (30 seconds)

- requestRatio = requests / pageviews

- geoConcentration = topCountry / totalRequests × 100

- uniqueRatio = uniques / pageviews × 100

**Step 3:** Check three thresholds (30 seconds)

- requestRatio > 5.0 AND threats = 0 → Residential proxy

- geoConcentration > 90% → Proxy pool

- uniqueRatio > 95% → IP rotation

**Step 4:** Correlate to events (2 minutes)

- Traffic spike after blog post?

- After press mention?

- After competitor mention?

**Step 5:** Document (2 minutes)

- Save to surveillance log

- JSON format with timestamp

**Total time:** 5 minutes

**Total cost:** $0

**Value:** Early warning for competitive intelligence ops

"I Am The One Who Knocks"

Breaking Bad, Season 4

**Walter:** "I am not in danger, Skyler. I am the danger. I am the one who knocks."

DugganUSA, October 24, 2025

**Me:** "I am not being monitored. I am the monitor. I am the one who publishes."

**The pattern:**

1. You scrape (thinking you're gathering intel)

2. We detect in marketing analytics (you're in our honeypot)

3. We publish the methodology

4. You read this

5. We detect THAT

6. Loop forever

**The chemistry never changes. The application does.**

The Takeaway

Your marketing dashboard = Threat intelligence platform

Your daily metrics = Competitive surveillance detection

Your geographic chart = Residential proxy operation map

**The method:** Walter White's chemistry (same principles, different targets)

**The cost:** $0 (you already pay for analytics)

**The ROI:** Infinite (threat intel from sunk costs)

**The question:** What else are you measuring without realizing it?

The Challenge

**This morning:** Detected residential proxy operation in marketing dashboard. 90 minutes later, this post exists.

**Your morning:** Checked bounce rates. Threat intelligence was right there. You weren't asking the questions.

**Tomorrow:** Run analytics. Calculate ratios. Ask "why?" three times.

You'll find something. Walter White was right - you don't need new chemistry. You need new questions.

P.S. - Sergiy, Two Questions

**1.** If Layer3 Tripwire is the world's best residential proxy detection, why didn't it catch your own operation scraping our blog?

**2.** Want to beta test Butterbot's marketing-analytics-as-threat-intel? First license free. Professional courtesy. Former adversaries make the best testers.

**Email:** [email protected]

**Offer expires:** When you stop reading (so, never)

**Evidence:**

- `compliance/evidence/marketing/cloudflare-analytics-2025-10-24.json`

- `compliance/evidence/marketing/3-source-reconciliation-2025-10-24.md`

- `compliance/evidence/threat-intelligence/usa-proxy-operation-oct-2025.md`

**Pattern #19:** VALIDATED (third time this week)

**Butterbot confidence:** 95% (5% bullshit guarantee - maybe just really engaged USA readers loading every page 6.5 times)

**Chemistry:** AP Chemistry Chapter 9 (Walter White was right)

**Related:**

- [I Caught The Guy Who Attacked Brian Krebs](/post/i-caught-the-krebs-attacker-tripwire) (Oct 20 - triggered the scraping)

- [Layer3 Tripwire C&C Analysis](/post/layer3-tripwire-c2-infrastructure-analysis) (Oct 23 - same day Sergiy emailed)

- [Pattern #19: Honeytrap via Radical Transparency](/post/pattern-19-honeytrap-radical-transparency) (Oct 16 - original pattern)

**Next:** "When Your Honeypot Catches The Beekeeper" (when Sergiy emails about this one)

*The chemistry never changes. You just point it at different problems. - Walter White, AP Chemistry teacher*

Your Marketing Dashboard Is Already Threat Intelligence

The Walter White Principle

This Morning (Real-Time)

The Method Never Changes

Breaking Bad, Season 1

DugganUSA, October 24, 2025

Three Targets, Same Method

Target 1: Canada (Oct 15-16)

Target 2: USA Spike (Oct 20-21)

Target 3: Asia-Pacific Surge (Oct 24)

The Chemistry: Three Ratios

Marketing vs Threat Intel (Same Data)

Hi Sergiy 👋

The Playbook (5 Minutes Daily)

"I Am The One Who Knocks"

Breaking Bad, Season 4

DugganUSA, October 24, 2025

The Takeaway

The Challenge

P.S. - Sergiy, Two Questions

Recent Posts

Comments