DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

Your SIEM. Our Intelligence. Zero Friction.

Patrick Duggan
Dec 1, 2025
4 min read

Free Threat Hunting + Detection Rules for Splunk, Sentinel, QRadar, and Any SIEM

December 1, 2025

We've been asked a lot recently: "How do we integrate your threat intelligence into our existing security stack?"

The answer: You already can. Right now. For free.

What We Offer

1. Free STIX 2.1 Feed

Endpoint: `https://analytics.dugganusa.com/api/v1/stix-feed`

1,342+ IOCs. Updated hourly. TAXII-compatible. Machine-readable. Zero authentication required.

• Malicious IPs (with abuse scores, country, ISP)

• C2 infrastructure (mapped to hosting providers)

• Threat actor profiles (with MITRE ATT&CK mappings)

• Attack patterns (with kill chain phases)

• Malware indicators (hashes, URLs, domains)

• STIX 2.1 JSON (default)

• CSV (`?format=csv`)

• Simple JSON (`?format=simple`)

2. Copy-Paste Detection Rules

We don't just give you IOCs. We give you the detection logic - ready to paste into your SIEM.

• Sigma YAML (Universal - converts to anything)

• Splunk SPL (Search Processing Language)

• KQL (Azure Sentinel / Microsoft Defender)

• YARA (File/memory scanning)

• Snort/Suricata (Network IDS)

API Endpoint: `GET /api/v1/detection-rules`

3. Threat Hunt Queries

• Credential stuffing detection

• C2 beacon patterns

• Data exfiltration indicators

• Lateral movement signatures

• Ransomware precursors

API Endpoint: `GET /api/v1/threat-hunt-queries`

Platform Integrations

Microsoft Azure Sentinel

kql
// Import DugganUSA threat intel into Sentinel
let ThreatIntel = externaldata(ip:string, abuse_score:int, total_reports:int, country:string)
[@"https://analytics.dugganusa.com/api/v1/stix-feed?format=simple"]
with (format="multijson");

CommonSecurityLog | where TimeGenerated > ago(24h) | join kind=inner ( ThreatIntel | where abuse_score > 15 ) on $left.SourceIP == $right.ip | project TimeGenerated, SourceIP, country, abuse_score, DeviceAction ```

Setup Time: 5 minutes

Splunk

spl
| inputlookup dugganusa_threat_intel.csv
| join src_ip [search index=firewall earliest=-24h]
| where abuse_score > 15 AND total_reports > 10
| stats count by src_ip, abuse_score, country
| sort -abuse_score

Integration Options: 1. Scheduled search to pull STIX feed 2. Lookup table with daily refresh 3. Splunk SOAR playbook integration

IBM QRadar

aql
SELECT sourceip, destinationip, category
FROM events
WHERE INOFFENSE(sourceip)
AND sourceip IN (
  SELECT ip FROM reference_table('dugganusa_malicious_ips')
)
LAST 24 HOURS

Setup: Import reference set from CSV endpoint

Palo Alto Cortex XSOAR

yaml
# Integration Configuration
name: DugganUSA Threat Intel
type: Feed
feed_url: https://analytics.dugganusa.com/api/v1/stix-feed
feed_format: STIX 2.1
refresh_interval: 3600

CrowdStrike Falcon

Use our STIX feed with Falcon's custom IOC import: 1. Export CSV from our endpoint 2. Import via Falcon IOC Management 3. Set expiration policy (we recommend 30 days)

Elastic Security

{
  "name": "DugganUSA Threat Intel",
  "type": "threat_intel_filebeat",
  "url": "https://analytics.dugganusa.com/api/v1/stix-feed?format=elastic",
  "schedule": "0 */1 * * *"
}

MITRE ATT&CK Coverage

Our detection rules map to 47 MITRE ATT&CK techniques across 10 tactics:

| Tactic | Techniques Covered | |--------|-------------------| | Initial Access | T1190, T1566, T1195, T1078 | | Execution | T1059, T1204 | | Persistence | T1136, T1053 | | Privilege Escalation | T1548, T1068 | | Defense Evasion | T1090, T1036, T1027 | | Credential Access | T1110, T1003, T1555, T1539 | | Discovery | T1046, T1087, T1082 | | Lateral Movement | T1021, T1563 | | Command & Control | T1071, T1573, T1095 | | Exfiltration | T1041, T1567 |

API Endpoint: `GET /api/v1/mitre/coverage`

Sample Detection Rule (Sigma)

yaml
title: High-Confidence Malicious IP Detection
id: dugganusa-001-high-abuse-score
status: production
description: Detects IPs with abuse score >15 AND multiple reports
author: DugganUSA LLC
date: 2025-11-19
references:
    - https://www.dugganusa.com/detection-rules
tags:
    - attack.command_and_control
    - attack.t1071
logsource:
    category: network_traffic
detection:
    selection:
        abuse_score: '>15'
        total_reports: '>10'
    condition: selection
fields:
    - src_ip
    - abuse_score
    - total_reports
    - country
falsepositives:
    - Residential IPs with dynamic assignments
    - Legitimate security scanners
level: high

False Positive Rate: 5.96% (measured, not estimated)

Why Free?

> "Most vendors charge $50K-$500K/year for threat intelligence feeds. We charge $0."

Our Philosophy: 1. Threat intelligence should be democratized 2. Enterprise-grade security shouldn't require enterprise budgets 3. The more organizations blocking bad actors, the safer everyone becomes

• Free tier: STIX feed, detection rules, threat hunt queries

• Paid tier ($49/month): Custom integrations, priority support, sector-specific intel

Quick Start

Option 1: Direct API Access

# Get STIX feed
curl https://analytics.dugganusa.com/api/v1/stix-feed

Option 2: Subscribe on OTX

• Profile: [otx.alienvault.com/user/pduggusa](https://otx.alienvault.com/user/pduggusa)

• 28 Pulses with 1,342+ indicators

• Automatic sync to any OTX-compatible tool

Option 3: Manual Dashboard

• Live threat map

• Threat actor profiles

• IOC export (CSV, STIX, JSON)

• Detection rule browser

Contact Us

Ready to integrate? We offer free 30-minute integration calls.

Email: [email protected]

What We'll Cover: 1. Your current security stack (SIEM, EDR, Firewall) 2. Integration options (API, scheduled pull, webhook) 3. Custom detection rules for your sector 4. Ongoing threat intel requirements

Response Time: Same business day

Who Uses This?

• Healthcare organizations (HIPAA-compliant threat intel)

• Financial services (SOX/PCI-DSS relevant IOCs)

• Education (K-12 and Higher Ed specific threats)

• Government (CISA-aligned reporting)

• Startups (enterprise security at startup prices)

What's in the Pipeline

• Real-time webhook notifications for high-severity IOCs

• Sector-specific feeds (Healthcare, Finance, Education)

• TAXII 2.1 server for automated STIX consumption

• Detection-as-Code repository (GitHub Actions integration)

Your security stack is already built. Our intelligence makes it smarter.

Free STIX Feed: analytics.dugganusa.com/api/v1/stix-feed

OTX Profile: otx.alienvault.com/user/pduggusa

Contact: [email protected]

*"We give away the IOCs. We sell the peace of mind."*

Get Free IOCs

Subscribe to our threat intelligence feeds for free, machine-readable IOCs:

AlienVault OTX: https://otx.alienvault.com/user/pduggusa

STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed

Questions? [email protected]