Your Threat Feed Is Missing the "Who": We Fixed That
- Patrick Duggan
- Jan 22
- 2 min read
The Attribution Problem
We audited our own feed yesterday. 85,000 IOCs. Zero attribution.
The indicators were solid - multi-source correlation, confidence scoring, MITRE ATT&CK mapping. But they stopped at geography. A Chinese IP was just "Chinese IP," not "possibly Comment Crew infrastructure."
That's the same gap every free feed has. And most paid ones.
What We Ship Now
Today's release adds nation-state attribution to every indicator:
{
  "type": "relationship",
  "relationship_type": "possibly-attributed-to",
  "source_ref": "indicator--abc123",
  "target_ref": "threat-actor--lazarus-group"
}
One IOC. Multiple possible threat actors. Proper STIX 2.1 graph relationships.
79 Chinese APTs (every Panda, every Typhoon)
42 Russian APTs (Bears, Sandworm, Turla)
12 North Korean APTs (Lazarus, Kimsuky)
18 Iranian APTs (Charming Kitten, MuddyWater)
Major ransomware groups (ALPHV, Qilin, LockBit affiliates)
Why "Possibly Attributed"
We use possibly-attributed-to instead of attributed-to because we're matching by country and TTP patterns, not confirmed infrastructure ownership.
A Russian IP using known APT28 malware patterns gets linked to APT28. But we're not claiming we traced the keyboard. Honest attribution beats false confidence.
Your analysts can escalate based on the association. They can also dismiss it if context says otherwise. That's how attribution should work.
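To show how a consumer can walk these relationships and keep the "possibly" wording intact, here is an added example (not code from the DugganUSA feed or its docs). It parses a constructed STIX 2.1 bundle in the shape described above; the object ids, actor names and the `indicates` edge are placeholders, and only the standard library is used:

```python
import json

# Constructed sample in the feed's shape (placeholder ids, not real feed output).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--abc123", "spec_version": "2.1",
         "pattern": "[ipv4-addr:value = '203.0.113.7']", "pattern_type": "stix",
         "confidence": 70},
        {"type": "threat-actor", "id": "threat-actor--apt1", "spec_version": "2.1",
         "name": "APT1", "aliases": ["Comment Crew"]},
        {"type": "threat-actor", "id": "threat-actor--apt28", "spec_version": "2.1",
         "name": "APT28"},
        {"type": "relationship", "id": "relationship--r1", "spec_version": "2.1",
         "relationship_type": "possibly-attributed-to",
         "source_ref": "indicator--abc123", "target_ref": "threat-actor--apt1"},
        {"type": "relationship", "id": "relationship--r2", "spec_version": "2.1",
         "relationship_type": "possibly-attributed-to",
         "source_ref": "indicator--abc123", "target_ref": "threat-actor--apt28"},
        # An unrelated edge type, to show it is ignored by the attribution walk.
        {"type": "relationship", "id": "relationship--r3", "spec_version": "2.1",
         "relationship_type": "indicates",
         "source_ref": "indicator--abc123", "target_ref": "malware--placeholder"},
    ],
})

def attributions(bundle_json, rel_types=("possibly-attributed-to", "attributed-to")):
    """Map each indicator id to (relationship_type, actor name) pairs it is linked to."""
    bundle = json.loads(bundle_json)
    objs = {o["id"]: o for o in bundle["objects"]}
    result = {}
    for o in bundle["objects"]:
        if o["type"] != "relationship" or o["relationship_type"] not in rel_types:
            continue
        src, tgt = objs.get(o["source_ref"]), objs.get(o["target_ref"])
        if not src or src["type"] != "indicator" or not tgt or tgt["type"] != "threat-actor":
            continue  # dangling ref or non-actor target: skip rather than guess
        result.setdefault(src["id"], []).append((o["relationship_type"], tgt["name"]))
    return result

def triage_note(bundle_json, indicator_id):
    """Analyst-facing line; keeps 'possibly' so the feed's confidence is not overstated."""
    links = attributions(bundle_json).get(indicator_id, [])
    if not links:
        return "no actor attribution"
    parts = [("possibly " if r.startswith("possibly") else "") + name for r, name in links]
    return "linked to " + ", ".join(parts) + "; escalate for review"
```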
The Economics
Recorded Future: $100K+/year for threat actor attribution
Mandiant Advantage: $50K+/year
CrowdStrike Falcon Intelligence: Enterprise pricing
DugganUSA STIX Feed: Free. Forever.
Same STIX 2.1 format. Same relationship graphs. Same actor database (sourced from AlienVault OTX, updated daily).
We're not competing with those vendors on analyst services. We're democratizing the data layer.
Integration
The feed works with any STIX 2.1 consumer:
OpenCTI: Import directly as external feed
MISP: STIX import module
Splunk SOAR: Native STIX support
Microsoft Sentinel: Threat Intelligence blade
Your custom tooling: It's just JSON
# Full feed with attribution
curl "https://analytics.dugganusa.com/api/v1/stix-feed?days=30"
What You Get
Every IOC in our feed now includes:
The indicator itself - IP, domain, hash with pattern matching
Confidence score - Multi-source correlation (AbuseIPDB, VirusTotal, ThreatFox, OTX)
MITRE ATT&CK mapping - Technique and tactic classification
Threat actor attribution - Nation-state APT linkage where applicable
Graph relationships - STIX 2.1 compliant for automated processing
The feed updates in real-time from production security operations. Not curated quarterly. Not delayed for review. Live from the honeypots.
The Bottom Line
Your threat intelligence shouldn't stop at "malicious IP from China."
It should continue to "possibly APT1 infrastructure, matches historical Comment Crew patterns, recommend elevated monitoring for lateral movement indicators."
That's what attribution enables. That's what we ship now.
Feed URL: https://analytics.dugganusa.com/api/v1/stix-feed
Documentation: https://analytics.dugganusa.com/docs/stix-feed
DugganUSA provides free threat intelligence because security shouldn't be a luxury. The STIX feed is CC0 licensed - use it however you want, no attribution required.
Her name is Renee Nicole Good.