Watch what attackers do when they think no one is looking.
Real attackers hit our honeypot sensors around the clock. We record every keystroke, classify every technique against MITRE ATT&CK, and let you watch the replay.
- Attacks captured
- 32K
- Unique attackers
- 21K
- Countries
- 146
- Active sensors
- 3
Raw attacker behavior, classified and enriched.
Full command streams
Every keystroke, timed and replayed. Reconnaissance through persistence.
LLMjacking & MCP exploitation
Autonomous agents probing Ollama, OpenAI, and MCP endpoints. Tool abuse, prompt injection, model enumeration.
HTTP reconnaissance
Web fuzzing, API abuse, credential-file hunting. Full request detail, captured as access logs.
A pipeline, not a dashboard.
Capture
Sensors across four continents, multiple protocols, every connection logged with passive fingerprints and microsecond timing.
Classify
Mapped against MITRE ATT&CK. Scored for automation and novelty. Agents detected separately.
Enrich
Cross-referenced with AbuseIPDB, GreyNoise, VirusTotal, Shodan. Malicious IPs reported back.
Research integrity,
not threat theater.
- Evidence over speculation.
- Backed by captured data. No threat theater.
- Passive collection only.
- No payloads, no active scanning. The sensors wait.
- No false attribution.
- Geography reported, never blamed. Origin is not attribution.
- Safety first.
- Credentials, working exploits, and infrastructure — all redacted.
See what attackers do when they think no one is looking.
Passive collection only · No exploit payloads