Live signal lab
A public, simplified Kibana-style view of NadSec honeypots. Per-sensor attack telemetry, monthly AI-written reports, IOC feeds, and downloadable STIX logs, ready to drop into your workflows.
Stack status
Cisco ASA, SSH, ADB, Redis, Elastic - expanding as new traps go live.
Distribution
OTX pulses
Public STIX exports
Reporting brain
Robert AI
Monthly narratives
Signals we surface
Every indicator is enriched with GeoIP, ASN, threat scores, MITRE ATT&CK mappings, and AbuseIPDB data. Drop straight into your SIEM.
Real payloads and botnet binaries from high-interaction traps. SHA256 hashes ready for VirusTotal lookups or sandbox analysis.
Robert AI clusters infrastructure, spots campaign reuse, and writes monthly threat briefs that humans actually want to read.
Real-time intel
How this works
Data from T-Pot honeypots on Linode Sydney
Real-time attacks hitting our Sydney honeypots.
Adversary mapping
We map every honeypot hit to the MITRE ATT&CK framework - the global knowledge base of adversary tactics and techniques. See which TTPs attackers are using against our infrastructure in real time.
Reconnaissance
Active scanning, vulnerability probing
T1190
Exploit Public-Facing Application
9 Tactics
Mapped from honeypot types & ports
27+ TTPs
Automatically identified from traffic
What is MITRE ATT&CK? It's a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. We use it to translate raw honeypot hits into actionable threat intelligence - helping you understand not just what hit your network, but how attackers operate.
Original research
Deep-dive exploit analysis and reverse engineering by NadSec.
How I reverse-engineered 28 JavaScript modules recovered from b27.icu - a watering-hole serving a Safari exploit chain targeting iOS 16-17.2.
Deep-dive static reverse engineering of 16 recovered modules. Full XOR decryption, ARM64 gadget scanner, and YARA/Snort rules.
Quick pulse
Combined from 7 sensors: Suricata (Feb 2026), Redishoneypot (Feb 2026), Adbhoney (Feb 2026), Dionaea (Feb 2026), Ciscoasa (Feb 2026), SSH (Feb 2026), Tpotsyd (Jan 2026).
Unique IPs
0
Source IPs across all sensors.
SHA-256 hashes
0
File samples trapped by honeypots.
Indicator objects
0
STIX indicator objects published.
Avg signal score
0
Heuristic strength across sensors.
Sensors
Each sensor gets its own dashboard, STIX download, and monthly AI brief. Graphs will land alongside IOC feeds.
ADB trap on TCP/5555 with monthly reports and STIX download.
VPN auth spray attempts, geo heat, and exploit strings.
Brute-force telemetry, creds, and repeat-offender tracking.
Network IDS hits with IOC exports and brief summaries.
Multi-protocol trap (SMB, HTTP, FTP) capturing malware samples.
Comprehensive multi-honeypot platform running in Sydney.
Redis protocol trap on TCP/6379 catching database attackers.
Roadmap
Pro accounts, more honeypots, and AI-powered automation.
Coming soon
API: STIX/TAXII 2.1 integration so your SIEM, SOAR, or TIP can pull indicators automatically.
Coming soon
Viz: Live geo heatmaps showing attacker origins, infrastructure clusters, and campaign spread.
Coming soon
AI: Build Kibana-style views with natural language prompts. Ask questions, get panels.
Coming soon
AI: Query IOCs, enrich indicators, and generate reports using custom-tuned models and cutting-edge AI.
Pro accounts will unlock expanded honeypot access, higher API limits, priority AI models, and SOC automation via TAXII. Stay tuned.
How it works
T-Pot CE honeypots sit on noisy ports, vacuuming malicious sessions and payloads on purpose.
Events are enriched and pushed into AlienVault OTX as rolling pulses with STIX 2.1 exports.
Robert AI ingests the pulses and writes human-friendly monthly reports for each honeypot.
Dashboards like ADBHoney render metrics, reports, and indicator tables for anyone to consume.
This is a research playground. Everything shown is derived from honeypot traffic only - no production user data, no private traffic, no exceptions. Telemetry refreshes monthly with each report drop. Share the links, clone the STIX, or ignore it entirely - your call.
Need help responding to a security incident or implementing these indicators in your environment? Our sister company NadTech Support provides professional IT support and security assistance.