Watch what reaches our sensors when no one is looking.
Live adversary activity reaches our sensors around the clock. We record every keystroke, map techniques to MITRE ATT&CK where they fit, and let you watch the replay.
- Events observed: …
- Unique sources: …
- Countries: …
- Active sensors: …
Raw adversary behavior, classified and enriched.
Full command streams
Every keystroke, timed and replayed. Reconnaissance through persistence.
LLMjacking & MCP exploitation
Autonomous agents probing Ollama, OpenAI, and MCP endpoints. Tool abuse, prompt injection, model enumeration.
HTTP reconnaissance
Web fuzzing, API abuse, credential-file hunting. Full request detail, recorded as access logs.
A pipeline, not a dashboard.
Capture
Sensors across four continents, multiple protocols, every connection logged with passive fingerprints and microsecond timing.
Classify
Mapped against MITRE ATT&CK. Scored for automation and novelty. Agents detected separately.
Enrich
Cross-referenced with AbuseIPDB, GreyNoise, VirusTotal, Shodan. Malicious IPs reported back.
Research integrity, earned line by line.
- Evidence over speculation. Every finding rests on direct session-level evidence. Conclusions stay inside the data.
- Confidence-graded. Every judgment is rated high, medium, or low, and the rating is stated.
- Passive collection only. No active scanning, no exploit delivery, no rDNS from sensors.
- No false attribution. Geography is reported, never blamed. Origin is not attribution.
- Safety first. Credentials, working exploits, and infrastructure are all redacted before publication.
See what reaches our sensors when no one is looking.
Passive collection only · No exploit payloads