Methodology & Architecture

honeypot.observer is a distributed honeypot network that captures real attacker behavior across multiple continents. Every claim on this site traces back to raw session data. Here's how it works.

// METHODOLOGY

Passive collection only

We observe attacker intent, never execution. No exploit payloads are sent. No active scanning is performed. Decoy services respond to connections, record behavior, and let attackers reveal their techniques organically.

Sensors run Beelzebub, an open-source honeypot framework. SSH services use LLM-generated responses (GPT-4.1 mini) to keep attackers engaged: they think they're on a real server, run more commands, and we capture everything. HTTP services emulate AI infrastructure (Ollama, OpenAI, MCP gateways) to attract emerging attack patterns.

// PIPELINE

TRAP: Beelzebub (honeypot sensors)
  ↓
COLLECT: Go exporter (parse + classify)
  ↓
ENRICH: Python + APIs (6 intel sources)
  ↓
STORE: PostgreSQL (live + archive)
  ↓
ANALYZE: Intelligence (daily analysis)
  ↓
PUBLISH: Next.js (this site)

A custom Go exporter processes raw events in real time, parsing authentication attempts, commands, HTTP requests, and payloads into structured sessions. Each session is mapped to MITRE ATT&CK techniques, assigned an intent label, and checked against known campaign fingerprints. An automated intelligence pipeline (Python + LLM agents) runs daily analysis, produces threat briefs, writes detection rules, and tracks campaigns.
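The session-building and ATT&CK-mapping step described above, as an added Go example (not the honeypot.observer exporter's code): it folds constructed events into per-session records, tags each with the techniques its commands matched, and derives a coarse intent label. The Event schema, the command-pattern rules and the intent labels are assumptions for illustration; the site's real mapping is not published here.

```go
package main

import "regexp"
import "sort"

// Event is one captured honeypot interaction; the field set is constructed for this example, not Beelzebub's real schema.
type Event struct{ SessionID, SrcIP, Command string }
// Session is the structured per-connection record the exporter emits.
type Session struct {
	ID, SrcIP, Intent string
	Techniques        []string // deduplicated, sorted MITRE ATT&CK IDs
}

// Hypothetical command-to-technique rules; the site's real mapping is not published.
var rules = map[string]*regexp.Regexp{
	"T1082": regexp.MustCompile(`^(uname|nproc|lscpu)\b`),          // System Information Discovery
	"T1087": regexp.MustCompile(`^(id|whoami|cat /etc/passwd)\b`), // Account Discovery
	"T1105": regexp.MustCompile(`\b(wget|curl)\b`),                // Ingress Tool Transfer
	"T1070": regexp.MustCompile(`history -c|unset HISTFILE`),      // Indicator Removal
}

var deployment = map[string]bool{"T1105": true, "T1070": true} // more than just looking around
// Classify folds raw events into sessions, tags techniques, and labels intent as unclassified, reconnaissance or deployment.
func Classify(events []Event) map[string]*Session {
	sessions := map[string]*Session{}
	seen := map[string]map[string]bool{} // session ID -> matched technique set
	for _, ev := range events {
		if _, ok := sessions[ev.SessionID]; !ok {
			sessions[ev.SessionID] = &Session{ID: ev.SessionID, SrcIP: ev.SrcIP, Intent: "unclassified"}
			seen[ev.SessionID] = map[string]bool{}
		}
		for tech, re := range rules {
			if re.MatchString(ev.Command) {
				seen[ev.SessionID][tech] = true
			}
		}
	}
	for id, s := range sessions {
		for tech := range seen[id] {
			s.Techniques = append(s.Techniques, tech)
			if deployment[tech] {
				s.Intent = "deployment"
			} else if s.Intent == "unclassified" {
				s.Intent = "reconnaissance"
			}
		}
		sort.Strings(s.Techniques) // map iteration is unordered; make the record stable
	}
	return sessions
}
```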

// DATA ETHICS

No legitimate user data

Every IP shown on this site connected to a decoy server uninvited. No real users, no real services, no bystander data. These are honeypots: nothing behind the facade is real.

Malicious IPs are automatically reported to AbuseIPDB with evidence from the session. We contribute back to the community that helps protect the rest of the internet.
