Research notes from the edge.
Threat analysis, technical deep-dives, and field observations from the honeypot sensors. Confidence-graded, attribution-disciplined, every claim earned.
Groundwork
Concrete moves, and the thinking behind each, that turn a default honeypot into one that catches something worth seeing.
- 06 Threat Research (10 min)
All Roads Lead to Bedrock: An LLMjacking Watched From Inside the Bait
We hid one canary AWS key inside a convincing LiteLLM decoy and waited. Four operators on two continents found it, proved it worked, and aimed it at Amazon Bedrock, the fastest just three minutes after the key surfaced.
- 05 Field Notes (4 min)
The MCP Kill Chain Wasn't Isolated
In May we reconstructed one deep agentic walk through our MCP deception and called it isolated. Five weeks later a client on a different continent ran the same playbook. Here is the full session.
- 04 Threat Research (12 min)
We Became the Brain
On May 22, an autonomous coding agent working on a trading bot asked its model what to do next. The request reached our honeypot instead. For that one turn, we were the agent's brain, and whatever we returned would become its next action. Here's why that's a risk most teams can't defend against yet, shown on the agents people actually run.
- 03 Threat Research (9 min)
Anatomy of an MCP Kill Chain: 22 Minutes, 30 Tool Calls
Twenty-two minutes. Thirty tool calls. One Google Cloud IP walked the full kill chain of our MCP deception, pulling values across responses and combining them into a single privilege-escalation request. The shape looks agentic, not scripted.
- 02 Field Notes (7 min)
Forty Minutes With AIRecon
An operator in Maharashtra pointed an autonomous AI pentest agent at a life insurer's wildcard domain and ran it against our Ollama honeypot. It retried the same request twelve times over forty minutes, got no inference back, and gave up. AIRecon has no fallback for a model that stays silent.
- 01 Field Notes (7 min)
Your System Prompt Is Not a Secret
We watched an automated client extract our honeypot's full system prompt, including the credentials it was explicitly told to hide, in eighty-seven seconds, running eight techniques in sequence. Seven of the eight worked. Production teams treat the system prompt as a secret, but anyone who can send the model a message can reach it.