Security research, threat intelligence insights, and product updates.
Our MongoDB honeypot captured a complete ransomware operation: three simultaneous connections from the same IP, systematic database enumeration, full data exfiltration, three dropDatabase commands, and a ransom note inserted into READ_ME_TO_RECOVER_YOUR_DATA. Total time on target: 711 milliseconds.
Our HTTP honeypot captured a self-replicating exploit chain in the wild: 46 requests in 16 seconds, six different vulnerability families, and a payload designed to turn every compromised server into a new scanner. CGI shell injection, CVE-2024-4577, PHPUnit eval-stdin across 37 path variations, ThinkPHP RCE, pearcmd file inclusion, and a Docker API probe. Each exploit carries an MD5 verification canary. Each successful infection spawns a copy of itself. This is not a tool. It is a contagion.
Our honeypot network captured an SSH attacker methodically appraising what it believed was a high-value GPU workstation. 55 commands in 100 seconds: hardware benchmarks, credential harvesting, and a paranoid honeypot detection sweep across six frameworks. It checked for Cowrie, Kippo, Dionaea, and more. Every check came back clean. The machine doesn't exist.