Active sensor · updated daily
Passive OT/ICS honeypot · aggregated data

What is the internet looking for right now?

Anonymised statistics from a passive system emulating industrial control systems, network cameras, VPN portals and DevOps services.

Online since: 2025-08-01   ·   Last aggregated: 2026-05-17   ·   Source: passive HTTP sensor
35 998
requests since launch
Unique IP addresses 4 578
Active endpoints 2 657
Login attempts 545
0
This hour
162
Today
0
Logins today
0
Port scan creds
01

Key metrics

Total requests
35 998
+2 178 last 7 days
Unique IP addresses
4 578
+438 last 7 days
Emulated services
2 657
 active endpoints
Login attempts
545
+0 last 7 days
High-signal events
112
Sophisticated targeted attacks
Sanitised events
852
XSS, SQLi and path traversal attempts
AI agent probes
13
MCP endpoints probed last 7 days

Excl. own IP addresses and known scanning systems.

02

Activity & geographic distribution

Daily activity · last 28 days (heatmap, lower to higher activity)
Hourly activity · last 7 days (heatmap by hour, UTC, lower to higher activity)
Geographic distribution · top 8
US USA
8 959
SE Sweden
7 368
NL Netherlands
3 491
DE Germany
2 477
GB United Kingdom
2 048
FR France
1 995
CN China
939
IN India
611
03

Categories & endpoints

Targeted system probes — breakdown by system category
Municipal document portal
500 1.4%
SCADA & control systems
191 0.5%
Fibre network & transmission
154 0.4%
VPN portal
102 0.3%
Building management systems (BMS)
93 0.3%
OT time-series API
77 0.2%
Surveillance cameras
71 0.2%
Access control systems
34 0.1%
Network monitoring
23 0.1%
Water/wastewater & district heating SCADA
18 0.1%
Civil preparedness plans
12 0%
Municipal document portal
3 0%
intrusion_alarm
2 0%
Backup power & generators
1 0%
Related CVEs — known vulnerabilities in exposed system types
10.0 CVE-2019-7256 RCE (CVSS 10) — Linear eMerge E3 access control system
10.0 CVE-2023-20198 Auth bypass (CVSS 10) — Cisco IOS XE web interface
9.9 CVE-2023-44373 RCE — Siemens RUGGEDCOM APE1808
9.8 CVE-2024-9003 Auth bypass — Schneider Electric Easergy P5 BMS
9.8 CVE-2021-36260 Command injection — Hikvision IP cameras
9.8 CVE-2023-27350 Auth bypass & RCE — PaperCut (water and wastewater utilities)
Protocol scanning — breakdown by system category
Protocol scanning
13 579 37.7%
Related CVEs — known vulnerabilities in exposed system types
7.5 CVE-2023-27321 DoS — OPC UA Foundation SDK via crafted message
7.4 CVE-2022-44725 Memory corruption — OPC UA SDK (Unified Automation)
Generic mass scanning — breakdown by system category
Generic web scanning
19 210 53.4%
Credential theft
812 2.3%
DevOps & API probing
639 1.8%
none
266 0.7%
unknown
173 0.5%
Directory traversal
23 0.1%
ai_agent
13 0%
civil_readiness
1 0%
ups
1 0%
Related CVEs — known vulnerabilities in exposed system types
10.0 CVE-2024-3400 RCE (CVSS 10) — Palo Alto PAN-OS GlobalProtect
8.1 CVE-2024-6387 RCE — OpenSSH regreSSHion
Most requested endpoints
ssdp
6 385
ssh_banner
5 278
root_probe
5 172
favicon_ico
1 252
robots_txt
402
raw_file_env
400
sitemap_xml
348
raw_file_git_config
296
telnet
285
hikvision_sdk
252
04

Recent activity

Time UTC Country Endpoint Category Method
2 h ago US root_probe generic_scan GET
2 h ago BG actuator_gateway_routes generic_scan GET
2 h ago SG root_probe generic_scan GET
2 h ago NL cgi_bin_luci_stok_locale generic_scan GET
3 h ago US fchksbg2t17ghj generic_scan GET
3 h ago US favicon_ico generic_scan GET
3 h ago US favicon_ico generic_scan GET
3 h ago US wiki generic_scan GET
05

Method · User-agent · Response code

HTTP method
GET
18 654
CONNECT
13 579
POST
2 622
HEAD
460
OPTIONS
46
PUT
3
TRACE
2
KEAN
1
SUQF
1
VUEA
1
UGNB
1
DSLW
1
IRSZ
1
Top User-Agents
browser
13 498
curl
2 833
security_scanner
1 765
l9explore/1.2.2
1 400
no_agent
885
go_http
760
HTTP response code
200 OK
22 326
0
13 579
404 Not Found
93
06

Credential attempts · login attempts per system and username

Most attempted usernames
root
117
admin
81
ZAP (scanner)
53
Poot
36
user
17
Pdmin
11
operator (OT)
11
test
7
default
6
guest
5
administrator
5
vstarcam2015
4
Login attempts per honeypot service
Access control systems
102
Fibre network & network…
52
Process SCADA (Siemen…
50
VPN gateway (Ivanti)
14
Unclassified
12
Operations portal
11
IP cameras (Hikvision…
6
Building automation …
5
Security access
4
Civil preparedness portal
1
07

Attacker patterns · recurring actors and multi-endpoint attempts

4 749
Unique external IPs
20
Recurring actors · >1 visit
20
Targeted actors · 2+ distinct endpoints
# Requests Endpoint groups Service types OT focus
1 280 5 4 OT-targeted
2 170 4 4 OT-targeted
3 40 4 4 OT-targeted
4 1 727 3 3 OT-targeted
5 1 425 3 3 OT-targeted
6 1 182 3 3 OT-targeted
7 990 3 3 OT-targeted
8 641 3 3 OT-targeted
9 611 3 3 OT-targeted
10 549 3 3 OT-targeted
11 288 3 3 OT-targeted
12 273 3 3 OT-targeted
08

Time to first probe · how quickly each service was discovered

Time to first probe · per exposed service since 2026-03-08
VPN gateway (Ivanti) +18h 5min
Access control systems +18h 47min
DevOps / CI-API +1 day
Credential theft +1 day
Fibre network & network hardware +4 days
Security access +5 days
ai_agent +69 days

Time after ports were opened until the first external request was recorded per service type

Want to know more?
Detailed analysis — attacker profiles, ISP data, credential trends — available on request for security researchers and industry peers.
09

Geographic timeline · daily activity by origin country · last 7 days

Date DE (Germany) NL (Netherlands) US (USA) AD (AD) SG (Singapore) BE (Belgium) Total
2026-05-19 64 26 37 3 6 5 162
2026-05-18 215 77 80 9 5 3 432
2026-05-17 59 34 47 9 6 8 186
2026-05-16 156 101 43 3 2 1 340
2026-05-15 193 64 53 4 6 2 357
2026-05-14 5 91 72 8 2 9 207
2026-05-13 120 28 61 6 8 1 244
2026-05-12 138 8 25 2 5 · 185

External traffic only. Dark cell = high activity from the country. Own IP addresses excluded.

10

Protocol scanning

OT protocols ranked by hit count
# Protocol Total Share Today Distribution
1 SSDP/UPnP :1900 6 385 47%
2 SSH Banner :2222 5 278 38.9%
3 Telnet :23 285 2.1%
4 Hikvision SDK :8000 252 1.9%
5 OPC-UA :4840 141 1%
6 Siemens S7comm :10102 138 1%
7 Niagara Fox :1911 135 1%
8 DNP3 :20000 112 0.8%
9 Modbus TCP :15502 105 0.8%
10 EtherNet/IP :44818 101 0.7%
11 iec104 91 0.7%
12 SIP :5060 90 0.7%
13 Dahua TCP :37777 86 0.6%
14 SNMP :161 78 0.6%
15 RTSP :554 76 0.6%
16 MQTT :1883 74 0.5%
17 GE SRTP :18245 58 0.4%
18 MELSEC SLMP :5007 52 0.4%
19 bacnet 41 0.3%
20 FTP :21 1 0%

All hits since launch. "Today" = requests on the current UTC day. Own IP addresses excluded.

11

Attack types explained

What is actually happening
Credential stuffing
0 unique IPs / 7 d

Automated Telnet connections systematically trying credentials from leaked databases. The goal is to take over routers and IoT devices to expand botnets.

CVE-targeted scanning
0 distinct protocols

Requests matching known CVE signatures — the attacker is looking for a specific vulnerability in industrial control systems, cameras or network equipment.

Disguised traffic
0 requests

OT protocol requests with browser user-agent (Mozilla/Chrome/Safari). The intent is to evade signature-based detection systems that filter out obvious scanner identities.

Counts refer to observations in honeypot data. Figures reflect attacker patterns, not actual breaches.

12

Trends

Requests per day over the last 30 and 90 days
Last 30 days
Last 90 days
13

Quarterly trends

Key KPIs per quarter — escalation over time
Quarter Requests Unique IPs High-signal Credential attempts Residential IPs
2026-Q1 18 256 2 551 112 470
127 fiber_targeted — requests specifically targeting fibre network infrastructure and transmission equipment

Quarters with zero requests are excluded. Δ = change vs. previous quarter in the table.

14

Attack depth · resource targets, behaviour signatures and origin

What attackers are looking for
33 042
Protocol (TCP/UDP raw)
1 328
Login pages
883
Document files
630
API endpoints
92
Unknown
23
Directory structures
Behaviour signatures
13 792
Path enumeration
10 023
Human-like browsing
6 345
Automated scanning
5 487
Vulnerability scanning
4 645
Configuration probe
2 337
Mass scanning
1 309
API probing
885
No User-Agent
379
OT-targeted
287
known_scanner
286
Credential attempt
262
Backup probe
Attacker network operators
2 249
Digitalocean, LLC
1 908
Secure Internet LLC uk
1 489
FBW NETWORKS SAS
1 400
Censys, Inc.
Security researcher
929
TECHOFF SRV LIMITED
882
Feo Prest SRL
830
Pfcloud UG
585
Google LLC
569
ONYPHE SAS
Threat intelligence scanner
469
Linode

No IP addresses shown. ASN data via passive geo-enrichment.

15

AI agent scanning · MCP protocol probing and known actors

MCP (Model Context Protocol) — AI agent protocol, probed since May 2026
Total (all time)
13
Last 7 days
13
Known protocols
JSON-RPC 2.0
MCP/2024-11-05
Anthropic v1
Known scanners (user-agent)
unknown 13

The honeypot exposes a full MCP interface with OT/ICS themes. Scanning is identified via endpoint_group=mcp_probe and attack_type=mcp_probe.