Active sensor · updated daily
Passive OT/ICS honeypot · aggregated data

What is the internet looking for right now?

Anonymised statistics from a passive system emulating industrial control systems, network cameras, VPN portals and DevOps services.

Online since: 2025-08-01   ·   Last aggregated: 2026-06-13   ·   Source: passive HTTP sensor
Requests since launch: 48 527
Unique IP addresses: 5 680
Active endpoints: 3 673
Login attempts: 553
This hour: 0
Today: 718
Logins today: 0
Port scan creds: 0
01

Key metrics

Total requests: 48 527 (+3 168 last 7 days)
Unique IP addresses: 5 680 (+421 last 7 days)
Emulated services: 3 673 active endpoints
Login attempts: 553 (+0 last 7 days)
High-signal events: 112 (sophisticated targeted attacks)
Sanitised events: 1 134 (XSS, SQLi and path traversal attempts)
AI agent probes: 6 (MCP endpoints probed last 7 days)

Excl. own IP addresses and known scanning systems.

02

Activity & geographic distribution

[Heatmap: daily activity · last 28 days]
[Heatmap: hourly activity by hour (UTC) · last 7 days]
Geographic distribution · top 8
US USA: 11 739
SE Sweden: 7 413
NL Netherlands: 5 591
DE Germany: 3 908
GB United Kingdom: 2 394
FR France: 2 068
CN China: 1 111
IN India: 977
03

Categories & endpoints

Targeted system probes — breakdown by system category
Municipal document portal: 747 (1.5%)
SCADA & control systems: 191 (0.4%)
Fibre network & transmission: 154 (0.3%)
VPN portal: 107 (0.2%)
Building management systems (BMS): 93 (0.2%)
OT time-series API: 89 (0.2%)
Surveillance cameras: 71 (0.1%)
Access control systems: 36 (0.1%)
Network monitoring: 23 (0%)
Water/wastewater & district heating SCADA: 18 (0%)
Civil preparedness plans: 12 (0%)
Municipal document portal: 3 (0%)
intrusion_alarm: 2 (0%)
Backup power & generators: 1 (0%)
Related CVEs — known vulnerabilities in exposed system types
10.0 CVE-2019-7256 RCE (CVSS 10) — Linear eMerge E3 access control system
10.0 CVE-2023-20198 Auth bypass (CVSS 10) — Cisco IOS XE web interface
9.9 CVE-2023-44373 RCE — Siemens RUGGEDCOM APE1808
9.8 CVE-2024-9003 Auth bypass — Schneider Electric Easergy P5 BMS
9.8 CVE-2021-36260 Command injection — Hikvision IP cameras
9.8 CVE-2023-27350 Auth bypass & RCE — PaperCut (water/wastewater utilities)
Protocol scanning — breakdown by system category
Protocol scanning: 13 579 (28%)
Related CVEs — known vulnerabilities in exposed system types
7.5 CVE-2023-27321 DoS — OPC UA Foundation SDK via crafted message
7.4 CVE-2022-44725 Memory corruption — OPC UA SDK (Unified Automation)
Generic mass scanning — breakdown by system category
Generic web scanning: 30 867 (63.6%)
Credential theft: 1 268 (2.6%)
DevOps & API probing: 750 (1.5%)
none: 266 (0.5%)
unknown: 199 (0.4%)
ai_agent: 26 (0.1%)
Directory traversal: 23 (0%)
ups: 1 (0%)
civil_readiness: 1 (0%)
Related CVEs — known vulnerabilities in exposed system types
10.0 CVE-2024-3400 RCE (CVSS 10) — Palo Alto PAN-OS GlobalProtect
8.1 CVE-2024-6387 RCE — OpenSSH regreSSHion
Most requested endpoints
root_probe: 7 038
ssdp: 6 385
ssh_banner: 5 278
favicon_ico: 1 664
sdk_weblanguage: 687
raw_file_env: 589
robots_txt: 449
raw_file_git_config: 406
sitemap_xml: 391
cgi_bin_luci_stok_locale: 342
04

Recent activity

Time UTC Country Endpoint Category Method
3 h ago DE 2577eb_2575i_2577sma_http generic_scan POST
3 h ago JP root_probe generic_scan GET
3 h ago BR sdk_weblanguage generic_scan GET
3 h ago DE sse generic_scan GET
3 h ago DE root_probe generic_scan GET
3 h ago DE mcp ai_agent POST
3 h ago DE favicon_ico generic_scan GET
3 h ago DE root_probe generic_scan GET
05

Method · User-agent · Response code

HTTP method
GET: 30 914
CONNECT: 13 579
POST: 2 797
HEAD: 508
OPTIONS: 82
PUT: 3
PROPFIND: 3
TRACE: 2
VQYU: 1
GKNX: 1
APVL: 1
PWGB: 1
ZHNZ: 1
RNLI: 1
WTFI: 1
IRSZ: 1
DSLW: 1
UGNB: 1
VUEA: 1
SUQF: 1
KEAN: 1
Top User-Agents
browser: 21 460
curl: 2 907
security_scanner: 2 506
go_http: 1 630
l9explore/1.2.2: 1 500
no_agent: 1 474
HTTP response code
200 OK: 34 801
0: 13 579
404 Not Found: 147
06

Credential attempts · login attempts per system and username

Most attempted usernames
root: 117
admin: 81
ZAP (scanner): 53
Poot: 36
user: 17
Pdmin: 11
operator (OT): 11
test: 7
default: 6
guest: 5
administrator: 5
vstarcam2015: 4
Login attempts per honeypot service
Access control system: 110
Fibre network & network…: 52
Process-SCADA (Siemen…: 50
VPN gateway (Ivanti): 14
Unclassified: 12
Operations portal: 11
IP cameras (Hikvision…: 6
Building automation …: 5
Security access: 4
Civil preparedness portal: 1
07

Attacker patterns · recurring actors and multi-endpoint attempts

Unique external IPs: 5 848
Recurring actors · >1 visit: 20
Targeted actors · 2+ distinct endpoints: 20

#    Requests   Endpoint groups   Service types   OT focus
1    436        5                 4               OT-targeted
2    76         5                 4               OT-targeted
3    170        4                 4               OT-targeted
4    40         4                 4               OT-targeted
5    1 727      3                 3               OT-targeted
6    1 425      3                 3               OT-targeted
7    1 413      3                 3               OT-targeted
8    1 222      3                 3               OT-targeted
9    1 182      3                 3               OT-targeted
10   793        3                 3               OT-targeted
11   641        3                 3               OT-targeted
12   569        3                 3               OT-targeted
08

Time to first probe · how quickly each service was discovered

Time to first probe · per exposed service since 2026-03-08
VPN gateway (Ivanti): +18h 5min
Access control system: +18h 47min
DevOps / CI-API: +1 day
Credential theft: +1 day
Fibre network & network hardware: +4 days
Security access: +5 days
ai_agent: +69 days

Time after ports were opened until the first external request was recorded per service type

Want to know more?
Detailed analysis — attacker profiles, ISP data, credential trends — available on request for security researchers and industry peers.
09

Geographic timeline · daily activity by origin country · last 7 days

Countries: US = USA, NL = Netherlands, DE = Germany, BE = Belgium, SG = Singapore, IT = Italy
Date US NL DE BE SG IT Total
2026-06-15 66 33 16 175 · · 396
2026-06-14 254 57 4 3 2 · 411
2026-06-13 95 72 5 10 2 2 245
2026-06-12 68 121 9 1 2 156 451
2026-06-11 58 117 5 4 4 · 214
2026-06-10 51 117 6 10 1 1 246
2026-06-09 52 94 26 2 11 · 263
2026-06-08 55 41 173 1 156 · 443

External traffic only. Dark cell = high activity from the country. Own IP addresses excluded.

10

Protocol scanning

OT protocols ranked by hit count
# Protocol Total Share Today Distribution
1 SSDP/UPnP :1900 6 385 47%
2 SSH Banner :2222 5 278 38.9%
3 Telnet :23 285 2.1%
4 Hikvision SDK :8000 252 1.9%
5 OPC-UA :4840 141 1%
6 Siemens S7comm :10102 138 1%
7 Niagara Fox :1911 135 1%
8 DNP3 :20000 112 0.8%
9 Modbus TCP :15502 105 0.8%
10 EtherNet/IP :44818 101 0.7%
11 iec104 91 0.7%
12 SIP :5060 90 0.7%
13 Dahua TCP :37777 86 0.6%
14 SNMP :161 78 0.6%
15 RTSP :554 76 0.6%
16 MQTT :1883 74 0.5%
17 GE SRTP :18245 58 0.4%
18 MELSEC SLMP :5007 52 0.4%
19 bacnet 41 0.3%
20 FTP :21 1 0%

All hits since launch. "Today" = requests on the current UTC day. Own IP addresses excluded.

11

Attack types explained

What is actually happening
Credential stuffing
0 unique IPs / 7 d

Automated Telnet connections systematically trying credentials from leaked databases. The goal is to take over routers and IoT devices to expand botnets.

CVE-targeted scanning
0 distinct protocols

Requests matching known CVE signatures — the attacker is looking for a specific vulnerability in industrial control systems, cameras or network equipment.

Disguised traffic
0 requests

OT protocol requests with browser user-agent (Mozilla/Chrome/Safari). The intent is to evade signature-based detection systems that filter out obvious scanner identities.

Counts refer to observations in honeypot data. Figures reflect attacker patterns, not actual breaches.

12

Trends

[Charts: requests per day · last 30 days and last 90 days]
13

Quarterly trends

Key KPIs per quarter — escalation over time
Quarter Requests Unique IPs High-signal Credential attempts Residential IPs
2026-Q1 18 256 2 551 112 470
127 fiber_targeted — requests specifically targeting fibre network infrastructure and transmission equipment

Quarters with zero requests are excluded. Δ = change vs. previous quarter in the table.

14

Attack depth · resource targets, behaviour signatures and origin

What attackers are looking for
Protocol (TCP/UDP raw): 44 699
Login pages: 1 594
Document files: 1 321
API endpoints: 744
Unknown: 146
Directory structures: 23
Behaviour signatures
Path enumeration: 24 154
Human-like browsing: 15 033
Vulnerability scanning: 10 341
Configuration probe: 9 287
Automated scanning: 8 763
Mass scanning: 3 136
API probing: 2 017
No User-Agent: 1 474
Backup probe: 874
OT-targeted: 401
known_scanner: 374
Credential attempt: 286
Attacker network operators
Digitalocean, LLC: 2 800
Google LLC: 2 383
Secure Internet LLC uk: 2 290
Censys, Inc. (Security researcher): 1 903
TECHOFF SRV LIMITED: 1 881
FBW NETWORKS SAS: 1 489
Feo Prest SRL: 1 305
Pfcloud UG: 1 117
Microsoft Corporation: 780
DEDIK SERVICES LIMITED: 768

No IP addresses shown. ASN data via passive geo-enrichment.

15

AI agent scanning · MCP protocol probing and known actors

MCP (Model Context Protocol) — AI agent protocol, probed since May 2026
Total (all time): 26
Last 7 days: 6
Known protocols: JSON-RPC 2.0, MCP/2024-11-05, Anthropic v1
Known scanners (user-agent): unknown 26

The honeypot exposes a full MCP interface with OT/ICS themes. Scanning is identified via endpoint_group=mcp_probe and attack_type=mcp_probe.