Active sensor · updated daily
Passive OT/ICS honeypot · aggregated data

What is the internet looking for right now?

Anonymised statistics from a passive system emulating industrial control systems, network cameras, VPN portals and DevOps services.

Online since: 2025-08-01   ·   Last aggregated: 2026-07-01   ·   Source: passive HTTP sensor
Requests since launch: 55 368
Unique IP addresses: 6 316
Active endpoints: 3 919
Login attempts: 557
This hour: 0
Today: 139
Logins today: 0
Port scan creds: 0
01

Key metrics

Total requests: 55 368 (+2 197 last 7 days)
Unique IP addresses: 6 316 (+449 last 7 days)
Emulated services: 3 919 active endpoints
Login attempts: 557 (+0 last 7 days)
High-signal events: 112 (Sophisticated targeted attacks)
Sanitised events: 1 281 (XSS, SQLi and path traversal attempts)
AI agent probes: 6 (MCP endpoints probed last 7 days)

Excl. own IP addresses and known scanning systems.

02

Activity & geographic distribution

Daily activity · last 28 days (heatmap; scale: lower to higher)
Hourly activity · last 7 days (heatmap by hour, UTC; scale: lower to higher activity)
Geographic distribution · top 8
US USA: 13 422
NL Netherlands: 7 661
SE Sweden: 7 510
DE Germany: 4 378
GB United Kingdom: 2 585
FR France: 2 149
CN China: 1 197
IN India: 1 001
03

Categories & endpoints

Targeted system probes — breakdown by system category
Municipal document portal: 888 (1.6%)
SCADA & control systems: 191 (0.3%)
Fibre network & transmission: 156 (0.3%)
OT time-series API: 113 (0.2%)
VPN portal: 108 (0.2%)
Building management systems (BMS): 93 (0.2%)
Surveillance cameras: 71 (0.1%)
Access control system: 37 (0.1%)
Network monitoring: 23 (0%)
Water/wastewater & district heating SCADA: 18 (0%)
Civil preparedness plans: 12 (0%)
Municipal document portal: 4 (0%)
intrusion_alarm: 2 (0%)
Backup power & generators: 1 (0%)
Related CVEs — known vulnerabilities in exposed system types
10.0 CVE-2019-7256 RCE (CVSS 10) — Linear eMerge E3 access control system
10.0 CVE-2023-20198 Auth bypass (CVSS 10) — Cisco IOS XE
9.9 CVE-2023-44373 RCE — Siemens RUGGEDCOM APE1808
9.8 CVE-2024-9003 Auth bypass — Schneider Electric Easergy P5 BMS
9.8 CVE-2021-36260 Command injection — Hikvision IP cameras
9.8 CVE-2023-27350 Auth bypass & RCE — PaperCut (water/wastewater utilities)
Protocol scanning — breakdown by system category
Protocol scanning: 13 579 (24.5%)
Related CVEs — known vulnerabilities in exposed system types
7.5 CVE-2023-27321 DoS — OPC UA Foundation SDK via crafted message
7.4 CVE-2022-44725 Memory corruption — OPC UA SDK (Unified Automation)
Generic mass scanning — breakdown by system category
Generic web scanning: 37 129 (67.1%)
Credential theft: 1 558 (2.8%)
DevOps & API probing: 847 (1.5%)
none: 266 (0.5%)
unknown: 207 (0.4%)
ai_agent: 40 (0.1%)
Directory traversal: 23 (0%)
ups: 1 (0%)
civil_readiness: 1 (0%)
Related CVEs — known vulnerabilities in exposed system types
10.0 CVE-2024-3400 RCE (CVSS 10) — Palo Alto PAN-OS GlobalProtect
8.1 CVE-2024-6387 RCE — OpenSSH regreSSHion
Most requested endpoints
root_probe: 8 326
ssdp: 6 385
ssh_banner: 5 278
favicon_ico: 1 945
sdk_weblanguage: 1 478
raw_file_env: 707
raw_file_git_config: 500
robots_txt: 483
cgi_bin_luci_stok_locale: 435
sitemap_xml: 428
04

Recent activity

Time UTC Country Endpoint Category Method
2 h ago HU root_probe generic_scan GET
2 h ago BE root_probe generic_scan GET
3 h ago US root_probe generic_scan GET
3 h ago TH root_probe generic_scan GET
3 h ago IE root_probe generic_scan HEAD
4 h ago NL sdk_weblanguage generic_scan GET
4 h ago BR sdk_weblanguage generic_scan GET
5 h ago BE root_probe generic_scan GET
05

Method · User-agent · Response code

HTTP method
GET: 37 539
CONNECT: 13 579
POST: 2 953
HEAD: 535
OPTIONS: 106
PUT: 4
PROPFIND: 4
TRACE: 2
MNBX: 1
POQB: 1
LINY: 1
VVZU: 1
VQYU: 1
GKNX: 1
APVL: 1
PWGB: 1
ZHNZ: 1
RNLI: 1
WTFI: 1
IRSZ: 1
DSLW: 1
UGNB: 1
VUEA: 1
SUQF: 1
KEAN: 1
Top User-Agents
browser: 25 923
security_scanner: 3 036
curl: 2 969
l9explore/1.2.2: 1 963
no_agent: 1 907
go_http: 1 859
HTTP response code
200 OK: 41 633
0: 13 579
404 Not Found: 156
06

Credential attempts · login attempts per system and username

Most attempted usernames
root: 117
admin: 81
ZAP (scanner): 53
Poot: 36
user: 17
Pdmin: 11
operator (OT): 11
test: 7
default: 6
guest: 5
administrator: 5
vstarcam2015: 4
Login attempts per honeypot service
Access control system: 114
Fibre network & network…: 52
Process SCADA (Siemen…: 50
VPN gateway (Ivanti): 14
Unclassified: 12
Operations portal: 11
IP cameras (Hikvision…: 6
Building automation …: 5
Security access: 4
Civil preparedness portal: 1
07

Attacker patterns · recurring actors and multi-endpoint attempts

Unique external IPs: 6 482
Recurring actors · >1 visit: 20
Targeted actors · 2+ distinct endpoints: 20

#   Requests  Endpoint groups  Service types  OT focus
1   436       5                4              OT-targeted
2   76        5                4              OT-targeted
3   294       4                4              OT-targeted
4   176       4                3              OT-targeted
5   170       4                4              OT-targeted
6   165       4                4              OT-targeted
7   45        4                4              OT-targeted
8   40        4                4              OT-targeted
9   1 727     3                3              OT-targeted
10  1 425     3                3              OT-targeted
11  1 413     3                3              OT-targeted
12  1 222     3                3              OT-targeted
08

Time to first probe · how quickly each service was discovered

Time to first probe · per exposed service since 2026-03-08
VPN gateway (Ivanti): +18 h 5 min
Access control system: +18 h 47 min
DevOps / CI API: +1 day
Credential theft: +1 day
Fibre network & network hardware: +4 days
Security access: +5 days
ai_agent: +69 days

Time after ports were opened until the first external request was recorded per service type

Want to know more?
Detailed analysis — attacker profiles, ISP data, credential trends — available on request for security researchers and industry peers.
09

Geographic timeline · daily activity by origin country · last 7 days

Date        NL (Netherlands)  US (USA)  DE (Germany)  BR (Brazil)  RO (Romania)  HK (Hong Kong)  Total
2026-07-03  81                22        ·             7            ·             1               139
2026-07-02  143               93        4             9            19            12              330
2026-07-01  55                45        36            12           18            21              272
2026-06-30  178               97        4             8            18            15              385
2026-06-29  103               56        65            28           20            20              361
2026-06-28  109               50        36            11           ·             6               262
2026-06-27  219               81        4             21           ·             ·               352
2026-06-26  14                16        15            3            18            ·               96

External traffic only. Dark cell = high activity from the country. Own IP addresses excluded.

10

Protocol scanning

OT protocols ranked by hit count
# Protocol Total Share Today Distribution
1 SSDP/UPnP :1900 6 385 47%
2 SSH Banner :2222 5 278 38.9%
3 Telnet :23 285 2.1%
4 Hikvision SDK :8000 252 1.9%
5 OPC-UA :4840 141 1%
6 Siemens S7comm :10102 138 1%
7 Niagara Fox :1911 135 1%
8 DNP3 :20000 112 0.8%
9 Modbus TCP :15502 105 0.8%
10 EtherNet/IP :44818 101 0.7%
11 iec104 91 0.7%
12 SIP :5060 90 0.7%
13 Dahua TCP :37777 86 0.6%
14 SNMP :161 78 0.6%
15 RTSP :554 76 0.6%
16 MQTT :1883 74 0.5%
17 GE SRTP :18245 58 0.4%
18 MELSEC SLMP :5007 52 0.4%
19 bacnet 41 0.3%
20 FTP :21 1 0%

All hits since launch. "Today" = requests on the current UTC day. Own IP addresses excluded.

11

Attack types explained

What is actually happening
Credential stuffing
0 unique IPs / 7 d

Automated Telnet connections systematically trying credentials from leaked databases. The goal is to take over routers and IoT devices to expand botnets.

CVE-targeted scanning
0 distinct protocols

Requests matching known CVE signatures — the attacker is looking for a specific vulnerability in industrial control systems, cameras or network equipment.

Disguised traffic
0 requests

OT protocol requests carrying a browser User-Agent (Mozilla/Chrome/Safari). The intent is to evade signature-based detection systems that filter out obvious scanner identities.

Counts refer to observations in honeypot data. Figures reflect attacker patterns, not actual breaches.

12

Trends

Requests per day over the last 30 and 90 days
Last 30 days
Last 90 days
13

Quarterly trends

Key KPIs per quarter — escalation over time
Quarter Requests Unique IPs High-signal Credential attempts Residential IPs
2026-Q1 18 256 2 551 112 470

Quarters with zero requests are excluded. Δ = change vs. previous quarter in the table.

14

Attack depth · resource targets, behaviour signatures and origin

What attackers are looking for
Protocol (TCP/UDP raw): 50 961
Login pages: 1 764
Document files: 1 612
API endpoints: 853
Unknown: 155
Directory structures: 23
Behaviour signatures
Path enumeration: 29 464
Human-like browsing: 18 369
Vulnerability scanning: 12 515
Configuration probe: 11 094
Automated scanning: 10 105
Mass scanning: 3 701
API probing: 2 297
No User-Agent: 1 907
Backup probe: 1 142
known_scanner: 445
OT-targeted: 436
Credential attempt: 286
Attacker network operators
Google LLC: 3 163
Digitalocean, LLC: 3 159
TECHOFF SRV LIMITED: 2 408
Secure Internet LLC uk: 2 291
Censys, Inc. (Security researcher): 2 236
FBW NETWORKS SAS: 1 489
Pfcloud UG: 1 457
Feo Prest SRL: 1 305
Microsoft Corporation: 1 138
DEDIK SERVICES LIMITED: 1 019

No IP addresses shown. ASN data via passive geo-enrichment.

15

AI agent scanning · MCP protocol probing and known actors

MCP (Model Context Protocol) — AI agent protocol, probed since May 2026
Total (all time): 40
Last 7 days: 6
Known protocols: JSON-RPC 2.0, MCP/2024-11-05, Anthropic v1
Known scanners (user-agent): unknown 40

The honeypot exposes a full MCP interface with OT/ICS themes. Scanning is identified via endpoint_group=mcp_probe and attack_type=mcp_probe.