FLEET STATUS — PUBLIC VIEW
BATCH-UPDATED EVERY 6H · LAST {{ lastUpdated }}
What the fleet is seeing
Aggregated observations from our global honeypot fleet. Everything on this page is measured, not modeled — and delayed by design, so it never tips a live capture.
THREAT INDEX (24H)
{{ threatVal }}
{{ threatLabel }}
{{ kpiEvents }}
EVENTS / LAST 24H
{{ kpiIps }}
UNIQUE ATTACKER IPS / 24H
{{ kpiProtoCont }}
PROTOCOLS / CONTINENTS COVERED
{{ topTechId }}
TOP TECHNIQUE · {{ topTechName }}
ATTACK VOLUME — LAST 24 HOURS
EVENTS PER HOUR · UTC
12:0018:0000:0006:0012:00
GLOBAL ORIGINS — LAST 24 HOURS
● ATTACK ORIGIN (SIZED BY SHARE)
◌ COVERAGE REGION
Marker position is the geographic center of observed source addresses per region. "Other" origins (28%) span 90+ countries and are not plotted. Coverage regions show where fleet sensors operate — we don't publish node counts or exact locations, for the same reason honeypots work.
TOP ORIGINS (24H)
Origin = source geography of observed connections. Attribution is where the packet came from, not who sent it.
PROTOCOL BREAKDOWN (24H)
SCADA-Modbus probes shown in amber — the traffic most vendors never see because they don't run OT decoys.
MOST-TRIED CREDENTIALS (24H)
#USERNAMEPASSWORDATTEMPTS
{{ c.rank }}
{{ c.user }}
{{ c.pass }}
{{ c.n }}
If any of these open something on your network, fix that today.
TOP MITRE ATT&CK TECHNIQUES (24H)
{{ m.id }}
{{ m.name }}
{{ m.pct }}
Techniques observed and auto-classified across all fleet sessions in the window.
CAPTURE FEED
REPLAY OF RECENT CAPTURES · DELAYED ≥24H · DETAILS REDACTED
{{ feed }}
{{ nuisanceNote }}
HOW THIS PAGE WORKS
Numbers are aggregated from real fleet captures and refreshed in 6-hour batches — not streamed live. The feed replays genuine sessions at least 24 hours old with identifying details redacted. We'd rather show you slightly-delayed truth than real-time theater.
© 2026 Deception Check, Inc.