Daily threat intelligence analysis generated by a local AI model running on the same Raspberry Pi 5 that operates the honeypots. No data leaves the device.
Honeypot Threat Analysis — April 27, 2026
172 IPs reported to AbuseIPDB. High-severity day with 784 SSH connections, 362 OpenCanary events, and Git config scanning detected.
Honeypot Threat Analysis — April 26, 2026
90 IPs reported to AbuseIPDB — community reporting fully operational. ClaudeBot AI crawler detected scanning the honeypot.
Honeypot Threat Analysis — April 25, 2026
High-severity activity with 1,492 SSH connections and 83 Galah web requests. Funny password highlight: 1234567890%*().
Honeypot Threat Analysis — April 24, 2026
Galah HTTP LLM honeypot goes live with 54 web requests. Full tri-honeypot stack now operational across SSH, multi-protocol, and HTTP.
Honeypot Threat Analysis — April 23, 2026
OpenCanary goes live — 412 multi-protocol events detected. Attack surface expands to FTP, Telnet, MySQL, Redis, VNC, and Git.
Honeypot Threat Analysis — April 22, 2026
985 SSH connections with 204 post-auth commands. The root credential enters the top 5 password list for the first time.
Honeypot Threat Analysis — April 21, 2026
High-severity day with 1,540 connections and 424 post-auth commands — the most exploitation activity ever recorded.