LLM Honeypot Observatory

Real-time monitoring of scanning activity targeting exposed LLM endpoints
⚔ Attack Blogs
Live
ASSESSING
Analyzing threat landscape…
Total Captures
Unique IPs
Prompts Captured
Auth Attempts
Active Nodes
Regions
New Actors
Capture Volume (1 Week)
By Persona
Target Ports
HTTP Methods
Models Requested
Top Targeted Paths
⏱ Attack Rhythm — Hour of Day (UTC)
🎯 MITRE ATT&CK — Observed Techniques
🔟 OWASP LLM Top 10 — Attack Categories Observed
Loading…
☢ 0-Day Radar EXPERIMENTAL
Scoring novel URIs by coordination signals, path structure, exploit indicators, and behavioral anomalies. High scores indicate potential 0-day or emerging threat scanning not yet assigned a CVE.
Critical
High
Medium
Tracked
Loading radar…
TimeIPPortPersonaMethodPathRegionPrompt
CountUnique IPsPromptSystem PromptModelPersonasLast Seen
IPTotal HitsPortsPrompts SentPersonasRegionsFirst SeenLast Seen
CountUnique IPsUser AgentPersonas
TimeIPPersonaPathAuthorizationX-API-KeyRegion
RegionCapturesUnique IPsNodesPrompts
Loading campaigns…
Loading threat actors…
📋
SOC MORNING BRIEF
Auto-generated from live data — structured for analyst handoff
⬇ Download .txt
🔁 PERSISTENT ACTOR TRACKING — 28-Day Window
IPs appearing across multiple weeks are deliberate, persistent adversaries — not opportunistic scanners.
Loading…
🌐 INFRASTRUCTURE CLUSTER ANALYSIS — /24 Subnet Grouping
Multiple IPs from the same /24 subnet indicate coordinated scanning infrastructure under single operator control.
Loading…
Loading reports…
Select a report from the left to read the AI-generated CTI analysis.
Loading days…
Select a day from the left to view the daily analysis.
🔭 Novel URI Probe Detection
Daily diff of paths seen in last 24h versus the prior 30-day baseline. New URIs are classified against a CVE/exploit signature database (120+ signatures). Novel probes not matching any known pattern may indicate 0-day scanning activity.
Reports
Loading…
Select a report date from the left panel.