DECEPTION GRID HNY · jr-sensor-01

> Honeypots.

Tripwires that look like soft targets. A honeypot has no legitimate use — so every connection it sees is, by definition, someone who shouldn't be there. Below is a live sensor on a hardened public node, plus decoy profiles that imitate the exact systems behind the breaches you read about — enterprise, hospital, and lab. Each is something I'll stand up for you, tuned to your stack.

SENSOR ACTIVITY · LIVE

sensor activity

7,616 events / 30d
1,201 unique sources
12 decoy services
7,616 peak day

[chart: daily connection attempts, 05-14 → 06-12; 0 hits on every day from 2026-05-14 through 2026-06-11, 7,616 hits on 2026-06-12]

by decoy service

mysql 3,696
portscan 1,931
ssh 1,183
telnet 476
mssql 194
http 85
vnc 21
redis 18
dicom 5
ftp 3
hl7 3
snmp 1

top sources


# updated 2026-06-12 22:23 · refreshes live every 60s · passive sensor · connection metadata only.

DECOY PROFILES · 11 POTS

honeypots tuned to real breaches

# each pot imitates the surface of a named CVE so the right attackers engage it. status: live · armed · planned

enterprise — blackhat favorites

CVE-2021-44228 · live

Log4Shell

Apache Log4j

Any Java web app was a target. We log the ${jndi:ldap://…} probes that never stopped coming.

HTTP headers — JNDI lookup
⬡ internet-wide JNDI exploitation, Dec 2021 — still scanned daily

CVE-2025-61882 · armed

Oracle E-Business Suite

Oracle

Unauthenticated RCE in the EBS Concurrent Processing tier. We present the /OA_HTML login attackers fingerprint before firing.

HTTP — /OA_HTML BES servlet
⬡ Cl0p mass-exploitation of Oracle EBS, 2025

CVE-2023-34362 · armed

MOVEit Transfer

Progress

A SQLi-to-RCE in the transfer portal that fed one of the largest extortion campaigns on record.

HTTPS — managed file transfer portal
⬡ Cl0p mass data theft from 2,700+ orgs, 2023

CVE-2021-34473 · armed

Exchange ProxyShell

Microsoft

Auth bypass to RCE on Outlook Web Access — webshells dropped on tens of thousands of servers.

HTTPS — /autodiscover OWA
⬡ mass on-prem Exchange compromise, 2021

CVE-2023-4966 · planned

Citrix Bleed (NetScaler)

Citrix

Leaked session tokens straight out of memory — bypassed MFA at hospitals and agencies alike.

HTTPS — NetScaler Gateway
⬡ session-token theft hitting healthcare + govt, 2023

CVE-2024-21762 · planned

FortiOS SSL-VPN

Fortinet

The perimeter device that was supposed to keep them out became the way in.

HTTPS — SSL-VPN portal
⬡ pre-auth RCE on edge firewalls, ransomware entry point

healthcare & hospital

unauthenticated DICOM C-STORE · live

DICOM / PACS Imaging

Medical Imaging

Medical imaging servers sit on the internet with no auth. We answer the DICOM association requests scanners send and log every one.

TCP 11112 — DICOM upper layer
⬡ thousands of exposed PACS leaking patient scans, ongoing

CVE-2024-1709 · armed

Healthcare Claims Portal

ScreenConnect-class

An auth-bypass on a remote-access tool took down claims processing for a third of US healthcare. We bait the same surface.

HTTPS — remote-access auth bypass
⬡ Change Healthcare / ALPHV, 2024 — US claims processing halted

CVE-2023-43426 · armed

OpenEMR

OpenEMR

The EHR running in clinics worldwide. Auth bypass plus file write equals patient-record access.

HTTP — /interface login
⬡ RCE chain in the most-deployed open-source EHR

laboratory science

unauthenticated MLLP · live

HL7 v2 Interface

Health Data Exchange

Lab results and orders flow between systems over HL7 with no authentication. We accept the MLLP frames and log the senders.

TCP 2575 — MLLP
⬡ lab + EHR feeds exchanged in cleartext, no auth

exposed LIMS web console · planned

Lab Information System (LIMS)

Laboratory Science

The systems that hold sample chains, assay results, and research data — often one default credential from exposure.

HTTP — LIMS console
⬡ research + clinical lab data, weak-auth web consoles
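
For the HL7 v2 Interface decoy above: an added sketch (not this sensor's own code) of how a passive listener on TCP 2575 can split a byte stream into MLLP frames and record only MSH header metadata, never the message body. The function names, the 64 KiB cap, the peer address and the sample bytes are assumptions constructed for illustration.

```python
import json

SB, EB, CR = b"\x0b", b"\x1c", b"\r"  # MLLP start block, end block, carriage return
MAX_FRAME = 64 * 1024                  # assumed cap so a sender cannot grow the buffer forever

def extract_frames(buf):
    """Return (complete payloads, unfinished tail, count of bytes outside any frame)."""
    frames, junk = [], 0
    while True:
        start = buf.find(SB)
        if start < 0:
            return frames, b"", junk + len(buf)
        junk += start
        end = buf.find(EB + CR, start + 1)
        if end < 0:
            tail = buf[start:]
            if len(tail) > MAX_FRAME:  # oversized partial frame: drop it, count it
                return frames, b"", junk + len(tail)
            return frames, tail, junk
        frames.append(buf[start + 1:end])
        buf = buf[end + 2:]

def parse_msh(payload):
    """Sender metadata from the MSH header segment, or None if this is not HL7 v2."""
    seg = payload.split(CR, 1)[0].decode("latin-1")
    if len(seg) < 4 or not seg.startswith("MSH"):
        return None
    f = seg.split(seg[3])  # MSH-1 is the separator itself, so f[2] is MSH-3
    get = lambda i: f[i] if i < len(f) else ""
    return {"sending_app": get(2), "sending_facility": get(3),
            "msg_type": get(8), "control_id": get(9)}

def sensor_events(peer, stream):
    """Metadata-only events for one connection: header fields and sizes, never the body."""
    frames, tail, junk = extract_frames(stream)
    events = []
    for p in frames:
        meta = parse_msh(p)
        events.append({"peer": peer, "service": "hl7", "bytes": len(p),
                       "hl7": meta is not None, **(meta or {})})
    if junk or tail:
        events.append({"peer": peer, "service": "hl7",
                       "non_mllp_bytes": junk, "partial_frame_bytes": len(tail)})
    return events

# Constructed sample: an HTTP probe, one complete ORU^R01 frame, one truncated frame.
SAMPLE = (b"GET / HTTP/1.0\r\n\r\n" + SB
          + b"MSH|^~\\&|LABSYS|LAB01|EHR|HOSP|202606122200||ORU^R01|MSG0001|P|2.5\r"
          + b"PID|1||000000^^^CONSTRUCTED\r" + EB + CR + SB + b"MSH|^~\\&|partial")

if __name__ == "__main__":
    for e in sensor_events("203.0.113.7", SAMPLE):
        print(json.dumps(e))
```

Bytes that arrive outside any MLLP frame are counted instead of discarded, so generic scanners that send HTTP or TLS to port 2575 still show up as events.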
CUSTOM BUILDS · SCOPED

what a custom honeypot gets you

  • decoys that look like you. services that imitate your real hostnames, banners, and login portals — or the exact CVE surface you're worried about.
  • signal, not noise. nothing legitimate touches a honeypot, so there are no false positives. every alert is real.
  • your alerting. hits pipe to your slack / teams / siem in the format your soc already reads.
  • sector-aware. hospital, lab, OT, or enterprise — the lure is tuned to what your attackers actually hunt.
  • legal & passive. public blue-team deception on infrastructure you own. it records, it never attacks back.