Defused EX - Real-Time Perimeter Threat Intelligence (generally available soon)
Defused EX provides continuous, real-time visibility into attacks targeting your external attack surface - firewalls, VPN gateways, public webapps, cloud management endpoints, and other internet-facing infrastructure. Use it to detect exploitation attempts before they turn into breaches, collect fresh indicators and payloads, and rapidly harden detections.
Overview
Defused EX helps security teams discover active reconnaissance and exploitation against public infrastructure in real time. It’s built for pre-breach detection and rapid collection of 0-/N-day indicators, with zero-infrastructure deployment options.
Key Benefits
- Pre-Breach Detection: Identify active exploitation attempts against external infrastructure (firewalls, VPNs, remote admin panels, cloud consoles) before a compromise is confirmed.
- Collect 0/N-Day IOCs: Capture payloads, command strings, and novel indicators from attacks that target newly discovered or not-yet-catalogued vulnerabilities.
- Improve Your Detections: One-click deployable honeypots with high-fidelity filters let you detect and respond to attacker behavior very early in the attack chain, potentially eliminating breaches before they occur.
Core Capabilities
- On-demand Honeypots — Deploy targeted honeypots (firewalls, VPN gateways, public webapps, cloud management endpoints, and more) with a single click to collect and analyze threat traffic
- Payload & IOC Harvesting — Automatic capture of dropped files, command lines, URIs, and artifacts for analysis
- Alerting & Enrichment — Integrate with SIEM, SOAR, and other similar platforms; enrich events with reputation and context
- Export & Reporting — CSV exports and templated intel reports for customers or stakeholders
Example Use Cases
1. Pre-Breach Monitoring
- Deploy honeypot / decoy assets matching your organisation’s publicly visible asset base
- Receive alerts when suspicious patterns (e.g., unusual admin login sequences or exploitation attempts) are observed
- Triage, correlate with actual asset logs, and contain before initial access occurs
2. 0-Day Detection
- Capture previously unseen payloads and command shells used against internet-facing appliances
- Extract IOCs and push high-confidence indicators to detection pipelines and blocklists
3. Detection Validation
- Deploy a honeypot clone of a vulnerable VPN or web admin panel with one click
- Observe attacker PoCs and scanners in the wild, then author and validate detection logic against live events
Integration Options
- Web Console: Visualize attack timelines, payloads, and honeypot sessions
- API: Alert API access for automation and ingestion
- SIEM Connectors: Forward alerts and IOC lists to Splunk, Elastic, Sentinel, etc.
- Webhooks: Real-time push to SOAR workflows or custom pipelines
- Export Formats: CSV export
Getting Started
- Create an account on Defused EX
- Subscribe to Defused EX to access all available honeypot types
- Deploy honeypots to mimic critical external services or use the managed sensor network
- Monitor alerts for activity and fine-tune with custom rules
- Act on events of high severity
Example Event Output
Best Practices
- Replicate your asset base closely - use honeypot types that match your real asset base to get contextual threat data
- Correlate high-severity activity with real logs - cross-reference IP addresses or payload indicators with your actual log sources
- Leverage indicators quickly in response activity - e.g. blocklisting reconnaissance IPs may prevent exploitation in later stages of the attack
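Added example (not Defused EX code) of the second and third practices above: honeypot alerts are cross-referenced with a real asset log by source IP within a time window, and high-severity alert sources are collected as blocklist candidates. The alert field names and the log line format are constructed for this example; the page shows no real event schema.

```python
from datetime import datetime, timedelta

# Constructed sample alerts; the field names are an assumption for this
# example, as the page does not show the product's real event schema.
HONEYPOT_ALERTS = [
    {"ts": "2024-05-01T10:00:00", "src_ip": "198.51.100.7", "severity": "high", "uri": "/remote/login"},
    {"ts": "2024-05-01T11:30:00", "src_ip": "203.0.113.9", "severity": "low", "uri": "/"},
    {"ts": "2024-05-01T12:00:00", "src_ip": "192.0.2.44", "severity": "high", "uri": "/admin/config"},
]

# Constructed access-log lines from the real (non-honeypot) VPN gateway:
# "<timestamp> <client ip> <method> <uri> <status>".
ASSET_LOG = """\
2024-05-01T10:12:30 198.51.100.7 GET /remote/login 200
2024-05-01T10:12:31 198.51.100.7 POST /remote/login 401
2024-05-01T13:05:00 203.0.113.9 GET / 200
2024-05-03T14:00:00 192.0.2.44 GET / 200
"""

def parse_log_line(line):
    ts, ip, method, uri, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "src_ip": ip,
            "method": method, "uri": uri, "status": int(status)}

def correlate(alerts, log_text, window_hours=24):
    """Cross-reference honeypot alerts with real asset logs.

    A log entry matches an alert when it shares the source IP and falls
    within window_hours after the alert; uri_match marks entries that also
    reuse the URI seen on the honeypot. Every high-severity alert source is
    a block candidate, whether or not it has touched a real asset yet.
    """
    entries = [parse_log_line(ln) for ln in log_text.splitlines() if ln.strip()]
    window = timedelta(hours=window_hours)
    hits, block_candidates = [], set()
    for alert in alerts:
        start = datetime.fromisoformat(alert["ts"])
        for e in entries:
            if e["src_ip"] == alert["src_ip"] and start <= e["ts"] <= start + window:
                hits.append({"src_ip": e["src_ip"], "severity": alert["severity"],
                             "asset_ts": e["ts"].isoformat(), "asset_uri": e["uri"],
                             "uri_match": e["uri"] == alert["uri"]})
        if alert["severity"] == "high":
            block_candidates.add(alert["src_ip"])
    return {"hits": hits, "block_candidates": sorted(block_candidates)}

if __name__ == "__main__":
    print(correlate(HONEYPOT_ALERTS, ASSET_LOG))
```

With the default 24-hour window the third alert's source never reaches a real asset in time, so it appears only as a block candidate; widening the window surfaces that later visit as a hit without a URI match.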
Summary
Defused EX gives security teams the early warning and empirical evidence needed to stop attacks on their external attack surface. By collecting live payloads, enabling one-click honeypot deployment, and integrating directly into detection workflows, Defused EX transforms live adversary activity into actionable defense - with zero deployment or maintenance required.