Defused TF - Curated Honeypot Streams

Defused TF provides a real-time stream of attack data collected from a distributed network of honeypots. It enables security researchers, detection engineers, IT personnel and threat intelligence teams to monitor and analyze live adversary behaviour against specific honeypot profiles.

TF uses a simple subscription-based flow: you curate your own feed from the honeypot profiles you are interested in.

Our honeypot profiles include many of the most popular enterprise technologies, and we are adding new honeypot types into the capabilities repository on a weekly basis.


Overview

Defused TF makes it simple to:

  • Subscribe to honeypot feeds across various technologies
  • Monitor live attack traffic including payloads
  • Correlate behavior across attacker infrastructure and campaigns
  • Export data for building detections, threat intel reports, blogs and other relevant media

Key Capabilities

Capability                       Description
Real-Time Feed Access            Subscribe to live streams of honeypot activity
Payload Visibility               Inspect dropped or embedded payloads from active exploitation attempts
Data Export                      Export individual events for further offline analysis (CSV)
Threat Intelligence Enablement   Use collected data to inform blogs, advisories, and customer reports

Example Use Cases

Pre-emptive Threat Blocking

Identify malicious IPs targeting the assets and applications you are running, and pre-emptively add them to your blocklist.

Example workflow:

  1. Find and subscribe to suitable intel streams on the capabilities page
  2. Watch for surges in login brute-forcing, exploit attempts or other malicious activity, such as version fingerprinting
  3. Bulk select associated events
  4. Use the export function to download the associated IPs as a CSV file and feed it into your blocklist tooling
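Steps 2 to 4 of this workflow as a runnable example (added here; it is not Defused's code): it aggregates an exported CSV per source IP, applies an event threshold so that a single probe does not earn a block, and refuses to emit internal ranges or malformed rows. The CSV column names and event type values are assumptions made for the example, since the page does not document the export schema.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample of a Defused TF CSV export. The column names and
# event_type values are assumptions; the page does not document the schema.
SAMPLE_EXPORT = """timestamp,source_ip,honeypot_profile,event_type
2025-01-10T09:00:01Z,203.0.113.10,cisco-asa,login_bruteforce
2025-01-10T09:00:02Z,203.0.113.10,cisco-asa,login_bruteforce
2025-01-10T09:00:03Z,203.0.113.10,cisco-asa,login_bruteforce
2025-01-10T09:01:00Z,198.51.100.7,cisco-asa,version_fingerprint
2025-01-10T09:02:00Z,203.0.113.10,cisco-asa,login_bruteforce
2025-01-10T09:03:00Z,10.0.0.5,cisco-asa,login_bruteforce
2025-01-10T09:03:01Z,10.0.0.5,cisco-asa,login_bruteforce
2025-01-10T09:03:02Z,10.0.0.5,cisco-asa,login_bruteforce
2025-01-10T09:04:00Z,not-an-ip,cisco-asa,exploit_attempt
2025-01-10T09:05:00Z,198.51.100.7,cisco-asa,exploit_attempt
"""

# Event types from the workflow above that justify a block.
BLOCKABLE_EVENT_TYPES = {"login_bruteforce", "exploit_attempt", "version_fingerprint"}

# Ranges that must never reach a perimeter blocklist, however they ended up
# in an export: RFC 1918 space, loopback and link-local.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def build_blocklist(csv_text, min_events=3):
    """Count blockable events per source IP and return, in address order,
    the IPs seen at least `min_events` times. Malformed addresses are
    skipped and internal ranges filtered, so one bad row cannot poison it."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event_type"] not in BLOCKABLE_EVENT_TYPES:
            continue
        try:
            ip = ipaddress.ip_address(row["source_ip"].strip())
        except ValueError:
            continue  # not an IP address; drop the row instead of raising
        if any(ip in net for net in NEVER_BLOCK):
            continue
        counts[ip] += 1
    ordered = sorted(counts, key=lambda a: (a.version, int(a)))
    return [str(ip) for ip in ordered if counts[ip] >= min_events]
```

On the constructed sample this yields only 203.0.113.10: the internal 10.0.0.5 is filtered despite three events, and 198.51.100.7 stays below the threshold.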

Threat Research and Intelligence

Track live exploit activity as it happens. Identify trends in exploit targets, payload delivery, and attacker infrastructure.

Example workflow:

  1. Subscribe to the Defused TF Cisco ASA Honeypot Feed
  2. Watch for surges in login brute-forcing, simultaneous exploit attempts or similar anomalous activity
  3. Observe payloads for further pivots
  4. Export the events, correlate them with your existing or other data sources, and publish findings in internal or public intel briefs

Threat Reporting to Customers

Deliver value-added reporting to clients based on observed activity.

Example workflow:

  1. Correlate Defused TF events with customer infrastructure
  2. Highlight relevant TTPs and indicators
  3. Include verified payload data in your intel reporting

Detection Engineering

Use real-time attacker activity to strengthen your defensive content.

Example workflow:

  1. Filter events by exploit signature or payload characteristics
  2. Generate detection logic (Sigma, YARA, Suricata, Splunk, or other)
  3. Validate rules against live incoming data
  4. Deploy detections to production SOC pipelines

Content Creation & Education

Leverage live attack streams for blogs, talks, and educational content.

Example workflow:

  1. Monitor high-volume exploit campaigns
  2. Visualize trends over time (e.g., surge in CVE-2025-64446 usage)
  3. Write technical breakdowns or advisories
  4. Embed anonymized live feed snippets for illustration

Integration Options

  • Web Console: Interactive UI to browse and replay activity
  • Export Formats: export selected intel events to CSV
  • Automated Integrations: Coming soon to TF Business/Enterprise subscriptions

Getting Started

  1. Sign up for a Defused account
  2. Choose feeds for the technologies you are interested in
  3. Subscribe via UI
  4. Start analyzing live attack data immediately