Intel & Alerts
Defused provides a multi-tiered alerting system designed to separate meaningful attacker activity from routine background noise. Honeypots may include programmed vulnerabilities to enable deeper detection of exploit behavior, and in some cases, additional superficial detections are added when they provide useful context. Alerts are classified by severity to help prioritize investigation and correlation.
Alert Structure
Defused generates the following alert classes:
- Critical — High-impact activity such as zero-day or n-day exploitation, and (shipping Q1) post-breach behavior.
- Major — Vulnerability exploitation attempts, remote code execution activity, and similar high-signal attacker behavior.
- Medium — Targeted enumeration such as version fingerprinting, structured probing, and login attempts.
- Minor — Low-context or uncategorized activity, including generic HTTP verbs and broad scanning patterns.
These tiers represent relevant alerts, which are surfaced because they provide actionable insight. Non-relevant alerts may still contain interesting details, but they are filtered out to reduce noise within each intelligence stream.
Managing Intel & Alert Data
In the Filter view, alerts can be narrowed by actor, payload, time range, asset type, or other criteria. Once a filter is active, the resulting alerts can be exported as a CSV file. For Defused TF subscribers on the base plan, up to 500 alerts can be exported per filtered view.
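A small triage helper for working with the severity tiers and a filtered CSV export like the one described above. This is an added example, not Defused's own code; the CSV column names, the ISO-8601 timestamp format and the sample rows are assumptions, and the escalation check (Medium-tier enumeration followed by a Major or Critical alert from the same actor) is one correlation an analyst might apply, not a Defused feature.

```python
import csv
from collections import defaultdict
from datetime import datetime

# Severity tiers from the page, highest first; lower rank = more severe.
SEVERITY_ORDER = ["Critical", "Major", "Medium", "Minor"]
RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}
EXPORT_CAP = 500  # base-plan export limit per filtered view (from the page)

# Constructed sample export; these column names are assumed, not Defused's schema.
SAMPLE_CSV = """timestamp,severity,actor,asset_type,payload
2024-05-01T10:00:00Z,Minor,198.51.100.7,web,GET /
2024-05-01T10:02:00Z,Medium,198.51.100.7,web,version fingerprint
2024-05-01T10:05:00Z,Major,198.51.100.7,web,exploit attempt
2024-05-01T11:30:00Z,Medium,203.0.113.9,ssh,login attempt
"""

def load_alerts(text):
    """Parse an exported CSV; also report whether it may have hit the export cap."""
    rows = list(csv.DictReader(text.splitlines()))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["timestamp"].replace("Z", "+00:00"))
    return rows, len(rows) >= EXPORT_CAP

def filter_alerts(alerts, min_severity="Minor", actor=None, asset_type=None):
    """Keep alerts at or above min_severity for an optional actor/asset type, most severe first."""
    return sorted(
        (a for a in alerts
         if RANK[a["severity"]] <= RANK[min_severity]
         and (actor is None or a["actor"] == actor)
         and (asset_type is None or a["asset_type"] == asset_type)),
        key=lambda a: (RANK[a["severity"]], a["ts"]),
    )

def escalating_actors(alerts):
    """Actors whose Medium-tier enumeration is later followed by Major/Critical."""
    by_actor = defaultdict(list)
    for a in alerts:
        by_actor[a["actor"]].append(a)
    escalated = {}
    for actor, rows in by_actor.items():
        rows.sort(key=lambda r: r["ts"])
        enumerated = False
        for r in rows:
            if r["severity"] == "Medium":
                enumerated = True
            elif enumerated and RANK[r["severity"]] <= RANK["Major"]:
                escalated[actor] = r["ts"].isoformat()
                break
    return escalated
```

An export of exactly 500 rows is reported as possibly truncated so the analyst knows to narrow the filter rather than treat the file as complete.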