0/N-day Searching
0/N-day Searching helps you identify early signs of active exploitation attempts across your subscribed honeypots. This covers newly emerging vulnerabilities (0-days) as well as known vulnerabilities for which no fingerprint exists yet (n-days). Defused provides tools to manually inspect request patterns and determine whether your decoys are receiving suspicious, low-frequency, or highly specific probes.
Workflow
1. Use the All Events View to Inspect Raw Activity
In the Intel Feed page, the All Events (24h) panel shows a sliding window of all observed requests across your subscribed decoys.
This view is designed for exploratory searching and pattern identification.
You can quickly observe:
- Which honeypots were targeted
- How many times each request occurred
- Whether activity is concentrated on one decoy type or broadly distributed
- Whether any payload resembles known exploit paths
This is often the first place where unusual scanning or early exploitation attempts appear.
2. Look for Low-Frequency, Single-Decoy Activity
A strong heuristic for discovering 0-day or early n-day signals is to identify:
- Requests seen only against one honeypot type
- Requests with a very low total count, especially within the last 24-hour window
- Paths that look structured or exploit-like (e.g., long query strings, uncommon API routes, traversal patterns)
For example, a request path that appears only on FortiWeb decoys and nowhere else, has 1-3 total hits, structurally resembles known FortiWeb paths, and yields no relevant matches on search engines or elsewhere is a potential 0-day. Treat it as a candidate rather than a confirmed finding: a single low-frequency probe can also be a scanner typo or a one-off researcher test, so corroborate it with the comparison in step 3 and with your own telemetry before escalating.
3. Compare Paths Against Known Alerting Structures
Defused provides reference path patterns for each honeypot type in its product card (under Capabilities).
You can compare suspicious requests with these known structures to determine whether something aligns with:
- Authentication bypass attempts
- RCE or deserialization routes
- Admin panel discovery
- Key configuration or metadata endpoints
Refer to the alerting pattern documentation here:
Product Features → Intel & Alerts
This comparison can help confirm whether a request resembles a variant of an already known exploitation path.
4. Flag Interesting Events for Follow-up
When an unusual request stands out, you can:
- Apply filters (e.g., by decoy type or IP)
- Export the related events as CSV
- Cross-reference them with your internal telemetry or perimeter logs
- Escalate for threat research or blocklisting actions
These manual steps enable targeted analysis of potential emerging vulnerabilities before widespread exploitation occurs.
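The heuristic in steps 2 and 3 (low total count, a single decoy type, exploit-like structure, and a comparison against known alerting paths) can be applied offline to events exported as CSV in step 4. The following script is an added example and is not part of Defused or its documentation. It assumes an export with the columns `timestamp,decoy_type,source_ip,method,path` (the real export layout may differ; adjust `load_events()`), uses a hypothetical `KNOWN_PATHS` table standing in for the per-decoy Capabilities list, and runs over a constructed sample of events, including one event outside the 24-hour window and one path hitting two decoy types, to show what the heuristic keeps and what it drops.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed sample of an exported event CSV. The column names are an
# assumption about the export layout; adjust load_events() if yours differ.
SAMPLE_CSV = """timestamp,decoy_type,source_ip,method,path
2024-05-01T03:12:41Z,FortiWeb,203.0.113.7,GET,/api/v2.0/cmdb/system/backup?file=..%2f..%2fetc%2fpasswd
2024-05-01T04:02:10Z,FortiWeb,198.51.100.23,GET,/api/v2.0/cmdb/system/backup?file=..%2f..%2fetc%2fpasswd
2024-05-01T05:00:00Z,FortiWeb,192.0.2.10,POST,/login
2024-05-01T05:00:01Z,FortiWeb,192.0.2.10,POST,/login
2024-05-01T05:00:02Z,FortiWeb,192.0.2.10,POST,/login
2024-05-01T05:00:03Z,FortiWeb,192.0.2.10,POST,/login
2024-05-01T06:30:00Z,FortiWeb,192.0.2.44,GET,/wp-login.php
2024-05-01T06:31:00Z,GenericWeb,192.0.2.44,GET,/wp-login.php
2024-05-01T07:15:00Z,GenericWeb,203.0.113.99,GET,/robots.txt
2024-05-01T08:45:12Z,GenericWeb,203.0.113.50,GET,/cgi-bin/status?cmd=id;uname%20-a
2024-04-29T10:00:00Z,FortiWeb,203.0.113.50,GET,/cgi-bin/status?cmd=id;uname%20-a
"""

# Constructed "current time" for the sample; in practice use datetime.now(timezone.utc).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Hypothetical per-decoy known alerting paths (illustration only, not the real
# Capabilities list). Exact matches are already fingerprinted; paths that share
# their leading segments are treated as variants worth a closer look.
KNOWN_PATHS = {
    "FortiWeb": {"/api/v2.0/cmdb/system/admin", "/login"},
    "GenericWeb": {"/admin/login"},
}

# Structural signals that make a request look exploit-like (step 2).
EXPLOIT_LIKE = [
    ("traversal", re.compile(r"(\.\.|%2e%2e)(/|%2f|\\)", re.I)),
    ("long query value", re.compile(r"[?&][^=&]+=[^&]{80,}")),
    ("api route", re.compile(r"^/(api|rest|cgi-bin|remote|ws)/", re.I)),
    ("shell metachar", re.compile(r"[;|`]|\$\(|%0a|%0d", re.I)),
]


def load_events(text):
    """Parse the CSV export into dicts carrying a timezone-aware datetime."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        row["ts"] = ts.replace(tzinfo=timezone.utc)
        events.append(row)
    return events


def structural_indicators(path):
    """Names of the exploit-like patterns present in a path (query included)."""
    return [name for name, rx in EXPLOIT_LIKE if rx.search(path)]


def classify(decoy_type, path):
    """'known' if exactly fingerprinted for this decoy, 'variant' if it shares
    its first two path segments with a known path, otherwise 'novel' (step 3)."""
    known = KNOWN_PATHS.get(decoy_type, set())
    bare = urlsplit(path).path
    if bare in known:
        return "known"
    head = bare.strip("/").split("/")[:2]
    if len(head) == 2 and any(k.strip("/").split("/")[:2] == head for k in known):
        return "variant"
    return "novel"


def find_candidates(events, now, window=timedelta(hours=24), max_hits=3):
    """Low-frequency, single-decoy, exploit-like, not-yet-known paths in the window."""
    groups = defaultdict(lambda: {"hits": 0, "decoys": set(), "sources": set()})
    for ev in events:
        if now - ev["ts"] > window:  # mirror the sliding 24h All Events view
            continue
        g = groups[ev["path"]]
        g["hits"] += 1
        g["decoys"].add(ev["decoy_type"])
        g["sources"].add(ev["source_ip"])
    out = []
    for path, g in groups.items():
        if g["hits"] > max_hits or len(g["decoys"]) != 1:
            continue  # broad or noisy: not the signal we are after
        indicators = structural_indicators(path)
        if not indicators:
            continue  # rare but unstructured (e.g. /robots.txt): plain scanner noise
        decoy = next(iter(g["decoys"]))
        kind = classify(decoy, path)
        if kind == "known":
            continue  # already fingerprinted, so it alerts anyway
        out.append({"path": path, "decoy_type": decoy, "hits": g["hits"],
                    "sources": sorted(g["sources"]), "indicators": indicators,
                    "classification": kind})
    return sorted(out, key=lambda c: (c["hits"], c["path"]))


def run_sample():
    """Apply the heuristic to the constructed sample."""
    return find_candidates(load_events(SAMPLE_CSV), NOW)


if __name__ == "__main__":
    for c in run_sample():
        print(f"{c['classification']:8} {c['decoy_type']:11} hits={c['hits']} "
              f"{c['indicators']} {c['path']} from {c['sources']}")
```

On the sample this surfaces two candidates: a one-hit `/cgi-bin/...` probe on a single decoy type (classified novel; the same path seen on FortiWeb falls outside the 24-hour window and is correctly ignored), and a two-hit FortiWeb path classified as a variant because it shares its leading segments with a known alerting path. The `/login` burst is dropped for volume, `/wp-login.php` because it hits two decoy types, and `/robots.txt` because it carries no exploit-like structure. Candidates are leads for the cross-referencing and escalation in step 4, not confirmations; the indicator and known-path tables are deliberately small and should be extended from the real Capabilities list.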
5. Automated Anomaly Detection (TF Business)
For Defused TF Business accounts, anomaly detection is applied automatically.
This system:
- Evaluates request patterns hourly
- Detects low-frequency anomalies
- Identifies decoy-specific, emerging exploit paths
- Surfaces these anomalies without requiring manual searching
This reduces the need to manually search for early 0-day signals and provides proactive visibility into unusual attacker behaviour. Surfaced anomalies are candidates and still go through the follow-up in step 4 before any blocklisting or escalation.