Threat Research
Defused enables threat researchers to capture real-world exploit attempts, observe attacker behaviour, and analyse payloads without exposing production systems. Honeypots act as controlled decoys, allowing you to study attacker tooling and techniques in a safe and repeatable environment.
Workflow
1. Monitor the All Events View
Use the All Events tab within the Intel Feed to review raw activity across every subscribed decoy.
This view exposes all incoming requests, their counts, and which honeypots observed them, making it suitable for broad threat-research scanning.
2. Identify Suspect Activity
Look for patterns that stand out from normal background noise, such as:
- Events targeting a single decoy type (e.g., FortiWeb, Ivanti Connect Secure, SharePoint)
- Low-frequency hits (one-off or a handful of events)
- Requests containing unusual or structured paths, payloads, encoding, or uncommon HTTP verbs
- Payloads resembling traversal, deserialization, or command-injection patterns
These characteristics often correlate with early zero-day or n-day exploitation activity.
3. Export and Analyse the Payloads
Once potential indicators are found, export the filtered events as CSV for analysis.
Typical follow-up steps include:
- Inspecting payloads manually or in a sandbox
- Comparing requests against known CVEs or PoCs
- Decoding encoded parameters
- Replaying requests safely in a controlled environment
4. Correlate With External Intelligence
Compare your findings with:
- Vendor advisories
- Known exploit chains
- Public PoCs
- Existing threat intelligence feeds
Cross-referencing helps determine whether the behaviour is new, a variant of a known exploit, or an early sign of a developing vulnerability.
5. Document and Feed Back Into Defences
Document relevant findings, such as:
- Decoy type and timestamp
- Request path and payload
- Suspicious indicators (IP, headers, encoding)
- Likely exploit purpose or technique
Use this information to build detections, enhance blocklists, or inform internal vulnerability management.
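An added example, not part of Defused's product or documentation, of triaging an exported event CSV with the step 2 heuristics and the step 3 decoding. The column names, the sample rows and the "single decoy" approximation (one source address seen on only one decoy) are assumptions constructed for this example.

```python
import csv
import io
import re
from urllib.parse import unquote

# Constructed sample export. The column names are an assumption made for this
# example; they are not Defused's actual CSV layout.
SAMPLE_CSV = """decoy,timestamp,src_ip,method,path,count
FortiWeb,2025-11-12T03:14:07Z,203.0.113.10,GET,/files?name=..%252F..%252Fetc%252Fpasswd,1
SharePoint,2025-11-12T03:15:22Z,198.51.100.7,GET,/,48
Ivanti Connect Secure,2025-11-12T03:16:01Z,192.0.2.44,GET,/robots.txt,12
FortiWeb,2025-11-12T03:18:30Z,203.0.113.10,POST,/ping?host=127.0.0.1%3Bid,1
SharePoint,2025-11-12T03:19:10Z,198.51.100.9,PROPFIND,/share/,1
"""

COMMON_VERBS = {"GET", "POST", "HEAD"}
# Step-2 payload heuristics, applied to the fully URL-decoded path.
PATTERNS = {
    "traversal": re.compile(r"\.\./|\.\.\\"),
    "command-injection": re.compile(r"[;|`]|\$\("),
    "deserialization": re.compile(r"rO0AB|\xac\xed\x00\x05|O:\d+:"),
}

def decode_path(path: str) -> str:
    """Undo nested URL encoding until the path stops changing (step 3)."""
    while (decoded := unquote(path)) != path:
        path = decoded
    return path

def triage(csv_text: str, low_freq: int = 3) -> list[dict]:
    """Return the rows that match the step-2 heuristics, each with its reasons."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    decoys_per_ip: dict[str, set[str]] = {}
    for r in rows:
        decoys_per_ip.setdefault(r["src_ip"], set()).add(r["decoy"])
    findings = []
    for r in rows:
        decoded = decode_path(r["path"])
        reasons = [name for name, rx in PATTERNS.items() if rx.search(decoded)]
        if r["method"].upper() not in COMMON_VERBS:
            reasons.append("uncommon-verb")
        if int(r["count"]) <= low_freq:
            reasons.append("low-frequency")
        # "Single decoy type" approximated as: this source only ever hit one decoy.
        if len(decoys_per_ip[r["src_ip"]]) == 1 and reasons:
            reasons.append("single-decoy")
        if reasons:
            findings.append({**r, "decoded_path": decoded, "reasons": reasons})
    return findings
```

Each finding keeps the original row plus the decoded path, so it can be copied straight into the step 5 record (decoy, timestamp, path, payload, indicators).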
Example: Threat Research in the Wild
A real example of Defused telemetry being used for acute threat discovery was documented by PwnDefend, where suspected Fortinet exploitation activity was first observed through honeypots that mimicked FortiWeb appliances.
The researcher identified:
- Low-frequency, highly specific HTTP requests
- Activity isolated to FortiWeb decoys
- Payloads and paths not seen in existing n-day exploit chains
This behaviour aligned with a suspected Fortinet zero-day being exploited in the wild, enabling early analysis prior to widespread disclosure.
Source: PwnDefend - “Suspected Fortinet Zero-Day Exploited in the Wild”
https://www.pwndefend.com/2025/11/13/suspected-fortinet-zero-day-exploited-in-the-wild/