Open Season on a Cloud Honeypot
In February 2026, I deployed a T-Pot honeypot on Google Cloud Platform and left it exposed to the internet for 28 days.
What came back was 96 million events across the full deployment, covering everything from decade-old CVEs that should have been patched years ago, to a critical React vulnerability that had been disclosed less than two months before. This series works through the data one topic at a time, documenting the patterns, the actors, and what it all suggests about the current threat landscape.
All data was pulled directly from Elasticsearch using DSL queries through Kibana Dev Tools. Every number is verifiable against raw query output saved in the project repository.
The three highest-volume CVEs across the full deployment. A 2019-patched Fortinet flaw still dominated at nearly 30,000 events, a TVT DVR authentication bypass ran steady every single day, and a React RCE disclosed two months before the deployment was already showing up in the data.
Read report →

How fast attackers picked up a newly disclosed CVE and started scanning for it in the wild.
Read report →

29,938 scanning events targeting a 2019-patched Fortinet path traversal flaw, arriving in high-volume bursts across 15 of 28 days. The burst pattern points to automated scanning infrastructure switching on and off rather than one persistent actor.
Read report →

1,878 events across all 28 days with no spikes and no silent days. That unbroken pattern points to ELEVEN11, a Mirai-based botnet actively recruiting TVT DVR devices by pulling admin credentials in cleartext with no login required.
Read report →

1,527 events across all 28 days targeting CVE-2025-55182, a critical RCE flaw disclosed two months before this deployment. Activity peaked in the first week and steadily declined as patches spread, catching the tail end of a wave that started with exploitation within hours of disclosure.
Read report →

321,116 RDP-related events in February 2026, with over 60% arriving in a single day. Background scanning ran the full 28 days, then 2026/02/17 produced 195,111 events including 60,911 authentication bypass probes before dropping back to normal two days later.
Read report →

13,522 events flagging DoublePulsar backdoor communication across 14 of 28 days, nearly a decade after the NSA implant was leaked by the Shadow Brokers. Scanners are still probing for already-infected machines on port 445 in 2026.
Read report →

6,213 SIP scan events across just 3 of 28 days, with 73.5% landing on a single day. The only VoIP-related activity in the dataset, pointing to toll fraud reconnaissance rather than the server and device scanning seen everywhere else.
Read report →

The Netherlands, Brazil, Ukraine, and the US were the top source countries across 28 days, but a single Dutch hosting provider accounted for nearly a third of all traffic. Country labels reflect infrastructure location, not attacker origin.
Read report →

Three CVEs, three distinct operational patterns. Burst scanning, steady botnet activity, and post-disclosure opportunistic scanning each point to different infrastructure behind the top threats in this dataset. Attribution stops at behavioral pattern, but the patterns are clear.
Read report →

Three major cloud providers contributed 17.4 million events across 28 days, accounting for 18.1% of all inbound attack traffic. DigitalOcean alone was responsible for 14.3%, with a small cluster of VMs in the same subnet generating the bulk of it.
Read report →

28 days of Cowrie SSH and Telnet logs. Root was the top username, most passwords were weak defaults, and two IoT device credentials, embedded in scanning tooling, made up roughly 30% of global brute-force attempts. Service account names like docker, elastic, and postgres show up because management interfaces get exposed.
Read report →

Three ports accounted for 88% of all inbound traffic across 28 days. HTTPS, VNC, and an alternate HTTPS port dominated, with a concentrated SNMP burst hitting 1.3 million events in just 48 hours before going completely silent for the rest of the month.
Read report →

Six CVEs from 2013 to 2016 that still generated meaningful scanning activity during the deployment. Shellshock, Drupalgeddon, and a 2013 Apache Struts flaw are still on the checklist for automated scanners in 2026.
Read report →

A breakdown of the top Suricata signatures fired across 28 days, from 3.4 million VNC alerts to FortiOS exploitation attempts and DoublePulsar backdoor communication. Most of the high-volume traffic is automated scanning, but a few signatures point to active exploitation attempts with mature, widely available exploit code.
Read report →

Three patterns from this deployment align with broader reporting from early 2026: a 2019-patched Fortinet flaw still leading by volume, uninterrupted IoT botnet scanning every single day, and a critical RCE active within two months of disclosure. New Fortinet flaws are being weaponized in days, not months.
Read report →