
Customer Honeypot Console

Demo telemetry from a simulated SkynetProxy collector.

This preview uses synthetic telemetry. Do not send real customer data to this demo environment.

Collector Status

Collector: skynet-collector-demo-01
Status: Online
Last heartbeat: 4/28/2026, 7:31:00 PM
Version: 0.8.2-preview
Network segment: dmz-segment-a
Events last 24h: 12

Critical Events: 3
High Events: 5
Unique Source IPs: 12
Top Targeted Service: vpn-portal
AI Triage Queue: 7

AI-Assisted Triage Summary

Likely campaign pattern: Credential abuse with mixed reconnaissance and control-plane probing.

Top attacker behavior: High-frequency auth attempts followed by service discovery and admin path enumeration.

Recommended next steps:

  • Prioritize review of critical canary credential and RDP events.
  • Apply temporary blocking for repeat high-confidence source ranges.
  • Validate exposed management services and tighten ingress policy.
  • Escalate events with confidence >= 85 for analyst verification.

Confidence caveat: AI-assisted analysis is informational and should be reviewed by a human operator.
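The headline figures and the triage queue above are derived from the event stream rather than stored separately. The following Python is an added example (not the console's own code) that rebuilds them from the twelve synthetic events listed on this page and applies the recommended-steps rules: canary hits first, critical before high, and a separate escalation set for confidence >= 85. The Event class, the field names and the ordering key are this example's assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: str
    src_ip: str
    service: str
    severity: str   # critical / high / medium / low
    status: str     # new / triaged / ignored
    confidence: int
    canary: bool = False  # true when a decoy (honey) credential fired


# Constructed sample: the twelve synthetic events in this page's event stream, newest first.
EVENTS = [
    Event("2026-04-28T19:28:35", "5.188.206.11", "vpn-portal", "high", "new", 79),
    Event("2026-04-28T19:19:58", "44.208.193.12", "http", "low", "ignored", 58),
    Event("2026-04-28T19:12:09", "89.248.165.77", "edge-gateway", "high", "triaged", 84),
    Event("2026-04-28T19:04:40", "61.177.172.33", "honeypot-creds", "critical", "new", 96, canary=True),
    Event("2026-04-28T18:57:26", "159.89.14.220", "k8s-dashboard", "medium", "ignored", 72),
    Event("2026-04-28T18:51:38", "212.47.233.18", "internal-rpc", "critical", "new", 90),
    Event("2026-04-28T18:46:02", "91.214.124.201", "auth-api", "high", "new", 88),
    Event("2026-04-28T18:39:17", "198.199.73.9", "dns", "medium", "triaged", 69),
    Event("2026-04-28T18:31:42", "77.91.124.66", "https-admin", "high", "new", 82),
    Event("2026-04-28T18:24:55", "103.249.70.31", "rdp", "critical", "new", 91),
    Event("2026-04-28T18:19:03", "45.95.147.12", "smb", "medium", "triaged", 74),
    Event("2026-04-28T18:14:11", "185.220.102.244", "ssh", "high", "new", 86),
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
ESCALATE_CONFIDENCE = 85  # the page's "confidence >= 85" escalation rule


def summary(events):
    """The five headline figures shown on the console, derived from the event list."""
    by_severity = Counter(e.severity for e in events)
    by_service = Counter(e.service for e in events)
    return {
        "critical": by_severity["critical"],
        "high": by_severity["high"],
        "unique_src_ips": len({e.src_ip for e in events}),
        "top_service": by_service.most_common(1)[0][0],  # ties resolve to the newest event
        "triage_queue": sum(1 for e in events if e.status == "new"),
    }


def triage_queue(events):
    """Untriaged events in analyst order: canary hits first, then severity, then confidence."""
    queue = [e for e in events if e.status == "new"]
    queue.sort(key=lambda e: (not e.canary, SEVERITY_RANK[e.severity], -e.confidence))
    return queue


def escalations(events, threshold=ESCALATE_CONFIDENCE):
    """Events that meet the confidence bar for analyst verification, whatever their status."""
    return [e for e in events if e.confidence >= threshold]


if __name__ == "__main__":
    print(summary(EVENTS))
    for e in triage_queue(EVENTS):
        print(f"{e.severity:8} {e.confidence:3}% {e.service:15} {e.src_ip}")
```

Note that escalations() ignores status on purpose: the edge-gateway scan at 84% stays out, but the already-triaged events still count if they clear the bar, so a triage mistake does not hide a high-confidence hit.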

Event Stream (Synthetic)

Showing 12 of 12 events

Severity: high | Status: new

4/28/2026, 7:28:35 PM | 5.188.206.11 (UA) | vpn-portal

MFA fatigue simulation - Repeated push-notification prompts sent to a seeded user profile in an attempt to obtain an approval.

Technique: Credential Access (T1621) | Confidence: 79%

AI assessment: Pattern is consistent with push fatigue abuse tactic.

Recommended action: Enable number matching and lock account after repeated push denials.

Signal: MFA push requests: 18 within 11 minutes to single identity

Severity: low | Status: ignored

4/28/2026, 7:19:58 PM | 44.208.193.12 (US) | http

Directory traversal probe - Single request attempted traversal payload against static file route.

Technique: Initial Access (T1190) | Confidence: 58%

AI assessment: Low-volume opportunistic probe with no successful follow-up.

Recommended action: Maintain WAF rule and monitor for repeated source behavior.

Signal: GET /static/../../../../etc/passwd
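A WAF signature catches the literal "../" in the signal above, but the static file route itself is where the request has to fail. The following Python is an added example (not the console's or the honeypot's code) of a hardened resolver for a /static/ route: it decodes twice to catch double-encoded dots, normalises the path, and then checks the normalised result is still under the document root. The document root, the route prefix and the access-log excerpt are constructed for this example.

```python
import posixpath
from urllib.parse import unquote

STATIC_ROOT = "/srv/www/static"   # assumed document root for the /static/ route
URL_PREFIX = "/static/"


def resolve_static(request_path, root=STATIC_ROOT):
    """Map a request path to a file under `root`, or return None if it would escape.

    Decodes twice to catch double-encoded dots (%252e), normalises '..' segments with
    posixpath.normpath, then checks the result is still inside the root.  The prefix check
    runs on the normalised absolute path, so '..' chains and absolute paths both fail.
    """
    decoded = unquote(unquote(request_path.split("?", 1)[0]))
    if not decoded.startswith(URL_PREFIX):
        return None
    relative = decoded[len(URL_PREFIX):]
    if "\x00" in relative:                       # NUL bytes truncate paths in C runtimes
        return None
    target = posixpath.normpath(posixpath.join(root, relative))
    if target != root and not target.startswith(root + "/"):
        return None
    return target


def traversal_probes(request_lines):
    """Return the /static/ request paths in an access-log excerpt that resolve_static rejects."""
    probes = []
    for line in request_lines:
        method, path = line.split(" ", 2)[:2]
        if method in ("GET", "HEAD") and path.startswith(URL_PREFIX) and resolve_static(path) is None:
            probes.append(path)
    return probes


# Constructed access-log excerpt; the first request is the signal shown above.
SAMPLE_REQUESTS = [
    "GET /static/../../../../etc/passwd HTTP/1.1",
    "GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1",
    "GET /static/%252e%252e/%252e%252e/etc/shadow HTTP/1.1",
    "GET /static//etc/passwd HTTP/1.1",
    "GET /static/css/app.css HTTP/1.1",
    "GET /static/img/../js/app.js HTTP/1.1",
]

if __name__ == "__main__":
    for path in traversal_probes(SAMPLE_REQUESTS):
        print("rejected:", path)
```

The fourth sample request matters: posixpath.join discards the root when the relative part starts with "/", so a check that only looks for ".." would let "/static//etc/passwd" through. Checking the final path against the root catches every variant at once.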

Severity: high | Status: triaged

4/28/2026, 7:12:09 PM | 89.248.165.77 (GB) | edge-gateway

Port scan burst - Fast scan across 24 ports including RDP, SMB, WinRM, and admin web ports.

Technique: Discovery (T1046) | Confidence: 84%

AI assessment: Reconnaissance burst likely preceding exploit validation attempts.

Recommended action: Add temporary block and verify exposed service inventory.

Signal: SYN scan: ports 21,22,80,443,445,3389,5985,8080,8443 ... in 18s

Severity: critical | Status: new

4/28/2026, 7:04:40 PM | 61.177.172.33 (CN) | honeypot-creds

Honey credential use - Decoy credential token was replayed against management endpoint.

Technique: Initial Access (T1078) | Confidence: 96%

AI assessment: High-confidence malicious activity due to canary credential trigger.

Recommended action: Escalate incident review and rotate adjacent real credentials immediately.

Signal: Auth success with canary credential id=decoy-admin-17 from untrusted source

Severity: medium | Status: ignored

4/28/2026, 6:57:26 PM | 159.89.14.220 (CA) | k8s-dashboard

Exposed admin panel probe - Requests targeted common Kubernetes and container dashboard endpoints.

Technique: Discovery (T1046) | Confidence: 72%

AI assessment: Generalized cloud control-plane reconnaissance pattern.

Recommended action: Restrict dashboard endpoints and audit public ingress rules.

Signal: GET /api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

Severity: critical | Status: new

4/28/2026, 6:51:38 PM | 212.47.233.18 (FR) | internal-rpc

Lateral movement probe - Sequential RPC probes attempted against decoy service mesh endpoints.

Technique: Lateral Movement (T1021) | Confidence: 90%

AI assessment: Pattern resembles post-compromise lateral movement, here produced by an external scanner set probing the decoy endpoints.

Recommended action: Review east-west ACLs and disable unused RPC exposure.

Signal: rpc bind attempts: svc-node-1 -> svc-node-7 over 135/tcp and 445/tcp

Severity: high | Status: new

4/28/2026, 6:46:02 PM | 91.214.124.201 (PL) | auth-api

Credential stuffing pattern - High-velocity login attempts with rotating user agents and reused passwords.

Technique: Credential Access (T1110.004) | Confidence: 88%

AI assessment: Distribution strongly indicates credential stuffing campaign.

Recommended action: Throttle login endpoint and enforce adaptive challenge controls.

Signal: POST /login 310 attempts | 124 usernames | 5 password variants
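The signal above reports attempts, usernames and password variants; how those three figures relate is what separates credential stuffing from password spraying and plain brute force. The following Python is an added example (not the console's classifier) that labels a burst of login attempts from one source by the way usernames and passwords combine, using the ATT&CK T1110 sub-technique names. The thresholds and the three constructed attempt sets are this example's assumptions; it counts distinct password strings, so the 124-account stuffing sample shows 310 distinct passwords rather than the five variant patterns the signal line counts.

```python
from collections import Counter, defaultdict


def classify_login_burst(attempts):
    """Classify a burst of login attempts from one source by how usernames and passwords combine.

    attempts: iterable of (username, password) pairs as seen by a honeypot login endpoint
    (a real collector would hash or fingerprint the password, never store it).
    Returns (label, stats).  Labels follow ATT&CK T1110 sub-techniques; the thresholds
    are this example's assumptions, not the console's.
    """
    attempts = list(attempts)
    users = Counter(u for u, _ in attempts)
    users_by_password = defaultdict(set)
    for u, p in attempts:
        users_by_password[p].add(u)
    stats = {
        "attempts": len(attempts),
        "users": len(users),
        "passwords": len(users_by_password),
        # average number of distinct accounts each password was tried against
        "sharing": (sum(len(s) for s in users_by_password.values()) / len(users_by_password)
                    if users_by_password else 0.0),
    }
    if stats["users"] <= 3 and stats["passwords"] >= 20:
        label = "brute force (T1110.001)"          # few accounts, many guesses each
    elif stats["users"] >= 20 and stats["sharing"] >= 10:
        label = "password spraying (T1110.003)"    # the same few passwords across many accounts
    elif stats["users"] >= 20 and stats["sharing"] < 1.5:
        label = "credential stuffing (T1110.004)"  # each account tried with its own leaked pairs
    else:
        label = "inconclusive"
    return label, stats


def stuffing_sample():
    """Constructed: 124 accounts, each tried with 2 or 3 variants of its own leaked password (310 attempts)."""
    suffixes = ["", "!", "1", "2024", "123"]   # five variant patterns, as in the signal above
    attempts = []
    for i in range(124):
        user = f"user{i:03d}@example.com"
        for k in range(3 if i < 62 else 2):
            attempts.append((user, f"leaked-{i}-{suffixes[(i + k) % 5]}"))
    return attempts


def spray_sample():
    """Constructed: two seasonal passwords tried against 80 accounts."""
    return [(f"user{i:03d}", pw) for pw in ("Spring2026!", "Welcome1") for i in range(80)]


def brute_sample():
    """Constructed: one account, 50 dictionary guesses."""
    return [("administrator", f"password{n}") for n in range(50)]


if __name__ == "__main__":
    for sample in (stuffing_sample, spray_sample, brute_sample):
        print(sample.__name__, *classify_login_burst(sample()))
```

The "sharing" figure is the useful one operationally: a password reused across dozens of accounts is a spray and calls for lockout-resistant controls such as per-source throttling, whereas one-password-per-account pairs are leaked credentials and the affected accounts need a forced reset.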

Severity: medium | Status: triaged

4/28/2026, 6:39:17 PM | 198.199.73.9 (US) | dns

Suspicious DNS beacon - Periodic TXT lookups to newly observed domain every 90 seconds.

Technique: Command and Control (T1071.004) | Confidence: 69%

AI assessment: Could indicate low-volume beaconing, confidence limited by short window.

Recommended action: Sinkhole domain and capture endpoint process telemetry for validation.

Signal: dns query type=TXT host=sync-node-cache[.]com interval=90s
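The assessment above is cautious because regularity is the whole signal: a 90-second TXT lookup cadence is only meaningful once enough samples show the interval barely varies. The following Python is an added example (not the console's detector) that scores query names by the coefficient of variation of their inter-query intervals, which is how a timer-driven beacon is separated from bursty human or cache-driven lookups. The resolver log records, the qtype filter and the 0.2 cutoff are constructed assumptions.

```python
import statistics
from datetime import datetime, timedelta


def beacon_candidates(queries, min_queries=5, max_cv=0.2, qtypes=("TXT",)):
    """Flag query names resolved on a suspiciously regular schedule.

    queries: iterable of (timestamp, qname, qtype) from a resolver or honeypot DNS log.
    For each name with at least `min_queries` lookups of a type in `qtypes`, compute the
    inter-query intervals and their coefficient of variation (stdev / mean).  Human or
    cache-driven traffic is bursty (cv well above 1); a timer-driven beacon is not.
    Returns {qname: {"count", "mean_interval", "cv"}} for names at or under `max_cv`.
    """
    by_name = {}
    for ts, qname, qtype in queries:
        if qtype in qtypes:
            by_name.setdefault(qname.rstrip(".").lower(), []).append(ts)
    hits = {}
    for qname, stamps in by_name.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < 2:
            continue
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            hits[qname] = {"count": len(stamps), "mean_interval": mean, "cv": cv}
    return hits


def sample_dns_log():
    """Constructed resolver log: a TXT beacon every ~90 s with small jitter, plus ordinary lookups."""
    base = datetime(2026, 4, 28, 18, 24, 0)
    jitter = [0, 2, -1, 3, 0, -2, 1, 0, -3]      # seconds of jitter per interval, sums to zero
    records, t = [(base, "sync-node-cache.com.", "TXT")], base
    for j in jitter:
        t += timedelta(seconds=90 + j)
        records.append((t, "sync-node-cache.com.", "TXT"))
    for offset in (5, 135, 147, 547, 607, 610, 860):        # irregular A lookups
        records.append((base + timedelta(seconds=offset), "cdn.example.net.", "A"))
    for offset in (3, 40, 41, 300, 620, 625):               # irregular TXT (SPF-style) lookups
        records.append((base + timedelta(seconds=offset), "mail.example.org.", "TXT"))
    return records


if __name__ == "__main__":
    for name, info in beacon_candidates(sample_dns_log()).items():
        print(f"{name}: {info['count']} queries, mean {info['mean_interval']:.1f}s, cv {info['cv']:.3f}")
```

The mail.example.org lookups are the control case: they are TXT queries and there are enough of them, but their intervals vary by two orders of magnitude, so they are not flagged. Real implants add deliberate jitter, so the cutoff is a tuning knob, not a constant; widen it and raise min_queries together.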

Severity: high | Status: new

4/28/2026, 6:31:42 PM | 77.91.124.66 (RU) | https-admin

Web admin path scan - Scanner hit 42 known admin paths including /phpmyadmin and /wp-admin.

Technique: Reconnaissance (T1595.003) | Confidence: 82%

AI assessment: Automated path enumeration likely searching for exposed control panels.

Recommended action: Add IP filtering and remove public exposure of admin interfaces.

Signal: GET /admin /phpmyadmin /wp-admin /manager/html within 22s

Severity: critical | Status: new

4/28/2026, 6:24:55 PM | 103.249.70.31 (SG) | rdp

RDP login attempt - RDP attempts targeted disabled service account followed by admin alias retries.

Technique: Initial Access (T1133) | Confidence: 91%

AI assessment: Behavior aligns with opportunistic internet RDP attack kits.

Recommended action: Disable direct RDP ingress and require VPN with MFA.

Signal: RDP AUTH FAIL sequence: svc_backup, administrator, admin01

Severity: medium | Status: triaged

4/28/2026, 6:19:03 PM | 45.95.147.12 (NL) | smb

SMB probe - Rapid SMB negotiation requests observed across multiple host aliases.

Technique: Discovery (T1046) | Confidence: 74%

AI assessment: Likely reconnaissance stage for lateral movement feasibility.

Recommended action: Restrict SMB exposure to approved internal segments only.

Signal: SMB NEGOTIATE request burst, dialect attempts: 3.1.1, 3.0.2, 2.1

Severity: high | Status: new

4/28/2026, 6:14:11 PM | 185.220.102.244 (DE) | ssh

SSH brute force - 74 failed SSH logins in 3 minutes against admin-like usernames.

Technique: Credential Access (T1110) | Confidence: 86%

AI assessment: Pattern matches automated credential spray rather than manual probing.

Recommended action: Block source subnet and enforce key-only SSH authentication.

Signal: sshd[991]: Failed password for root from 185.220.102.244 port 51744 ssh2
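Three events on this page (the MFA push burst, the 18-second port scan and this SSH brute force) are the same detection: too many events against one key inside a sliding window. The following Python is an added example (not the collector's code) of that detector, with a parser for the sshd "Failed password" line shown in the signal above and constructed samples for the SSH and MFA cases. The syslog prefix format, the thresholds and the sample log lines are this example's assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd "Failed password" line with a classic syslog prefix (month day time host); assumed
# format matching the signal above.  Journald or RFC 5424 timestamps need another prefix.
SSHD_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_sshd_failure(line, year=2026):
    """Return (timestamp, source_ip, username) for a failed-password line, else None."""
    m = SSHD_FAIL.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


def burst_sources(events, window, threshold):
    """Sliding-window burst detector.

    events: iterable of (timestamp, key) pairs in any order; key is whatever the burst is
    counted against (source IP, target identity, ...).  Returns {key: peak_count} for every
    key that had at least `threshold` events inside some span of length `window`.
    """
    recent = defaultdict(deque)
    peaks = {}
    for ts, key in sorted(events, key=lambda e: e[0]):
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:        # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks


def ssh_bursts(lines, window=timedelta(minutes=3), threshold=20):
    """Source IPs with `threshold` or more failed SSH logins inside `window`."""
    events = []
    for line in lines:
        parsed = parse_sshd_failure(line)
        if parsed:
            events.append((parsed[0], parsed[1]))
    return burst_sources(events, window, threshold)


def mfa_fatigue(pushes, window=timedelta(minutes=11), threshold=10):
    """Identities that received `threshold` or more push prompts inside `window`."""
    return burst_sources(pushes, window, threshold)


def sample_sshd_lines():
    """Constructed auth.log excerpt: 74 failures in 3 minutes from one source, plus one benign typo."""
    base = datetime(2026, 4, 28, 18, 11, 11)
    users = ["root", "admin", "administrator", "admin01"]
    lines = []
    for i in range(74):
        t = base + timedelta(seconds=i * 180 // 74)
        prefix = "invalid user " if i % 2 else ""
        lines.append(f"{t:%b %d %H:%M:%S} honeypot sshd[991]: Failed password for "
                     f"{prefix}{users[i % 4]} from 185.220.102.244 port {51000 + i} ssh2")
    lines.append("Apr 28 18:12:40 honeypot sshd[1012]: Failed password for ops from 10.0.4.7 port 50122 ssh2")
    return lines


def sample_mfa_pushes():
    """Constructed IdP push log as (timestamp, identity): 18 pushes to one user inside 11 minutes."""
    base = datetime(2026, 4, 28, 19, 17, 0)
    pushes = [(base + timedelta(seconds=35 * i), "j.doe") for i in range(18)]
    pushes += [(base + timedelta(minutes=2), "a.smith"), (base + timedelta(minutes=9), "a.smith")]
    return pushes


if __name__ == "__main__":
    print("ssh bursts:", ssh_bursts(sample_sshd_lines()))
    print("mfa fatigue:", mfa_fatigue(sample_mfa_pushes()))
```

Keying is the design decision: brute force is keyed on source IP, MFA fatigue on the target identity (the pushes may come from many sources), and a port scan would be keyed on source IP with each distinct destination port as an event. The deque keeps memory per key bounded by the window, which is what makes this safe to run on a streaming collector.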