Our sensors detected sustained automated probe activity from IP 79.124.62.134 (Bulgaria/AS207812) between April 1-June 9, 2026, targeting multiple network services including MySQL. This appears to be …
HoneyLens Threat Intelligence
Welcome to HoneyLens — an independent research and educational project focused on network security, intrusion detection, and threat intelligence. Our honeypot sensor network captures, analyzes, and publishes real-time threat advisories on malicious IP addresses observed attacking internet-facing services.
Threat Feed
Browse IP-based threat advisories generated by our sensor network. Each post includes threat analysis, IOCs, MITRE ATT&CK mapping, and payload samples.
263 advisories published
Research
Security research and vulnerability disclosures from the HoneyLens team. Responsible disclosure through CERT coordination.
Project Status
Current development status of the HoneyLens platform, the Autonomous Fuzzing Agent, and our LLM-assisted security research.
Contact
Get in touch to report bugs, discuss research collaboration, or join the project.
Latest Threat Advisories
Iranian-origin threat actor at 81.30.98.144 conducted sustained SMTP credential harvesting operations targeting mail infrastructure over a 17-day period, generating 174,000+ malicious events with focus …
Malicious activity detected from 93.123.109.127 (NL, AS48090). 629 events observed across SMTP, TCP. AI verdict: NOISE.
An IP address from Düsseldorf, Germany (178.16.54.22) has been observed engaging in credential capture attempts and SMTP probing over a three-day period. The activity is assessed as noise but warrants…
An IP address (81.30.98.44) has been observed engaging in credential capture attempts and SMTP probing activities over a period of 7 days, primarily targeting port 25/TCP. The activity is assessed as …