depth 3,800m // sensor active

Something is
always out there.

A honeypot sitting quietly in the dark. No announcements. No inbound links. The scanners find it anyway — drawn to any open port like creatures to a light at the bottom of the sea. This is what they do when they think no one is watching.

view live feed how it works ↓
865
sessions
day one
55
unique IPs
day one
805
login attempts
day one
176
commands run
day one
threat feed

What they do
when they get in.

Cowrie grants every attacker a convincing shell. What follows is a reliable playbook: enumerate the host, check for miners, drop a payload, disappear. Sometimes they're hunting Solana nodes. Sometimes Telegram sessions. Always automated.

honeypot-pi // cowrie  ● loading
Full event stream available in the live feed →
architecture

A trap in the dark.

A Raspberry Pi 4 running Cowrie, exposed on a non-standard port with no credentials worth stealing. Events stream from the Pi to bathysphere.tech, updating the feed in near real-time.

01
Raspberry Pi 4 // Cowrie SSH honeypot
A low-interaction SSH/Telnet honeypot that presents a convincing shell. Logs every keystroke, credential attempt, and uploaded file in structured JSON. Running on port 2222, visible to the open internet.
02
Log pusher // tail → Worker
A lightweight script on the Pi tails cowrie.json and POSTs new events to a Cloudflare Worker endpoint every 30 seconds. Events are validated, enriched, and written to KV storage.
03
Cloudflare Workers + KV
An ingest Worker authenticates and stores events. A read Worker serves the latest N events as JSON. No origin server — everything runs at the edge. KV retention keeps a rolling window of the last 10,000 events.
04
Cloudflare Pages // this site
The feed dashboard polls the read Worker every 30 seconds and appends new rows. No WebSockets needed — simple polling is plenty for this data rate. Deployed via wrangler pages deploy on git push.
sensors

What's listening.

The honeynet is expanding. Each node exposes a different attack surface. All events flow into the same feed.

SSH / Telnet
Cowrie on a Raspberry Pi 4. Port 2222. The original sensor — collecting since day one.
HTTP // port 80
Apache-based web honeypot. Coming online soon. Watching for scanner fingerprints and payload delivery attempts.
Expanding
SMB, FTP, DNS, and database surfaces planned across a stack of Pi nodes. All feeding this feed.
ready

See what's out there.

The feed is live. Events are real. All IPs are anonymized. No accounts, no tracking — just the data.

open live feed source on github →