TrapLayer Live Observatory

Live deception intelligence. AI-era attacks, observed in the wild. Public signal. Commercial-grade feeds.

Loading attack map... Auto-updating
LIVE

TrapLayer Observatory

Threat intelligence from attackers who take the bait.

TrapLayer turns controlled deception infrastructure into public-safe research, paid IOC feeds, SIEM-ready telemetry, and AI-agent attack intelligence.

Live collection Public-safe aggregate view
AI-agent traps

Prompt probes, autonomous browsing, tool misuse, and agent-like traffic patterns.

Cloud credential lures

Metadata, `.env`, Terraform, kubeconfig, and CI secret hunting without real secrets.

Supply-chain telemetry

Git, CI/CD, container registry, Kubernetes, and package registry reconnaissance.

Protocol collectors

SSH and SCADA/OT facades that reveal attacker intent while staying isolated.

AI Attack Intelligence

Agent Behavior Signals

No AI signal yet

No reportable AI-agent events are available in this window.

AI events0
Prompt attacks0
Tool abuse0
RAG/memory probes0

Tactics

Observed AI Patterns

No AI-agent attack signals yet0

Public vs Private

What This Observatory Shows

Public pages show enough signal to prove coverage and trends. Raw evidence, canaries, headers, payloads, and customer controls stay private.

Get customer telemetry
PublicAggregate trends

Counts, severity, category, coarse geography, and sanitized event summaries.

CustomerStructured feeds

JSON, STIX-style JSON, and SIEM CEF outputs with confidence and taxonomy fields.

PrivateRaw evidence

Payloads, request traits, canary lineage, collector details, and operational notes.

RoadmapIndustry stacks

Energy, SaaS, fintech, healthcare, legal, security, and DevOps-focused lure networks.

Why TrapLayer Wins

Threat intelligence built from live attacker behavior, not stale lists.

TrapLayer combines public observability with private customer telemetry from realistic lure companies, cloud traps, protocol collectors, canaries, and AI-agent bait.

Compare plans
Traditional feeds

Static indicators and delayed context

Most feeds center on IPs, hashes, domains, or retroactive enrichment. Useful, but often thin on attacker intent.

  • Fast to ingest, but easy for attackers to rotate around
  • Limited visibility into hands-on behavior and payload goals
  • Usually detached from customer-specific lure campaigns
Generic honeypots

Signals without productized delivery

Standalone traps can catch noise, but often lack tenant controls, analyst workflows, billing, SIEM formats, and public proof.

  • Harder to package for SOC teams and customers
  • Often focused on one protocol instead of full attack journeys
  • Less emphasis on clean reporting and human-readable value
CapabilityTrapLayerTraditional feedsGeneric honeypots
Live attacker intentNativeLimitedPartial
AI-agent lure coverageBuilt inRareRare
Industry-specific campaignsEnergy, SaaS, fintech, healthcare, DevOpsBroad tagsManual setup
Customer-ready feedsJSON, SIEM, dashboardsUsually yesUsually no
Public proof layerLive observatory and reportsMarketing claimsUncommon

14-Day Activity

Threat Categories

scanner 494
benign 4

Severity

high 212
medium 282
info 4

Top Classifications

unknown_suspicious282
exploit_scanner212
benign_unknown4

Top Lures

/favicon.ico16
/.env10
/.env.production8
/.env.local7
/wp-admin/install.php7
/config.json6
/.env.bak5
/.git/config5

Client Types

browser394
unknown69
tool35

Sanitized Evidence

Recent Anonymized Events

Open report
TimeTypePathCategoryClassSeverityRiskSummary
2026-07-10 06:03:53 scanner_probe /wp-admin/install.php scanner exploit_scanner high 80 Open
2026-07-10 05:54:49 scanner_probe /wp-admin/install.php scanner exploit_scanner high 80 Open
2026-07-10 05:44:51 scanner_probe /wp-admin/install.php scanner exploit_scanner high 80 Open
2026-07-10 05:24:50 scanner_probe /wp-admin/install.php scanner exploit_scanner high 80 Open
2026-07-10 05:14:19 scanner_probe /.aws/credentials scanner exploit_scanner high 80 Open
2026-07-10 05:14:19 scanner_probe /backend/.env scanner exploit_scanner high 80 Open
2026-07-10 05:14:19 scanner_probe /.env.local scanner exploit_scanner high 80 Open
2026-07-10 05:14:19 scanner_probe /config.env scanner exploit_scanner high 80 Open
2026-07-10 05:14:19 scanner_probe /api/.env scanner exploit_scanner high 80 Open
2026-07-10 05:14:19 scanner_probe /.env.production scanner exploit_scanner high 80 Open
2026-07-10 05:14:19 scanner_probe /.env.bak scanner exploit_scanner high 80 Open
2026-07-10 05:14:19 scanner_probe /app/.env scanner exploit_scanner high 80 Open