{
  "generated_at": "2026-07-12T17:45:56.947191Z",
  "window_hours": 24,
  "threat_index": {
    "value": 100,
    "label": "SEVERE",
    "basis": "volume vs a 200k/24h reference, plus observed high-severity techniques and hands-on activity"
  },
  "kpis": {
    "events": "235K",
    "unique_ips": "13,417",
    "protocols_covered": 3,
    "continents_covered": 3,
    "top_technique": {
      "id": "T1059",
      "name": "Command & Scripting Interpreter",
      "pct": 37
    }
  },
  "hourly_volume": [
    16085,
    17241,
    27964,
    22926,
    13259,
    11587,
    7180,
    4528,
    5621,
    6862,
    8040,
    6960,
    7107,
    9307,
    8061,
    10318,
    13568,
    11648,
    12545,
    10725,
    7952,
    8715,
    9547,
    10132
  ],
  "origins": [
    {
      "name": "Netherlands",
      "pct": 36
    },
    {
      "name": "United States",
      "pct": 13
    },
    {
      "name": "United Kingdom",
      "pct": 13
    },
    {
      "name": "Pakistan",
      "pct": 5
    },
    {
      "name": "France",
      "pct": 5
    },
    {
      "name": "Other",
      "pct": 28
    }
  ],
  "protocols": [
    {
      "name": "SSH",
      "pct": 78,
      "amber": false
    },
    {
      "name": "HTTP",
      "pct": 19,
      "amber": false
    },
    {
      "name": "SCADA-Modbus",
      "pct": 3,
      "amber": true
    }
  ],
  "credentials": [
    {
      "user": "admin",
      "pass": "admin",
      "count": 117
    },
    {
      "user": "support",
      "pass": "support",
      "count": 101
    },
    {
      "user": "guest",
      "pass": "123456",
      "count": 96
    },
    {
      "user": "root",
      "pass": "12345",
      "count": 94
    },
    {
      "user": "root",
      "pass": "root123",
      "count": 93
    },
    {
      "user": "user",
      "pass": "user",
      "count": 90
    }
  ],
  "mitre": [
    {
      "id": "T1059",
      "name": "Command & Scripting Interpreter",
      "pct": 37
    },
    {
      "id": "T1190",
      "name": "Exploit Public-Facing Application",
      "pct": 28
    },
    {
      "id": "T1110",
      "name": "Brute Force",
      "pct": 25
    },
    {
      "id": "T1082",
      "name": "System Information Discovery",
      "pct": 8
    },
    {
      "id": "T1105",
      "name": "Ingress Tool Transfer",
      "pct": 2
    },
    {
      "id": "T1003",
      "name": "OS Credential Dumping",
      "pct": 0
    }
  ],
  "map_origins": [
    {
      "name": "Netherlands",
      "lat": 52,
      "lon": 5,
      "pct": 36
    },
    {
      "name": "United States",
      "lat": 39,
      "lon": -98,
      "pct": 13
    },
    {
      "name": "United Kingdom",
      "lat": 54,
      "lon": -2,
      "pct": 13
    },
    {
      "name": "Pakistan",
      "lat": 30,
      "lon": 70,
      "pct": 5
    },
    {
      "name": "France",
      "lat": 46,
      "lon": 2,
      "pct": 5
    },
    {
      "name": "Germany",
      "lat": 51,
      "lon": 10,
      "pct": 5
    },
    {
      "name": "Vietnam",
      "lat": 16,
      "lon": 108,
      "pct": 3
    },
    {
      "name": "China",
      "lat": 35,
      "lon": 105,
      "pct": 3
    },
    {
      "name": "Bulgaria",
      "lat": 43,
      "lon": 25,
      "pct": 3
    },
    {
      "name": "Bangladesh",
      "lat": 24,
      "lon": 90,
      "pct": 2
    },
    {
      "name": "India",
      "lat": 21,
      "lon": 78,
      "pct": 2
    },
    {
      "name": "Brazil",
      "lat": -10,
      "lon": -52,
      "pct": 1
    }
  ],
  "feed": [
    {
      "proto": "HTTP",
      "origin": "US",
      "act": "path-permutation scan, config/.env harvest",
      "arch": "Web Exploit Scanner",
      "ac": "#94A3B8"
    },
    {
      "proto": "HTTP",
      "origin": "US",
      "act": "path-permutation scan, config/.env harvest",
      "arch": "Web Exploit Scanner",
      "ac": "#94A3B8"
    },
    {
      "proto": "HTTP",
      "origin": "US",
      "act": "path-permutation scan, config/.env harvest",
      "arch": "Web Exploit Scanner",
      "ac": "#94A3B8"
    },
    {
      "proto": "HTTP",
      "origin": "US",
      "act": "path-permutation scan, config/.env harvest",
      "arch": "Web Exploit Scanner",
      "ac": "#94A3B8"
    },
    {
      "proto": "HTTP",
      "origin": "US",
      "act": "path-permutation scan, config/.env harvest",
      "arch": "Web Exploit Scanner",
      "ac": "#94A3B8"
    },
    {
      "proto": "HTTP",
      "origin": "\u2014",
      "act": "path-permutation scan, config/.env harvest",
      "arch": "Web Exploit Scanner",
      "ac": "#94A3B8"
    }
  ],
  "nuisance_filtered": 474,
  "captures": {
    "window_days": 16,
    "events": 3762205,
    "sessions": 1013441,
    "unique_ips": 13417,
    "per_day": 235138,
    "per_week": 1645965,
    "per_month": 7054134,
    "alltime_estimate": 26162205,
    "alltime_floor": 26000000
  },
  "_notes": "Aggregated from real fleet captures. No node counts or sensor locations. Feed delayed >= 24h and redacted."
}