Introducing the CyberSift Attack Map

Cyber Attack maps are undeniably cool. They give a very intuitive visualization of what attacks are happening in a way that most people relate to very quickly. However, ever since Norse Corp imploded, security analysts have treated attack maps with much warranted caution, amid worries that the map is simply replaying recorded or fake data. We realised that as we were already collecting real data from honeypots across the world, as well as our own installations, we might as well try to recreate the ever-popular Norse Attack Map.

The result is the CyberSift Attack Map

Simply point your browser to http://attack-map.cybersift.io and enjoy seeing the attacks against the honeypots across the world whiz by in real-time. And yes, the data is about as real as it gets. Here’s a breakdown of the sources we used:

  • Our own CyberSift installations which gather attacker IPs from various IPS systems
  • T-Mobile’s DTAG Community HoneyPot Project: http://dtag-dev-sec.github.io/
  • A variety of honeypots setup by researchers around the world who very helpfully tweet whenever their honeypots are set off. For more information see:


It’s worth noting that even though the data is accurate, it would be a mistake to use such a system as a method of attribution for attacks. Most of the time, an attacker worth their salt would first compromise an innocent system and then use that as a launchpad for their subsequent attacks — meaning that the attacker is usually someone caught in the crossfire. Nevertheless, the visualisation does provide interesting insights into the attacks being launched — such as the types of attacks, the passwords attackers are using, and so on. We hope you find this resource useful, ping us at info[at]cybersift.io if you find any issues or have feedback — we’d love to hear it!