Blue-Team

I finally got around to putting a honeypot on the public side of my home connection. I wasn’t trying to catch APTs. I wanted to see what hits a random residential IP when nothing is hiding it. This is a notes post about standing it up, how it’s contained, and what actually showed up in the logs after a month. Why bother Most threat intelligence I read describes the internet as a battlefield. Every unpatched device is five minutes from compromise. Every IP gets 30,000 probes a day. The numbers are usually correct. They aren’t useful unless you can map them to what your environment looks like. ...

The Illusion of Security Most environments aren’t completely unsecured. Firewalls are enabled. Logging exists. Alerts are configured. From the outside it looks fine, maybe even responsible. Controls aren’t usually missing. They’re inactive. In recent work I’ve seen environments where security features were technically enabled but effectively useless. Logs existed but nobody read them. Alerts fired and nobody came. Things broke and the outcome was the same either way. An organisation’s security is only as strong as the people interacting with it. The tooling matters less than whether someone looks at it. The architecture diagram matters less than whether someone notices when something breaks. ...