National Security Live Telemetry

Asymmetric Cyber Defence

FDRP in production defending mail.loftrek.ro: cross-model threat analysis, progressive disclosure, and multi-CERT coordination against nation-state TTPs and commodity botnets. All metrics below are live from the claude-admin intelligence store as of 2026-04-16.

46,492 Attacks Blocked lifetime
100% Block Rate 46,492 / 46,492
4 Attributed Campaigns ASN-level infra
7 HIGH Incidents Open + 1 resolved
32 Attack Patterns 6 MITRE domains
8 Active IOCs threat intel feed

30-Day Attack Volume — Blocked at the Edge

34,931 events · 4,993 unique IPs · peak 2,129 on 2026-04-11

Source: SELECT DATE(detected_at) d, COUNT(*) c FROM fdrp_attack_events WHERE detected_at > DATE_SUB(NOW(),INTERVAL 30 DAY) GROUP BY d · c6_mysql_intelligence · 2026-04-16 09:40 UTC


Attack Surface Distribution (7d)

IMAP credential stuffing dominates, followed by SSH brute force and HTTPS probing. All three are fully mitigated: 100% of the 7,888 events in the 7-day window were blocked before authentication or request processing.

4,159 IMAP · 52.7%
2,765 SSH · 35.1%
964 HTTPS · 12.2%

1,660 unique source IPs in the 7-day window · 344 unique IPs in the last 24h (872 events).

Attributed Campaigns

FDRP campaign correlation groups attack events by ASN, fingerprint, and MITRE technique cluster. Four campaigns are currently ACTIVE; none have progressed past reconnaissance or credential exhaustion.

Webshell · Active

AZURE-WEBSHELL-86 — "Cloud Shadows"

Member IPs: 73
Total Hits: 328,005
First Seen: 2026-03-01

ASN: AS8075 · Microsoft Corporation (Azure ingress abuse)

Scanner · Active

CONFIG-SCANNER-185 — FBW/Fiberway probes

Member IPs: 10
Total Hits: 334,904
First Seen: 2026-03-01

Concentrated probe of router management surfaces and ISP config endpoints

Scanner · Active

CF-WORKERS-ABUSE

Member IPs: 1,842
Total Hits: 25,000
First Seen: 2026-03-01

ASN: AS13335 · Cloudflare Inc. — Workers platform abused as probe fan-out

Credential Stuffing · Active

IMAP-CREDENTIAL-STUFFING-DO — "Jingle Shells"

Member IPs: 20
Total Hits: 1,904
First Seen: 2026-03-14

DigitalOcean + Alibaba + Baidu infrastructure, rotating IPs

Source: SELECT * FROM fdrp_campaigns WHERE status='ACTIVE' ORDER BY total_hits DESC · 6 campaigns total, top 4 shown.
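The campaign cards above are the output of grouping raw events by ASN and fingerprint and aggregating membership, hit count and first-seen time. The following is an added illustration of that correlation step, not FDRP's own code: the event tuple layout, the (asn, fingerprint) cluster key, the `min_members` promotion threshold and the sample events are all assumptions. AS8075 and AS13335 are the ASNs named on the page; AS64496 is a documentation ASN and every IP is an RFC 5737 documentation address.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events, not page telemetry:
# (detected_at, source_ip, asn, fingerprint, mitre_technique).
SAMPLE_EVENTS = [
    (datetime(2026, 3, 1, 4, 12), "192.0.2.10",   "AS8075",  "ua:Go-http-client/1.1", "T1505.003"),
    (datetime(2026, 3, 1, 4, 15), "192.0.2.11",   "AS8075",  "ua:Go-http-client/1.1", "T1505.003"),
    (datetime(2026, 3, 2, 9, 40), "192.0.2.12",   "AS8075",  "ua:Go-http-client/1.1", "T1190"),
    (datetime(2026, 3, 3, 1, 5),  "192.0.2.10",   "AS8075",  "ua:Go-http-client/1.1", "T1505.003"),
    (datetime(2026, 3, 3, 1, 6),  "192.0.2.11",   "AS8075",  "ua:Go-http-client/1.1", "T1505.003"),
    (datetime(2026, 3, 5, 12, 0), "198.51.100.7", "AS13335", "ua:Cloudflare-Workers", "T1595.002"),
    (datetime(2026, 3, 6, 12, 0), "198.51.100.8", "AS13335", "ua:Cloudflare-Workers", "T1595.002"),
    # same ASN as the first cluster but a different fingerprint: stays a separate cluster
    (datetime(2026, 3, 7, 8, 0),  "192.0.2.50",   "AS8075",  "imap:AUTH=PLAIN",       "T1110.001"),
    # lone source with its own ASN and fingerprint: never reaches campaign size
    (datetime(2026, 3, 8, 8, 0),  "203.0.113.9",  "AS64496", "ua:curl/8.5.0",         "T1046"),
]


def correlate(events):
    """Cluster events on (asn, fingerprint); collect member IPs, hits,
    techniques and the earliest detection time per cluster."""
    clusters = defaultdict(lambda: {"member_ips": set(), "total_hits": 0,
                                    "first_seen": None, "techniques": set()})
    for detected_at, ip, asn, fingerprint, technique in events:
        c = clusters[(asn, fingerprint)]
        c["member_ips"].add(ip)
        c["total_hits"] += 1
        c["techniques"].add(technique)
        if c["first_seen"] is None or detected_at < c["first_seen"]:
            c["first_seen"] = detected_at
    return clusters


def active_campaigns(clusters, min_members=2):
    """Promote clusters with at least min_members distinct IPs to campaigns,
    ordered like the page's query (total_hits DESC). min_members is an assumption."""
    campaigns = []
    for (asn, fingerprint), c in clusters.items():
        if len(c["member_ips"]) < min_members:
            continue
        campaigns.append({
            "asn": asn,
            "fingerprint": fingerprint,
            "member_ips": len(c["member_ips"]),
            "total_hits": c["total_hits"],
            "first_seen": c["first_seen"].date().isoformat(),
            "techniques": sorted(c["techniques"]),
        })
    campaigns.sort(key=lambda x: x["total_hits"], reverse=True)
    return campaigns


if __name__ == "__main__":
    for camp in active_campaigns(correlate(SAMPLE_EVENTS)):
        print(f"{camp['asn']} {camp['fingerprint']}: {camp['member_ips']} IPs, "
              f"{camp['total_hits']} hits, first seen {camp['first_seen']}, "
              f"techniques {','.join(camp['techniques'])}")
```

Keying on fingerprint as well as ASN is what keeps an IMAP spray from the same cloud provider out of a webshell-probe campaign; collapsing on ASN alone would merge unrelated tenants of a large provider into one cluster.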

Attack Pattern Coverage — 32 Techniques Across 6 MITRE Domains

Every blocked event is classified against a curated pattern library mapped to MITRE ATT&CK IDs. Detection regexes and prevention playbooks are stored alongside each pattern; ten critical/high-severity techniques span execution and persistence boundaries.

EXPLOITATION 10
  • COMMAND_INJECTION · T1059
  • WEBSHELL_UPLOAD · T1505.003
  • SQL_INJECTION · T1190
  • PATH_TRAVERSAL · T1083
  • CGI_EXPLOIT · T1190
  • SMTP_RELAY_ABUSE · T1071.003
  • XSS_PROBE · T1059.007
  • WORDPRESS_XMLRPC · T1190
  • POSTSCREEN_DNSBL · T1071.003
  • POSTSCREEN_PREGREET · T1071.003
CREDENTIAL 8
  • IMAP_BRUTE_FORCE · T1110.001
  • SMTP_AUTH_SPRAY · T1110.003
  • WEB_LOGIN_BRUTE · T1110.001
  • API_KEY_EXPOSURE · T1552.004
  • POP3_CRED_STUFFING · T1110.004
  • SSH_DICTIONARY · T1110.001
  • ROLE_ENUMERATION · T1589.002
  • SSH_INVALID_USER · T1110.001
CONFIG_DRIFT 5
  • CERT_EXPIRY · T1588.004
  • PACKAGE_DOWNGRADE · T1195.002
  • FIREWALL_RULE_CHANGE · T1562.004
  • NEW_PORT_LISTENER · T1571
  • PERMISSION_CHANGE · T1222
RECONNAISSANCE 4
  • VULN_SCAN · T1595.002
  • DIRECTORY_BRUTE · T1083
  • PORT_SCAN · T1046
  • USER_AGENT_BOT · T1592
PERSISTENCE 3
  • CRON_MANIPULATION · T1053.003
  • SSH_KEY_INJECTION · T1098.004
  • CONFIG_BACKDOOR · T1543
DENIAL_OF_SERVICE 2
  • SMTP_FLOOD · T1499.001
  • AUTH_FLOOD · T1499.001

Source: SELECT domain, COUNT(*) FROM fdrp_attack_patterns GROUP BY domain · Pattern library is append-only; deprecated techniques retained for historical attribution.

Active Security Incidents

FDRP's detection layer raised eight incidents in the last 30 days. Seven remain in DETECTED state under ongoing monitoring; the distributed POP3 botnet has been fully contained after its peak of 1,484+ failures/day decayed to baseline.

  • HIGH
    Attack spike — EXPLOITATION domain
    38 events/hr vs 6/hr baseline (6.3× ratio) · detected 2026-03-30 22:02 UTC · status: DETECTED
  • HIGH
    Attack spike — EXPLOITATION domain
    53/hr vs 16/hr baseline (3.3×) · detected 2026-03-16 21:03 UTC · status: DETECTED
  • HIGH
    Attack spike — CREDENTIAL domain
    599/hr vs 1/hr baseline (599×) · detected 2026-03-08 21:04 UTC · status: DETECTED
  • HIGH
    SSL certificate expiring — mail.loftrek.ro:587
    CERT_EXPIRY pattern triggered, 0 days remaining at detection · 2026-03-08 20:49 UTC
  • RESOLVED
    Distributed POP3 credential-stuffing botnet — 1,484+ failures/day
    82-513 rotating IPs across cloud providers, 97.5% POP3 PLAIN, 1 attempt/IP/~17min. No breach — all attacked usernames nonexistent.

Showing 5 of 8 incidents. Three additional HIGH spikes (CREDENTIAL 306×, EXPLOITATION 17× and 10×) were logged on 2026-03-08 during baseline calibration.
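The spike incidents above all follow one shape: a per-domain hourly count compared against a baseline rate, with the ratio reported. The block below is an added example of that detection logic, not FDRP's code. The page does not say how the baseline is derived or where the alert threshold sits, so the median-of-the-previous-24-hours baseline, the 1/hr floor and the 3× threshold are assumptions; the sample telemetry is constructed so that its final hour reproduces the first incident's 38/hr against a 6/hr baseline.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

# Constructed sample telemetry, not page data: (detected_at, mitre_domain).
# 24 quiet hours carry 6 EXPLOITATION and 2 CREDENTIAL events each; the 25th
# hour carries 38 EXPLOITATION events, mirroring the first incident above.
START = datetime(2026, 3, 29, 22, 0)


def make_sample_events():
    events = []
    for h in range(24):
        hour = START + timedelta(hours=h)
        events += [(hour + timedelta(minutes=10 * i), "EXPLOITATION") for i in range(6)]
        events += [(hour + timedelta(minutes=30 * i + 5), "CREDENTIAL") for i in range(2)]
    spike = START + timedelta(hours=24)
    events += [(spike + timedelta(seconds=90 * i), "EXPLOITATION") for i in range(38)]
    events += [(spike + timedelta(minutes=30 * i + 5), "CREDENTIAL") for i in range(2)]
    return events


def hourly_counts(events, domain):
    """Per-hour event counts for one MITRE domain, as a list of (hour, count)
    sorted by hour. Empty hours are filled with zero so gaps count as quiet."""
    counts = Counter(ts.replace(minute=0, second=0, microsecond=0)
                     for ts, dom in events if dom == domain)
    if not counts:
        return []
    hour, last = min(counts), max(counts)
    hours = []
    while hour <= last:
        hours.append((hour, counts.get(hour, 0)))
        hour += timedelta(hours=1)
    return hours


def detect_spikes(hourly, baseline_hours=24, min_ratio=3.0):
    """Flag an hour whose count reaches min_ratio times the baseline, taken as
    the median of the preceding baseline_hours hours and floored at 1/hr so an
    idle domain cannot divide by zero. Median baseline and the 3x threshold are
    assumptions; the page reports only the observed ratios."""
    incidents = []
    for i in range(baseline_hours, len(hourly)):
        window = [c for _, c in hourly[i - baseline_hours:i]]
        baseline = max(median(window), 1)
        hour, count = hourly[i]
        ratio = count / baseline
        if ratio >= min_ratio:
            incidents.append({"hour": hour, "count": count,
                              "baseline": baseline, "ratio": round(ratio, 1)})
    return incidents


if __name__ == "__main__":
    events = make_sample_events()
    for domain in ("EXPLOITATION", "CREDENTIAL"):
        for inc in detect_spikes(hourly_counts(events, domain)):
            print(f"HIGH  Attack spike in {domain} domain: {inc['count']}/hr vs "
                  f"{inc['baseline']:.0f}/hr baseline ({inc['ratio']}x) "
                  f"at {inc['hour']:%Y-%m-%d %H:%M} UTC")
```

The 1/hr floor matters for the CREDENTIAL incident on the page (599/hr against a 1/hr baseline): a domain that is normally silent would otherwise produce an undefined ratio the first time it is probed, and a median baseline rather than a mean keeps one earlier spike from inflating the baseline and masking the next one.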

FDRP Application — Progressive Disclosure

Findings are classified into three disclosure tiers. Verification processes are adapted to each tier's sensitivity constraints, and automated redaction gates prevent classified content from leaking downward.

Public
  Audience: General public, media, this page
  Content: Aggregate counts, campaign naming, MITRE mapping
  Verification: Full cross-model (Opus + GPT-5.4 + Gemini 3.1)

Restricted
  Audience: CERTs, ISPs, critical infrastructure
  Content: Source IPs, specific TTPs, full IOC set, fingerprints
  Verification: Dual-model with sanitized inputs

Classified
  Audience: National security, law enforcement
  Content: Attribution, source intelligence, active operations
  Verification: Single-model with human review

CERT Outreach & Abuse Coordination

FDRP emits structured abuse reports to upstream providers and issues weekly threat digests to partner CERTs. Reports follow a shared finding schema so CERT-EE and CERT-Polska analysts can cross-reference against their own telemetry without re-normalization.

18 Open Abuse Reports
6+ Weekly Digests Issued
2 National CERT Partners

Domain-Specific Expert Expansion

Every finding tagged for external release is run through four domain experts, each prompted as an ultra-specialist per BIND-046:

  • Malware: binary analysis, packing detection, C2 reverse engineering
  • Network: traffic analysis, lateral movement detection, exfiltration patterns
  • Geopolitical: attribution frameworks, nation-state TTP correlation, diplomatic context
  • Legal: EU NIS2 compliance, cross-border evidence handling, disclosure obligations

Key Outcomes

100% Block Rate at Scale
46,492 attack events across six MITRE domains, every one intercepted before auth/request processing. No breach. No false-positive takedowns of legitimate traffic.
Campaign-Level Attribution
Four active campaigns tracked by ASN, fingerprint, and infrastructure provider. Cross-model verification runs each time new member IPs are added to a cluster; disagreements trigger mandatory human review.
Tiered Report Generation
A single analysis pipeline produces Public/Restricted/Classified outputs simultaneously. Redaction gates are enforced at pipeline boundaries, not trusted to the model.
Multi-CERT Coordination Protocol
Standardized finding format enables CERT-EE and CERT-Polska to cross-reference findings against their own intelligence, identifying shared threat actors operating across both nations.