National Security Live Telemetry

Asymmetric Cyber Defence

FDRP in production defending the production mail infrastructure: cross-model threat analysis, progressive disclosure, and multi-CERT coordination against nation-state TTPs and commodity botnets. All metrics below are live from the claude-admin intelligence store as of 2026-05-10. Three different units appear on this page: the lifetime blocked-attack count (cumulative since first deployment), the 30-day rolling volume (April 2026 snapshot), and per-campaign hits (cross-campaign sums of correlated probe events, a different unit from raw attack events).

59,979 Attacks Blocked · lifetime cumulative
100% Block Rate · 59,979 / 59,979
5 Attributed Campaigns · ASN-level infra
7 HIGH Incidents · open, + 1 resolved
32 Attack Patterns · 6 MITRE domains
8 Active IOCs · threat intel feed

30-Day Attack Volume — Blocked at the Edge (April 2026 snapshot, frozen 2026-04-16)

34,931 events (30-day rolling) · 4,993 unique IPs · peak 2,129 on 2026-04-11

Source: SELECT DATE(detected_at) d, COUNT(*) c FROM fdrp_attack_events WHERE detected_at > DATE_SUB(NOW(),INTERVAL 30 DAY) GROUP BY d · fdrp_db · chart snapshot 2026-04-16 09:40 UTC · 30-day rolling total now 18,618 events as of 2026-05-10


Attack Surface Distribution (7d)

HTTPS probing and IMAP credential-stuffing dominate, followed by SSH brute force. All four services are fully mitigated: 100% of the 2,045 events in the 7-day window were blocked before authentication or request processing.

868 HTTPS · 42.4%
726 IMAP · 35.5%
375 SSH · 18.3%

532 unique source IPs in the 7-day window · 242 unique IPs in the last 24h (275 events) · as of 2026-05-10.

Attributed Campaigns

FDRP campaign correlation groups attack events by ASN, fingerprint, and MITRE technique cluster. Five campaigns are currently ACTIVE; none have progressed past reconnaissance or credential exhaustion.

Unit note: the “Total Hits” figure on each card below is a campaign-hit total — the cross-campaign sum of correlated probe events (membership scans, fingerprint matches, signature hits) attributed to that campaign cluster. This is a different unit from the lifetime blocked-attack metric at the top of the page; the top-4 campaign-hit totals sum to ~689,813 across the four cards shown, which is not the same population as the 59,979 lifetime blocked-attack events.

Webshell · Active

AZURE-WEBSHELL-86 — "Cloud Shadows"

Member IPs: 73
Total Hits: 328,005
First Seen: 2026-03-01

ASN: AS8075 · Microsoft Corporation (Azure ingress abuse)

Scanner · Active

CONFIG-SCANNER-185 — FBW/Fiberway probes

Member IPs: 10
Total Hits: 334,904
First Seen: 2026-03-01

Concentrated probe of router management surfaces and ISP config endpoints

Scanner · Active

CF-WORKERS-ABUSE

Member IPs: 1,842
Total Hits: 25,000
First Seen: 2026-03-01

ASN: AS13335 · Cloudflare Inc. — Workers platform abused as probe fan-out

Credential Stuffing · Active

IMAP-CREDENTIAL-STUFFING-DO — "Jingle Shells"

Member IPs: 20
Total Hits: 1,904
First Seen: 2026-03-14

DigitalOcean + Alibaba + Baidu infrastructure, rotating IPs

Source: SELECT * FROM fdrp_campaigns WHERE status='ACTIVE' ORDER BY total_hits DESC · 5 active campaigns with hits, top 4 shown · as of 2026-05-10.

Attack Pattern Coverage — 32 Techniques Across 6 MITRE Domains

Every blocked event is classified against a curated pattern library mapped to MITRE ATT&CK IDs. Detection regexes and prevention playbooks are stored alongside each pattern; ten critical/high-severity techniques span execution and persistence boundaries.

EXPLOITATION 10
  • COMMAND_INJECTION · T1059
  • WEBSHELL_UPLOAD · T1505.003
  • SQL_INJECTION · T1190
  • PATH_TRAVERSAL · T1083
  • CGI_EXPLOIT · T1190
  • SMTP_RELAY_ABUSE · T1071.003
  • XSS_PROBE · T1059.007
  • WORDPRESS_XMLRPC · T1190
  • POSTSCREEN_DNSBL · T1071.003
  • POSTSCREEN_PREGREET · T1071.003
CREDENTIAL 8
  • IMAP_BRUTE_FORCE · T1110.001
  • SMTP_AUTH_SPRAY · T1110.003
  • WEB_LOGIN_BRUTE · T1110.001
  • API_KEY_EXPOSURE · T1552.004
  • POP3_CRED_STUFFING · T1110.004
  • SSH_DICTIONARY · T1110.001
  • ROLE_ENUMERATION · T1589.002
  • SSH_INVALID_USER · T1110.001
CONFIG_DRIFT 5
  • CERT_EXPIRY · T1588.004
  • PACKAGE_DOWNGRADE · T1195.002
  • FIREWALL_RULE_CHANGE · T1562.004
  • NEW_PORT_LISTENER · T1571
  • PERMISSION_CHANGE · T1222
RECONNAISSANCE 4
  • VULN_SCAN · T1595.002
  • DIRECTORY_BRUTE · T1083
  • PORT_SCAN · T1046
  • USER_AGENT_BOT · T1592
PERSISTENCE 3
  • CRON_MANIPULATION · T1053.003
  • SSH_KEY_INJECTION · T1098.004
  • CONFIG_BACKDOOR · T1543
DENIAL_OF_SERVICE 2
  • SMTP_FLOOD · T1499.001
  • AUTH_FLOOD · T1499.001

Source: SELECT domain, COUNT(*) FROM fdrp_attack_patterns GROUP BY domain · Pattern library is append-only; deprecated techniques retained for historical attribution.
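The pattern library above pairs each technique name with an ATT&CK ID and a detection regex. The following is an added example, not FDRP's library code: a small classifier in the same shape (name, domain, ATT&CK ID, regex) that tags constructed log lines and then aggregates per domain the way the `GROUP BY domain` query does. The pattern names and ATT&CK IDs are the page's; the regexes, the sample log lines and the `classify`/`domain_counts` helpers are assumptions constructed for illustration.

```python
"""Pattern-library classifier (added example; not FDRP's own library code).

Each PATTERNS entry mirrors the page's layout: pattern name, MITRE domain
bucket, ATT&CK ID, detection regex. Names and IDs come from the page; the
regexes are constructed here and are deliberately narrow.
"""
import re
from collections import Counter

PATTERNS = [
    # (name, domain, attack_id, regex) -- first match wins, so specific entries go first
    ("WORDPRESS_XMLRPC", "EXPLOITATION", "T1190",
     re.compile(r'"POST /xmlrpc\.php')),
    ("PATH_TRAVERSAL", "EXPLOITATION", "T1083",
     re.compile(r"(?:\.\./|%2e%2e%2f){2,}", re.IGNORECASE)),
    ("SSH_INVALID_USER", "CREDENTIAL", "T1110.001",
     re.compile(r"sshd\[\d+\]: Invalid user \S+ from \d{1,3}(?:\.\d{1,3}){3}")),
    ("IMAP_BRUTE_FORCE", "CREDENTIAL", "T1110.001",
     re.compile(r"imap-login: .*auth failed.*rip=\d{1,3}(?:\.\d{1,3}){3}")),
    ("DIRECTORY_BRUTE", "RECONNAISSANCE", "T1083",
     re.compile(r'"GET /(?:\.git/|\.env|wp-admin|phpmyadmin)')),
]


def classify(line):
    """Return (name, domain, attack_id) for the first matching pattern, or None."""
    for name, domain, attack_id, rx in PATTERNS:
        if rx.search(line):
            return (name, domain, attack_id)
    return None


def domain_counts(lines):
    """Per-domain totals over classified lines, like `SELECT domain, COUNT(*) ... GROUP BY domain`."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit:
            counts[hit[1]] += 1
    return dict(counts)


# Constructed sample lines in nginx access-log, OpenSSH and Dovecot formats
# (addresses from the 192.0.2.0/24 documentation range).
SAMPLE_LINES = [
    '192.0.2.10 - - [10/May/2026:09:40:01 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 403 0',
    '192.0.2.11 - - [10/May/2026:09:40:05 +0000] "POST /xmlrpc.php HTTP/1.1" 403 0',
    'May 10 09:40:07 mail sshd[2143]: Invalid user admin from 192.0.2.12 port 51022',
    'May 10 09:40:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): '
    'user=<sales>, method=PLAIN, rip=192.0.2.13, lip=192.0.2.1, TLS',
    '192.0.2.14 - - [10/May/2026:09:40:11 +0000] "GET /.env HTTP/1.1" 404 0',
    '192.0.2.15 - - [10/May/2026:09:40:12 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line), "<-", line[:60])
    print(domain_counts(SAMPLE_LINES))
```

Ordering matters: because the first match wins, a line that is both a traversal attempt and a directory probe is attributed to whichever entry appears first, so a real library needs a stated precedence (or records all matches) rather than relying on list order by accident.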

Active Security Incidents (snapshot 2026-04-16)

FDRP's detection layer raised eight incidents in the 30 days leading up to the snapshot. Seven remain in DETECTED state pending ongoing monitoring; the distributed POP3 credential-stuffing botnet has been fully contained after its 1,484+ failures/day peak decayed to baseline.

  • HIGH
    Attack spike — EXPLOITATION domain
    38 events/hr vs 6/hr baseline (6.3× ratio) · detected 2026-03-30 22:02 UTC · status: DETECTED
  • HIGH
    Attack spike — EXPLOITATION domain
    53/hr vs 16/hr baseline (3.3×) · detected 2026-03-16 21:03 UTC · status: DETECTED
  • HIGH
    Attack spike — CREDENTIAL domain
    599/hr vs 1/hr baseline (599×) · detected 2026-03-08 21:04 UTC · status: DETECTED
  • HIGH
    SSL certificate expiring — the production mail host:587
    CERT_EXPIRY pattern triggered, 0 days remaining at detection · 2026-03-08 20:49 UTC
  • RESOLVED
    Distributed POP3 credential-stuffing botnet — 1,484+ failures/day
    82-513 rotating IPs across cloud providers, 97.5% POP3 PLAIN, 1 attempt/IP/~17min. No breach — all attacked usernames nonexistent.

Showing 5 of 8 incidents. Three additional HIGH spikes (CREDENTIAL 306×, EXPLOITATION 17× and 10×) logged on 2026-03-08 at baseline calibration.
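The spike incidents above are reported as an hourly rate against a baseline rate and the ratio between them. The block below is an added example, not FDRP's detection code, showing one way to compute such a ratio: events are bucketed per hour and per domain, the baseline is the mean of the preceding 24 hours, a spike is raised at 3× or more, a zero baseline is floored to 1 event/hr, and hours without a full lookback window are skipped (the calibration case the note above mentions). The threshold, lookback window, flooring rule and the sample event stream are all assumptions.

```python
"""Rate-vs-baseline spike detector (added example; not FDRP's own detection code).

Assumptions (mine, not the page's): per-hour, per-domain buckets; baseline =
mean count of the preceding BASELINE_HOURS hours; spike at ratio >=
RATIO_THRESHOLD; zero baseline floored to 1/hr; hours without a full
lookback window are skipped rather than compared against an empty baseline.
"""
from collections import Counter
from datetime import datetime, timedelta

RATIO_THRESHOLD = 3.0   # hypothetical threshold
BASELINE_HOURS = 24     # hypothetical lookback window


def hourly_counts(events):
    """Group (timestamp, domain) pairs into {domain: Counter{hour_start: count}}."""
    buckets = {}
    for ts, domain in events:
        hour = ts.replace(minute=0, second=0, microsecond=0)
        buckets.setdefault(domain, Counter())[hour] += 1
    return buckets


def detect_spikes(events, threshold=RATIO_THRESHOLD, lookback=BASELINE_HOURS):
    """Return [(domain, hour, rate, baseline, ratio)] for hours at or above threshold."""
    spikes = []
    for domain, counts in hourly_counts(events).items():
        first = min(counts)
        for hour in sorted(counts):
            if hour - timedelta(hours=lookback) < first:
                continue  # still calibrating: no full lookback window yet
            window = [counts.get(hour - timedelta(hours=h), 0) for h in range(1, lookback + 1)]
            baseline = max(sum(window) / lookback, 1.0)  # floor so the ratio is defined
            ratio = counts[hour] / baseline
            if ratio >= threshold:
                spikes.append((domain, hour, counts[hour], round(baseline, 1), round(ratio, 1)))
    return spikes


def sample_events():
    """Constructed stream: 24 hours at 6 EXPLOITATION events/hr, then one hour with 38."""
    start = datetime(2026, 3, 29, 22, 0)
    events = [(start + timedelta(hours=h, minutes=m), "EXPLOITATION")
              for h in range(24) for m in range(0, 60, 10)]
    events += [(start + timedelta(hours=24, minutes=2), "EXPLOITATION")] * 38
    return events


if __name__ == "__main__":
    for domain, hour, rate, base, ratio in detect_spikes(sample_events()):
        print(f"{domain}: {rate}/hr vs {base}/hr baseline ({ratio}x) at {hour:%Y-%m-%d %H:%M} UTC")
```

The skip-until-calibrated rule is what keeps the first hours of a fresh deployment from reading as spikes against an empty history; dropping it would reproduce the calibration-day alerts the note above describes.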

FDRP Application — Progressive Disclosure

Findings are classified into three disclosure tiers. Verification processes are adapted to each tier's sensitivity constraints, and automated redaction gates prevent classified content from leaking downward.

Tier: Public
Audience: General public, media, this page
Content: Aggregate counts, campaign naming, MITRE mapping
Verification: Full cross-model (Opus + GPT-5.4 + Gemini 3.1, as verified at campaign date)

Tier: Restricted
Audience: CERTs, ISPs, critical infrastructure
Content: Source IPs, specific TTPs, full IOC set, fingerprints
Verification: Dual-model with sanitized inputs

Tier: Classified
Audience: National security, law enforcement
Content: Attribution, source intelligence, active operations
Verification: Single-model with human review

CERT Outreach & Abuse Coordination

FDRP emits structured abuse reports to upstream providers and issues weekly threat digests to partner CERTs. Reports follow a shared finding schema so CERT-EE and CERT-Polska analysts can cross-reference against their own telemetry without re-normalization.

18 Open Abuse Reports
6+ Weekly Digests Issued
2 National CERT Partners

Domain-Specific Expert Expansion

Every finding tagged for external release is run through four domain experts, each prompted as an ultra-specialist per BIND-046:

  • Malware: binary analysis, packing detection, C2 reverse engineering
  • Network: traffic analysis, lateral movement detection, exfiltration patterns
  • Geopolitical: attribution frameworks, nation-state TTP correlation, diplomatic context
  • Legal: EU NIS2 compliance, cross-border evidence handling, disclosure obligations

Key Outcomes

100% Block Rate at Scale
59,979 attack events across six MITRE domains, every one intercepted before auth/request processing. No breach. No false-positive takedowns of legitimate traffic.
Campaign-Level Attribution
Five active campaigns tracked by ASN, fingerprint, and infrastructure provider. Cross-model verification each time new member IPs are added to a cluster; disagreements trigger mandatory human review.
Tiered Report Generation
A single analysis pipeline produces Public/Restricted/Classified outputs simultaneously. Redaction gates are enforced at pipeline boundaries, not trusted to the model.
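The tier table in the Progressive Disclosure section and this outcome describe the same mechanism: one finding, three outputs, with redaction enforced at the boundary rather than delegated to the model. The block below is an added example, not FDRP's pipeline code, of such a gate: every field carries the least-sensitive tier allowed to see it, unknown fields fail closed, free text released at Public has IPv4 literals scrubbed, and an independent check re-scans the serialized Public output so a leak in prose is caught even if the projection step is wrong. The field policy, helper names and the sample finding are assumptions (the campaign name and ATT&CK ID are from the page; the addresses are from a documentation range).

```python
"""Progressive-disclosure redaction gate (added example; not FDRP's pipeline code).

Assumptions (mine, not the page's): a finding is a flat dict; FIELD_TIER maps
each field to the least-sensitive tier that may see it; fields with no policy
entry are dropped at every tier; Public free text is scrubbed of IPv4
literals; and gate_check() re-scans the serialized Public report as a
separate boundary assertion.
"""
import json
import re

TIERS = ("Public", "Restricted", "Classified")  # least to most sensitive

# Hypothetical field policy following the tier table's Content column.
FIELD_TIER = {
    "campaign": "Public", "mitre": "Public", "event_count": "Public", "summary": "Public",
    "source_ips": "Restricted", "ttps": "Restricted", "iocs": "Restricted", "fingerprint": "Restricted",
    "attribution": "Classified", "source_intel": "Classified", "active_ops": "Classified",
}
TEXT_FIELDS = {"summary"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def redact(finding, tier):
    """Project a finding onto one tier, keeping only fields at or below that tier."""
    rank = TIERS.index(tier)
    out = {}
    for key, value in finding.items():
        allowed = FIELD_TIER.get(key)
        if allowed is None or TIERS.index(allowed) > rank:
            continue  # unknown or too sensitive for this tier: drop (fail closed)
        if tier == "Public" and key in TEXT_FIELDS:
            value = IPV4.sub("[ip redacted]", value)  # analysts paste IPs into prose
        out[key] = value
    return out


def gate_check(report, tier):
    """Boundary assertion independent of redact(): no IPv4 literal may reach Public output."""
    if tier == "Public" and IPV4.search(json.dumps(report)):
        raise ValueError("redaction gate: IPv4 literal reached Public output")
    return report


def emit_all(finding):
    """One pipeline run producing all three tiers, each gate-checked at its boundary."""
    return {tier: gate_check(redact(finding, tier), tier) for tier in TIERS}


# Constructed sample finding (campaign name and ATT&CK ID from the page; addresses
# from the 198.51.100.0/24 documentation range; attribution text is a placeholder).
SAMPLE_FINDING = {
    "campaign": "IMAP-CREDENTIAL-STUFFING-DO",
    "mitre": ["T1110.004"],
    "event_count": 1904,
    "summary": "Rotating cloud IPs incl. 198.51.100.7 attempting IMAP PLAIN logins",
    "source_ips": ["198.51.100.7", "198.51.100.23"],
    "fingerprint": "imap-plain-rotating-v1",
    "attribution": "[placeholder attribution text]",
    "internal_note": "never released at any tier",
}

if __name__ == "__main__":
    for tier, report in emit_all(SAMPLE_FINDING).items():
        print(tier, json.dumps(report))
```

Keeping `gate_check` separate from `redact` is the point of "enforced at pipeline boundaries, not trusted to the model": the projection can be replaced or misconfigured, and the boundary check still refuses to emit a Public report that carries an address.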
Multi-CERT Coordination Protocol
Standardized finding format enables CERT-EE and CERT-Polska to cross-reference findings against their own intelligence, identifying shared threat actors operating across both nations.