
We Turned Our Cloudflare Workers Into Honeypots. Your Recon Is Now Our STIX Feed.

  • Writer: Patrick Duggan
  • Apr 4
  • 4 min read

Updated: Apr 25

We did something stupid-simple that changes the economics of threat intelligence.


Every scanner on the internet hits /.env, /wp-admin/, /backup.sql, /.git/config. They've been doing it for decades. Every web server in the world logs these probes and throws them away.


We stopped throwing them away.


The Setup



Our Cloudflare Edge Shield worker already sits in front of everything — 300+ PoPs worldwide, inspecting every request against 1M+ IOCs before it reaches our origin. Today we added 30 canary paths that no legitimate user would ever visit:


| Category | Paths | Why It's 100% Malicious |
|---|---|---|
| Config exposure | /.env, /.env.bak, /.aws/credentials | We don't use PHP. We don't have .env files on our edge. |
| Source code | /.git/config, /.git/HEAD | Our git repos aren't served via HTTP. |
| WordPress | /wp-admin/, /wp-login.php, /xmlrpc.php | We don't run WordPress. |
| Database dumps | /backup.sql, /dump.sql, /db.sqlite | We don't serve database files. |
| Admin panels | /phpmyadmin/, /adminer.php, /_debug/ | We don't run PHP admin tools. |
| API fishing | /api/v1/internal/keys, /api/v1/admin/users | These endpoints don't exist. |
| Webshells | /shell.php, /cmd.php, /c99.php, /r57.php | We don't run PHP at all. |
| Framework recon | /actuator, /actuator/env, /server-status | We don't run Spring Boot or Apache. |



Zero false positive rate. Not "low" — zero. No human, no browser, no legitimate bot visits /.env.production or /c99.php. If you're hitting these paths, you are scanning for vulnerabilities.


What Happens When You Hit a Canary



Here's where it gets fun. We don't return a 404. We don't return a 403. We return a 200 with convincing fake data.


Hit /.env? You get back what looks like real credentials:





None of it is real. Every value is randomly generated on each request. But the scanner doesn't know that. It'll try those AWS keys, those Stripe keys, those database credentials — and fail. We've wasted their time, and more importantly, we've captured their fingerprint.


Hit /wp-admin/? You get a WordPress login page. Hit /actuator? Spring Boot health check JSON. Hit /backup.sql? A MySQL dump header with fake table schemas.


While you're reading your fake .env file, we're indexing:


  • Your IP → new IOC in our STIX feed

  • Your ASN and org → attribution

  • Your User-Agent → scanner fingerprint

  • Your TLS version → client fingerprint

  • The CF datacenter that handled you → geographic context

  • Your bot score from Cloudflare's ML → confidence enrichment

  • The exact path you probed → attack classification


The server header says nginx/1.24.0 and X-Powered-By: PHP/8.2.0. We run Node on Azure Container Apps behind Cloudflare. The misdirection is intentional — it poisons their fingerprint database.


The Pipeline






From probe to global blocklist. Automated. No analyst. The scanner's recon attempt becomes the detection rule that blocks them everywhere else.


The Math



Shodan alone scans every IPv4 address roughly every 40 minutes. Censys, LeakIX, BinaryEdge, ZGrab — thousands of scanners run 24/7. Our domains get probed constantly. Before today, those probes hit our WAF rules and disappeared.


Now every probe is:

  • A free intelligence source — we didn't pay for this data, they delivered it

  • A STIX indicator — flows to 275+ consumers in 46 countries

  • A scanner fingerprint — UA, TLS, ASN, behavior pattern

  • A deception data point — they now have fake credentials in their loot database


The cost? Zero. Cloudflare Workers free tier. The honeypot runs on the same edge infrastructure we already use. No new VMs, no new containers, no new budget.


Microsoft pulls this feed daily. AT&T pulls this feed daily. Starlink pulls this feed daily. Get the DugganUSA STIX feed — $9/mo →


Why This Is Different



Traditional honeypots require dedicated infrastructure. You spin up a server that looks vulnerable, put it on the internet, and wait. T-Pot, Cowrie, HoneyDB — they work, but they cost money and they're detectable.


Our honeypots are embedded in production infrastructure. The scanner can't tell the difference between our real API endpoints and our canary paths because they're served by the same Cloudflare Worker, on the same domain, with the same TLS certificate, at the same edge location. There's no separate honeypot network to fingerprint.


And because we serve fake data instead of errors, automated scanners can't distinguish our canaries from real misconfigurations. Their loot databases fill up with our garbage. Their AWS key testing tools burn API calls on our fake AKIA strings. Their credential stuffing lists include our randomly-generated passwords.


The Feed



These honeypot IOCs join everything else in our STIX feed:


| Source | Count | Type |
|---|---|---|
| Automated feeds (URLhaus, SSLBL, etc.) | 1,000,000+ | IPs, domains, hashes |
| PreCog sweeps (OTX) | 16,800+ | Emerging threats |
| Exploit Harvester (GitHub PoCs) | 83+ | Detection rules |
| Edge Honeypots | Growing | Scanner IPs, fingerprints |



Point your SIEM at it:





Register free: analytics.dugganusa.com/stix/register (https://analytics.dugganusa.com/stix/register)
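On the consuming side, as an added example that is not DugganUSA's feed client or SIEM configuration: a small reducer that takes a STIX 2.1 bundle and produces the IP blocklist a SIEM or firewall would load. The bundle below is constructed for the example (the IDs and addresses are documentation values); only the STIX pattern syntax is standard. It skips revoked and expired indicators and ignores non-IP patterns, which is the check a practitioner wants before turning a feed into a block rule.

```javascript
// Added example (not DugganUSA's code): STIX 2.1 bundle -> current IP blocklist.

// Constructed sample bundle; IDs and addresses are documentation placeholders.
const SAMPLE_BUNDLE = {
  type: "bundle",
  id: "bundle--4f5c9d1a-0b3e-4c7a-9a1d-0123456789ab",
  objects: [
    { type: "indicator", spec_version: "2.1", id: "indicator--4f5c9d1a-0b3e-4c7a-9a1d-000000000001",
      pattern_type: "stix", pattern: "[ipv4-addr:value = '203.0.113.7']",
      valid_from: "2025-04-04T00:00:00Z", labels: ["honeypot", "config-exposure"] },
    { type: "indicator", spec_version: "2.1", id: "indicator--4f5c9d1a-0b3e-4c7a-9a1d-000000000002",
      pattern_type: "stix", pattern: "[ipv6-addr:value = '2001:db8::1']",
      valid_from: "2025-04-04T00:00:00Z", labels: ["honeypot", "webshells"] },
    { type: "indicator", spec_version: "2.1", id: "indicator--4f5c9d1a-0b3e-4c7a-9a1d-000000000003",
      pattern_type: "stix", pattern: "[domain-name:value = 'example.invalid']",   // not an IP: ignored
      valid_from: "2025-04-04T00:00:00Z" },
    { type: "indicator", spec_version: "2.1", id: "indicator--4f5c9d1a-0b3e-4c7a-9a1d-000000000004",
      pattern_type: "stix", pattern: "[ipv4-addr:value = '198.51.100.9']",
      valid_from: "2025-04-04T00:00:00Z", revoked: true },                        // revoked: skipped
    { type: "indicator", spec_version: "2.1", id: "indicator--4f5c9d1a-0b3e-4c7a-9a1d-000000000005",
      pattern_type: "stix", pattern: "[ipv4-addr:value = '198.51.100.10']",
      valid_from: "2024-12-01T00:00:00Z", valid_until: "2025-01-01T00:00:00Z" }, // expired: skipped
    { type: "indicator", spec_version: "2.1", id: "indicator--4f5c9d1a-0b3e-4c7a-9a1d-000000000006",
      pattern_type: "stix",
      pattern: "[ipv4-addr:value = '203.0.113.8' OR ipv4-addr:value = '203.0.113.9']", // compound
      valid_from: "2025-04-04T00:00:00Z" },
    { type: "marking-definition", spec_version: "2.1", id: "marking-definition--4f5c9d1a-0b3e-4c7a-9a1d-0000000000aa",
      definition_type: "tlp", definition: { tlp: "green" } },                   // non-indicator: ignored
  ],
};

// Matches every ipv4-addr / ipv6-addr comparison inside a STIX pattern, including OR-compound ones.
const IP_COMPARISON = /\b(ipv4-addr|ipv6-addr):value\s*=\s*'([^']+)'/g;

// Loose syntactic sanity check so a malformed feed entry cannot become a garbage firewall rule.
function looksLikeIp(value) {
  return /^(\d{1,3}\.){3}\d{1,3}$/.test(value) || /^[0-9a-fA-F:]+$/.test(value);
}

// Returns a Set of IP strings from indicators that are current at `now`.
function blocklistFromBundle(bundle, now = new Date()) {
  const out = new Set();
  for (const obj of bundle.objects ?? []) {
    if (obj.type !== "indicator" || obj.revoked) continue;
    if (obj.pattern_type && obj.pattern_type !== "stix") continue;   // e.g. sigma/snort rules
    if (obj.valid_until && new Date(obj.valid_until) <= now) continue;
    if (obj.valid_from && new Date(obj.valid_from) > now) continue;
    for (const m of obj.pattern.matchAll(IP_COMPARISON)) {
      if (looksLikeIp(m[2])) out.add(m[2]);
    }
  }
  return out;
}

// Renders the set as host routes (/32 or /128), sorted so diffs between pulls are readable.
function asCidrLines(ips) {
  return [...ips].sort().map((ip) => (ip.includes(":") ? `${ip}/128` : `${ip}/32`));
}
```

Re-running this on each daily pull and diffing `asCidrLines` output against the previous run gives a clean add/remove list for the firewall, and honouring `valid_until` and `revoked` is what lets an upstream feed retract an indicator without the consumer blocking it forever.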




Your scanners are our sensors. Your recon is our product. Your probes fund our threat intelligence.


We didn't build a honeypot. We turned the entire edge into one.





Her name was Renee Nicole Good.


His name was Alex Jeffery Pretti.


The cheapest, fastest, most accurate threat feed on the internet.

275+ enterprises pulling daily. 1M+ IOCs. 17.4M indexed documents. We beat Zscaler by 43 days on NrodeCodeRAT. Starter tier $9/mo — less than any competitor’s sales demo.
