Open-Data Threat Map

Visualising attack trends in Anhalt-Bitterfeld.

Mansfeld-Südharz, Germany - December 9, 2025

Turning raw telemetry into a public civic dashboard without ever exposing a single resident’s identity

The first time we watched a ransomware probe bounce off the county library's firewall, the packet capture looked like any other brute-force spray: a Bulgarian IP, a recycled password list, three failed SSH handshakes, then silence. What made the moment different was the line of code that followed. Instead of letting the log disappear into a private SIEM, we piped a distilled extract (time-slice, ASN, attack family, outcome) to a lightweight GraphQL endpoint whose data are released under Creative Commons Zero (CC0). In practice that means a teacher in Köthen, a start-up in Bitterfeld or a journalist in Dessau can pull the same anonymised signal the Alliance's analysts see, overlay it with population density or industrial zones, and tell a story that previously lived only inside a security operations centre. The goal is not spectacle; it is shared situational awareness, the civic equivalent of publishing daily pollen counts so citizens can decide whether to open a window or close a laptop.

The raw feed originates inside the Alliance's shared SOC, a cluster of open-source collectors running Suricata, Zeek and the Alliance's own deception sensors scattered across fifteen member networks. Before any event is written to disk, a streaming transformer strips every field that could identify a person or a specific device: IPv4 addresses are truncated to their /24 network, user-agent strings are reduced to a browser or tool family, and payloads are replaced with fuzzy (similarity-preserving) hashes that let analysts spot near-identical probes without storing the content. Truncation to /24 is a pragmatic trade-off rather than strong anonymisation on its own; a /24 that contains a single small business is still a strong hint, which is why the aggregation and noise layers described below exist. The resulting tuple (roughly 180 bytes per event) lands in an internal Kafka topic that is mirrored to a network-isolated MinIO bucket every thirty seconds. A second pipeline, running entirely on public cloud infrastructure financed by the county's open-data budget, reads the bucket and enriches each tuple with city-level geolocation and MITRE ATT&CK technique tags. Because the enrichment data are themselves drawn from public or freely licensed sources (MaxMind GeoLite2, RIPEstat, MITRE's ATT&CK STIX/JSON), the derivative work can be republished by schools or newspapers with no more than the attribution those licences ask for, a deliberate design choice so that nobody needs a lawyer first.
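The sensor-side transformer described above, as an added example that is not the Alliance's code: IPv4 sources are truncated to /24 as the page states (the /48 for IPv6 is this example's own choice), user-agents are mapped to a family, and payloads are replaced by a MinHash similarity digest, a generic stand-in for whatever ssdeep/TLSH-style fuzzy hash the SOC actually uses. The sample events are constructed.

```python
"""Sensor-side anonymisation, added example (not the Alliance's code).
Assumptions: IPv4 -> /24 as the page states, IPv6 -> /48 is our choice, and the
fuzzy hash is a MinHash digest standing in for an ssdeep/TLSH-style hash."""
import hashlib
import ipaddress
import json
import re
from datetime import datetime, timezone

# Constructed sample events, not real telemetry. src_ip, user_agent, payload and
# dst_device are exactly the fields that must not leave the sensor intact.
RAW_EVENTS = [
    {
        "ts": "2025-11-03T09:17:42Z", "src_ip": "203.0.113.77", "src_asn": 64496,
        "dst_port": 22, "dst_device": "lib-koethen-fw01", "user_agent": "",
        "attack_family": "credential-stuffing", "outcome": "blocked",
        "payload": b"SSH-2.0-libssh_0.9.6\r\n",
    },
    {
        "ts": "2025-11-03T09:41:05Z", "src_ip": "2001:db8:abcd:1234::1", "src_asn": 64497,
        "dst_port": 8554, "dst_device": "bakery-cam-03", "user_agent": "python-requests/2.31",
        "attack_family": "iot-scan", "outcome": "honeypot",
        "payload": b"DESCRIBE rtsp://cam/live RTSP/1.0\r\nCSeq: 1\r\n\r\n",
    },
]

# Family-level user-agent normalisation; scanners are matched before the
# browsers they like to impersonate.
UA_FAMILIES = (
    ("scanner", re.compile(r"zgrab|masscan|nmap|nikto", re.I)),
    ("python", re.compile(r"python-requests|python-urllib", re.I)),
    ("curl", re.compile(r"^curl/", re.I)),
    ("firefox", re.compile(r"firefox/", re.I)),
    ("chrome", re.compile(r"chrome/|crios/", re.I)),
)

def truncate_ip(ip: str) -> str:
    """Keep only the network part: /24 for IPv4 (page), /48 for IPv6 (assumption)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

def ua_family(ua: str) -> str:
    if not ua:
        return "none"
    for name, pattern in UA_FAMILIES:
        if pattern.search(ua):
            return name
    return "other"

def minhash_digest(payload: bytes, slots: int = 16, ngram: int = 4) -> str:
    """Similarity-preserving digest: for each of `slots` salted hashes keep the
    smallest value over all byte n-grams. Near-identical payloads share most
    slots; the payload itself cannot be read back out of the digest."""
    shingles = {payload[i:i + ngram] for i in range(max(1, len(payload) - ngram + 1))}
    parts = []
    for slot in range(slots):
        salt = slot.to_bytes(1, "big")
        least = min(
            int.from_bytes(hashlib.blake2b(s, digest_size=4, salt=salt).digest(), "big")
            for s in shingles
        )
        parts.append(f"{least:08x}")
    return "".join(parts)

def digest_similarity(a: str, b: str, width: int = 8) -> float:
    """Fraction of equal slots: an estimate of the Jaccard similarity of the n-gram sets."""
    if len(a) != len(b) or len(a) % width:
        raise ValueError("digests must have equal length and whole slots")
    n = len(a) // width
    return sum(a[i * width:(i + 1) * width] == b[i * width:(i + 1) * width] for i in range(n)) / n

def time_slice(ts: str) -> str:
    """Round an ISO-8601 timestamp down to the hour, in UTC."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return dt.replace(minute=0, second=0, microsecond=0).strftime("%Y-%m-%dT%H:00Z")

def anonymise(event: dict) -> dict:
    """Build the compact tuple; identifying fields are transformed or dropped outright."""
    return {
        "time_slice": time_slice(event["ts"]),
        "src_net": truncate_ip(event["src_ip"]),
        "asn": event["src_asn"],
        "dst_port": event["dst_port"],
        "ua_family": ua_family(event["user_agent"]),
        "attack_family": event["attack_family"],
        "outcome": event["outcome"],
        "payload_digest": minhash_digest(event["payload"]),
    }

if __name__ == "__main__":
    for rec in (anonymise(e) for e in RAW_EVENTS):
        line = json.dumps(rec, separators=(",", ":"))
        print(f"{len(line.encode())} bytes: {line}")
```

`digest_similarity` is what a downstream analyst would use to cluster near-identical probes without ever seeing a payload. One caveat worth carrying into a real deployment: a digest of a very short, low-entropy payload (a one-line SSH banner, say) can be recovered by hashing candidate strings, so keying the hash with a per-deployment secret or dropping payloads under a minimum length is a sensible hardening.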

Visualisation happens through a single-page application written in Svelte and D3, hosted on a subdomain with no authentication barrier. The default view is a time-series heat-map that aggregates events into one-hour bins, normalised per 1 000 residents so that a spike in a village of 500 people remains proportionally visible beside activity in the city of Dessau (the flip side, that three events in such a village already read as six per thousand, is one reason small counts pass through the noise layer described below). Users can switch to a choropleth overlay that colours each municipality by its predominant attack family (ransomware, cryptominer, credential-stuffing) or drill down to a scatter plot of attack volume against median household income, a lens that often reveals which neighbourhoods can least afford a breach. Every visual element is downloadable as SVG or CSV, and we publish the Vega-Lite specification so that data-journalism classes can fork the design and embed it in their own stories. No API key is required and queries are not otherwise throttled; the only limit is a polite 200 requests per minute enforced at Cloudflare's edge on the free tier, enough to discourage accidental scraping while leaving academic researchers free to poll every ten seconds during a live exercise.

What keeps the map honest is a parallel stream of methodological documentation. Each night a GitHub Action regenerates a markdown report that records the exact Suricata ruleset version, the geolocation database build, and the hash of the anonymisation script, so anyone analysing a day's data can check that it was produced by the script that was audited. The report is committed to the same repository that stores the front-end code, creating a tamper-evident audit trail that researchers can cite in peer-reviewed papers. We also publish a "known gaps" page that openly lists what the feed does not capture: lateral movement that never touches the public internet, phishing that lands inside encrypted email gateways, and insider activity that by definition lacks an external source IP. That candour is a feature, not a concession; it prevents the dangerous illusion that any single dataset can describe the full attack surface and invites complementary projects (dark-web monitoring, scam-call tracking, postal phishing reports) to layer on top.

"Sunlight is still the best disinfectant—even when the infection travels by packet rather than pathogen."

Privacy protection is engineered at three independent choke points. The first is the truncate-and-hash routine that runs on the sensor itself, before data leave the member premises; it is the step that turns raw packets, which are personal data under the GDPR, into records that no longer are. The second is a noise layer that adds calibrated statistical noise to any published aggregate below fifty events, blunting re-identification through triangulation while preserving macro trends; because the noise is applied only under a fixed threshold, this is small-cell perturbation in the spirit of differential privacy rather than a formal differential-privacy guarantee for the release as a whole. The third is a legal moat: the programme is run as voluntary statistics under German data-protection law, and since the sensor-side step removes personal data before anything is stored, no personal data are processed downstream and no consent management is required. The county's data-protection officer reviews the pipeline every quarter, and the anonymisation script has been audited by an external penetration tester who was paid explicitly to attempt re-identification; after six weeks of automated linkage and inference attempts they concluded that tying an individual household to a single packet was no more likely than guessing a random 128-bit identifier, a result we are comfortable publishing.
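The hourly binning and per-1 000-resident normalisation from the visualisation paragraph, together with the noise-below-fifty rule of the second choke point, as an added example that is not the Alliance's code. Population figures, events, the Laplace mechanism and epsilon = 1.0 are this example's assumptions; the page itself gives only the fifty-event threshold.

```python
"""Hourly aggregation, per-1 000 normalisation and small-cell noise, added
example (not the Alliance's code). Assumptions: populations and events are
constructed; noise is Laplace with scale 1/epsilon, epsilon = 1.0; the
50-event threshold is the page's own."""
import random
from collections import Counter
from datetime import datetime, timezone

# Constructed: resident counts and one hour of events for two municipalities.
POPULATION = {"Dessau": 80_000, "Osternienburg": 500}
EVENTS = (
    [(f"2025-11-03T09:{m:02d}:00Z", "Dessau") for m in range(60)]
    + [("2025-11-03T09:12:00Z", "Osternienburg")] * 3
)

def to_hour(ts: str) -> str:
    """Round an ISO-8601 timestamp down to the hour, in UTC."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:00Z")

def hourly_counts(events) -> Counter:
    """(municipality, hour) -> raw event count."""
    return Counter((muni, to_hour(ts)) for ts, muni in events)

def laplace_noise(scale: float, rng: random.Random) -> float:
    """Laplace(0, scale) drawn as the difference of two iid exponentials with mean `scale`."""
    return rng.expovariate(1 / scale) - rng.expovariate(1 / scale)

def release_count(count: int, threshold: int = 50, epsilon: float = 1.0, rng=None) -> int:
    """Cells at or above the threshold pass through unchanged; smaller cells get
    Laplace noise and are clamped at zero. Caveat: because whether a cell was
    noised follows from a public cutoff, this is small-cell perturbation, not a
    formal differential-privacy guarantee for the whole release."""
    if count >= threshold:
        return count
    rng = rng or random.Random()
    return max(0, round(count + laplace_noise(1 / epsilon, rng)))

def per_thousand(count: int, population: int) -> float:
    """Events per 1 000 residents, so a village and a city sit on one scale."""
    return round(count * 1000 / population, 3)

def build_release(events, population: dict, threshold: int = 50,
                  epsilon: float = 1.0, seed=None) -> list:
    """One published row per (municipality, hour); `noised` is set where noise was applied."""
    rng = random.Random(seed)
    rows = []
    for (muni, hour), n in sorted(hourly_counts(events).items()):
        released = release_count(n, threshold, epsilon, rng)
        rows.append({
            "municipality": muni, "hour": hour, "events": released,
            "noised": n < threshold,
            "per_1000": per_thousand(released, population[muni]),
        })
    return rows

if __name__ == "__main__":
    for row in build_release(EVENTS, POPULATION, seed=7):
        print(row)
```

With the constructed data, Dessau's sixty events pass through unchanged as 0.75 per 1 000, while the village's three events come out noised and in the region of six per 1 000: the normalisation is what makes the village visible at all, and the noise is what stops three events from pointing at three identifiable premises.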

Early usage patterns already challenge some cherished security myths. During the first ninety days of beta, the most attacked port in the county was not RDP's canonical 3389 but 8554, the alternate RTSP port used by cheap Chinese security cameras installed by local bakeries and hair salons. When we overlaid that signal with the business register, we discovered that 87 % of the targeted devices belonged to micro-enterprises that had never appeared on any critical-infrastructure list, yet their combined upstream bandwidth was enough for a camera botnet to saturate the county's single 40 Gbit/s uplink. The open map made the invisible visible: within two weeks the chamber of commerce ran a free firmware clinic, and the attack volume dropped 64 %. Without public data that causal chain would have remained buried in vendor support tickets.

The long-term ambition is to turn the threat map into a living lab for policy instruments. Next spring we will add an overlay that colours each building block by its NIS2 conformity score, calculated from a voluntary questionnaire that SMEs fill in when they apply for the Alliance’s voucher scheme. Over time the county administration will be able to observe whether visible transparency correlates with measurable risk reduction, feeding real evidence into the ongoing EU debate about mandatory incident disclosure. If the experiment succeeds, the same anonymisation engine can be containerised and gifted to any European region that signs the Alliance’s governance MoC, creating a federated mosaic of local threat weather without ever building a centralised European database that might tempt mass surveillance. The goal is not to watch citizens; it is to let citizens watch the storm.


The Cyber Resilience Alliance is a public-private partnership established in 2025, led by CypSec, Validato and the County of Mansfeld-Südharz. The Alliance operates a sovereign private-cloud security stack, a shared SOC and a cyber academy, aiming to make Mansfeld-Südharz the reference site for rural cyber resilience by 2030.

Media Contact: Daria Fediay, Chief Executive Officer at CypSec - daria.fediay@cypsec.de.
