The live threat map: real attacks on this site, GDPR-compliant
The threat dashboard includes a world map of attacks against this very website - not stock imagery, not a vendor’s marketing feed. Every data point is a request our own edge actually blocked. This post walks through the pipeline, including the part most “live attack map” pages skip: doing it without violating the GDPR.
The pipeline
Every request to sudodudes.com passes through our edge proxy with an OWASP Core Rule
Set WAF in front of the application. Blocked requests - SQL injection probes, path
traversal attempts, scanner fingerprints, rate-limit violations - are logged to our
self-hosted log aggregation stack, where they are retained for 30 days for security
operations (our legal basis: Art. 6(1)(f) GDPR, legitimate interest in securing the
service).
Once a day, an aggregation job:
- queries the log store for blocked requests,
- resolves each source IP to a country using a locally-bundled GeoIP database (no lookup service is called - the database file sits on our disk),
- counts blocks per country and per rule category,
- publishes only those aggregate counts as a static JSON file.
The map in your browser renders that JSON onto a bundled SVG world map. Your browser makes no third-party requests, and the raw logs never leave our infrastructure.
The GDPR part most attack maps get wrong
IP addresses are personal data (CJEU, C-582/14 Breyer). A map that publishes individual attack events with source IPs - or even city-level precision plus timestamps - is publishing personal data of (admittedly hostile) people, and needs a legal basis for that publication.
Country-level aggregate counts are different: “1,742 blocked requests from country X last month” cannot be related back to any individual. The personal-data processing stops at our log store, under the same 30-day retention and legitimate-interest basis as ordinary security logging. What gets published is anonymous statistics - out of GDPR scope entirely.
That distinction - process internally under legitimate interest, publish only anonymized aggregates - is the same pattern we recommend to clients for security telemetry, abuse dashboards, and status pages.
Why bother?
Because “we take security seriously” is a sentence, and a live view of our own perimeter is evidence. The internet’s background radiation - constant scanning, credential stuffing, exploit spraying - hits every public endpoint, including ours. Showing it, honestly and compliantly, is the story: this is what the baseline threat environment looks like, and this is how little of it should ever reach your application.
Get new posts by email
Security engineering, compliance without theatre, open-source threat intel. No tracking, no forwarding your address, unsubscribe in one click.