Your Database Is the New SSH: What 179 Million Honeypot Events Reveal About May 2026
HoneyDB Monthly Report
The internet never stops scanning. But what it’s scanning for keeps changing — and May 2026’s data from the HoneyDB global honeypot network offers a genuinely surprising look at where attacker attention has landed.
The Numbers
In May 2026, HoneyDB sensors recorded 179 million attack events originating from 181,749 unique source IPs. That’s nearly a thousand events per attacking host — a level of intensity that suggests this wasn’t just casual reconnaissance. Threat actors were persistent.
VNC at the Top
The most-probed service in May wasn’t SSH. It wasn’t even a database. It was VNC — Virtual Network Computing — the graphical remote desktop protocol that’s been around since the late 1990s. VNC accounted for over 45 million events, roughly 25% of all activity.
That number should raise eyebrows. VNC is rarely hardened the way SSH or RDP tends to be, often runs without authentication on internal networks that accidentally got exposed, and hands an attacker a full graphical desktop if they get in. It’s not glamorous. That’s exactly why it’s being hammered.
Databases Are Under Siege
Here’s the part that should keep a DBA up at night: MSSQL and MySQL combined for over 61 million events — more than a third of all May activity on their own. MSSQL logged 33.8 million events. MySQL hit 27.8 million. Attackers aren’t just looking for open ports anymore — they’re specifically hunting for database credentials. An exposed database isn’t an oversight. In today’s threat landscape, it’s an invitation.
And remote desktop isn’t far behind. RDP added another 26.8 million events, sitting just behind MySQL at #4. Pair that with VNC at the top and you have a clear message: remote access services — whether to a desktop or a database — are the primary target.
SSH Has Quietly Stepped Aside
For years, SSH was the canonical honeypot magnet. Every security team watched their SSH logs. In May 2026, SSH ranked sixth — accounting for just 4.4% of events, trailing VNC, three database/remote-access services, and even SIP (VoIP infrastructure, at 14.3%). The shift isn’t because SSH got safer. It’s because attackers found softer targets and pivoted accordingly.
VoIP infrastructure appearing at 14.3% of all events is its own story. SIP-enabled systems that are misconfigured or left exposed are a well-known vector for toll fraud and call interception — and the sustained scanning volume suggests those campaigns are alive and active.
The real question isn’t which protocol gets hit next. It’s whether your exposure is visible to you before it’s visible to them.
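One way to make that exposure visible from the inside, as an added example that is not part of the HoneyDB report or its tooling: the Python below parses the output of `ss -H -tuln` on a Linux host and lists listeners for the six services ranked above that are bound to a non-loopback address, ordered by how heavily the report saw each one probed. The port numbers are the services' usual defaults and the sample output is constructed; both are assumptions, since the report lists no ports.

```python
import ipaddress

# Report's May 2026 ranking, most-probed first. Port numbers are the
# services' usual defaults (an assumption; the report lists no ports).
TARGETED = {
    5900: ("VNC", "45M+ events, ~25%"),
    1433: ("MSSQL", "33.8M events"),
    3306: ("MySQL", "27.8M events"),
    3389: ("RDP", "26.8M events"),
    5060: ("SIP", "14.3% of events"),
    22: ("SSH", "4.4% of events"),
}
RANK = list(TARGETED)

# Constructed sample of `ss -H -tuln` output (not real host data).
SAMPLE = """\
tcp   LISTEN 0      5                  *:5900             *:*
tcp   LISTEN 0      80         127.0.0.1:3306       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128            [::1]:1433          [::]:*
udp   UNCONN 0      0       10.0.0.5%eth0:5060       0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
"""

def is_loopback(addr):
    """True for loopback binds, which other hosts cannot connect to."""
    host = addr.split("%")[0].strip("[]")  # drop %iface scope and brackets
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # '*' or unparsable: report it rather than hide it

def exposed_listeners(ss_output):
    """Return (service, proto, address, port, share) for non-loopback listeners."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[1] not in ("LISTEN", "UNCONN"):
            continue
        addr, _, port = fields[4].rpartition(":")
        if not port.isdigit() or int(port) not in TARGETED or is_loopback(addr):
            continue
        service, share = TARGETED[int(port)]
        findings.append((service, fields[0], addr, int(port), share))
    return sorted(findings, key=lambda f: RANK.index(f[3]))

if __name__ == "__main__":
    for service, proto, addr, port, share in exposed_listeners(SAMPLE):
        print(f"{service:6} {proto} {addr}:{port}  (report: {share})")
```

A non-loopback listener is a candidate exposure, not proof of one: confirm each finding against host firewall and network ACL rules before treating it as reachable from the internet.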
HoneyDB gives security teams direct access to this global threat intelligence — query attacking IPs via API, monitor specific ASNs or text patterns, or deploy your own honeypot sensor and contribute to the network. Sign up at honeydb.io and start seeing the internet the way attackers do.

