The Map Is Not the Territory: What Cyber Threat Maps Really Show

When CloudTweaks first covered live threat maps 10 years ago, the category felt genuinely new. A handful of vendors had built public-facing visualisations showing cyber attacks as animated arcs crossing a darkened globe, and the response from readers was immediate. The maps were arresting to look at, easy to share, and they communicated something that years of written warnings about cybersecurity had failed to land: that attacks were not occasional, targeted events but a constant, global background hum. We have included screenshots of the maps discussed throughout this piece, as several have changed considerably in appearance and a few no longer exist at all.

A lot has changed since then. Some of the tools we featured are gone. The companies behind them collapsed, were acquired, or quietly let their public-facing products go dark as commercial priorities shifted. The threat landscape they were trying to represent has grown orders of magnitude more complex. And a new generation of AI-powered intelligence tools has emerged that makes the original maps look, in retrospect, more like lobby art than operational security.

It is worth going back to where it started, because the story of what happened to those early maps tells you something useful about how the threat intelligence industry actually works.

A decade ago, a California company called Norse Corp made cybersecurity briefly famous. Its live attack map, a dark globe crisscrossed by animated arcs showing hackers striking targets across continents, went viral in 2016 and earned its own writeup in Newsweek. Audiences who had never thought about network intrusion sat transfixed as coloured beams curved across oceans. Security teams started displaying it on office lobby screens. It became the face of a threat most people had never previously thought was visible.

[Screenshot: Norse]

The problem was that the map was more cinema than science. Norse maintained a network of honeypots designed to lure attackers, and what viewers were watching was not the full sweep of internet hostility but a curated sample of traffic hitting Norse’s own decoy infrastructure. When Norse Corp imploded in early 2016, following managerial chaos and a funding collapse documented by journalist Brian Krebs, it left behind a question nobody had thought to ask during the laser-beam spectacle: what do these maps actually measure?

That question has become more consequential, not less, as the live threat visualisation market has expanded, fragmented, and in several cases quietly collapsed. The landscape that existed in 2017, when roundups like this one were routinely published, looks very different today. Several tools that circulated on must-bookmark lists are gone. Others have aged poorly. A new generation of intelligence tools, built on AI rather than animation, has grown up alongside the survivors in ways that reframe what situational awareness actually means.

Starting with what has disappeared feels honest, because the graveyard is larger than most readers expect.

Norse’s map is gone, along with the company that built it. ThreatButt, which styled itself as a satirical commentary on the whole category and added comedic annotations to attack feeds, has not been meaningfully active for years. ThreatMetrix offered something genuinely different: a fraud-detection map tracking account takeover attempts and payment fraud by geography rather than raw network attacks. It was acquired by LexisNexis Risk Solutions in 2018, and its public-facing visualisation was folded into enterprise products unavailable to general visitors.

[Screenshot: ThreatMetrix]

The Intel MalwareTech map, which blipped every time an infected machine pinged a tracking server, became briefly famous during the WannaCry outbreak of 2017 when researcher Marcus Hutchins used a related technique to identify a kill switch in the ransomware code. The map itself was never maintained as a standalone public tool after that moment passed.

FireEye’s threat map, which showed attack origins and destinations alongside the five most targeted industries in the previous 30 days, technically still resolves at its original address. But FireEye no longer exists in the form that built it. The company sold its product business to Symphony Technology Group in 2021, its threat intelligence arm became Mandiant, and Google acquired Mandiant in 2022. What sits at the old URL is a relic, not a maintained resource. Akamai’s real-time attack traffic tool, which was genuinely useful for understanding which regions were absorbing unusually high volumes of malicious traffic, has been rearchitected into a commercial product rather than a public-facing map.

[Screenshot: FireEye]

This attrition follows a predictable logic. Building a compelling live map requires sustained investment in sensor infrastructure, data pipelines, and front-end engineering. When a company is acquired or pivots, public visualisation tools are typically the first things de-prioritised. The maps that have survived are almost exclusively those tied to the core commercial offering of a vendor that has remained independent and consistently invested in public brand visibility.

Seven tools from the current landscape are worth knowing about, and they differ from each other in ways that matter more than their surface similarities suggest.

  • Check Point’s ThreatCloud map aggregates data from its commercial security gateways and displays attacks by origin country, target, and category. It resets daily, functioning as a rolling 24-hour summary rather than a genuine live stream. For practitioners, the most useful feature is the ability to filter historical data by date and see which attack types dominated on a specific day. It is a good tool for pattern recognition over time, and considerably less useful for real-time incident response.
  • Kaspersky’s Cyberthreat Real-Time Map remains the most visually accomplished of the legacy tools. It draws on detection events from Kaspersky’s global endpoint and network security products, covering on-demand scans, on-access detections, web-borne attacks, and email malware, and lets visitors rotate a 3D globe, zoom into specific countries, and view per-country statistics broken down by threat type. The instinct is to treat it as a neutral global sensor network. The more accurate framing is that it reflects Kaspersky’s customer footprint, which is heavily weighted toward Eastern Europe and parts of Asia. Regions where Kaspersky has few enterprise customers will appear quieter than the underlying threat reality justifies.
  • Fortinet’s FortiGuard Outbreak Threat Map draws on telemetry from FortiGuard Labs and distinguishes between ongoing attack types and specific outbreak events, making it particularly responsive to newly identified malware strains spreading rapidly across networks. In 2025, the FortiGuard Labs team reported processing and blocking 3.8 trillion vulnerability exploitation attempts. The map reflects the scale of that underlying infrastructure and is probably the most operationally current of the vendor-backed tools.
  • The Digital Attack Map, originally built by Arbor Networks in partnership with Google Ideas and now maintained under NETSCOUT’s ownership, focuses exclusively on DDoS attacks. It allows filtering by attack size, duration, and source and destination port, and includes historical playback going back several years. For anyone studying large-scale volumetric events rather than malware campaigns, this is the most granular public tool still running. It has never tried to be everything, which is probably why it has lasted.
  • Radware’s Live Threat Map takes a different approach to data collection entirely. Rather than relying on customer endpoint telemetry, Radware operates a dedicated deception network, infrastructure built to attract and log malicious traffic with no legitimate users behind it. This means it captures automated attack tooling more cleanly than maps that only register a threat once a customer device has already been in the path of one.
  • NETSCOUT Cyber Threat Horizon focuses specifically on DDoS telemetry and draws on Arbor infrastructure embedded in a significant portion of global carrier networks. That positioning gives it a structural advantage in detecting large volumetric events that endpoint-focused tools miss entirely. It is particularly useful during geopolitical flashpoints, when DDoS activity predictably surges alongside real-world events.
  • Bitdefender’s Threat Map makes a distinction the others tend to collapse: it separates active attacks from infections, which carries meaningfully different operational implications. A detected infection means a host is already compromised, a different response priority than an inbound attack probe. Bitdefender’s consumer and enterprise footprint in Western Europe makes the map particularly responsive to threats circulating in that region.

All seven share a structural limitation their designers understood but casual viewers rarely stop to consider. Each map renders only the traffic that passes through or is detected by that vendor’s own infrastructure. A ransomware group operating entirely outside a given vendor’s sensor network is invisible to that vendor’s map. A botnet communicating via encrypted traffic designed to mimic legitimate web browsing may register no signal at all. The common assumption is that a busier map reflects a more dangerous environment. The more accurate reading is that a busier map reflects a denser sensor footprint in the regions and industries that particular vendor serves. The display and the reality are not the same thing.

This is where the AI-powered intelligence layer, which has matured considerably since 2020, starts to matter in ways the map format cannot replicate.

IBM’s 2026 X-Force Threat Intelligence Index, published in February of this year, found that vulnerability exploitation became the leading cause of incidents observed in 2025, accounting for 40 percent of all engagements. Active ransomware and extortion groups rose by 49 percent year over year, driven partly by leaked tooling that has lowered the technical barrier to launching an attack. The report also found that large supply chain and third-party compromises had nearly quadrupled since 2020, and that infostealer malware had expanded its targets to include AI platforms, with over 300,000 ChatGPT credential sets appearing on dark web markets during the year. None of that intelligence surfaced from watching a map. It came from correlating forum data, incident response engagements, and endpoint telemetry gathered across months of careful analysis.

Platforms like Recorded Future and Cyble Vision represent a category of tool that has matured significantly since 2017. These are not visualisations. They are structured intelligence environments where analysts query threat actor profiles, track active campaigns, and receive AI-generated relevance assessments calibrated to their specific sector and geography. The shift from animation to analysis is where the real signal lives now.

For practitioners who still want a visual layer with genuine analytical depth, Fortinet’s FortiGuard platform comes closest to bridging the two worlds, layering AI-driven outbreak detection on top of its map interface so that anomalous patterns surface before they have been confirmed as incidents. That directional shift, from passive display of known events toward active flagging of emerging ones, is where the better vendors are heading.

There is a reason the Norse map went viral and threat intelligence briefings do not. Watching arcs of light cross a globe satisfies something visceral. It makes an abstract, distributed, largely invisible risk feel concrete and legible, and that has genuine value in board-level presentations and security awareness training. The surviving maps do that function well, some with considerably more rigour than Norse ever offered. But the organisations that suffered the most damaging breaches of the past decade were not blindsided by a lack of maps. They were undone by gaps in patch management, credential hygiene, and third-party risk monitoring.

Experian’s 2026 Data Breach Industry Forecast, published in December 2025, reported more than 8,000 global data breaches in the first half of 2025, with approximately 345 million records exposed. The attacks behind those numbers were not dramatic enough to generate impressive arcs on any map. They were credential stuffing campaigns, supply chain compromises, and misconfigured cloud environments: invisible, methodical, and entirely predictable to anyone with access to the right intelligence. The live cybercrime map is a useful window into the scale of the problem. The mistake is treating the window as the room.

By Randy Ferguson