They came within 4 minutes of deployment. No announcement. No traffic. Just a fresh GCP instance with a honeypot running — and 240 seconds later, the first connection attempt hit. This is the story of CERBERUS: my AI-powered honeypot system, what I built it with, and the attack patterns I observed from real threat actors in the wild. Why I Built This I'm a cybersecurity student and independent researcher in Nairobi, Kenya. Academic labs are fine, but I wanted real data — real attackers, real TTPs, real behavior. Not simulated exercises. So I built CERBERUS: a honeypot deployed on GCP that doesn't just log attacks — it responds to them intelligently using an LLM layer, adapting behavior based on what the attacker does next. A honey trap that gets smarter the longer someone stays inside it. The Stack Core deception layer: Cowrie — SSH/Telnet honeypot. Emulates a real shell, logs every command, captures files they try to upload or download HoneyGPT — LLM-backed response layer.…