Each point is a real IP address recently reported as malicious to AbuseIPDB, a public threat-intelligence database — geolocated and refreshed hourly. This is real, sourced data shown on a stylised grid, not literal live telemetry from our own sensors.
cron/refresh-threat-map.php to run at least once with a valid AbuseIPDB API key — see the deployment guide.