Most security dashboards are trapped inside the tools that generated them. Splunk, Grafana, or proprietary SIEMs are excellent for internal monitoring, but they are often invisible to the outside world. I wanted to change that: to build a public-facing, professional-grade quarterly report based on real honeypot data that I could update in under an hour and ship to production with a single git push.
The Problem: Static vs. Stale
TOCE reporting is built on static HTML. It’s fast, secure, and requires zero CMS maintenance. However, “static” often carries a stigma: manual updates. Manual updates are the enemy of consistency; if a task is tedious, it eventually stops happening.
I realized that “static” doesn’t have to mean “frozen.” By building a pipeline that ends in a git push, you gain a versioned, auditable, and easily deployable content stream—without the overhead of a database or server-side rendering.
The Pipeline: Automating the Flow
The architecture is straightforward:
- Data Extraction: The source of truth is a Splunk instance running on a low-spec home VM. Every quarter, I execute a script that queries the Splunk REST API and exports CSVs for key datasets (protocols, countries, credentials, and attack patterns) directly into my project’s
/datadirectory. - AI-Assisted Processing: This is where Claude Code changes the game. Instead of manually parsing these 175M+ log events or struggling with JavaScript data arrays, I use Claude Code to ingest the raw CSVs. It understands my project structure, performs the data aggregation, and updates the JSON/JavaScript data files within the HTML report.
- Deployment: The report is a clean, single-page HTML file. It uses Chart.js for visualizations and CSS for layout. Because the data is “baked in” at build time, the page loads instantly and works offline. Deployment is a simple
git pullon the production server (served via Caddy), which brings the new report live immediately.

Why This Works
The brilliance lies in separating data collection from presentation. By versioning the Splunk queries alongside the HTML, the report becomes reproducible. Anyone reading the report can see the exact queries used to derive the findings. The data, the methodology, and the presentation exist in one repository.
Claude Code acts as the glue here. Rather than writing brittle glue-code for every new set of metrics, I can simply task it: “Analyze the new CSVs in the /data folder, update the Chart.js data arrays in index.html, and verify the formatting.” It reduces the “human step” from hours of manual data entry to a few minutes of review.
Looking Ahead
The current goal is full-cycle automation. I plan to move the data export to a quarterly cron job and use a headless Claude Code agent to patch the HTML automatically. The human role will shift from “data entry” to “editor and publisher.”
This principle isn’t just for honeypots. It applies to any data-driven cadence: monthly digests, annual security reviews, or any report currently maintained by hand. If your data lives in a queryable source, this pipeline can turn your static site into a dynamic data engine.
View the Q2 2026 report: https://sc.toce.ch/reports
