Port Watch · Methodology
How Port Watch scores yacht cyber-pressure
Every score input is visible on every region page. No black-box weighting. This page documents the data sources, scoring rules, and limits — so anyone reading a Port Watch score can verify how it was built.
The regions
Seven regional buckets that cover the megayacht cruising loop. Each bucket spans multiple cities so no single famous marina maps 1-to-1 to a score.
- South Florida — Fort Lauderdale, Miami, Palm Beach, Stuart, North Palm Beach
- US Northeast — Newport RI, Mystic CT, Greenwich CT, Nantucket MA
- Eastern Caribbean — St. Maarten, St. Barths, Antigua, BVI, St. Lucia, Grenada
- Côte d'Azur — Monaco, Antibes, Cannes, Nice, Saint-Tropez, Beaulieu
- Balearics — Palma de Mallorca, Ibiza, Menorca
- Italian Riviera — Genoa, Viareggio, La Spezia, Imperia, Portofino, Sanremo
- UAE / Arabian Gulf — Dubai, Abu Dhabi, Doha
Scoring
The algorithm
Three per-region signals sum to a 0–7 aggregate. KEV/NVD global pulse is shown as context but does NOT enter the score — it would just shift every region in lockstep and add noise.
The captain checklist on each region page is generated from these same signals. Every red bullet is a region-specific finding from the score inputs (top probes, KEV cross-reference, phishing infrastructure, season). Every grey "baseline" bullet is operational hygiene that always applies.
Signal 1 — Regional exposed services (0–3, Shodan)
Count of Shodan banner-grab hits in the region's cities matching products that show up in active CISA KEV entries: Fortinet, Cisco ASA, Palo Alto GlobalProtect, SonicWall, RDP, Outlook Web Access, Ruckus, Aruba. We issue one Shodan /host/count query per city per probe (free at this endpoint).
| Total hits | Score |
|---|---|
| 0–49 | 0 |
| 50–199 | 1 |
| 200–999 | 2 |
| 1,000+ | 3 |
Signal 2 — Regional phishing infrastructure (0–3)
Count of URLhaus + OpenPhish entries where the abused host or URL path matches the region's phishing-terms dictionary (sub-port names, yacht agent / broker / shipyard domain stems). This is a sentinel signal: most cycles it sits at 0, and that's fine. When it fires, regional-themed phishing infrastructure has appeared in the public feeds — that's meaningful.
| Matches | Score |
|---|---|
| 0 | 0 |
| 1 | 1 |
| 2–3 | 2 |
| 4+ | 3 |
Signal 3 — Seasonal load (0–1)
A binary boost: +1 if the current month falls in the region's high-season window, otherwise 0. Med regions: May–September. Caribbean + Gulf: November–April / March. US Northeast: June–September. South Florida: November–April. This is a weighting we own and document, not a third-party feed.
Aggregate pressure
| Aggregate (0–7) | Pressure level |
|---|---|
| 0–1 | Calm |
| 2–4 | Elevated |
| 5–7 | High |
Inputs
Data sources
The exposure map
The map on each region page shows the geographic spread of internet-exposed devices that match our yacht-relevant Shodan probes. It's a visual aid for scale, not a directory of vulnerable devices. Three stacked protections keep it defamation-safe.
Layer 1 — ISP geo-IP precision is metro-level by construction. Shodan returns lat/lon based on the IP block's ISP routing, not the device's GPS. A "Fort Lauderdale, FL" coordinate is the ISP's metro-level approximation — never an actual marina address.
Layer 2 — We deliberately jitter every dot. On top of the ISP-level imprecision, we add a small random offset (~±1 km) to each dot's position. The offset is deterministic per snapshot (same seed → same offset within one day) but moves on the next refresh. Positions are visibly approximated.
Layer 3 — The base map has no marina labels. Only coastline + city anchors + city names. No streets. No buildings. No marina names. A reader literally cannot connect a dot to a specific marina because no specific marina is on the map.
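One way Layer 2's per-snapshot jitter could be implemented, as an added example that is not Port Watch's own code. The HMAC-SHA256 derivation, the `seed` and `dot_id` parameters, the uniform ±1 km box, and the sample coordinate are all assumptions.

```python
import hashlib
import hmac
import math
import struct

KM_PER_DEG_LAT = 111.32   # approximate length of one degree of latitude
MAX_OFFSET_KM = 1.0       # the page states an offset of roughly +/-1 km

# Constructed sample values (not taken from any Port Watch snapshot).
SEED = b"constructed-example-seed"
LAT, LON = 26.12, -80.14  # metro-level point near Fort Lauderdale


def _unit_pair(seed: bytes, snapshot_date: str, dot_id: str):
    """Derive two reproducible floats in [-1, 1] for one dot on one day."""
    # Keying on a private seed matters: if every input were public, a reader
    # could recompute the offset and subtract it from the plotted position.
    day_key = hmac.new(seed, snapshot_date.encode(), hashlib.sha256).digest()
    digest = hmac.new(day_key, dot_id.encode(), hashlib.sha256).digest()
    a, b = struct.unpack(">QQ", digest[:16])
    scale = 2**64 - 1
    return 2 * a / scale - 1, 2 * b / scale - 1


def jitter(lat, lon, seed, snapshot_date, dot_id):
    """Return (lat, lon) shifted by up to MAX_OFFSET_KM on each axis."""
    ux, uy = _unit_pair(seed, snapshot_date, dot_id)
    dlat = uy * MAX_OFFSET_KM / KM_PER_DEG_LAT
    # A degree of longitude shrinks with latitude, so scale by cos(lat).
    dlon = ux * MAX_OFFSET_KM / (KM_PER_DEG_LAT * math.cos(math.radians(lat)))
    return lat + dlat, lon + dlon


def offset_km(lat, lon, jlat, jlon):
    """Displacement of a jittered point as (north_km, east_km)."""
    north = (jlat - lat) * KM_PER_DEG_LAT
    east = (jlon - lon) * KM_PER_DEG_LAT * math.cos(math.radians(lat))
    return north, east


if __name__ == "__main__":
    for day in ("2026-06-22", "2026-06-23"):
        moved = jitter(LAT, LON, SEED, day, "dot-0001")
        print(day, moved, offset_km(LAT, LON, *moved))
```

The same dot keeps its position for every render within one snapshot date and lands somewhere else after the next daily rebuild.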
Honest limitations
- Geo accuracy is city/metro, not marina. Shodan documents this. We never claim a specific marina is exposed — only that a region's metros contain N exposed services on yacht-relevant kit.
- Mass phishing feeds are not yacht-focused. Most cycles the phishing-infra signal is 0; that's expected. Yacht-themed phishing is a tiny slice of global mass-distribution.
- This is exposure, not attack. We do not see attack traffic. We see what's exposed in public scans and what's appeared in public abuse feeds.
- Score is bucketed. A region with score 4 and a region with score 2 both render as Elevated. The visible inputs let you see the difference.
- No history yet. v1 shows the current snapshot only. Week-over-week trends are on the roadmap.
Refresh + change log
The snapshot is rebuilt daily at 02:30 UTC. The phishing-infra feed refreshes at 02:00. CISA KEV + NVD refresh on the upstream /threat-intel hourly pipeline.
Current snapshot generated 39 min ago (2026-06-22T02:38:55+00:00).
Methodology v1 — published 2026-06-15. Future revisions will be dated here.