In general, attackers carry out scanning or probing against a certain network when they start to attack their victims. Because of this, darknet is very useful to observe the scanning activities of attackers who want to find their victims that have security vulnerabilities in operating systems, applications, services, and so on. Thus, by observing and analyzing darknet traffic, it is able to obtain an insight into malicious activities that are happening on the Internet and to identify potential attackers who sent attack packets to the darknet. However, darknet has a fatal limitation that most of the darknet traffic has no payload data. This means that we cannot collect the real attack codes from the original darknet traffic. To cope with this problem, we propose a security monitoring and response model to analyze cyber threats trend and to trace potential attackers based on darknet traffic. We have evaluated the proposed model using one /24 darknet IP addresses and TMS alerts that were obtained from TMS. The experimental results provided the statistical information of all the incoming darknet traffic so that we could obtain the global cyber threats trend. Furthermore, the experimental results demonstrated that we could obtain malicious attack patterns and attack codes that were not detected by TMS. Copyright © 2013 John Wiley & Sons, Ltd.