Real-time IP reputation scoring and behavioral threat intelligence powered by high-interaction honeypots and community-contributed abuse reports
SikkerAPI is an IP reputation and threat intelligence platform. We provide real-time confidence scoring for any IP address, backed by first-party behavioral data from our distributed honeypot network and community-contributed abuse reports. Every IP reputation score is evidence-based and transparent — derived from observable attack sessions, protocol-level activity, and classified attack patterns rather than opaque algorithms.
Systems administrators, developers, and security teams use SikkerAPI to check IP reputation via our REST API, generate filtered IP blacklists for firewalls and intrusion prevention systems, submit and query abuse reports, and consume structured threat intelligence through native STIX/TAXII 2.1 feeds. Every feature is available on the free tier — paid plans expand daily lookup capacity, not functionality.
Our IP reputation data comes from two sources: SikkerNet, our proprietary distributed honeypot network, and community abuse reports submitted by defenders running tools like Fail2Ban and CSF.
SikkerNet deploys custom honeypot sensors written in Kotlin that fully emulate 16 protocols — including SSH, HTTP, FTP, SMTP, MySQL, PostgreSQL, MongoDB, Redis, Docker, Telnet, Elasticsearch, MSSQL, IMAP, SMB, RTSP, and SIP. Unlike low-interaction honeypots that simply log connection attempts, our sensors accept all credentials and engage attackers in realistic environments. This captures the full attack lifecycle: brute-force credential attempts, post-authentication commands, lateral movement patterns, malware payload downloads, and data exfiltration techniques.
Community abuse reports complement our honeypot data by surfacing malicious IP addresses observed outside the sensor network. Together, these sources feed into a confidence scoring system that weighs behavioral evidence, protocol diversity, and report volume to produce a 0–100 confidence level for every observed IP address.

When an attacker connects to one of our honeypot sensors, we don't just record that a connection occurred — we capture exactly what they did. Our SSH honeypots implement over 100 realistic commands, returning convincing output for everything from uname and whoami to nvidia-smi and docker ps. This reveals real attack tooling, malware download URLs, and lateral movement patterns that low-interaction honeypots miss entirely.

Every captured session is analyzed by our editorial engine, which decomposes attack activity into two layers: primitives — atomic indicators like a specific command execution, download URL, or credential pattern — and behaviors — composite attack classifications built from multiple primitives using AND/OR logic. Each behavior maps to MITRE ATT&CK techniques and carries a severity level (critical, high, medium, low).
For example, ssh_host_fingerprint_and_shell_rc_immutable_removal (critical, 672K+ matches) identifies multi-command host fingerprinting scripts that also strip immutable attributes from shell initialization files — a common precursor to persistent access. ssh_authorized_keys_persistence_established (critical, 199K+ matches) detects attackers who remove filesystem protections from .ssh/ directories and inject new public keys. On Telnet, telnet_busybox_hex_stager_with_unknown_applet_execution (critical, 58K+ matches) captures automated IoT botnet propagation — hex-encoded payload reconstruction, multi-directory probing, and staged execution through randomly named BusyBox applets.
These aren't manual labels. The editorial engine currently tracks 138 behaviors and hundreds of primitives across SSH, Telnet, SIP, HTTP, and other protocols — giving defenders structured context alongside every IP reputation score. You can browse the full catalog on the threat catalog page.
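To make the primitive/behavior model concrete, here is an added illustration of how a two-layer classifier of this kind can be built. It is not SikkerAPI's editorial engine and does not use its real primitive definitions, match logic, or ATT&CK mappings; the regexes, the AND/OR trees, the technique IDs, and the SSH session transcript are all constructed for the example. Atomic primitives are matched against each command line of a session, and behaviors are boolean AND/OR trees over primitive names that carry a severity and a technique mapping.

```python
"""Two-layer classification of a honeypot SSH session: primitives -> behaviors.

Added example, not SikkerAPI code. All patterns, logic trees, ATT&CK technique
IDs and the sample session are assumptions constructed for illustration.
"""
import re
from dataclasses import dataclass

# Layer 1: atomic primitives, each a regex over a single captured command line.
PRIMITIVES = {
    "cmd_uname": re.compile(r"^uname\b"),
    "cmd_whoami": re.compile(r"^whoami\b"),
    "cmd_nvidia_smi": re.compile(r"^nvidia-smi\b"),
    "cmd_docker_ps": re.compile(r"^docker ps\b"),
    # chattr -i (immutable bit removal) aimed at a shell initialization file
    "chattr_immutable_removal_shell_rc": re.compile(
        r"chattr\s+-i\S*\s+\S*\.(bashrc|profile|bash_profile|zshrc)\b"),
    # chattr with -i aimed at a .ssh directory
    "chattr_immutable_removal_ssh_dir": re.compile(r"chattr\s+-\S*i\S*\s+\S*\.ssh\b"),
    # shell redirection into an authorized_keys file
    "authorized_keys_write": re.compile(r">>?\s*\S*\.ssh/authorized_keys\b"),
}


@dataclass(frozen=True)
class Behavior:
    name: str
    severity: str              # critical | high | medium | low
    attack_techniques: tuple   # assumed MITRE ATT&CK mapping for this example
    logic: tuple               # nested ("AND"|"OR", operand, ...) tree over primitive names


# Layer 2: composite behaviors built from primitives with AND/OR logic.
# The "multi-command" fingerprinting in the text is simplified here to "at least
# one fingerprint command" via an OR node.
BEHAVIORS = [
    Behavior(
        "ssh_host_fingerprint_and_shell_rc_immutable_removal",
        "critical",
        ("T1082", "T1222.002"),  # assumed: System Info Discovery; Linux/Mac perms modification
        ("AND",
         ("OR", "cmd_uname", "cmd_whoami", "cmd_nvidia_smi", "cmd_docker_ps"),
         "chattr_immutable_removal_shell_rc"),
    ),
    Behavior(
        "ssh_authorized_keys_persistence_established",
        "critical",
        ("T1098.004",),  # assumed: Account Manipulation: SSH Authorized Keys
        ("AND", "chattr_immutable_removal_ssh_dir", "authorized_keys_write"),
    ),
]

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def match_primitives(commands):
    """Return {primitive_name: [matching command lines]} for a session."""
    hits = {}
    for line in commands:
        for name, pattern in PRIMITIVES.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(line)
    return hits


def evaluate(logic, hits):
    """Recursively evaluate an AND/OR tree; a bare string is a primitive name."""
    if isinstance(logic, str):
        return logic in hits
    op, *operands = logic
    results = [evaluate(operand, hits) for operand in operands]
    return all(results) if op == "AND" else any(results)


def classify(commands):
    """Return (primitive hits, list of matched Behavior objects) for a session."""
    hits = match_primitives(commands)
    matched = [b for b in BEHAVIORS if evaluate(b.logic, hits)]
    return hits, matched


def session_severity(matched):
    """Highest severity among matched behaviors, or None if nothing matched."""
    if not matched:
        return None
    return max((b.severity for b in matched), key=SEVERITY_RANK.__getitem__)


# Constructed sample session (not real honeypot data), one command per line.
SESSION = [
    "uname -a",
    "whoami",
    "nvidia-smi",
    "chattr -i /root/.bashrc",
    "mkdir -p /root/.ssh && chattr -ia /root/.ssh",
    "echo 'ssh-rsa PLACEHOLDER_KEY' >> /root/.ssh/authorized_keys",
]

if __name__ == "__main__":
    hits, matched = classify(SESSION)
    print("primitives:", sorted(hits))
    for b in matched:
        print(f"behavior: {b.name} [{b.severity}] techniques={b.attack_techniques}")
    print("session severity:", session_severity(matched))
```

Run as-is, the sample session triggers both behaviors and the session rolls up to critical; a session with only fingerprinting commands (say, uname and whoami) matches primitives but no behavior, which is exactly the distinction the two-layer model is meant to preserve: an atomic indicator on its own is context, and only the composite pattern earns a severity and a technique mapping.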
The same depth of analysis applies across all 16 protocols. Our SMTP honeypots capture full email content from spam campaigns and phishing attempts — providing insight into active threats targeting mail infrastructure. Our database honeypots record SQL injection attempts and unauthorized queries. Every protocol produces structured behavioral evidence that feeds directly into IP reputation confidence scoring.

SikkerAPI is designed to slot into existing security infrastructure with minimal effort. The IP Check API returns confidence levels, geolocation data, behavioral classifications, protocol breakdowns, and community report data in a single request — ready for automated threat detection and IP blocking decisions.
Beyond single-IP lookups, SikkerAPI provides filtered blacklist generation (by country, ASN, protocol, severity, and confidence threshold), bulk abuse reporting for up to 10,000 IPs per request, and native STIX/TAXII 2.1 feeds compatible with Splunk, Microsoft Sentinel, Elastic Security, and QRadar. Integration guides are available for Fail2Ban, CSF, nginx, and iptables, and our CLI tool lets you query IP reputation and download blocklists directly from the terminal.
Confidence levels are derived from observable events — not opaque algorithms. You can inspect the exact behaviors, primitives, and session counts behind every score. When we discount a known-benign scanner like Googlebot or Censys, you can override it with a query parameter to see the raw undiscounted score.
SikkerAPI is founder-built and independent. We maintain a dedicated Researcher plan to ensure that students and university researchers have free access to high-quality IP reputation data and threat intelligence, and a Contributor plan for security professionals who actively report malicious IP addresses.
We believe that IP reputation data should be inspectable, well-documented, and accessible. Every feature — STIX/TAXII feeds, blacklist filtering, behavioral analysis, bulk IP checking, CIDR range alerts, username intelligence — is available on the free tier. No credit card required. Create a free account to get started.