Full Editorial Coverage Across All 16 Honeypot Protocols
SikkerNet now has full editorial coverage across all sixteen protocols
The last six editorial modules just went live: RTSP, MSSQL, MongoDB, SMB, SMTP, and HTTP/S. That brings SikkerNet's editorial engine to sixteen active modules, covering every protocol collected across the honeypot network.
The editorial engine is what turns raw honeypot telemetry into structured threat intelligence. Each module lets me take protocol-level data (queries, commands, requests, session sequences) and link it to primitives, which then combine into higher-level behaviors. The engine has been running for a while across protocols like SSH, Telnet, and SIP. These six were the remaining gaps.
With full coverage, IP lookups through SikkerAPI will surface significantly more context. Instead of just seeing that an address connected to a service, you'll see the attached primitives and behaviors, such as RTSP stream enumeration, MongoDB authentication attempts, SMB share discovery, or SMTP relay testing. The sessions were already being captured by the Collector. Now every protocol has the editorial layer to break them down.
Existing data benefits too. As modules go live, previously unclassified events get retroactively mapped to primitives and behaviors. Some IPs will appear more active than before — that's not new activity, it's better classification of what was already there.
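The following Python example is added here for illustration and is not SikkerNet's own code. It shows the event-to-primitive-to-behavior layering described above, and why re-running stored events through newly added modules makes an IP look more active without any new traffic. The module functions, primitive names, the "all primitives in one session" rule, and the sample events are all assumptions constructed for the example.

```python
from collections import defaultdict

# Hypothetical per-protocol modules: raw event -> primitive name, or None.
def ssh_module(ev):
    return "ssh.auth_attempt" if ev["data"].startswith("auth ") else None

def rtsp_module(ev):
    verb = ev["data"].split(" ", 1)[0]
    return {"OPTIONS": "rtsp.options_probe", "DESCRIBE": "rtsp.describe_path"}.get(verb)

def smtp_module(ev):
    line = ev["data"].lower()
    if line.startswith("mail from:"):
        return "smtp.mail_from"
    external = line.startswith("rcpt to:") and "@sensor.example" not in line
    return "smtp.external_rcpt" if external else None

# Assumed rule: a behavior fires when one session holds all of its primitives.
BEHAVIORS = {
    "SSH authentication attempts": {"ssh.auth_attempt"},
    "RTSP stream enumeration": {"rtsp.options_probe", "rtsp.describe_path"},
    "SMTP relay testing": {"smtp.mail_from", "smtp.external_rcpt"},
}

def classify(events, modules):
    """Return ({ip: [behaviors]}, number of events no module could classify)."""
    per_session, unclassified = defaultdict(set), 0
    for ev in events:
        prim = modules[ev["proto"]](ev) if ev["proto"] in modules else None
        if prim:
            per_session[(ev["ip"], ev["session"])].add(prim)
        else:
            unclassified += 1
    report = defaultdict(set)
    for (ip, _session), prims in per_session.items():
        report[ip] |= {b for b, need in BEHAVIORS.items() if need <= prims}
    return {ip: sorted(b) for ip, b in report.items()}, unclassified

EVENTS = [  # constructed sample telemetry: one source IP, three sessions
    {"ip": "192.0.2.10", "session": "a", "proto": "ssh", "data": "auth root:admin"},
    {"ip": "192.0.2.10", "session": "b", "proto": "rtsp", "data": "OPTIONS rtsp://203.0.113.5/ RTSP/1.0"},
    {"ip": "192.0.2.10", "session": "b", "proto": "rtsp", "data": "DESCRIBE rtsp://203.0.113.5/live RTSP/1.0"},
    {"ip": "192.0.2.10", "session": "c", "proto": "smtp", "data": "MAIL FROM:<a@test.example>"},
    {"ip": "192.0.2.10", "session": "c", "proto": "smtp", "data": "RCPT TO:<b@other.example>"},
]
OLD = {"ssh": ssh_module}  # coverage before the new modules
NEW = {**OLD, "rtsp": rtsp_module, "smtp": smtp_module}  # same events, more modules
if __name__ == "__main__":
    print(classify(EVENTS, OLD), classify(EVENTS, NEW), sep="\n")
```

The stored events are identical in both runs; only the module set changes, which is why the unclassified count drops while the behavior list for the same IP grows.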
Sixteen modules is the baseline. New protocols and emerging attack patterns will get editorial coverage as they appear across the sensor network.
