Security research, threat intelligence insights, and product updates.
Our MongoDB honeypot captured a complete ransomware operation: three simultaneous connections from the same IP, systematic database enumeration, full data exfiltration, three dropDatabase commands, and a ransom note inserted into READ_ME_TO_RECOVER_YOUR_DATA. Total time on target: 711 milliseconds.
Our SMB honeypot captured a PsExec-style attack in full: an authentication probe, 13 seconds of silence, then a 2.5-second blitz through IPC$, the svcctl named pipe, and the Service Control Manager. The payload is a four-layer LOLBin chain ending in msiexec pulling an MSI disguised as a PNG from three C2 servers. Total time on target: under 17 seconds.
SikkerGuard is getting a local web dashboard, a first-run setup wizard, and the architecture to pull threat intelligence from multiple sources, not just SikkerAPI. Here's what we're building and why.
SikkerAPI's honeypot network now captures RDP attacks. Our sensors implement the full RDP negotiation stack — X.224, TLS, CredSSP with NTLM authentication — and accept credentials to extract client fingerprints from the MCS Connect Initial PDU. Every username, password, NTLM hash, client build, keyboard layout, and virtual channel request is recorded. 17 protocols, 44 sensors, all feeding into the same IP reputation engine.
Our HTTP honeypot captured a self-replicating exploit chain in the wild: 46 requests in 16 seconds, six different vulnerability families, and a payload designed to turn every compromised server into a new scanner. CGI shell injection, CVE-2024-4577, PHPUnit eval-stdin across 37 path variations, ThinkPHP RCE, pearcmd file inclusion, and a Docker API probe. Each exploit carries an MD5 verification canary. Each successful infection spawns a copy of itself. This is not a tool. It is a contagion.
We're opening our attack session database in public beta. Browse and search real SSH commands, HTTP exploits, MySQL injections, Docker escapes, and more, captured by our globally distributed honeypot network. Every session is curated, annotated with behavioral analysis and matched attack primitives, and free to access.
Our RTSP honeypots emulate unsecured IP cameras on port 554. Two sessions, same day. The first watched for 10 seconds and left. The second stayed for 45 seconds, sent a keepalive to avoid being disconnected, and never said goodbye. Both set up video and audio. Both thought they were looking through someone's camera. Neither was.
We added three new alert types to the dashboard. Set up alerts for your IP addresses, service account usernames, or email addresses — get an hourly digest when they show up in attacks on our honeypot network.
Our honeypot network captured an SSH attacker methodically appraising what it believed was a high-value GPU workstation. 55 commands in 100 seconds: hardware benchmarks, credential harvesting, and a paranoid honeypot detection sweep across six frameworks. It checked for Cowrie, Kippo, Dionaea, and more. Every check came back clean. The machine doesn't exist.