Loading threats
Identifies systematic honeypot fingerprinting activity where an SSH session enumerates filesystem paths, configuration files, log artifacts, container indicators, and environment metadata associated with common deception frameworks (Cowrie, Kippo, OpenCanary, Endlessh, T-Pot). This behavior reflects adversary attempts to detect, validate, or evade interactive honeypot environments prior to executing payloads or post-compromise actions.
This behavioral pattern is part of the SikkerAPI detection catalog and is actively monitored across our global honeypot network. No IPs in the current retention window have triggered this detection signature.
When an attacker exhibits this behavior, matched IPs will appear here with confidence scores, geolocation, and session details. Browse other SSH detections or look up a specific IP to check its threat profile.