The username “sa” was first observed on 2026-01-23 and last seen on 2026-04-21. It has been used in 27,124 attack sessions across 5 different protocols, making it a frequently targeted credential in our honeypot sensor network.

Attackers use this username during automated brute-force and credential stuffing attacks. To protect your systems, ensure this username is either disabled or secured with a strong, unique password. Monitor login attempts with tools like Fail2Ban and check IPs against the SikkerAPI threat database. For automated protection, use our CLI tool or REST API.

Top usernames/SSH threats/Detection catalog/Top IPs/Pricing