sikkerapi@prod ~$
Why SikkerAPI|
Sikker-CLISikkerGuard
Honeypot DatabaseEmail LookupUsername LookupDetection CatalogSubnet CalculatorEncoder / Decoder
Prices
|
Fail2BanCSF FirewallNginxiptables / ipset
|
Blog
OverviewIP CheckBlacklistReportBulk ReportTAXII FeedSikker-CLIConfidence Score Algorithm
Top CountriesTop ASNsTop ProtocolsTop IPsSMTP Database
CIDR Range AlertsIP AlertsUsername AlertsEmail AlertsBlacklist Web-UIInstall SikkerGuard
|login|signup
Loading
SikkerAPI

Open source threat intelligence from a global honeypot sensor network. Real attacker behavior, not purchased feeds.

Product
PricingDocumentationReport an IPThreat MapSystem Status
Resources
BlogFAQAboutContactComparisons
Tools
Sikker-CLISikkerGuardDetection CatalogSession DatabaseTAXII Feed
Browse
Top CountriesTop ASNsTop ProtocolsTop IPsSMTP Wall of Fame
© 2026 SikkerAPI
TermsPrivacyRemove Me

Why SikkerAPI

Intelligence from observed attacks — not purchased feeds.

Every data point in SikkerAPI comes from one of two places: our honeypot sensor network recording real attacker behavior, or community reports from security teams using the platform. No third-party list aggregation. No recycled data. Every confidence score is backed by observable events you can verify in the session database and detection catalog.

We capture the full attack lifecycle, not just connection logs.

Most threat feeds tell you an IP connected to a honeypot. SikkerAPI tells you what the attacker did after connecting. Our sensors accept every credential and record everything that follows — commands typed, files downloaded, payloads deployed, queries executed. This behavioral depth is what enables meaningful classification instead of simple IP lists.

17
Protocol
Honeypots
All
Credentials
Accepted
Full
Post-Auth
Capture
Public
Session
Database
$ Protocols captured
SSH
Full shell emulation, 105+ commands
HTTP
Request capture, exploit detection
MySQL
Query capture, auth logging
Docker
API emulation, container escape detection
Redis
Command capture, config manipulation
SMTP
Email probe detection
FTP
File operations, credential logging
Telnet
IoT botnet staging detection
MongoDB
Auth bypass, data exfil attempts
+8 more
PostgreSQL, SMB, RDP, VNC, SIP, RTSP, ES, LDAP

Every score is backed by evidence you can inspect.

Confidence scores are calculated from session frequency, protocol diversity, behavior severity, and community reports. The scoring methodology is documented. Every behavior classification in the detection catalog has a name, severity, and description. No black box. No “trust us.”

$ What you get per IP lookup
✓Confidence Score0–100%, severity label, scoring methodology link
✓GeolocationCountry, city, ASN, ISP, Tor/proxy flags
✓Activity TimelineFirst seen, last seen, first/last reported
✓Protocol BreakdownSessions, events, and reports per protocol
✓Behavioral ClassificationsNamed compound attack patterns with severity and count
✓Attack PrimitivesAtomic techniques observed (e.g. ssh_authorized_keys_write)
✓Community ReportsCategory, protocol, comment, date, reporter count
✓API FiltersmaxAge, protocols, exclude, verbose, ignoreWhitelist
1,000
Free Lookups
Per Day
10K
Bulk Check
Per Job
/16–/32
Subnet Lookup
Range

Intelligence reaches your defenses in the format they expect.

A threat database is only useful if it feeds into your actual security stack. SikkerAPI delivers intelligence through REST API, TAXII 2.1, plaintext blacklists, CLI tools, and automated firewall rules — whatever your infrastructure needs.

Dynamic Blacklist
✓8 Filter Flagsscore, country, ASN, protocol, severity, IP version
✓Plaintext ModeBare IPs, one per line, for iptables/pfSense/EDL
✓Cron-FriendlyRate limit headers, stable endpoint, idempotent
TAXII 2.1 / STIX 2.1
✓Full TAXII ServerDiscovery, collections, paginated objects
✓STIX Indicatorsipv4-addr patterns, labels, descriptions
✓Native IngestionOpenCTI, MISP, Splunk, QRadar, Sentinel
Integration Guides
✓Fail2BanAuto-report + blocklist pull
✓CSF FirewallBlock list integration
✓NginxDeny list from API
✓iptables / ipsetAutomated blocklist loading
Alert System
✓IP AlertsTrack adversary IPs
✓CIDR Range AlertsDetect compromised hosts
✓Username AlertsCredential stuffing detection
✓Email AlertsPhishing recon detection

One Docker command to protect your server.

SikkerGuard is a self-contained Linux firewall manager. It pulls from SikkerAPI, AbuseIPDB, and blocklist.de, merges and deduplicates IPs, applies iptables/ipset rules with atomic swap, monitors blocked connections in real time, and provides a web dashboard. No configuration required beyond an API key.

$ docker run sikkerapi/guardinstall →
[info] Sources loaded: SikkerAPI 8,441 (score ≥ 50) AbuseIPDB 4,220 (confidence ≥ 90) blocklist.de 2,108 (ssh + apache + bots) Custom 14 [info] Merged: 13,847 unique (936 overlap) [info] ipset swap: OK [info] Connectivity: gateway OK / DNS OK / API OK [info] Dashboard: http://localhost:7064
500K
IPs per
ipset
4
Threat
Sources
O(1)
Lookup
Speed
Auto
Rollback
on Failure
SikkerGuard capabilities
✓Atomic ipset SwapZero-downtime blocklist updates, staging set pattern
✓Connectivity TestingGateway ping + DNS resolve + API health check after every apply
✓Real-Time Block LogKernel log parsing, port-to-protocol mapping, source attribution
✓Safety WhitelistAuto-detects gateway, DNS, host IPs, RFC1918. Anomaly protection.
✓Web DashboardToggle, charts, live log, sources, settings, whitelist, updates
✓Docker Self-UpdateZero-downtime container swap via Docker socket
✓Automated ReportingReports blocked IPs back to SikkerAPI with packet deltas
✓17 Protocol Port Map33 default ports, user-extensible from dashboard

Every feature works from the terminal.

Sikker-CLI is a Go binary with 7 commands. Every command supports --json. Errors go to stderr, data to stdout. --fail-above enables shell gating. Environment variable auth for CI/CD. Cross-platform: Linux, macOS, Windows (x64 + ARM64).

$ sikker --helpnpm →
$sikker check <ip>Full reputation lookup with --fail-above threshold
$sikker blacklistDownload filtered blocklist, --plaintext for firewall piping
$sikker report <ip>Submit single abuse report with category and protocol
$sikker bulk-report <file>Upload CSV/JSON with up to 10K reports
$sikker taxii listSTIX 2.1 object listing with pagination
$sikker taxii get <ip>Single IP as STIX indicator
$sikker username <user>Credential attack database lookup
Automation example
# Block IPs scoring above 80, SSH only, from cron $ sikker blacklist --score-min 80 --protocols ssh --plaintext \ | xargs -I{} iptables -A INPUT -s {} -j DROP # Gate deployment on IP reputation $ sikker check $DEPLOY_IP --fail-above 50 --json | jq .confidenceLevel 0 # clean — proceed with deployment # Environment variable auth for CI/CD $ export SIKKERAPI_KEY=sk_live_abc123 $ sikker check 1.2.3.4 # no config file needed
Create Free AccountView PricingDocumentationInstall SikkerGuardInstall CLI
End of assessmentRef: SikkerAPI / Product / Public