Honeypot Threat Intel
Live threat intelligence from an internet-facing SSH honeypot capturing 35,000-85,000 attacker events daily. Query brute-force login attempts (usernames and passwords), reconstruct full attacker sessions, profile IPs with their credentials/commands/SSH fingerprints, track captured malware with VirusTotal links, and pull aggregate statistics -- top passwords, top IPs, hourly attack patterns, and…
Honeypot Threat Intel endpoints
| Method | Endpoint | Description |
|---|---|---|
| summary | | |
| GET | getSummary /summary | Returns a summary of honeypot activity for the specified time period. Defaults to the last 24 hours if no time range is provided. |
| events | | |
| GET | getEvents /events | Returns a paginated list of honeypot events such as login attempts, commands executed, and file downloads. |
| sessions | | |
| GET | getSession /sessions/{id} | Returns full details of a specific honeypot session including all commands executed, files downloaded, and connection metadata. |
| attackers | | |
| GET | getAttackerProfile /attackers/{ip} | Returns a detailed profile of an attacker by IP address, including all sessions, credentials used, commands executed, and SSH fingerprints. |
| stats | | |
| GET | getStats /stats | Returns aggregated statistics including top attackers, credentials, commands, and more. |
| downloads | | |
| GET | getDownloads /downloads | Returns a paginated list of files downloaded by attackers during honeypot sessions. |
| lookup | | |
| GET | lookupHassh /lookup/hassh/{hash} | Look up a HASSH fingerprint to see which IPs and SSH client versions have been observed using it. |
| GET | lookupCredential /lookup/credential | Look up a username, password, or username/password combination to see if it has been observed in honeypot login attempts. At least one of `username` or `password` must be provided. |
| search | | |
| GET | searchUsernames /search/usernames | Search for usernames observed in honeypot login attempts. Supports substring matching. |
| GET | searchPasswords /search/passwords | Search for passwords observed in honeypot login attempts. Supports substring matching. |
| GET | searchCommands /search/commands | Search for commands executed by attackers in honeypot sessions. Supports substring matching. |
| ioc | | |
| GET | getIOCHashes /ioc/hashes | Returns a feed of file hashes (SHA-256) from malware and tools downloaded by attackers during honeypot sessions. |
| GET | getIOCPasswords /ioc/passwords | Returns a feed of passwords used in brute-force attacks against the honeypot. Useful for password policy validation and threat intelligence. |
| GET | getIOCIPs /ioc/ips | Returns a feed of malicious IP addresses observed attacking the honeypot. Useful for threat intelligence and blocklist integration. |
| timeline | | |
| GET | getTimeline /timeline | Returns event counts bucketed by time interval. Useful for trend analysis, dashboards, and threat reports. Defaults to the last 24 hours with 1-hour buckets. |
| Other endpoints | | |
| GET | getEvents /honeypot/events | Paginated feed of raw honeypot events. Filter by event type (login, command, session, download, kex, etc.), source IP, and time range. Returns newest events first. Maximum 500… |
| GET | getDownloads /honeypot/downloads | Metadata for files dropped or downloaded by attackers during honeypot sessions. Includes SHA-256 hash, destination path, file size, and a direct VirusTotal lookup link. No binary… |
| GET | getAttackerProfile /honeypot/attackers/{ip} | Aggregated intelligence for a single IP address. Returns first/last seen timestamps, total events, session count, top credentials attempted, commands executed, SSH client… |
| GET | getSession /honeypot/sessions/{id} | Returns every event in a single SSH session, in chronological order. Shows the full attack timeline: connection, SSH handshake, login attempts, commands executed, files… |
| GET | getDailySummary /honeypot/summary | Dashboard in a single call. Returns today's event count, unique attacker IPs, login attempts, successful logins, commands executed, sessions, file downloads, and the top… |
| GET | getStats /honeypot/stats | Top passwords, usernames, attacker IPs, commands, SSH client versions, HASSH fingerprints, hourly activity distribution, and event type breakdown. Optionally filter to a time… |
| GET | getAttackerProfile /attackers/{ip} | Returns a detailed profile of an attacker by IP address, including all sessions, credentials used, commands executed, and files downloaded. |
Honeypot Threat Intel pricing
| Plan | Price | Rate limit | Quotas |
|---|---|---|---|
| BASIC | Free | — | |