Flagship product

Next-generation SSH Honeypot

A fully simulated Debian 12 environment. The client sensor is open source (MIT); the emulation engine is our managed service. It captures every command, download and credential — and turns them into actionable intelligence.

Python 3 · Docker ready · MIT License · JSONL logging
Architecture

Open client, private engine

The SSH client is open source and deploys on your infrastructure. The emulation engine lives in the CipherSentry cloud and never leaves our servers.

Features

12 reasons to choose CipherSentry Honeypot

Full authentication

Captures username, password, auth method and SSH client version.

Virtual filesystem

Complete Debian 12 directory tree. Isolated per session.

100+ commands

ls, ps, netstat, wget, curl, gcc, python3 and many more, with realistic output.

Payload capture

Downloads and stores files without running them. ELF/shell/ZIP type analysis.

Per-session timeline

Every event with a precise timestamp. Exportable to JSON.

Geolocation

Country, city and ASN per attacking IP. Built-in interactive map.

Pipelines & REPLs

Pipes, redirects, environment variables and interactive REPLs (Python, Perl).

Web dashboard

Web dashboard with advanced analysis, maps and terminal reconstruction.

SFTP & exec

Captures SFTP sessions and direct executions (no interactive shell).

Docker production

Lightweight image ready to deploy. Configurable environment variables.

Centralized logs

JSON events with full metadata, aggregated in a single place.

JSON API

Public statistics and per-tier intelligence (IOCs). More endpoints on the way.

Pricing

Choose the plan that fits your team

The SSH client is always free and open source. The plans meter Shell API usage by commands per month. Start for free, with no credit card.

Free
€0 / forever
10,000 commands / month
200 sessions / month · 7-day retention
  • Open source SSH client (MIT)
  • Full Debian 12 engine
  • 100+ emulated commands
  • Payload capture
  • Monitoring dashboard
  • Per-IP analysis
  • Intelligence and threat feed
Starter
€19 / month
100,000 commands / month
2,000 sessions / month · 90-day retention
  • Everything in Free
  • 10× more commands and sessions
  • 90-day log retention
  • Per-IP analysis of your sessions
  • Intelligence report
  • IOC export
Enterprise
from €499 / month
Unlimited commands
For MSSPs, banking and government · unlimited retention
  • Everything in Pro
  • Unlimited volume and retention
  • Dedicated, isolated instance (on demand · in preparation)
  • Multi-honeypot management
  • Dedicated support
  • Custom integrations and volume

Card payments coming soon. Write to us to activate your plan now.

Integrations

Connects with your stack

Standard JSON Lines logs: format-compatible with your stack (Filebeat→Elastic, Splunk, Grafana via datasource).

Elastic SIEM
Splunk
Grafana
Filebeat
Docker
REST API
Quick Start

Deployed in under 5 minutes

1 · Install the sensor (one command)

curl -fsSL https://ciphersentry.yoire.com/install.sh | bash

2 · Connect the node to your account

bash node.sh enroll

It gives you a link: you log in and your node joins your Swarm.

3 · See activity live

bash node.sh logs

Or from your web dashboard, in The Swarm: sessions, IPs and commands per node.

Tip: Deploy on a server with a public IP on port 22 for maximum capture. Use a firewall so you don't expose your real services on the same host.
FAQ

Frequently asked questions

Yes, with the right precautions. The honeypot never runs the attacker's real code — downloaded payloads are analyzed in a sandbox and any execution attempt is blocked in a controlled way. We recommend deploying it on an isolated VM or container with a firewall to separate it from real services.
It's hard but not impossible. CipherSentry emulates a full Debian 12 with realistic SSH fingerprints, plausible command responses and variable response timing. Highly sophisticated attackers can run environment tests, but ordinary bots and automated scripts rarely detect it. The SSH banner and server version are configurable.
Minimal and measured live: right now the sensor uses 52 MB of RAM and the emulation engine 60 MB. The virtual filesystem lives in memory, not on disk, and each component is capped by its container (128 MB for the sensor, 256 MB for the engine).
Yes. Logs are written in JSON Lines (JSONL) format, which is Filebeat's native format for ingestion into Elastic. For Splunk, the Splunk Universal Forwarder can monitor the file directly.
Yes. The CipherSentry SSH client is free software distributed under the MIT license: you can download it, audit it and deploy it at no cost. The emulation engine (the Shell API) is a proprietary CipherSentry service and its source code is not distributed — it's what keeps the honeypot's realism impossible to replicate.
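
How the JSON Lines logs mentioned under Integrations and in the FAQ can be turned into per-session timelines, as an added example that is not CipherSentry's own code. The field names (`ts`, `session`, `src_ip`, `event`, `input`, `url`, `client`) are assumptions, since the page does not document the event schema, and the sample lines are constructed.

```python
import json
from collections import defaultdict

# Constructed sample log. Field names are hypothetical: the page does not
# document the sensor's event schema. The last line is deliberately truncated.
SAMPLE = """\
{"ts": "2025-01-01T10:00:02Z", "session": "s1", "src_ip": "203.0.113.5", "event": "command", "input": "uname -a"}
{"ts": "2025-01-01T10:00:00Z", "session": "s1", "src_ip": "203.0.113.5", "event": "auth", "username": "root", "password": "123456", "client": "SSH-2.0-libssh_0.9.6"}
{"ts": "2025-01-01T10:00:05Z", "session": "s1", "src_ip": "203.0.113.5", "event": "download", "url": "http://198.51.100.7/a.sh"}
{"ts": "2025-01-01T10:01:00Z", "session": "s2", "src_ip": "203.0.113.9", "event": "auth", "username": "admin", "password": "admin", "client": "SSH-2.0-Go"}
{"ts": "2025-01-01T10:01:03Z", "session": "s2", "src_ip": "203.0.113
"""

def build_timelines(lines):
    """Group events by session, ordered by timestamp; count unparseable lines."""
    sessions, skipped = defaultdict(list), 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            sessions[ev["session"]].append(ev)
        except (json.JSONDecodeError, KeyError, TypeError):
            skipped += 1  # e.g. a line still being written, or a non-object value
    for events in sessions.values():
        # Same-format ISO 8601 UTC timestamps sort correctly as strings.
        events.sort(key=lambda e: e.get("ts", ""))
    return dict(sessions), skipped

def summarize(events):
    """Reduce one session's timeline to the fields an analyst triages first."""
    return {
        "src_ip": events[0].get("src_ip"),
        "credentials": [(e.get("username"), e.get("password"))
                        for e in events if e.get("event") == "auth"],
        "commands": [e["input"] for e in events
                     if e.get("event") == "command" and "input" in e],
        "downloads": [e["url"] for e in events
                      if e.get("event") == "download" and "url" in e],
    }

if __name__ == "__main__":
    sessions, skipped = build_timelines(SAMPLE.splitlines())
    for sid, events in sessions.items():
        print(sid, summarize(events))
    print("skipped lines:", skipped)
```

Counting skipped lines instead of aborting matters when the file is read while the sensor is still appending to it: the final line may be incomplete on any given read.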

Ready to capture your first attacker?

Free plan up to 10,000 commands/month. No credit card.