Open to internship & full-time rolesOpen to internship & full-time rolesOpen to internship & full-time rolesOpen to internship & full-time rolesOpen to internship & full-time rolesOpen to internship & full-time roles
Selected work

Threat Intel · 2025 · Designer & Sole Engineer

SSH & HTTP Honeypot

High-interaction SSH and HTTP honeypots that emulate real services, capture attacker payloads end-to-end, and feed a structured logging pipeline for threat intelligence.

2
Emulated services
Full
Payload capture
Structured
Threat logs

Context

You learn the most about attackers by letting them in — safely. I built high-interaction honeypots that look and behave like real SSH and HTTP services, so probing tools and human attackers engage far enough to reveal their playbook.

Approach

  • SSH honeypot on Paramiko that accepts sessions, presents a convincing shell, and records every command, credential attempt, and uploaded payload.
  • HTTP honeypot on Flask emulating common endpoints and misconfigurations to attract scanners and capture request bodies.
  • An instrumented logging pipeline that normalizes captured activity into structured records suited for threat-intelligence analysis and enrichment.

Outcome

  • Full capture of attacker payloads and interaction traces across both services.
  • A clean, queryable log stream — the raw material for spotting campaigns, tooling fingerprints, and credential-stuffing patterns.

What I'd do next

Auto-tagging captured payloads against known malware signatures, and shipping events to a SIEM for correlation with live network data.

Built with

PythonParamikoFlask