Threat Intelligence

Honeypots and Threat Intel

Attacker capture, fake-bot detection, AbuseIPDB sharing, live telemetry, campaign fingerprinting, and reporting workflows.

10 articles in this hub
Honeypots

How to Set Up an SSH Honeypot That Captures Attacker Behavior

Set up an LLM-powered SSH honeypot that responds to attackers naturally, captures credentials and commands, and auto-blocks after the session ends.

6 min read
Honeypots

We Built a Honeypot That Attackers Can't Detect

Fake /proc/cpuinfo, /proc/self/cgroup, 25+ shell commands, and LLM fallback. How our honeypot passes the checks advanced attackers use to detect traps.

7 min read
Real-World Security

What Happens When Your Server Gets Attacked: A Real 24-Hour Log

A real 24-hour narrative of attacks against a public VPS: SSH brute-force, web scanners, credential stuffing, and honeypot captures. All blocked automatically.

9 min read
Threat Intelligence

How to Share Threat Intelligence: AbuseIPDB + Cloudflare Automatic Blocking

Automatically report blocked IPs to AbuseIPDB and push firewall rules to Cloudflare WAF. Detect, block, report, and protect other servers from the same attacker.

7 min read
Bot Security

How to Tell Real Googlebot from Fake: Reverse DNS Verification

Attackers disguise themselves as Googlebot to bypass security. Inner Warden verifies bot identity via reverse DNS. Real Google gets through, fakes get caught.

6 min read
Threat Intelligence

Behavioral DNA: Fingerprinting Attackers Without IP Addresses

How behavioral DNA identifies campaigns across IPs using SHA-256 hashing of attack patterns and union-find clustering. 47 IPs, 8 countries, one botnet.

9 min read
Threat Intelligence

Monthly Threat Report: Your Own CrowdStrike Intelligence

Auto-generated monthly reports with executive summary, MITRE heatmap, campaign detection, geographic distribution. Replace $100K/year consulting reports.

7 min read
Engineering

How We Built a Live Attack Map with Real-Time eBPF Data

From kernel events to a world map in the browser: SSE endpoints, server-side GeoIP proxy, react-simple-maps, and the engineering behind innerwarden.com/live.

8 min read
Field Notes

30 Days on a Fresh Ubuntu: Attacker Dwell Time and What They Did

Field notes from a server in observation mode. Connection attempts, top ports, top usernames, top countries, time-to-first-shell-attempt. Honest about what was reproducible.

10 min read
Architecture

Collaborative Defense: How Game Theory Protects a Security Mesh Network

Ed25519 signed signals, tit-for-tat trust evolution, staging pools with TTL auto-reversal. How Inner Warden nodes share threat intelligence without letting anyone abuse the network.

9 min read