// Docs

Documentation

Everything you need to deploy honeypots, monitor threats, and integrate with the threat.gg platform.

// Quick Start

Quick Start

01. Create an account

Sign up at threat.gg/register to get your API key.

02. Deploy the agent

Download and install the threat.gg agent on any Linux server:

# Download the latest agent binary
curl -L https://github.com/joshrendek/threat.gg-agent/releases/latest/download/honeypot-linux-amd64 -o /root/honeypot
chmod +x /root/honeypot

# Set your API key and start
export API_KEY="your-api-key-here"
/root/honeypot

03. View attacks

Open the dashboard to see attacks arriving in real time. The live feed updates via WebSocket — no refresh needed.
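
For step 02, an added example (not part of the threat.gg docs or agent) of gating the install on a pinned SHA-256 digest, so the downloaded binary becomes executable only after it matches. It assumes the download was written to a temporary path and that the digest was obtained out-of-band; the function names are hypothetical and the demo file is constructed.

```shell
#!/bin/sh
# Added example: gate installation of a downloaded binary on a pinned SHA-256.
# Assumption: the digest was obtained out-of-band; the page does not say
# whether the project publishes checksums.

# Print the lowercase hex SHA-256 of FILE with whichever tool is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum < "$1" | cut -d' ' -f1
  else
    shasum -a 256 < "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 on unusable input.
verify_sha256() {
  vs_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  # A pin must be exactly 64 hex characters; an empty or truncated pin
  # must never be treated as "nothing to check".
  case $vs_expected in
    ''|*[!0-9a-f]*) return 2 ;;
  esac
  [ "${#vs_expected}" -eq 64 ] || return 2
  [ -f "$1" ] || return 2
  vs_actual=$(sha256_of "$1") || return 2
  [ "$vs_actual" = "$vs_expected" ]
}

# install_verified DOWNLOAD EXPECTED_HEX DEST
# The file becomes executable and reaches DEST only after the digest matches;
# on any failure the download is deleted and DEST is left untouched.
install_verified() {
  if verify_sha256 "$1" "$2"; then
    chmod 0755 "$1" && mv -f "$1" "$3"
  else
    echo "digest check failed for $1; not installing" >&2
    rm -f "$1"
    return 1
  fi
}

# Demo on a constructed file (not a real agent binary).
demo_dir=$(mktemp -d)
printf 'constructed payload\n' > "$demo_dir/download"
pin=$(sha256_of "$demo_dir/download")  # stands in for the out-of-band digest
install_verified "$demo_dir/download" "$pin" "$demo_dir/honeypot" && echo installed
rm -rf "$demo_dir"
```
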

// Concepts

Concepts

What are honeypots?

Honeypots are decoy services designed to attract and monitor attackers. They emulate real services (SSH, databases, web servers) but capture every interaction for analysis. Any connection to a honeypot is inherently suspicious — providing high-confidence threat intelligence with zero false positives.

How threat.gg works

The threat.gg agent runs on your server and spins up honeypot services on configured ports. When an attacker connects, the agent captures credentials, commands, and payloads, then forwards everything to the threat.gg server via encrypted gRPC. The server stores data in PostgreSQL and pushes events to connected dashboards via Redis pub/sub and WebSocket.

Architecture

Agent (gRPC/TLS) --> Server (Go) --> PostgreSQL
                         |
                         +--> Redis pub/sub
                                |
                                +--> WebSocket --> Dashboard

// Protocols

Supported Protocols

Protocol         Port     Data Captured
SSH              22       Credentials, commands, session logs
PostgreSQL       5432     Auth attempts, SQL queries
MySQL            3306     Credentials, query logs
FTP              21       Login attempts, file operations
Elasticsearch    9200     Search queries, injection payloads
HTTP/HTTPS       80/443   Request paths, headers, payloads
Kubernetes API   6443     API calls, auth tokens
LDAP             389      Bind attempts, search queries
Telnet           23       Credentials, commands
SMB              445      NTLM hashes, share access attempts

// API

API Access

Access your threat data programmatically via the REST API. Find your API key in your account settings.

# Get dashboard stats
curl -H "Authorization: Bearer YOUR_API_KEY" \
  https://threat.gg/api/v1/dashboard

# List SSH attacks (URL quoted so the shell does not interpret ? and &)
curl -H "Authorization: Bearer YOUR_API_KEY" \
  "https://threat.gg/api/v1/attacks?type=ssh&page=1"

# Look up an IP address
curl -H "Authorization: Bearer YOUR_API_KEY" \
  https://threat.gg/api/v1/ip/1.2.3.4

See the full API reference for all available endpoints.

// MCP

MCP Integration

threat.gg exposes an MCP (Model Context Protocol) server that lets AI tools like Claude query your threat data using natural language. Connect via OAuth 2.1 at the /mcp endpoint.

Available MCP Tools

  • [+] Search attacks by type, IP, or date range
  • [+] Look up IP reputation and attack history
  • [+] Get dashboard statistics and trends
  • [+] View top credentials and commands
  • [+] Analyze malware samples
  • [+] Bulk IP checks