Real-World Cybersecurity Research Based on Live Attack Data

SSHLab Research is an independent cybersecurity research initiative operated from production honeypot environments. There are no synthetic datasets, no vendor-sourced threat feeds, no borrowed scenarios. Every book in this series originates from direct observation of attacker behavior against internet-exposed systems.

About SSHLab Research

The methodology is built around three principles: authenticity — data is collected from real deployments, not controlled lab exercises; reproducibility — every setup, configuration, and analysis step is documented so researchers can replicate the environment independently; and technical depth — findings are not summarized for a general audience. They are written for engineers, analysts, and researchers who work with logs, protocols, and defensive infrastructure.

SSHLab Research does not simplify. It documents.

Built on Real Attack Data

The series is grounded in observed attack categories across multiple honeypot deployments. This is not a reconstructed threat model — it is a primary record of what actually reaches exposed infrastructure.

From Observation to Analysis

A repeatable analytical pipeline

Each book follows the same six-phase methodology. Observations are not presented as isolated events — they are traced through a full analysis cycle that ends in defensive conclusions a practitioner can act on.

SSHLab Research Publications

Cowrie SSH Honeypot

Cowrie is the most widely deployed SSH and Telnet honeypot — and the richest source of attacker session data available to defenders. This volume documents the full attack surface: credential enumeration strategies, session commands executed post-login, attacker toolchains, and behavioral signatures that distinguish automated campaigns from manual operators.

Readers get annotated log excerpts, session replay analysis, and a classification framework for SSH attacker profiles. If you run anything with port 22 exposed, this is the baseline reference.

OpenCanary Monitoring

OpenCanary spans multiple emulated services — HTTP, FTP, SMB, MSSQL, VNC, and more — making it uniquely suited for studying cross-protocol attacker behavior. This volume focuses on what attackers do when they encounter a network they can partially map: how they prioritize targets, which services they probe first, and what lateral movement patterns emerge.

Practical for internal network defenders and blue teams designing deception networks. Includes detection rule templates and canary placement strategy.

Dionaea Malware Collection

Dionaea captures malware payloads and exploit attempts at the network level. This volume is a documented case study of three high-signal attacks observed in production: an EternalBlue/WannaCry-derivative exploitation chain, a Mirai botnet recruitment attempt, and an MSSQL brute-force campaign. Each case includes raw capture data, payload analysis, and annotated timelines.

For malware analysts and incident responders who need a practical reference built from real samples — not synthetic replays.

Telnet Honeypot Activity

Telnet is obsolete — and that is exactly why it remains active attack surface. Telnethoney logs reveal the persistent presence of IoT-targeting botnets, default credential spraying campaigns, and Mirai propagation behavior that has barely changed since 2016. This volume documents the Telnet threat landscape with specificity: attack frequency, credential patterns, geographic clustering, and botnet family signatures.

Essential reading for engineers responsible for embedded systems, OT/IoT networks, or legacy infrastructure.

Suricata IDS Analysis

Suricata is not a honeypot — it is the detection layer that makes honeypot data operationally useful. This volume covers Suricata deployment, rule authoring, and alert triage against real traffic captured alongside honeypot sessions. It bridges passive observation and active detection: how do you write a rule for something you have seen in a log?

Includes complete rule sets developed from honeypot findings, performance tuning guidance, and SIEM integration patterns for forwarding structured alerts.

Attack Correlation

Individual honeypot logs describe single-service observations. This volume addresses the harder problem: correlating events across platforms, protocols, and time windows to reconstruct attacker campaigns. The methodology covers IP reputation analysis, behavioral clustering, campaign attribution heuristics, and the limits of attribution from honeypot data alone.

Designed for threat intelligence analysts and senior SOC engineers who need to move from isolated alerts to structured threat narratives. Includes worked examples using data from all five preceding platforms.

Complete Research Collection

The series was designed as a unified body of work. Each book is self-contained, but the full collection forms a coherent research infrastructure — from initial deployment and log collection through detection engineering and cross-platform threat correlation. Purchasing the bundle delivers the complete methodology from observation to actionable defense.

The bundle includes all six technical volumes, the full analytical methodology applied consistently across platforms, and all associated detection rules, configuration references, and log examples.

About the Author

D. Blanko

Founder, SSHLab Cyber · Technical Author · Security Researcher

D. Blanko operates SSHLab Cyber, an independent research operation focused on honeypot infrastructure and log-driven threat intelligence. His work centers on a single principle: security knowledge that cannot be traced to observed data is speculative. The Security Research Series is the documented output of that operational philosophy.

Research specializations include honeypot deployment and operational security, SSH and multi-protocol attack analysis, malware behavior documentation from live captures, reproducible technical methodology for security engineering, and minimalistic documentation practices that prioritize precision over volume.

The series is written for practitioners, by a practitioner. No advisory board. No sponsored findings. The data speaks for itself.

Frequently Asked Questions


Every data point in these books comes from a real honeypot deployment — not a vendor feed, not a reconstructed scenario, not a textbook example. The attack logs, session data, payload captures, and behavioral patterns documented here were collected from internet-exposed systems. The analysis is original, the methodology is documented, and the findings are reproducible. Most security literature describes threat categories in the abstract. This series describes what those categories look like in logs.


The series is written for practitioners with a working knowledge of networking, Linux, and log analysis. It assumes familiarity with concepts like SSH, SIEM, IDS, and basic attack taxonomy. Absolute beginners will find the technical depth challenging. Junior SOC analysts, security students with hands-on lab experience, and engineers moving into defensive roles will find it dense but accessible. The methodology sections of each book provide enough context to follow the analysis without prior experience with that specific honeypot platform.


Yes. Reproducibility is a core design requirement of the series. Each book documents the honeypot configuration, deployment environment, and data collection methodology in sufficient detail to allow independent replication. Researchers and engineers who want to build their own comparable infrastructure can use the books as deployment guides. You will not get identical attack data — the internet is not a controlled environment — but you will get the same analytical framework applied to your own captures.


Yes. The series is structured so that individual volumes can serve as domain-specific training references, and the full bundle provides a coherent curriculum covering detection engineering, threat analysis, and incident response foundations. SOC teams have used the Cowrie and Suricata volumes for log triage training. The Correlation volume is particularly well-suited for senior analyst development.


Each book is centered on a specific honeypot platform or analytical tool — Cowrie, OpenCanary, Dionaea, Telnethoney, Suricata, and multi-platform correlation. The methodology, however, is transferable. Attack classification frameworks, log analysis patterns, and detection logic developed in one book apply broadly. The series is not a vendor endorsement; it uses open-source tooling that can be deployed and modified freely.


Contact

For research inquiries, collaboration opportunities, publication questions, or general feedback, please use the contact form below.