# 🍯 DeceptionOps — AI-Powered Cyber Deception Platform

HoneyNet Intelligence · Autonomous SOC Agent · Claude AI Brain

Lure attackers into honeypot traps — let AI handle everything from detection to incident report.
DeceptionOps combines two powerful security layers into one autonomous platform:

| Layer | Capability |
|---|---|
| 🕸️ HoneyNet Intelligence | SSH, HTTP and FTP honeypot traps capturing real attacker TTPs |
| 🤖 Autonomous SOC Agent | Zero human input: events → OSINT → CVE correlation → triage → incident report |
| 👤 Attacker Profiler | GeoIP, AbuseIPDB, VirusTotal, Shodan per attacker IP |
| 🗺️ MITRE ATT&CK Mapper | Heatmap of every tactic and technique observed |
| 📋 Claude AI Brain | Attacker dossiers, kill-chain analysis, TLP:AMBER incident reports |
```text
deceptionops/
├── honeypot/
│   ├── simulator.py      # SSH/HTTP/FTP trap simulator with realistic payloads
│   └── trap_manager.py   # Per-attacker session analysis & threat scoring
├── osint/
│   └── profiler.py       # Auto-profiles every attacker: GeoIP, AbuseIPDB, VT, Shodan
├── soc_agent/
│   └── triage.py         # Fully autonomous SOC triage agent
├── zeroday/
│   └── feed.py           # CVE feed correlated to observed attack types
├── llm/
│   └── brain.py          # Claude AI hub (dossiers, triage, reports, Q&A)
├── data/
│   └── db.py             # SQLite persistence layer
├── utils/
│   └── logger.py         # Rich terminal output
├── main.py               # CLI entry point
└── app.py                # Streamlit dashboard (5 tabs, port 8503)
```
## Attack Types & MITRE ATT&CK Mapping

| Trap | Attack Type | MITRE Technique |
|---|---|---|
| SSH | Brute Force | T1110.001 — Password Guessing |
| SSH | Password Spray | T1110.003 — Password Spraying |
| SSH | Command Exec | T1059.004 — Unix Shell |
| SSH | Lateral Movement | T1021.004 — Remote Services: SSH |
| HTTP | Path Scanning | T1595.002 — Vulnerability Scanning |
| HTTP | SQL Injection | T1190 — Exploit Public-Facing Application |
| HTTP | Directory Traversal | T1083 — File & Directory Discovery |
| HTTP | Remote Code Execution | T1190 — Exploit Public-Facing Application |
| FTP | Brute Force | T1110.001 — Password Guessing |
| FTP | Anonymous Access | T1078.001 — Default Accounts |
| FTP | Data Exfiltration | T1048.003 — Exfiltration Over Unencrypted Protocol |
```bash
pip install -r requirements.txt
cp .env.example .env
# Edit .env and add your keys
```

### 3. Run the autonomous pipeline

```bash
python -X utf8 main.py --dashboard   # opens at http://localhost:8503

# Full autonomous pipeline (honeypot → OSINT → triage → incident report)
python -X utf8 main.py

# More attackers, custom seed
python -X utf8 main.py --attackers 25 --seed 7

# OSINT probe a specific IP
python -X utf8 main.py --investigate 185.220.101.5

# Dashboard on custom port
python -X utf8 main.py --dashboard --port 9000
```
| Tab | Description |
|---|---|
| 🍯 Honeypot Feed | Live event timeline, trap breakdown, attack scatter plot |
| 👤 Attacker Profiles | Per-IP dossiers with AI threat actor assessment |
| 🚨 Incidents | Autonomous triage decisions + TLP:AMBER incident reports |
| 🗺️ MITRE ATT&CK | Tactic × technique heatmap and coverage analysis |
| 💬 Ask DeceptionOps | Claude-powered chat for honeypot intelligence Q&A |
```text
Honeypot Events
      ↓
Session Grouping (per attacker IP)
      ↓
OSINT Profiling (GeoIP + AbuseIPDB + VirusTotal + Shodan)
      ↓
CVE Correlation (match attack types to known vulnerabilities)
      ↓
AI Attacker Dossier (sophistication, kill chain, objectives)
      ↓
Triage Decision (BLOCK / INVESTIGATE / MONITOR / IGNORE)
      ↓
Incident Report — TLP:AMBER (P1 & P2 only, fully automated)
```
| Priority | Decision | Threshold |
|---|---|---|
| P1 | 🔴 BLOCK | Threat score ≥ 7 or CRITICAL severity |
| P2 | 🟠 INVESTIGATE | Threat score ≥ 4 or HIGH severity |
| P3 | 🟡 MONITOR | Threat score ≥ 2 |
| P4 | ⚪ IGNORE | Routine noise |
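As an added illustration of the session-grouping and triage steps above (this is example code, not the project's own `trap_manager.py` or `triage.py`): events are grouped per attacker IP, attack types are mapped to the MITRE techniques from the table above, a threat score is summed from hypothetical per-technique weights (the project's real scoring is not documented here), and the priority thresholds from the table are applied in order, most severe first. The sample events use documentation IP ranges and are constructed.

```python
from collections import defaultdict

# Attack type -> MITRE ATT&CK technique, taken from the README's mapping table.
MITRE_MAP = {
    ("ssh", "brute_force"): "T1110.001", ("ssh", "command_exec"): "T1059.004",
    ("http", "sql_injection"): "T1190", ("ftp", "anonymous_access"): "T1078.001",
    ("ftp", "data_exfiltration"): "T1048.003",
}
# Hypothetical per-technique weights: the project's real scoring is not on the page.
TECHNIQUE_WEIGHT = {"T1110.001": 1, "T1059.004": 3, "T1190": 3, "T1078.001": 2, "T1048.003": 5}
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

def triage(score, severity):
    """README thresholds, checked most severe first so a P1 is never downgraded."""
    if score >= 7 or severity == "CRITICAL":
        return "P1", "BLOCK"
    if score >= 4 or severity == "HIGH":
        return "P2", "INVESTIGATE"
    if score >= 2:
        return "P3", "MONITOR"
    return "P4", "IGNORE"

def triage_sessions(events):
    """Group events per attacker IP, map to techniques, score, and decide."""
    sessions = defaultdict(list)
    for ev in events:
        sessions[ev["src_ip"]].append(ev)
    results = {}
    for ip, evs in sessions.items():
        # A set: repeating the same technique does not inflate the score.
        techniques = {MITRE_MAP[(e["trap"], e["attack_type"])] for e in evs}
        score = sum(TECHNIQUE_WEIGHT[t] for t in techniques)
        severity = max((e["severity"] for e in evs), key=SEVERITY_RANK.__getitem__)
        priority, decision = triage(score, severity)
        results[ip] = {"techniques": sorted(techniques), "score": score,
                       "severity": severity, "priority": priority, "decision": decision}
    return results

# Constructed sample events (documentation IPs, not real honeypot data).
SAMPLE_EVENTS = [
    {"src_ip": "203.0.113.10", "trap": "ssh", "attack_type": "brute_force", "severity": "LOW"},
    {"src_ip": "203.0.113.10", "trap": "ssh", "attack_type": "command_exec", "severity": "MEDIUM"},
    {"src_ip": "198.51.100.7", "trap": "http", "attack_type": "sql_injection", "severity": "HIGH"},
    {"src_ip": "192.0.2.44", "trap": "ftp", "attack_type": "anonymous_access", "severity": "LOW"},
    {"src_ip": "192.0.2.44", "trap": "ftp", "attack_type": "data_exfiltration", "severity": "CRITICAL"},
]

if __name__ == "__main__":
    for ip, r in triage_sessions(SAMPLE_EVENTS).items():
        print(f"{ip:14} {r['priority']} {r['decision']:12} score={r['score']} {r['techniques']}")
```

Note that 198.51.100.7 scores only 3 but is still escalated to P2 by its HIGH severity, which is the override the thresholds table describes.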
All keys are optional — rule-based fallbacks ensure the pipeline always runs.
MIT License — see LICENSE