threat.gg Agent

March 6, 2026

The honeypot agent for threat.gg, a honeypot-as-a-service platform for collecting and analyzing real-world attack data.

Overview

The agent is a Go binary that runs on honeypot nodes and emulates multiple network services. When attackers connect and interact with these fake services, the agent captures their activity (commands, credentials, payloads) and reports it to the threat.gg server via gRPC.

Supported Honeypots

| Service | Default Port | Description |
|---|---|---|
| SSH | 22 | Captures brute-force credentials, shell commands, proxy requests, and malware drops |
| PostgreSQL | 5432 | Emulates a PostgreSQL server, captures authentication attempts and SQL queries |
| FTP | 21 | Captures FTP login attempts and file transfer commands |
| Elasticsearch | 9200 | Emulates an Elasticsearch REST API, captures search and index requests |
| HTTP | 8080 | Web server honeypot capturing HTTP request payloads |
| Kubernetes API | 6443 | Emulates the Kubernetes API server |
| OpenClaw | 18789 | WebSocket-based honeypot for custom protocol interactions |
| Kafka | 9092 | Emulates an Apache Kafka broker, captures client reconnaissance and SASL/PLAIN credentials |
| VNC | 5900 | Emulates VNC/RFB handshake and captures auth challenge-response + client preferences |

Architecture

Each honeypot implements the honeypots.Honeypot interface (Start() + Name()) and is registered in main.go. Honeypots run concurrently as goroutines, listening on their respective ports.

Captured attack data is sent asynchronously to the threat.gg server via gRPC with TLS and API key authentication. The server stores the data in PostgreSQL and broadcasts events to the real-time dashboard feed via Redis pub/sub.
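
One way a service emulator could satisfy that interface, as an added Go example that is not the agent's own code: a minimal FTP credential trap run one goroutine per client. The `Start() error` signature, the `FTPTrap` type, its `Report` callback (standing in for the gRPC reporter) and the `127.0.0.1:2121` address are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"strings"
)

// Assumed shapes: the README names only Start() and Name(); FTPTrap and Report are hypothetical.
type Honeypot interface {
	Start() error
	Name() string
}
type FTPTrap struct {
	Addr   string
	Report func(user, pass string) // stands in for the gRPC reporter; called from many goroutines
}
func (h *FTPTrap) Name() string { return "ftp" }
func (h *FTPTrap) Start() error {
	ln, err := net.Listen("tcp", h.Addr)
	for err == nil {
		var c net.Conn
		if c, err = ln.Accept(); err == nil {
			go func() { defer c.Close(); h.session(c) }() // one goroutine per client
		}
	}
	return err
}

// session rejects every login and reports each USER/PASS pair it is sent.
func (h *FTPTrap) session(rw io.ReadWriter) {
	fmt.Fprint(rw, "220 FTP server ready\r\n")
	user, sc := "", bufio.NewScanner(io.LimitReader(rw, 4096)) // cap bytes read per session
	for sc.Scan() {
		reply := "530 Not logged in"
		switch cmd, arg, _ := strings.Cut(strings.TrimSpace(sc.Text()), " "); strings.ToUpper(cmd) {
		case "USER":
			user, reply = arg, "331 Password required"
		case "PASS":
			h.Report(user, arg)
		}
		fmt.Fprint(rw, reply+"\r\n")
	}
}

func main() { // constructed loopback address; prints each captured pair
	fmt.Println(Honeypot(&FTPTrap{"127.0.0.1:2121", func(u, p string) { fmt.Println(u, p) }}).Start())
}
```

A deployed listener would also set a per-connection deadline so that idle clients cannot hold goroutines open.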

Building

make build        # Cross-compile static Linux binaries (amd64 + arm64)
make proto        # Regenerate protobuf code from the server's honeypot.proto
make test         # Run tests

Deployment

The agent binary is deployed to honeypot nodes at /root/honeypot and managed via systemd. An auto-updater checks GitHub Releases every 15 minutes for new versions (calver tags).

Configuration

Environment variables:

| Variable | Description | Default |
|---|---|---|
| API_KEY | API key for server authentication | required |
| GO_ENV | Set to development for local testing | production |
| SSH_PORT | SSH honeypot port | 22 |
| KAFKA_PORT | Kafka honeypot port | 9092 |