T-Pot is a multi-honeypot platform and threat intelligence framework that deploys a collection of containerized decoy services to capture attacker behavior and network telemetry. It functions as a Docker-based deception system, simulating vulnerable network environments to gather intelligence on threat actors. The system features a distributed sensor network using a hub-and-spoke architecture, allowing remote sensors to transmit logs back to a central management hub. It integrates large language models to create a dynamic deception engine capable of adaptive interactions with attackers. The
MISP is an open-source threat intelligence sharing platform designed for collecting, storing, and distributing structured threat indicators and intelligence. At its core, it provides a distributed synchronization protocol for transferring events between instances, an attribute-based correlation engine that links matching indicators across events, and a REST API with an OpenAPI specification for programmatic access to threat data. The platform uses formal data formats for JSON, taxonomy, galaxy, and object templates to enable compatibility across tools and communities. The platform distinguish
T-Pot is a multi-honeypot orchestration platform and threat intelligence collector. It utilizes a Docker-based security sandbox to deploy and manage a collection of diverse decoy services that simulate vulnerable targets to lure attackers and record their activity. The system features a distributed sensor network where remote nodes capture attack logs and transmit them via encrypted communication to a central hub. This central hub employs an analytics stack to transform raw logs into geographic maps and interactive dashboards for adversary behavior visualization. To increase the realism of si
TheHive is a security incident response platform and multi-tenant case management system. It functions as a Security Orchestration, Automation, and Response (SOAR) tool and a threat intelligence platform designed to coordinate security investigations by managing alerts, cases, and observables. The platform is distinguished by its multi-tenant architecture, which isolates data across different organizations while supporting selective cross-tenant sharing. It features a SOAR automation engine capable of executing sandboxed JavaScript logic to automate workflows and trigger response actions thro