
Honeypot sensor network providing IP/domain reputation scores and threat feeds.

Honeypot sensor network providing IP/domain reputation scores and threat feeds.
The Entire Cybersecurity Market, One Prompt Away
Connect your AI assistant to ... tools and ... vendors. Ask anything about the cybersecurity market.
BadBot.net (also referred to as BadBot Gateway) is an IP and domain reputation service that operates a worldwide network of honeypot sensors to detect and track malicious internet activity. The service aggregates abuse observations from these sensors, applies time-decayed scoring, and exposes the results through a public API, a lookup interface, and downloadable threat feeds. The sensor network deploys lightweight honeypot decoys across multiple geographic regions, each exposing over 60 trap endpoints that mimic vulnerable web infrastructure — including fake WordPress logins, exposed .env and .git files, cloud-metadata endpoints, admin panels, and API specs. Because no legitimate user would request these paths, any interaction is treated as a high-confidence abuse signal. Sensors classify requests using behavioral signals such as scanner user-agents, request bursts, submitted credentials, hidden honeypot fields, and header anomalies, then tar-pit connections and stream events to a central gateway. A key differentiator is multi-step escalation detection: the system correlates each source's activity over time to identify attack chains, such as a bot performing recon, fetching an API spec, and then targeting the advertised endpoints. Reputation scores are calculated on a 0-100 scale using severity-weighted, time-decayed abuse reports with a 14-day half-life. This means recent abuse carries more weight, and indicators that stop generating reports naturally drift back toward lower scores without manual intervention. Threat feeds are available in JSON, CSV, and TXT formats, covering high-risk IPs and full IPv4/IPv6 snapshots for use in firewalls, SIEMs, and deny-lists. The service tracks 15 abuse categories and offers read-only lookups and feeds with no account or API key required. The primary target audience is security and operations teams.