Community Beta Open Access
Threat intelligence
built by the community.
Collect, enrich and share indicators of compromise with analysts worldwide. Real honeypots, real data, real-time.
5,364
IOCs indexed
6
Unique features
CHP
Honeypot protocol
SIEM
Splunk ready
LIVE
What we built
Everything you need, nothing you don't.
From automated IOC feeds to behavioral fingerprinting CRAABS gives your team intelligence tools that were previously only available to enterprise teams.
Free
Quick Check
Scan any IP, domain, hash or URL instantly across multiple threat engines.
Free
Threat Feeds
Auto-ingestion from Feodo, URLhaus and ThreatFox every 6 hours. Archiving keeps the database lean.
Free
MITRE ATT&CK
Every IOC auto-mapped to tactics and techniques. Browse the full matrix.
Dev
Canary URLs
Invisible traps in documents. Instant alert if a file is leaked or accessed without authorization.
Dev
Threat Forecast
24h attack window predictions built from 30 days of real honeypot data. Rising/Stable/Falling trend.
Dev
Attacker Dossiers
Auto-generated investigation files: timeline, credentials tried, commands executed, ASN, /24 peers.
Dev
Live Attack Heatmap
Real-time world map of honeypot attacks with animated arcs. Updated every 10 seconds.
New
Behavioral Fingerprint
SHA256 of attacker patterns. Unmask the same actor behind different IPs or VPNs.
SIEM
STIX 2.1 & Splunk
Export in STIX 2.1, CEF, Syslog. Auto-feed to Splunk KV Store via native API.
Works with your stack
Connect your SIEM in minutes.
CRAABS exposes a native Splunk-compatible API that automatically populates ip_intel, domain_intel, url_intel and file_intel KV Store collections every 5 minutes, zero manual work.
Auto-import every 5 minutes via modular input
Filter by score, age, TLP or tags
CIM-compliant works with your existing ES dashboards
JSON, CSV lookup and NDJSON batch formats
# 1. Configure in 30 seconds
api_key = YOUR_CRAABS_KEY
min_score = 50
index = threat_intel
# 2. Correlate firewall logs instantly
index=firewall
| lookup craabs_ip_intel src_ip
| where craabs_score >= 70
| table _time src_ip craabs_score country tags
Deploy anywhere
Deploy a honeypot in one command.
Connect any sensor using the open CHP protocol. Every event becomes shared community intelligence automatically enriched, scored and correlated.
One-line install on Linux or Windows
SSH, HTTP, FTP, RDP, Telnet, MySQL supported
Events auto-create IOCs and trigger dossiers
Bulk event API up to 100 events per request
# Install on any Linux server
$ curl -sSL https://cti.craabs.com/docs/install_honeypot.sh | sudo bash
# Send events via CHP API
$ curl -X POST https://cti.craabs.com/api/honeypot/event \
-H "X-Honeypot-Key: chp_xxxx" \
-d '{"source_ip":"185.220.101.47",
"honeypot_type":"ssh","score":87}'
# Response
{"status":"ok","ioc_created":true,"score":87}
Simple pricing
Free to start, built to scale.
Community
$0 / month
Perfect for analysts who want to check IOCs and explore the platform.
Quick Check (unlimited)
Browse all IOCs
MITRE ATT&CK mapping
Live threat feeds
REST API
Honeypot network
Create account
Most popular
Developer
$0 / month (beta)
For SOC teams and researchers who need full platform access.
Everything in Community
REST API + personal key
Honeypot network (CHP)
Canary URLs + Dossiers
Threat Forecast + Heatmap
Splunk KV Store feed
Get started free
Pro
$/ month
Advanced export, priority support and SLA for enterprise teams.
Everything in Developer
STIX 2.1 export
CEF / Syslog / CSV export
Priority support + SLA
Custom integrations
Coming soon
Talk to us
Get in touch.
Email
contact@craabs.com
Response within 24h
Response within 24h
Documentation
Full guides, API reference
and integration examples.
and integration examples.
Platform
https://cti.craabs.com
99.9% uptime SLA
99.9% uptime SLA
Ready to get started?
Community and Developer access are completely free. Canary URLs, Dossiers, Heatmap and Splunk feed included.
Create your free account