MIRAGE-SIGHT is a high-interaction threat intelligence feed powered by the Mirage-HoneyPot project. This repository serves as a source of Indicators of Compromise (IoCs) captured through a distributed network of deception sensors and traps deployed across the internet.
Unlike standard firewall logs which capture indiscriminate "internet noise," MIRAGE-SIGHT telemetry is derived from explicit, high-intent interaction with deceptive assets.
The system utilizes the Mirage-HoneyPot architecture to mimic vulnerable internal infrastructure. When an automated actor or AI agent interacts with a sensor, the system serves realistic (but fake) environment configurations, administrative portals, and LLM-specific instruction sets. This allows us to categorize attackers based on their explicit intent—distinguishing between general research crawlers and active credential harvesters.
- High-Interaction Traps: Serves unadvertised paths such as `/.env`, `/config`, and `/api/v1/admin/execute`.
- AI Signature Analysis: Utilizes a custom detection engine to categorize traffic via the `inferred_llm` key, identifying 2026-era AI agents vs. malicious scanners.
- Network Attribution: Every interaction is mapped to its origin ISP to identify patterns in cloud-based reconnaissance.
- Automated Pipeline: Raw telemetry is archived daily from EC2 sensors to AWS S3 for long-term trend analysis and intelligence extraction.
The MIRAGE-SIGHT feed is natively integrated with an Agentic ecosystem. This integration bridges the gap between passive detection and active mitigation.
By consuming the telemetry generated by the Mirage-HoneyPot sensors, the agents synchronize autonomously to create and deliver global blocklists. This "closed-loop" defense system ensures that verified and potentially malicious actors can be identified, categorized, and blacklisted at the perimeter without human intervention. The agents periodically ingest updated IoCs to harden infrastructure against evolving reconnaissance patterns, providing a proactive "immune system" for cloud assets.
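A consumer-side sketch of the blocklist step described above, with the guards a closed loop needs before anything reaches a perimeter device. This is an added example, not code from the Mirage-HoneyPot project: the record field names (`src_ip`, `path`), the never-block ranges, the threshold, and the sample events are assumptions constructed for illustration, since this README does not document the feed schema.

```python
import ipaddress
from collections import defaultdict

# Trap paths named in this README.
TRAP_PATHS = {"/.env", "/config", "/api/v1/admin/execute"}
# Assumed: ranges that must never be blocked (own egress, a contracted scanner).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]
MIN_DISTINCT_TRAPS = 2  # assumed policy: a single stray hit is not enough

# Constructed sample records; "src_ip" and "path" are hypothetical field names.
SAMPLE_EVENTS = [
    {"src_ip": "203.0.113.7", "path": "/.env"},
    {"src_ip": "203.0.113.7", "path": "/api/v1/admin/execute"},
    {"src_ip": "192.0.2.55", "path": "/.env"},
    {"src_ip": "192.0.2.55", "path": "/.env"},
    {"src_ip": "198.51.100.20", "path": "/.env"},
    {"src_ip": "198.51.100.20", "path": "/config"},
    {"src_ip": "not-an-ip", "path": "/.env"},
    {"src_ip": "203.0.113.99", "path": "/index.html"},
]

def build_blocklist(events, never_block=NEVER_BLOCK, min_traps=MIN_DISTINCT_TRAPS):
    """Return (blocklist, skipped): IPs to block and entries refused, with reason."""
    hits = defaultdict(set)   # source IP -> distinct trap paths it touched
    skipped = {}              # raw source value -> why it was not considered
    for ev in events:
        raw = ev.get("src_ip")
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            skipped[str(raw)] = "malformed address"
            continue
        if ev.get("path") not in TRAP_PATHS:
            continue          # not a deception asset, carries no signal here
        if any(ip in net for net in never_block):
            skipped[str(ip)] = "allowlisted"
            continue
        hits[str(ip)].add(ev["path"])
    blocklist = sorted(ip for ip, paths in hits.items() if len(paths) >= min_traps)
    return blocklist, skipped

if __name__ == "__main__":
    blocked, refused = build_blocklist(SAMPLE_EVENTS)
    print("block:", blocked)
    print("refused:", refused)
```

Logging the refused entries alongside the blocklist gives a reviewer a record of what the automation declined to block and why.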
The data provided in this repository is for strictly defensive security research and educational purposes only. By accessing this intelligence feed, you agree to the following terms:
- Origin of Data: All telemetry is captured through the Mirage-HoneyPot sensor network. This infrastructure consists of unadvertised, non-production assets.
- Implied Consent: All logged interactions originate from unsolicited, third-party traffic. By attempting to access, probe, or interact with these private systems, the originating entities have initiated the data collection process.
- No Interception of Private Communications: This system does not intercept or monitor legitimate private communications. It is a purpose-built deception environment designed to record unauthorized reconnaissance and exploitation attempts.
- Accuracy & Liability: While the Mirage-Sight engine utilizes high-confidence heuristic and signature-based analysis, all data is provided "AS-IS" without warranty. The maintainers assume no liability for network disruptions, false positives, or any damages resulting from the use or ingestion of this blocklist into production environments.
This project is licensed under the MIT License.