NoctisAPI

API Deception Platform · Self-Hosted

Detect real threat actors targeting your APIs.

NoctisAPI deploys honeypot API endpoints that capture attacker activity, fingerprint threat actors, and generate actionable telemetry - fully self-hosted on your own infrastructure.

Built for security teams, researchers, and corporate environments.

  • Self-hosted - no external dependencies or license servers
  • Deploy via Docker on VPS, internal server, or behind proxy
  • Dedicated domain + management UI + telemetry included

Product definition

What NoctisAPI is - and what it is not.

// What it IS

  • Honeypot API platform that exposes realistic decoy endpoints
  • Capture engine for malicious activity against your API surface
  • Actor fingerprinting and session timeline reconstruction
  • Telemetry pipeline for SOC workflows and research
  • Management panel for endpoint configuration and monitoring
  • Self-hosted deployment on your own infrastructure

// What it is NOT

  • Not a WAF - does not block or filter production traffic
  • Not an API Gateway - does not proxy or route real requests
  • Not an automatic vulnerability scanner
  • Not a pentesting or offensive security tool
  • Not a cloud-managed SaaS - all data stays on your infrastructure
  • Not a replacement for authentication or authorization controls

Value

Actionable outcomes from real attacker behaviour.

Visibility of real attacks

Observe automated recon, credential spraying, and API abuse as it happens - against endpoints attackers believe are real.

TTP and pattern capture

Collect attacker tools, techniques, and reconnaissance patterns. Build actor profiles from real hostile sessions.

SOC and research telemetry

Generate structured event data ready for SIEM ingestion, threat intelligence workflows, and security research.

Controlled self-hosted deployment

Run entirely on infrastructure you control. No data leaves your environment. Suitable for regulated and corporate contexts.

Architecture

High-level deployment overview.

EXTERNAL: Internet / Attackers
  Automated tools · Scanners · Threat actors

DOMAIN: Dedicated Domain
  api.yourdomain.com · DNS pointing to your deployment

PROXY · OPTIONAL: Proxy / CDN Layer
  Cloudflare (proxied or DNS-only) · F5 · Nginx · Reverse proxy

NOCTISAPI: Honeypot Engine
  Decoy endpoints · Capture engine · Actor fingerprinting · Event pipeline

LOCAL: UI · Storage · Licensing
  Management dashboard · Event storage · JWT license validation

Use cases

Deployment scenarios for teams and organisations.

Controlled API exposure

Publish decoy API endpoints on a dedicated domain and capture real hostile traffic without exposing production systems.

Attacker research

Study real threat actor behaviour, tooling, and reconnaissance patterns against realistic API surfaces.

Detection validation

Validate and tune SIEM detections and alerting rules using real attacker-generated events from controlled honeypots.

Security training labs

Deploy in isolated lab environments to train SOC analysts against realistic attack scenarios and telemetry.

Corporate deployment published via F5 or proxy

Deploy internally and publish through F5 BIG-IP, Nginx, or any reverse proxy. Suitable for regulated corporate environments.

Threat intelligence collection

Generate structured IOC and TTP data from real attack sessions to feed threat intelligence programs.

Editions

Compare Core and Pro at a glance.

Core

Free

No license required. Deploy and start capturing attacker signals immediately.

  • Realistic honeypot API
  • Attacker tracking and sessions
  • Admin dashboard
  • API behavior customization
  • Analytics and monitoring

| Feature                        | Core | Pro |
|--------------------------------|------|-----|
| Realistic honeypot API         | Yes  | Yes |
| Attacker tracking and sessions | Yes  | Yes |
| Admin dashboard                | Yes  | Yes |
| API behavior customization     | Yes  | Yes |
| Analytics and monitoring       | Yes  | Yes |
| Cases and investigations       | No   | Yes |
| Replay and evidence workflows  | No   | Yes |
| Campaign intelligence          | No   | Yes |
| Dynamic response mutations     | No   | Yes |
| Advanced detection logic       | No   | Yes |

Deployment

Flexible deployment for any infrastructure.

Public VPS

Deploy on any public VPS with Docker. Point a dedicated domain at the server IP. Suitable for internet-facing honeypot research.

Internal + Reverse Proxy

Run on an internal machine and publish through F5 BIG-IP, Nginx, or any reverse proxy. Recommended for corporate environments.

Cloudflare

Compatible with Cloudflare in both proxied mode and DNS-only mode. Use proxied for DDoS protection or DNS-only for direct exposure.

Container

Deploy via Docker container. All components - API engine, UI, and storage - run in a single controlled environment.

// Note

The service is typically deployed on a dedicated domain used exclusively for honeypot endpoints. This domain should not share DNS with production services.

Interface

Management panel and event capture views.

Dashboard

// Actor overview · Risk scores · Active campaigns · API health status

Actors

// Real-time actor list · Stage progression · Risk scores · Signal tags

Endpoint Configuration

// Decoy endpoint setup · Custom responses · Environment config

Campaigns

// Campaign clustering · Score breakdown · Stage flow · Actor grouping

Quickstart

Up and running in minutes.

01 Get the repository

$ git clone https://github.com/noctisapi/noctisapi-core

02 Configure domain and environment

$ cp .env.example .env
# Set your domain, ports, and config vars

03 Start the service

$ docker compose up -d

04 Open an SSH tunnel to the admin panel

$ ssh -L 9001:localhost:9001 user@your-server
# Keep this terminal open - the tunnel stays alive while connected

05 Access the management panel

http://localhost:9001/admin
# Public API traffic continues through your domain normally
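
Step 04 reaches the admin panel through an SSH tunnel, which only protects it if port 9001 is not also listening on a public interface of the server. The following check is an added example, not part of the NoctisAPI project: it filters `ss -ltnH` output for non-loopback listeners on the admin port. The function names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not NoctisAPI code): flag admin-panel listeners that are
# reachable without the SSH tunnel from step 04.

ADMIN_PORT=9001   # admin panel port used in the quickstart

# Read `ss -ltnH` output on stdin; print each local address that listens on
# port $1 on anything other than loopback (127.0.0.0/8 or ::1).
nonlocal_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                              # "Local Address:Port" column
            n = split(addr, part, ":")
            if (part[n] != port) next              # different port
            host = substr(addr, 1, length(addr) - length(part[n]) - 1)
            sub(/%.*$/, "", host)                  # drop "%iface" suffix
            if (host ~ /^127\./ || host == "[::1]") next
            print addr
        }'
}

# Constructed sample: admin panel published on every interface (exposed).
sample_exposed() {
    cat <<'EOF'
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:9001 0.0.0.0:*
LISTEN 0 4096 [::]:9001 [::]:*
LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:*
EOF
}

# Constructed sample: admin panel bound to loopback only (tunnel required).
sample_loopback() {
    cat <<'EOF'
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:9001 0.0.0.0:*
LISTEN 0 4096 [::1]:9001 [::]:*
EOF
}

# On a live host: ss -ltnH | nonlocal_listeners "$ADMIN_PORT"
for sample in sample_exposed sample_loopback; do
    found=$("$sample" | nonlocal_listeners "$ADMIN_PORT")
    if [ -n "$found" ]; then
        echo "$sample: admin port reachable without the tunnel on:" $found
    else
        echo "$sample: admin port is loopback-only"
    fi
done
```

Any address this prints on a live host means the panel can be reached directly; a Docker port published without a host address binds to all interfaces, so that is the first place to look.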

Resources

Everything you need to deploy and operate NoctisAPI.

FAQ

Frequently asked questions.

What is the difference between Core and Pro?

Core is free and requires no license. It provides decoy endpoints, actor dashboard, scoring, environment config, and health monitoring. Pro adds advanced investigation features - replay timelines, cases, campaign correlation, file pipeline, and custom API responses - enabled via an offline JWT license.

Is the system fully self-hosted?

Yes. NoctisAPI runs entirely on infrastructure you control. No data is transmitted to external servers. All event capture, storage, and the management panel operate locally.

Can it be deployed behind a reverse proxy or CDN?

Yes. NoctisAPI works behind any reverse proxy or CDN, both in proxied mode and DNS-only mode. It is compatible with standard corporate network architectures.

Does it require internet connectivity?

Yes. Inbound internet access is required so that attackers and scanners can reach the honeypot endpoints through your dedicated domain. Outbound internet access from the server is not required - the service does not phone home or connect to external license servers.

How does licensing work for Pro?

Pro uses offline JWT licensing. Your license is a cryptographically signed JSON Web Token validated locally by the application. There is no connection to a license server - validation happens entirely on your machine using the embedded cryptographic signature.

What happens if a license is suspended or revoked?

If a Pro license is revoked, the application falls back to Core functionality. Since validation is local, suspension takes effect at the next validation cycle without requiring connectivity. You retain full access to Core features indefinitely.

What are the network and machine requirements?

NoctisAPI is designed for low resource consumption. A small VPS (1-2 vCPU, 1-2 GB RAM) is sufficient for most deployments. A dedicated domain pointing to your server is required. Docker must be available. No specific network egress rules are needed.

Is it legal to deploy deception endpoints?

Yes, as long as telemetry is collected on assets you own or are authorised to monitor, and local regulations are respected. NoctisAPI is designed for authorised defensive use only.

Early Access

Request access to the validation cohort.

We are onboarding a limited number of security teams for early validation of Pro capabilities.

Start Free

Core

Free

Deploy immediately. No license required. Ideal to start observing real attacker signals against your decoy endpoints.

Get started

Deploy NoctisAPI today.

Start with Core for free or request Pro access for advanced investigation capabilities.
