NoctisAPI

API Deception Platform · Self-Hosted

Detect real threat actors targeting your APIs.

NoctisAPI deploys honeypot API endpoints that capture attacker activity, fingerprint threat actors, and generate actionable telemetry - fully self-hosted on your own infrastructure.

Built for security teams, researchers, and corporate environments.

  • Self-hosted - runs entirely on your own infrastructure
  • Deploy via Docker on VPS, internal server, or behind proxy
  • Dedicated domain + management UI + telemetry included

Product definition

What NoctisAPI is - and what it is not.

// What it IS

  • Honeypot API platform that exposes realistic decoy endpoints
  • Capture engine for malicious activity against your API surface
  • Actor fingerprinting and session timeline reconstruction
  • Telemetry pipeline for SOC workflows and research
  • Management panel for endpoint configuration and monitoring
  • Self-hosted deployment on your own infrastructure

// What it is NOT

  • Not a WAF - does not block or filter production traffic
  • Not an API Gateway - does not proxy or route real requests
  • Not an automatic vulnerability scanner
  • Not a pentesting or offensive security tool
  • Not a cloud-managed SaaS - all data stays on your infrastructure
  • Not a replacement for authentication or authorization controls

Value

Actionable outcomes from real attacker behaviour.

Visibility of real attacks

Observe automated recon, credential spraying, and API abuse as it happens - against endpoints attackers believe are real.

TTP and pattern capture

Collect attacker tools, techniques, and reconnaissance patterns. Build actor profiles from real hostile sessions.

SOC and research telemetry

Generate structured event data ready for SIEM ingestion, threat intelligence workflows, and security research.

Controlled self-hosted deployment

Run entirely on infrastructure you control. No data leaves your environment. Suitable for regulated and corporate contexts.

Architecture

High-level deployment overview.

  • EXTERNAL - Internet / Attackers: Automated tools · Scanners · Threat actors
  • DOMAIN - Dedicated Domain: api.yourdomain.com · DNS pointing to your deployment
  • PROXY (OPTIONAL) - Proxy / CDN Layer: Cloudflare (proxied or DNS-only) · F5 · Nginx · Reverse proxy
  • NOCTISAPI - Honeypot Engine: Decoy endpoints · Capture engine · Actor fingerprinting · Event pipeline
  • LOCAL - UI · Storage · Licensing: Management dashboard · Event storage · JWT license validation

Use cases

Deployment scenarios for teams and organisations.

Controlled API exposure

Publish decoy API endpoints on a dedicated domain and capture real hostile traffic without exposing production systems.

Attacker research

Study real threat actor behaviour, tooling, and reconnaissance patterns against realistic API surfaces.

Detection validation

Validate and tune SIEM detections and alerting rules using real attacker-generated events from controlled honeypots.

Security training labs

Deploy in isolated lab environments to train SOC analysts against realistic attack scenarios and telemetry.

Corporate deployment published via F5 or proxy

Deploy internally and publish through F5 BIG-IP, Nginx, or any reverse proxy. Suitable for regulated corporate environments.

Threat intelligence collection

Generate structured IOC and TTP data from real attack sessions to feed threat intelligence programs.

Editions

Compare Core and Pro at a glance.

Core

Free

No license required. Deploy and start capturing attacker signals immediately.

  • Realistic honeypot API
  • Actor tracking and basic session views
  • Admin dashboard
  • API Modular configuration
  • API Health monitoring

| Feature | Core | Pro |
|---|---|---|
| Realistic honeypot API | Yes | Yes |
| Actor tracking and scoring | Yes | Yes |
| Basic session views | Yes | Yes |
| Admin dashboard | Yes | Yes |
| API Modular configuration | Yes | Yes |
| API Health monitoring | Yes | Yes |
| Advanced analytics | No | Yes |
| Cases and investigations | No | Yes |
| Session Replay | No | Yes |
| Campaign intelligence | No | Yes |
| API mutation rules | No | Yes |
| Advanced scoring | No | Yes |
| File pipeline | No | Yes |
| Log export | No | Yes |
| Webhook endpoint packs | No | Yes |

Deployment

Flexible deployment for any infrastructure.

Public VPS

Deploy on any public VPS with Docker. Point a dedicated domain at the server IP. Suitable for internet-facing honeypot research.

Internal + Reverse Proxy

Run on an internal machine and publish through F5 BIG-IP, Nginx, or any reverse proxy. Recommended for corporate environments.

Cloudflare

Compatible with Cloudflare in both proxied mode and DNS-only mode. Use proxied for DDoS protection or DNS-only for direct exposure.

Container

Deploy via Docker container. All components - API engine, UI, and storage - run in a single controlled environment.

// Note

The service is typically deployed on a dedicated domain used exclusively for honeypot endpoints. This domain should not share DNS with production services.

Interface

Management panel and event capture views.

Dashboard

// KPI counters · Activity timeline · Live actor feed · Risk heatmap

Threat Actors

// Real-time actor list · Stage badges · Source IPs · Behavior signals

High Signal Alerts

// Severity-ranked alert feed · Credential abuse · Scanner detection

Campaigns

// Campaign clustering · Actor grouping · Hit counts · Stage flow

Session Replay

// Full session list · Attacker timing · Request volume · Pagination

Replay Detail

// Request timeline · Headers · Payload · Response inspection

Endpoint Configuration

// Templates · Extensions · Endpoint toggles · Pro mutation controls

API Health Monitor

// Endpoint status grid · Latency tracking · Uptime monitoring

Quickstart

Up and running in minutes.

01 · Get the repository

$ git clone https://github.com/noctisapi/noctisapi-core
$ cd noctisapi-core

02 · Configure domain and environment

$ cp .env.prod.example .env.prod
# Set your domain, ports, and config vars

03 · Deploy

$ bash ops/vps/deploy.sh

04 · Open an SSH tunnel to the admin panel

$ ssh -L 9001:localhost:9001 user@your-server
# Keep this terminal open - the tunnel stays alive while connected

05 · Access the management panel

http://localhost:9001
# Public API traffic continues through your domain normally
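
The tunnel step implies the management panel is meant to be reachable only over the server's loopback interface on port 9001. As an added check (not part of the NoctisAPI project; the loopback-only binding is an assumption drawn from the tunnel step, and the function names and sample lines are constructed), this script parses `ss -Htln` output and flags any listener on that port bound to a non-loopback address:

```shell
#!/bin/sh
# Added example: flag listeners on the admin port that are not loopback-only.
# Assumption: the management panel listens on TCP 9001, as in the tunnel step.

# Reads `ss -Htln` style lines on stdin and prints every listener on the
# given port (default 9001) whose local address is not a loopback address.
exposed_listeners() {
    awk -v port="${1:-9001}" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            # Loopback forms: 127.0.0.0/8, ::1, IPv4-mapped loopback
            if (addr ~ /^127\./ || addr ~ /^\[::1\]/ || addr ~ /^\[::ffff:127\./) next
            print $4
        }'
}

# Returns 0 when the port is loopback-only (or not listening), 1 otherwise.
admin_port_is_private() {
    found=$(exposed_listeners "${1:-9001}")
    [ -z "$found" ] && return 0
    printf 'admin port reachable beyond loopback:\n%s\n' "$found" >&2
    return 1
}

# Constructed sample input (not captured from a real host).
SAMPLE_OK='LISTEN 0 4096 127.0.0.1:9001 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:80 0.0.0.0:*'
SAMPLE_BAD='LISTEN 0 4096 0.0.0.0:9001 0.0.0.0:*
LISTEN 0 4096 [::]:9001 [::]:*
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*'

printf '%s\n' "$SAMPLE_OK"  | admin_port_is_private && echo "sample 1: private"
printf '%s\n' "$SAMPLE_BAD" | admin_port_is_private || echo "sample 2: exposed"
```

On the server, run `ss -Htln | admin_port_is_private`; a non-zero exit means the panel port is bound beyond loopback and should be restricted before the honeypot domain goes live.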

FAQ

Frequently asked questions.

What is the difference between Core and Pro?

Core is free and requires no license. It includes the public honeypot API, actor scoring, basic session views, API Modular configuration, and API Health monitoring. Pro adds Cases, Campaigns, Session Replay, API mutation, advanced scoring, analytics, file pipeline, log export, and webhook endpoint packs.

Is the system fully self-hosted?

Yes. NoctisAPI runs entirely on infrastructure you control. Your captured event data and telemetry stay on your infrastructure. All event capture, storage, and the management panel operate locally.

Can it be deployed behind a reverse proxy or CDN?

Yes. NoctisAPI works behind any reverse proxy or CDN, both in proxied mode and DNS-only mode. It is compatible with standard corporate network architectures.

Does it require internet connectivity?

Yes. Inbound internet access is required so that attackers and scanners can reach the honeypot endpoints through your dedicated domain. Outbound internet access is recommended for image pulls, GeoIP updates, and license or status refresh tasks depending on your deployment mode.

How does licensing work for Pro?

Pro uses a cryptographically signed license plus customer-only install assets. After purchase you receive the install details needed to pull the Pro image and provision the licensed deployment.

What happens if a license is suspended or revoked?

If a Pro license is suspended or revoked, the application falls back to Core functionality at the next validation cycle. You retain full access to Core features indefinitely.

What are the network and machine requirements?

NoctisAPI is designed for low resource consumption. A small VPS with 1-2 vCPU and 1-2 GB RAM is usually enough for evaluation and small deployments, although sizing depends on traffic volume and enabled features. A dedicated domain, Docker, and inbound 80/443 are required.

Is it legal to deploy deception endpoints?

Yes, as long as telemetry is collected on assets you own or are authorised to monitor, and local regulations are respected. NoctisAPI is designed for authorised defensive use only.

Early access

Start with Core or register interest in Pro.

Deploy Core for free, or register interest in Pro while licensing is being prepared for public availability.

Start Free

Core

Free

Deploy immediately. No license required. Ideal to start observing real attacker signals against your decoy endpoints.

Get started

Deploy NoctisAPI today.

Start with Core for free or join the Pro interest list for advanced investigation and export capabilities.