Dashboard
Live statistics from 3,508 SSH sessions captured over approximately 3 days of deployment.
Global metrics
| Metric | Value |
| Total sessions | 3,508 |
| Unique IPs | 126 |
| Auth attempts | 3,610 |
| Successful auths | 1,193 |
| Total commands | 3,571 |
| Average duration | 86s (1.4 min) |
| Max duration | 2,179s (36.3 min) |
| Sessions > 1 min | 54 |
| Sessions > 5 min | 11 |
Signal vs noise
| Category | Count | % | Description |
| bot_ephemeral | 2,552 | 72.7% | < 5 seconds, scanner pass-through |
| bot_exec_scanner | 877 | 25.0% | No PTY, single exec command |
| bot_recon | 1 | 0.03% | PTY but pure discovery only |
| Signal | 78 | 2.2% | Human-like, multi-tactic interaction |
MITRE ATT&CK coverage
Global (all 3,508 sessions)
| Tactic | Events |
| discovery | 1,155 |
| credential-access | 246 |
| command-and-control | 19 |
| privilege-escalation | 8 |
| exfiltration | 6 |
Signal only (78 sessions)
| Tactic | Events |
| discovery | 70 |
| credential-access | 65 |
| privilege-escalation | 5 |
5/5 key MITRE tactics observed in signal sessions.
Top commands
| Command | Count |
| printf | 960 |
| uname | 755 |
| ls | 640 |
| echo | 282 |
| /bin/./uname | 148 |
| cat | 140 |
| find | 122 |
| ps | 66 |
| hostname | 64 |
| ip | 63 |
Note: /bin/./uname (148 occurrences) is the Kinsing botnet signature — the dot-slash trick to evade simple command matching.
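The following is an added example, not code from this project: one way to keep the dot-slash trick from splitting a command across two rows of a count table, by normalizing the executable path before matching and flagging invocations whose raw path carried redundant segments. The function names and the sample command lines are assumptions constructed for illustration.

```python
import posixpath
import shlex
from collections import Counter

# Constructed sample command lines (not taken from the honeypot data).
SAMPLE_COMMANDS = [
    "uname -a",
    "/bin/./uname -a",
    "/usr/bin/../bin/uname -s -m",
    "/bin//uname",
    "ls -la /tmp",
    "./run.sh",
]

def canonical_command(line):
    """Return (raw argv[0], normalized path, basename), or None for an empty line."""
    try:
        argv = shlex.split(line)
    except ValueError:  # unbalanced quotes: fall back to a whitespace split
        argv = line.split()
    if not argv:
        return None
    raw = argv[0]
    # Lexical normalization only: collapses '.', '..' and '//', no symlink lookup.
    norm = posixpath.normpath(raw)
    return raw, norm, posixpath.basename(norm)

def is_path_obfuscated(raw, norm):
    """True when an absolute path carries redundant '.', '..' or '//' segments."""
    return raw.startswith("/") and raw != norm

def summarize(lines):
    """Count commands by canonical basename and collect obfuscated invocations."""
    counts, flagged = Counter(), []
    for line in lines:
        parsed = canonical_command(line)
        if parsed is None:
            continue
        raw, norm, base = parsed
        counts[base] += 1
        if is_path_obfuscated(raw, norm):
            flagged.append((raw, norm))
    return counts, flagged
```

Relative invocations such as `./run.sh` are counted but not flagged, since a leading `./` is ordinary shell usage rather than path padding.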
Top usernames
| Username | Attempts |
| root | 1,146 |
| admin | 294 |
| ubuntu | 259 |
| sol | 213 |
| user | 170 |
| debian | 99 |
| solana | 90 |
| solv | 66 |
| test | 60 |
| oracle | 39 |
The presence of sol (213) and solana (90) in the top 10 indicates scanners specifically targeting Solana validator nodes.
Top passwords
| Password | Attempts |
| 123456 | 186 |
| admin | 122 |
| Gr1zzly!Pr0d_2026 | 82 |
| 1234 | 75 |
| 123 | 68 |
| solana | 57 |
| ubuntu | 54 |
| password | 53 |
| 12345678 | 50 |
| root | 43 |
Gr1zzly!Pr0d_2026 is an internal test credential that leaked into brute-force wordlists within days. See Key findings for analysis.
| Persona | Signal sessions | Avg duration | Avg commands |
| fintech_trading | 34 | 94s | 1,349 |
| crypto_validator | 17 | 148s | 643 |
| corp_ad | 15 | 86s | 555 |
The fintech persona attracts 2.4× more interaction than corp_ad, likely due to the AWS credentials and trading API surface.
Dual-use output
| Stream | Events |
| Defensive | 8,668 |
| Offensive | 4,910 |
| Sessions processed | 3,337 |