Every dark port is a
sensor, trap, and witness.

DarkPort Enterprise turns your entire unused port surface into a full-spectrum detection grid — monitoring 65,535 ports, fingerprinting 27 protocols, and generating automated threat intelligence with zero false positives. Powered by DarkIP, our 1M+ dark IP global telescope that watches if your assets are compromised from the outside in.

darkport-controller
$ sudo bash setup.sh --slug acme --tier medium --email admin@acme.com
[ok] PostgreSQL + ClickHouse configured
[ok] mTLS certificates generated
[ok] 11 systemd services installed
[ok] 6 backend honeypots deployed (SSH, HTTP, DB, SMB, RDP, OT/ICS)
[ok] DarkPort Enterprise is live. Dashboard: https://acme.darkport.io
$ # On remote host:
$ curl -fsSL "https://ctrl.darkport.io/api/v1/install-script?token=ENROLL_TOKEN" | sudo bash
[ok] Agent enrolled — monitoring all 65,535 ports
0
Ports Monitored
Ships day one
0
Protocols Fingerprinted
IT + OT out of the box
0
Protocol Emulators
Included by default
0
Backend Honeypots
Production-ready at deploy
The Problem
Your unused ports are
an attacker's playground.

Traditional security monitors what you serve. Attackers probe what you don't. Every connection to a closed port is adversary reconnaissance — and you're ignoring all of it.

65,000+ Blind Spots

You run services on a handful of ports. The other 65,000+ are invisible to your SIEM, IDS, and SOC — yet attackers scan them systematically to map your infrastructure.

Silent Reconnaissance

Port scans generate kernel RST packets and vanish. No log entry, no alert, no evidence. Attackers complete full network surveys without triggering a single detection rule.

OT/ICS Exposure

Industrial protocols like Modbus, S7comm, DNP3, and BACnet are scanned daily by nation-states and botnets. Most OT environments have zero deception capability.

Manual Threat Intel

Correlating AbuseIPDB, GreyNoise, and GeoIP data manually is slow and error-prone. By the time you build a blocklist, the attacker has already moved laterally.

Alert Fatigue

Your IDS generates thousands of alerts on legitimate traffic. Meanwhile, connections to unused ports — which are 100% malicious by definition — go completely unmonitored.

Complex Deployment

Most deception platforms require Docker, Kubernetes, or cloud infrastructure. Deploying to hardened bare-metal servers in air-gapped or regulated environments is impossible.

The Solution
Every port becomes a
high-fidelity sensor.

DarkPort Enterprise transforms your entire unused port surface into an intelligent detection grid that fingerprints, deceives, and generates actionable threat intelligence — automatically.

Full-Spectrum Port Monitoring

The DarkPort agent binds listeners on all 65,535 TCP ports, minus your known services. Every probe is captured, analyzed, and enriched — turning silence into signal.

RST Suppression

27-Protocol Fingerprinting

Identifies the actual protocol spoken by the attacker — not just the port number. From SSH and HTTP to Modbus, S7comm, and OPC UA, DarkPort knows what they're really after.

IT + OT/ICS

21 Protocol Emulators

Full interactive emulation keeps attackers engaged while capturing credentials, commands, and malware. Escalates to 6 backend honeypots for deep interaction.

Credential Capture

Automated Threat Intelligence

Every IP is enriched in real-time with GeoIP (sub-ms), AbuseIPDB abuse scores, GreyNoise mass-scanner classification, and IPInfo network data.

4 Intel Sources

Scan Pattern Detection

Four proprietary algorithms — Waterfall, Layer Cake, Sandcrawler, and Loom — identify distinct scanning methodologies and attribute them to known threat actor tooling.

4 Algorithms

Automated Blocklists

Three-tier blocklists regenerated hourly — Conservative, Recommended, and Extreme. Export as JSON or plain text. Direct import into pfSense, iptables, and Cisco ASA.

Hourly Generation

Cross-Org Correlation

IPs observed attacking multiple organizations are correlated into a global threat feed, amplifying your intelligence with the entire DarkPort community's visibility.

STIX 2.1 Feed

Port Rotation and Evasion

Periodic port shuffling with 7-day cooldowns defeats scanner fingerprinting. Attackers can't learn which ports are traps — because the traps keep moving.

Anti-Fingerprint
Architecture
From probe to blocklist
in under a second.

A lightweight agent intercepts probes and escalates to backend honeypots. Events flow through mTLS-secured ingest, get enriched, and power your dashboards and blocklists.

1
Probe Detected
Scanner hits a dark port. Kernel RST suppressed. Connection accepted.
2
Fingerprint
Agent identifies the protocol from 27 known signatures in real-time.
3
Emulate and Trap
Local emulator or backend honeypot engages the attacker. Captures creds, commands, malware.
4
Enrich
GeoIP, AbuseIPDB, GreyNoise, IPInfo. Stored in PostgreSQL + ClickHouse.
5
Block and Report
Hourly blocklists. 10-tab dashboard. STIX 2.1 feed. Firewall auto-import.
Protocol Coverage
IT and OT.
One agent.
SSHHTTP/STLS+SNIFTPSMTPTelnetMySQLMSSQLPostgreSQLMongoDBRedisElasticsearchSMBRDPVNCLDAPSIPDNSMQTT ModbusS7commEtherNet/IPDNP3BACnetIEC-104OPC UA SSHHTTP/STLS+SNIFTPSMTPTelnetMySQLMSSQLPostgreSQLMongoDBRedisElasticsearchSMBRDPVNCLDAPSIPDNSMQTT ModbusS7commEtherNet/IPDNP3BACnetIEC-104OPC UA
Built to Grow
Extensible by design.
Future-proof by default.

DarkPort's modular architecture means new protocols, emulators, and honeypots plug in without touching the core engine. Your coverage grows as the threat landscape evolves.

Protocol Fingerprinting

27 today — no hard limit. Add new protocol signatures as simple pattern definitions. The fingerprinting engine matches against an extensible rule set, so emerging IT and OT protocols are a config change away.

27 active
Unlimited capacity

Protocol Emulators

Each emulator is a self-contained module with a standard interface. Write a new emulator — for any proprietary or niche protocol — and drop it in. The agent auto-discovers and deploys it on the next cycle.

21 active
Plug-in architecture

Backend Honeypots

6 production honeypots ship out of the box — SSH, HTTP, database, SMB, RDP, and OT/ICS. Need a custom honeypot for a proprietary service? Register it as a new systemd backend and the agent proxies traffic to it automatically.

6 active
Add your own

IT and OT Coverage

From enterprise IT (SSH, RDP, databases, web) to industrial OT/ICS (Modbus, S7comm, DNP3, BACnet, IEC-104) — and everything in between. As new industrial protocols emerge or legacy systems need protection, DarkPort scales to cover them.

IT + OT
Any protocol domain
Automated Blocklists
Three tiers. Hourly refresh.
Zero manual effort.

Choose the aggression level that fits your risk tolerance. Every tier exports as enriched JSON or plain-text IP lists ready for direct firewall import.

Conservative

High Confidence Only

Safe for automated blocking. Only IPs with overwhelming evidence of malicious intent make the cut.

100+ events/24h AND (5+ ports OR honeypot interaction OR 80%+ pattern match)
Recommended

Balanced Coverage

The sweet spot for most deployments. Catches active scanners and all honeypot-interacting IPs with minimal false positives.

50+ events/24h OR 5+ ports OR any honeypot interaction OR detected pattern
Extreme

Maximum Protection

Catches everything — including low-and-slow scanners that probe just a few ports per day to evade detection.

3+ events/24h — all honeypot IPs included automatically
Deployment
Bare metal. One script.
No containers required.

DarkPort deploys directly on Linux with a single setup command. No Docker, no Kubernetes, no cloud dependency. Perfect for hardened, air-gapped, and regulated environments.

SMALL

Up to 50 Agents

PostgreSQL + Redis. All honeypots included. Ideal for single-site deployments.

MEDIUM

Up to 500 Agents

Adds ClickHouse analytics engine. Multi-site visibility with deep historical queries.

LARGE

Up to 10,000 Agents

Enterprise-scale fleet management. Full ClickHouse analytics. Rolling deployments.

one-command deploy
# Deploy the controller
$ sudo bash setup.sh \
--slug myorg \
--tier medium \
--email admin@example.com
# Enroll agents (one-liner)
$ curl -fsSL \
"https://ctrl.darkport.io/api/v1/install-script\
?token=ENROLL_TOKEN" | sudo bash
[ok] Agent live — 65,535 ports armed
Integrations and Outputs
Fits into your stack.

Firewalls

pfSense, iptables, nftables, Cisco ASA

SIEM / SOAR

JSON API, STIX 2.1 threat feed, Prometheus metrics

Threat Intel

AbuseIPDB, GreyNoise, IPInfo, MaxMind GeoIP

Analytics

ClickHouse, PostgreSQL, 10-tab dashboard

INCLUDED — GLOBAL INTELLIGENCE
DarkPort watches your doors.
DarkIP watches the internet.

Every DarkPort Enterprise customer gets automatic access to DarkIP — our global network telescope spanning 1,000,000+ dark IP addresses worldwide. If any of your organization's IPs are observed probing dark space on the internet, DarkIP flags it. No deployment. No sensors. Just ground truth from the outside in.

DarkPort — Inside Your Network

Inbound + Lateral Detection

Agents deployed on your hosts turn every unused port into a sensor and trap. Catches external attackers scanning in, and compromised insiders pivoting laterally.

External → Internal (inbound reconnaissance)
Internal → Internal (lateral movement)
You deploy agents on your hosts
Protocol emulation + honeypot deception
+
DarkIP — Global Telescope

Outbound + Reputation Intel

Our 1M+ dark IPs passively observe internet-wide traffic. When your org's IP addresses appear scanning this dark space, it means you have compromised hosts, active malware, or misconfigurations — and we alert you automatically.

Your IPs → Internet dark space (compromise signal)
Your IPs → Scanning patterns (malware propagation)
Nothing to deploy — we operate the telescope
Continuous monitoring of your org's IP reputation

1M+ Dark IP Telescope

We operate a globally distributed network telescope spanning over one million routed-but-unannounced IP addresses. No legitimate traffic should ever reach them — so every packet we capture is a signal of scanning, malware propagation, or misconfiguration.

Global Infrastructure

Compromised Asset Alerts

When one of your organization's IPs is observed probing our dark space, it's a high-confidence indicator of compromise. DarkIP correlates the scan pattern, targeted ports, and timing to classify the threat — worm, botnet, or targeted reconnaissance.

Zero False Positives

Outbound Threat Visibility

Your firewall sees traffic leaving your network, but can't tell you if it's malicious. DarkIP can — because if your IP shows up scanning dark space, the intent is unambiguous. See what your perimeter tools miss.

Outside-In View

Malware Propagation Detection

Worms and botnets scan the internet for new victims. Our telescope captures these scans in real-time. If a host on your network starts scanning, we see it — often before your own IDS does, because the scanning happens outside your perimeter.

Early Warning

Org IP Reputation Score

DarkIP continuously computes a reputation score for your organization's IP ranges based on observed scanning activity, protocol targeting, and frequency. Track your security posture from the attacker's perspective.

Continuous Score

Unified with DarkPort

DarkIP alerts flow into the same DarkPort dashboard, blocklist engine, and STIX 2.1 feed. Correlate what attackers are doing to your network (DarkPort) with what your network is doing to the internet (DarkIP) — in a single pane of glass.

Single Dashboard

How It Works — Nothing to Deploy

Register your organization's public IP ranges with DarkPort. Our telescope continuously monitors whether any of those IPs appear in dark space traffic. If they do, you're alerted instantly.

1M+
Dark IPs Monitored
0
Sensors to Deploy
24/7
Continuous Observation
0%
False Positive Rate
API Reference
Two APIs. Full control.
Built for automation.

The Control Plane API powers multi-tenant management for MSSPs and admins. The Dashboard API gives each customer deep visibility into their own threat data. Both are RESTful, Bearer-authenticated, and ready for integration.

CONTROL PLANE

Multi-tenant management API for MSSPs, SOC teams, and platform admins. Create organizations, manage agents, deploy fleet updates, and access cross-org threat intelligence.

Customer Management
POST/api/v1/customers
GET/api/v1/customers
GET/api/v1/customers/{slug}
DEL/api/v1/customers/{slug}
PUT/api/v1/customers/{slug}/tier
Agent Management
GET/api/v1/customers/{slug}/agents
POST/api/v1/enroll
DEL/api/v1/agents/{serial}
GET/api/v1/install-script?token=TOKEN
Threat Intelligence
POST/api/v1/indicators
GET/api/v1/global-blocklist
GET/api/v1/threat-feed
Fleet Operations
GET/api/v1/fleet/health
POST/api/v1/fleet/deploy
GET/api/v1/admin/overview
DASHBOARD

Per-organization API for customers. Query events, honeypot interactions, threat intel, blocklists, traffic analytics, and alert rules — all scoped to your org.

Core
GET/api/v1/summary
GET/api/v1/events
GET/api/v1/agents
GET/api/v1/install-info
Honeypot
GET/api/v1/honeypot
GET/api/v1/honeypot/credentials
GET/api/v1/honeypot/commands
GET/api/v1/honeypot/downloads
GET/api/v1/honeypot/attackers
Blocklist
GET/api/v1/blocklist
GET/api/v1/blocklist/plain
Traffic and Threat Intel
GET/api/v1/threat/{ip}
GET/api/v1/traffic/by-country
GET/api/v1/traffic/timeline
GET/api/v1/traffic/comparison
Alerts and Webhooks
GET/api/v1/alerts
POST/api/v1/alert-rules
POST/api/v1/webhook/siem
All endpoints return JSON. Auth via Bearer token or ?api_key= query parameter.
Agent Deployment
One agent. Every method.
Linux and Windows.

Deploy agents with a one-liner, a PowerShell command, or a manual install. Each agent enrolls over mTLS, downloads its certificate, and begins monitoring all 65,535 ports immediately.

Ubuntu 22.04+Debian 12+RHEL / CentOSx86_64
linux — one-liner
# Enroll and start monitoring in one command
$ curl -fsSL "https://CONTROLLER/api/v1/install-script?token=ENROLL_TOKEN" \
| sudo bash
[ok] Downloaded agent files
[ok] Enrolled with controller — mTLS certificate issued
[ok] RST suppression rules applied (iptables)
[ok] systemd service installed and started
[ok] DarkPort Agent live — monitoring 65,535 ports
The install script auto-detects your distro, installs dependencies, enrolls the agent over mTLS, configures RST suppression via iptables, and registers a systemd service. Root access required.
Windows Server 2019+Windows 10/11PowerShell 5.1+
powershell — admin
# Run as Administrator
PS> irm "https://CONTROLLER/api/v1/install-script?token=ENROLL_TOKEN&os=windows" \
| iex
[ok] Agent files downloaded to C:\Program Files\DarkPort\
[ok] mTLS certificate enrolled
[ok] Windows service registered and started
[ok] DarkPort Agent live — monitoring 65,535 ports
The Windows installer uses Invoke-RestMethod to fetch the install script, configures the agent as a Windows service, and sets up Windows Firewall rules for RST suppression. Requires Administrator privileges.
Air-gappedCustom environmentsAny Linux
manual install
# 1. Download agent files
$ curl -O https://CTRL/api/v1/agent-files/enterprise_agent.py
$ curl -O https://CTRL/api/v1/agent-files/honeypot_emulator.py
$ curl -O https://CTRL/api/v1/agent-files/darkport_trap.py
# 2. Enroll with the controller
$ curl -X POST https://CTRL/api/v1/enroll \
-H 'Content-Type: application/json' \
-d '{"enrollment_token":"TOKEN","hostname":"'$(hostname)'"}'
[ok] Certificate issued — configure systemd and start
For air-gapped or custom environments: download the three agent Python files, enroll via the REST API, then configure as a systemd service (or your preferred init system) with the returned mTLS certificate.
verify enrollment
# Check agent status from the controller
$ curl -s -H 'Authorization: Bearer CP_API_SECRET' \
https://CTRL/api/v1/admin/orgs | python3 -m json.tool
# Check agent service on the host
$ sudo systemctl status darkport
$ journalctl -u darkport --no-pager -n 20
# Verify events are flowing
$ curl -s -H 'Authorization: Bearer API_SECRET' \
https://CTRL/api/v1/events?limit=5 | python3 -m json.tool
After enrollment, the agent appears in both the dashboard Agents tab and the admin panel. Events should begin flowing within seconds of the first external probe hitting a dark port.
Get Started
Stop ignoring 99% of
your attack surface.

Deploy DarkPort Enterprise in under 10 minutes. One script. Bare metal. Full-spectrum visibility from the first packet — plus instant access to DarkIP's global telescope monitoring your org from the outside in.

$ git clone https://github.com/darkport/enterprise.git
$ cd enterprise/deploy/bare-metal
$ sudo bash setup.sh --slug myorg --tier medium --email admin@example.com