Tactics & tags
ECHO classifies activity at two levels. Behavior tags are derived per-IP from rolled-up activity (8 active). Event tags are applied per-event by ingestion rules (36 active). Click any tag for the live IP feed.
Behavior tags
IPs with 10+ failed SSH attempts in the rolling window.
IPs trying 5+ distinct usernames with 10+ total failures — credential-stuffing pattern.
IPs active across 24h+ with 50+ total events — sustained, not opportunistic.
IPs hitting both ironcat AND ironcatlabs hosts — geographically distributed targeting.
IPs scanning 15+ distinct paths with 20+ 404 responses — directory-busting / path discovery.
IPs active across 7d+ with 200+ events — committed campaign infrastructure.
IPs with 1000+ total events. The truly relentless.
IPs observed on both SSH and HTTP — sophisticated multi-vector reconnaissance.
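The behavior-tag thresholds listed above, applied to per-IP rollups, as an added example that is not ECHO's own code. The tag names, the rollup field names, and the reading of "active across" as the span between first and last event are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Rollup:
    """Per-IP activity summary (hypothetical field names)."""
    first_seen: datetime
    last_seen: datetime
    total_events: int = 0
    ssh_failures: int = 0
    usernames: set = field(default_factory=set)   # distinct SSH usernames tried
    hosts: set = field(default_factory=set)       # sensor hosts the IP touched
    paths: set = field(default_factory=set)       # distinct HTTP paths requested
    http_404s: int = 0
    protocols: set = field(default_factory=set)

def behavior_tags(r: Rollup) -> set:
    """Evaluate all eight thresholds; tags are not mutually exclusive."""
    span = r.last_seen - r.first_seen  # assumption: "active across" = first-to-last span
    rules = {  # hypothetical tag names, one per description in the list
        "ssh-bruteforce": r.ssh_failures >= 10,
        "multi-username": len(r.usernames) >= 5 and r.ssh_failures >= 10,
        "sustained": span >= timedelta(hours=24) and r.total_events >= 50,
        "multi-host": {"ironcat", "ironcatlabs"} <= r.hosts,
        "path-scanner": len(r.paths) >= 15 and r.http_404s >= 20,
        "campaign": span >= timedelta(days=7) and r.total_events >= 200,
        "relentless": r.total_events >= 1000,
        "multi-protocol": {"ssh", "http"} <= r.protocols,
    }
    return {tag for tag, hit in rules.items() if hit}

# Constructed sample rollups (documentation-range IPs, not real feed data).
T0 = datetime(2024, 1, 1)
SAMPLES = {
    "192.0.2.10": Rollup(T0, T0 + timedelta(hours=2), total_events=40, ssh_failures=40,
                         usernames={"root", "admin", "test", "ubuntu", "oracle"},
                         hosts={"ironcat"}, protocols={"ssh"}),
    "198.51.100.7": Rollup(T0, T0 + timedelta(days=8), total_events=1200, ssh_failures=9,
                           usernames={"root"}, hosts={"ironcat", "ironcatlabs"},
                           paths={f"/p{i}" for i in range(30)}, http_404s=28,
                           protocols={"ssh", "http"}),
    # Boundary case: 30h span but only 49 events, so "sustained" does not fire.
    "203.0.113.5": Rollup(T0, T0 + timedelta(hours=30), total_events=49, ssh_failures=10,
                          usernames={"root", "admin"}, hosts={"ironcat"}, protocols={"ssh"}),
}

def classify_all(rollups=SAMPLES) -> dict:
    return {ip: behavior_tags(r) for ip, r in rollups.items()}
```

Because each rule is evaluated independently, a long-running IP accumulates several tags at once, while an IP one event short of a threshold gets none for that rule.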