ArmoPot (Intelligence Engine) → Forwarders (async dispatch) → Your Stack (SIEM · SOAR · TIP · FW)

Non-Blocking Architecture

Every integration uses asynchronous, bounded-channel dispatch with independent buffers per destination. Failures in one integration never impact others. Exponential backoff with automatic retry ensures reliable delivery without flooding downstream systems.
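A sketch of the dispatch pattern described above, as an added example and not ArmoPot's own code. The `Forwarder` class, its parameters, the two stand-in destinations and the drop-when-full policy are assumptions made for illustration.

```python
import asyncio

class Forwarder:
    """One destination with its own bounded queue, worker and retry state."""
    def __init__(self, name, send, maxsize=100, base_delay=0.5, max_delay=30.0, max_attempts=5):
        self.name, self.send = name, send
        self.queue = asyncio.Queue(maxsize=maxsize)      # independent buffer
        self.base_delay, self.max_delay, self.max_attempts = base_delay, max_delay, max_attempts
        self.delivered = self.dropped = self.failed = 0

    def offer(self, event):
        """Non-blocking enqueue: a full buffer drops the event, never stalls the producer."""
        try:
            self.queue.put_nowait(event)
        except asyncio.QueueFull:
            self.dropped += 1                            # assumed policy: drop and count

    async def run(self):
        while True:
            event = await self.queue.get()
            delay = self.base_delay
            for _ in range(self.max_attempts):
                try:
                    await self.send(event)
                    self.delivered += 1
                    break
                except Exception:
                    await asyncio.sleep(delay)           # back off, then retry
                    delay = min(delay * 2, self.max_delay)
            else:
                self.failed += 1                         # retries exhausted
            self.queue.task_done()

async def demo():
    async def healthy(event): return None                # stands in for a reachable SIEM
    async def down(event): raise ConnectionError("unreachable")  # stands in for an outage
    siem, soar = Forwarder("siem", healthy, maxsize=50), Forwarder("soar", down, maxsize=5)
    workers = [asyncio.create_task(f.run()) for f in (siem, soar)]
    for i in range(20):                                  # constructed sample events
        for f in (siem, soar):
            f.offer({"id": i, "protocol": "ssh"})
        await asyncio.sleep(0)                           # let the workers run
    await siem.queue.join()                              # healthy destination drains fully
    for w in workers: w.cancel()
    await asyncio.gather(*workers, return_exceptions=True)
    return {f.name: (f.delivered, f.dropped) for f in (siem, soar)}

def run_demo():
    return asyncio.run(demo())
```

`run_demo()` returns `(delivered, dropped)` per destination: the unreachable one fills its own buffer and starts dropping while the healthy one receives every event.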

SIEM

Security Information & Event Management

Forward enriched honeypot events directly to your SIEM for correlation with production security events.

Splunk

HTTP Event Collector (HEC) integration with configurable index, sourcetype, and source fields. Batch delivery for high throughput.

Elasticsearch

Bulk API integration with structured document mapping. Direct indexing to your Elastic cluster with automatic field mapping.

Syslog (CEF)

Common Event Format over UDP/TCP. Compatible with ArcSight, LogRhythm, and any CEF-compatible SIEM.

Syslog (LEEF)

Log Event Extended Format for IBM QRadar. Structured field mapping for automatic DSM configuration.

Syslog (JSON)

JSON-structured syslog for custom SIEM deployments. Full event schema with all enrichment fields preserved.

Microsoft Sentinel

Via STIX/TAXII connector or Syslog CEF. Azure-native ingestion with pre-built analytics rules for honeypot data.

SOAR

Security Orchestration, Automation & Response

Trigger automated playbooks when high-confidence threats are detected across your honeypot sensors.

TheHive

Native webhook integration creating alerts with observables, TLP marking, and severity mapping. Auto-creates cases from critical honeypot events.

Cortex XSOAR

Incident creation via webhook with custom field mapping. Pre-built playbook triggers for honeypot-derived IOCs and session data.

Generic Webhook

POST events to any HTTP endpoint with configurable payload templates. Event type and severity filtering to control noise levels.

TIP

Threat Intelligence Platforms

STIX 2.1 and TAXII 2.1 compliant feeds for seamless integration with your threat intelligence platform.

MISP

TAXII 2.1 feed ingestion. STIX 2.1 bundles with Indicators, Sightings, and AttackPatterns map directly to MISP events and attributes.

OpenCTI

Native TAXII 2.1 connector support. Full STIX 2.1 relationship graphs including campaign and threat actor linkage.

ThreatConnect

TAXII 2.1 feed integration. Indicators with confidence scores, tags, and ATT&CK technique associations.

Anomali

STIX/TAXII feed consumption. Enriched IOCs with full provenance chain from sensor to indicator.

Firewall EDL

External Dynamic Lists for Firewall Vendors

Automatically block known attackers at the perimeter. ArmoPot generates continuously updated IP blocklists in the native format for major firewall platforms.

Palo Alto Networks

Panorama-compatible EDL format. Plain text IP list with configurable refresh intervals. Block malicious IPs directly in your security policies.

Fortinet FortiGate

FortiManager-compatible external threat feed. Automatic policy updates with IP reputation scoring from honeypot data.

Check Point

R81+ compatible external IOC feed. Configurable confidence thresholds ensure only high-quality indicators reach your gateway policies.

Cisco Firepower

Intelligence feed in Firepower-compatible format. Integrate with Cisco SecureX ecosystem for broader threat visibility.

EDL Configuration Options

  • Filters: Minimum confidence score, minimum hit count, maximum age, result limit
  • Formats: Plain text, CSV, JSON, /etc/hosts sinkhole format
  • Update Frequency: Real-time (on new IOC) or scheduled intervals
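The filters above are applied by the feed. On the consuming side, a plain-text list can be vetted before it reaches a block policy, as in this added example, which is not ArmoPot or firewall-vendor code. The function name, the never-block list, the prefix threshold and the sample feed are assumptions.

```python
import ipaddress

# Explicit list instead of is_private, so the documentation ranges used as sample data count as public.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "fc00::/7", "fe80::/10")]

def _hits(net, nets):
    return any(net.version == n.version and net.overlaps(n) for n in nets)

def vet_edl(text, never_block, min_prefix_v4=24):
    """Split a plain-text list (one IP or CIDR per line) into accepted and rejected entries."""
    never = [ipaddress.ip_network(n) for n in never_block]
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()          # tolerate comments and blank lines
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((lineno, entry, "not an IP or CIDR"))
            continue
        key = str(net.network_address) if net.num_addresses == 1 else str(net)
        if net.version == 4 and net.prefixlen < min_prefix_v4:
            reason = "prefix too broad"               # one entry must not block a whole region
        elif _hits(net, NON_ROUTABLE):
            reason = "non-routable space"
        elif _hits(net, never):
            reason = "overlaps never-block list"      # own egress, scanners, partners
        elif key in accepted:
            reason = "duplicate"
        else:
            accepted.append(key)
            continue
        rejected.append((lineno, entry, reason))
    return accepted, rejected

# Constructed sample feed; public-looking addresses come from documentation ranges.
SAMPLE = """\
198.51.100.23  # constructed entry
203.0.113.0/28
10.20.30.40
192.0.2.10
0.0.0.0/0
203.0.113.999
198.51.100.23
"""
```

Calling `vet_edl(SAMPLE, never_block=["192.0.2.0/24"])` keeps two entries and returns a line number and reason for each of the other five.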

REST API

Full Programmatic Access

Everything in the ArmoPot platform is accessible via REST API. Query IOCs, retrieve events, pull session data, and manage your subscription programmatically.

  • JSON responses with pagination and filtering
  • API key authentication with per-tenant isolation
  • Rate limits scale with subscription tier (100 to unlimited calls/day)
  • Comprehensive endpoint coverage: IOCs, events, sessions, sensors, reports
  • OpenAPI/Swagger documentation

API Examples

# Get recent IOCs
GET /api/v1/iocs?type=ip&minConfidence=70&limit=100
Authorization: Bearer {api_key}

# Get events by protocol
GET /api/v1/events?protocol=ssh&severity=critical
Authorization: Bearer {api_key}

# Get session details
GET /api/v1/sessions/{session_id}
Authorization: Bearer {api_key}

# Export STIX bundle
GET /api/v1/stix/iocs?since=2026-06-01
Authorization: Bearer {api_key}

Attack Map Widget

Embeddable Real-Time Attack Visualization

Embed a live attack map on your website, NOC display, or customer portal. Show real-time honeypot attacks with animated paths on an interactive world map.

Interactive World Map

SVG world map with Canvas-animated Bezier arc attack paths, trail effects, and pulse animations. Protocol-coded colors. 32+ country outlines. Responsive and mobile-friendly.

Real-Time Streaming

Server-Sent Events for live updates with polling fallback. 50-event ring buffer for instant initial load. Obfuscated JavaScript (22KB gzipped) for secure deployment.

Security Note

The widget strips all sensitive data — no raw IPs, usernames, passwords, or commands are exposed to client browsers. Only anonymized attack metadata (country, protocol, timestamp) is transmitted. API key authentication with CORS headers for cross-origin security.

Ready to Integrate ArmoPot?

Our team will help you connect ArmoPot to your existing SIEM, SOAR, and firewall infrastructure.