Independent Security Research

We break things to understand how they work.

HexRoot is an independent security research group. We dig deep into vulnerabilities, malware, and the underlying mechanics of systems — not to exploit, but to understand, document, and defend.

hexroot ~ research
root@hexroot:~$ whoami
independent_security_researcher

root@hexroot:~$ cat mission.txt
// Research. Disclose. Defend.
No black hats here.
Only deep curiosity.

root@hexroot:~$ ls research/
0day/  malware/  OT_ICS/
AI_sec/  forensics/

root@hexroot:~$
CVE+ · Coordinated Disclosures
0day · Original Research
OSS · Open Tools Released
100% · Defensive Focus
What we do

Research Areas

From architectural vulnerabilities to firmware analysis — we follow the signal wherever it leads.

Vulnerability Research
0-Day Discovery & Responsible Disclosure
Original vulnerability research with full responsible disclosure to vendors and CVE submission. We find it, document it, and make sure it gets fixed.
Malware Analysis
Reverse Engineering & Threat Intelligence
Static and dynamic analysis of malware samples, behavioral profiling, IOC extraction and STIX 2.1 output. We dissect threats so defenders can build better tools.
OT / ICS Security
Critical Infrastructure Research
Industrial control systems, SCADA protocols, and operational technology security. The attack surface nobody wants to touch — we do.
AI Security
Adversarial ML & Model Security
Prompt injection, adversarial attacks, model extraction, and the security implications of AI systems deployed in critical and high-stakes contexts.
Digital Forensics
Incident Analysis & Evidence Integrity
Forensic acquisition, chain of custody, artifact analysis, and memory forensics. When something breaks, we reconstruct what happened and why.
Privacy Engineering
Metadata Leakage & Protocol Analysis
Deep analysis of communication protocols, metadata exposure, and architectural privacy failures in systems that claim to be secure.
Open Tools

Built in the open.

Tools we build for our own research — released for evaluation to researchers and organisations that share our approach.

hexroot-honeypot · v1.0 · 2026 · LIVE
Honeypot Intelligence Platform

We see who's scanning you.

A production-grade honeypot covering IT, SCADA/ICS, IoT and Medical protocols — with real-time semantic threat intelligence, CVE feed matching, YARA binary scanning, and a multi-tab analyst dashboard. No LLM. No cloud. No noise.

spaceballs.hexroot.pl · live
$ systemctl status hexroot-sensor
● active · 28 listeners · 9 protocols

$ curl /api/stats | jq .
{
  "total_events": 9103,
  "unique_ips": 443,
  "threat_level": "CRITICAL"
}

[CRITICAL] Campaign 4454d9f7
 state-sponsored · Modbus/ICS · 8.5/10
[HIGH] CVE-2017-9841 · 13 attempts
$
Sensor
28 Protocol Listeners
IT, SCADA/ICS (Modbus, DNP3, OPC-UA, EtherNet/IP), IoT (MQTT, ADB, TR-069), Medical (DICOM, HL7), DNS. Fake banners per protocol. Rust/Tokio core.
Intelligence
Semantic Feed — No LLM
Deterministic rule engine generates English threat assessments directly from sensor data. Campaigns, actor profiles, CVE matches, credential attack tracking.
CVE
CISA KEV + NVD Feed
1,700+ CVEs. HTTP path and payload matching. Auto-update every 24h. Hot-reloaded by correlator without restart.
YARA
Binary Scanner
9 built-in rules: Mirai, Cobalt Strike, Meterpreter, Log4Shell, Ransomware. External .yar rules supported. Automatic scan every 5 minutes.
LAN
Fake LAN Layer
SMB with NTLM capture, LDAP fake AD, IPP printer lure, NetBIOS/NBNS name service. Detects lateral movement and internal reconnaissance.
Analyst
ThreatBook Workbook
Standalone HTML analyst tool. Import reports, write Markdown analysis, IOC tables, actor profiles. Export to PDF or Markdown. No server needed.
Honeypot Intelligence Platform

We see who is scanning you.

A production-grade honeypot covering IT, SCADA/ICS, IoT and Medical protocols, with real-time semantic threat intelligence, CVE feed matching, YARA scanning and a multi-tab analyst dashboard. No LLM. No cloud. No noise.

spaceballs.hexroot.pl · live
$ systemctl status hexroot-sensor
● attivo · 28 listener · 9 protocolli

[CRITICO] Campagna 4454d9f7
 state-sponsored · Modbus/ICS · 8.5/10
[ALTO] CVE-2017-9841 · 13 tentativi · NL,GB,US
[MEDIO] Credential stuffing SSH · IN · 1552 tentativi
$
Sensor
28 Protocol Listeners
IT, SCADA/ICS (Modbus, DNP3, OPC-UA, EtherNet/IP), IoT (MQTT, ADB, TR-069), Medical (DICOM, HL7), DNS. Fake banners per protocol. Rust/Tokio core.
Intelligence
Semantic Feed — No LLM
A deterministic rule engine generates threat assessments in English directly from sensor data. Campaigns, actor profiles, CVE matches.
CVE
CISA KEV + NVD Feed
1,700+ CVEs. HTTP path and payload matching. Automatic update every 24h. Hot reload without restarting the correlator.
YARA
Binary Scanner
9 built-in rules: Mirai, Cobalt Strike, Meterpreter, Log4Shell, Ransomware. External .yar files supported. Automatic scan every 5 minutes.
LAN
Fake LAN Layer
SMB with NTLM capture, LDAP fake AD, IPP printer lure, NetBIOS/NBNS. Detects lateral movement and internal reconnaissance.
Analyst
ThreatBook Workbook
Standalone HTML tool for the analyst. Import reports, Markdown analysis, IOC tables, actor profiles. Export to PDF or Markdown. No server needed.
Honeypot Intelligence Platform

We see who is scanning you.

A production-grade honeypot covering IT, SCADA/ICS, IoT and medical protocols, with real-time semantic threat analysis, CVE feed matching, YARA scanning and a multi-tab analyst dashboard. No LLM. No cloud. No noise.

spaceballs.hexroot.pl · live
$ systemctl status hexroot-sensor
● aktywny · 28 listenerów · 9 protokołów

[KRYTYCZNY] Kampania 4454d9f7
 sponsorowany przez państwo · Modbus/ICS
[WYSOKI] CVE-2017-9841 · 13 prób · NL,GB,US
$
Sensor
28 Protocol Listeners
IT, SCADA/ICS (Modbus, DNP3, OPC-UA, EtherNet/IP), IoT (MQTT, ADB, TR-069), Medical (DICOM, HL7), DNS. Fake banners per protocol. Rust/Tokio core.
Analysis
Semantic Feed — No LLM
A deterministic rule engine generates readable threat assessments directly from sensor data. Campaigns, actor profiles, CVE matches.
CVE
CISA KEV + NVD Feed
Over 1,700 CVEs. HTTP path and payload matching. Automatic update every 24h. Hot reload without restarting the correlator.
YARA
Binary Scanner
9 built-in rules: Mirai, Cobalt Strike, Meterpreter, Log4Shell, Ransomware. External .yar files supported. Automatic scan every 5 minutes.
LAN
Fake LAN Layer
SMB with NTLM capture, fake AD LDAP, IPP printer lure, NetBIOS/NBNS. Detects lateral movement and internal reconnaissance.
Analyst
ThreatBook Workbook
Standalone HTML tool for the analyst. Import reports, Markdown analysis, IOC tables, actor profiles. Export to PDF or Markdown. No server needed.
Sensor: Rust Tokio
Correlator: Python asyncio
API: Python FastAPI
Dashboard: JS D3.js
Database: SQLite WAL
CVE feed: CISA KEV + NVD
Binary scan: YARA 4.x
Processes: systemd

Available on evaluation only.

HexRoot Honeypot is not a public download. Access is granted after evaluation — consistent with our policy on all tools and research. Send an email describing your context and intended use.

Request access
Work With Us

Want to cooperate?

We collaborate with researchers, security teams, and organisations that share our commitment to responsible, defensive security work.

Access to our codebase and research is granted on evaluation only.
No exceptions. No shortcuts. Just send us an email and we'll talk.

Responsible Disclosure · Joint Research · Academic Collaboration · Threat Intelligence Sharing · No Offensive Contracts · No Black Hat