Flagship Project
A self-hosted threat intelligence platform that watches honeypot servers, records how each attacker operates, and builds long-term behavioural intelligence about who is attacking — based on how they behave, not which IP address they came from.
Runs entirely on operator-controlled infrastructure. No cloud service. No vendor. No subscription. The operator owns the data, the analysis, and the conclusions.
LegionTrap is built on a simple idea: behaviour is harder to change than infrastructure.
Behind the name
A reference to the French Foreign Legion, where Stefan served. Beyond that personal history, a legion implies structure, discipline, and a systematic approach to difficult problems. That operational mindset — preparation, precision, and methodical execution — shapes how this project is built and how investigations are approached.
In cybersecurity, a trap is a mechanism for detection, observation, and understanding. Traps do not simply block threats — they reveal how threats operate. The goal here is not only to defend, but to investigate: to understand attacker behaviour, expose hidden patterns, and build knowledge from direct engagement with real security problems.
Together, the name reflects the project's character: disciplined investigation into how threats operate.
Why it exists
Most threat intelligence is organised around indicators: IP addresses, domain names, file signatures. The operational logic is simple — observe a bad thing, add it to a list, block it.
The cost of changing those indicators has collapsed. A new IP address is essentially free. A new domain costs a few dollars. A new server in a different country takes minutes. AI tooling now lets attackers rotate infrastructure, regenerate attack variants, and cycle credential lists at industrial scale. The useful life of any given indicator — how long it stays relevant — is getting shorter every year.
Defenders end up on a treadmill. Block the IP. The attacker rotates. Block the next one. The list-based model has a structural problem: it tracks exactly the things that are cheapest to change.
Imagine trying to identify a burglar who keeps hitting houses in your neighbourhood. The traditional approach is to write down their licence plate. That works once. Then they get a new car, and the licence plate is useless.
The alternative is to describe how they operate: they prefer corner houses, arrive between 2 and 3 in the morning, use a specific technique. That description survives the new car — and the one after that.
LegionTrap builds the behavioural description. Not the licence plate.
Behavioural patterns change slowly because they reflect real investment. The tools an attacker has refined, the sequences they have learned, the timing their infrastructure produces — changing all of that costs real time and money. A behavioural fingerprint built from months of observation stays useful for months or years. A list of bad IP addresses can be worthless in hours.
The intelligence model
LegionTrap has two structurally isolated paths. The ingest path runs on every event and builds behavioural intelligence automatically. The reasoning path runs on operator request. Removing the reasoning path leaves the ingest path fully functional.
A honeypot is a deliberately exposed server with no legitimate users. Anyone who connects is doing something they shouldn't. LegionTrap ingests everything honeypots observe over HTTP.
For every source observed, LegionTrap builds a fingerprint across five dimensions: timing, probe sequence, protocol behaviour, credential patterns, and target selection. This describes how an attacker operates, not where they came from.
Fingerprints that share behavioural characteristics are grouped into campaigns using a deterministic similarity algorithm. The same data always produces the same result. The reasoning behind every assignment is stored and auditable.
Campaigns move through states: active, dormant, reactivated, historical. When a dormant campaign's behavioural pattern reappears with new infrastructure, the platform detects the reactivation. Intelligence accumulates over time.
Operators create actor profiles and link campaigns to presumed responsible parties. The system suggests connections based on fingerprint similarity. Attribution decisions are always made by the operator — never assigned automatically.
On operator request, an AI layer reads structured, deterministic data and produces natural-language campaign summaries and threat briefs. AI is a writer, not a judge. It produces no automatic actions and every output is stored with a full audit trail.
Current capabilities
Design principles
IP addresses are what attackers use. Behaviour is how they operate. LegionTrap tracks the second, because it survives the rotation of the first. A behavioural fingerprint built from months of observation stays useful long after every observed IP address has been replaced.
Every clustering decision is stored with the per-dimension similarity scores that produced it. An analyst who disagrees with a campaign assignment can inspect the exact evidence and reasoning behind it. The system justifies its conclusions — it does not just produce them.
LegionTrap surfaces information. Operators make decisions. No attribution is assigned automatically. No action is triggered without operator review. AI analysis is generated on request — it never acts on its own. The platform is an intelligence aid, not an autonomous system.
The longer LegionTrap runs, the more valuable it becomes. Behavioural history accumulates. Campaign reactivations become recognisable. The institutional memory the platform builds — about specific attackers, their evolution, their dormancy patterns — cannot be purchased from any vendor. It is built by continuing to run.
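The intelligence model and the auditability principle above can be made concrete in a few dozen lines. The following Python is an added illustration, not LegionTrap's own code (which this page does not show): it builds a five-dimension fingerprint per source from constructed honeypot events, scores pairs of fingerprints with a deterministic weighted similarity, clusters them into campaigns, records the per-dimension scores behind every assignment, and marks a campaign "reactivated" when a dormant pattern returns from a new address. The event field names, the dimension weights, the 0.75 threshold and the 72-hour dormancy window are assumptions chosen for the example.

```python
# Added illustration, not LegionTrap's code; the event schema, weights, threshold and dormancy window are assumptions.
from collections import Counter
from dataclasses import dataclass, field
import json

# Constructed honeypot events (one JSON record per line); documentation-range addresses, timestamps in seconds.
SAMPLE_EVENTS = """\
{"src":"203.0.113.10","ts":7200,"path":"/.env","proto":"HTTP/1.1","ua":"python-requests","user":"admin","pass":"admin"}
{"src":"203.0.113.10","ts":7230,"path":"/wp-login.php","proto":"HTTP/1.1","ua":"python-requests","user":"admin","pass":"123456"}
{"src":"203.0.113.10","ts":7260,"path":"/phpmyadmin/","proto":"HTTP/1.1","ua":"python-requests","user":"root","pass":"root"}
{"src":"192.0.2.55","ts":50400,"path":"/robots.txt","proto":"HTTP/1.0","ua":"curl","user":"","pass":""}
{"src":"192.0.2.55","ts":50410,"path":"/","proto":"HTTP/1.0","ua":"curl","user":"","pass":""}
{"src":"198.51.100.7","ts":612000,"path":"/.env","proto":"HTTP/1.1","ua":"python-requests","user":"admin","pass":"admin"}
{"src":"198.51.100.7","ts":612040,"path":"/wp-login.php","proto":"HTTP/1.1","ua":"python-requests","user":"admin","pass":"123456"}
{"src":"198.51.100.7","ts":612070,"path":"/phpmyadmin/","proto":"HTTP/1.1","ua":"python-requests","user":"root","pass":"root"}
"""

@dataclass
class Fingerprint:
    src: str
    first_seen: int
    last_seen: int
    timing: Counter      # hour-of-day histogram of requests
    sequence: set        # ordered probe pairs (path_i, path_i+1)
    protocol: set        # protocol version plus user agent
    credentials: set     # user:password pairs attempted
    targets: set         # paths requested

def build_fingerprints(raw: str) -> dict:
    """Group events by source address and summarise each source's behaviour."""
    per_src = {}
    for line in filter(str.strip, raw.splitlines()):
        e = json.loads(line)
        per_src.setdefault(e["src"], []).append(e)
    result = {}
    for src, events in per_src.items():
        events.sort(key=lambda e: e["ts"])
        paths = [e["path"] for e in events]
        result[src] = Fingerprint(
            src, events[0]["ts"], events[-1]["ts"],
            timing=Counter((e["ts"] // 3600) % 24 for e in events),
            sequence=set(zip(paths, paths[1:])),
            protocol={f'{e["proto"]} {e["ua"]}' for e in events},
            credentials={f'{e["user"]}:{e["pass"]}' for e in events if e["user"] or e["pass"]},
            targets=set(paths))
    return result

def jaccard(a: set, b: set) -> float:
    return 1.0 if not (a or b) else len(a & b) / len(a | b)
def timing_overlap(a: Counter, b: Counter) -> float:
    """Histogram intersection of two normalised hour-of-day distributions."""
    ta, tb = sum(a.values()), sum(b.values())
    return sum(min(a[h] / ta, b[h] / tb) for h in range(24))

WEIGHTS = {"timing": .15, "sequence": .30, "protocol": .15, "credentials": .25, "targets": .15}
THRESHOLD = 0.75            # minimum weighted score to join an existing campaign
DORMANT_AFTER = 72 * 3600   # seconds of silence before a campaign is marked dormant
def compare(a: Fingerprint, b: Fingerprint):
    """Per-dimension scores and their weighted sum; same inputs always give the same output."""
    scores = {"timing": timing_overlap(a.timing, b.timing),
              "sequence": jaccard(a.sequence, b.sequence),
              "protocol": jaccard(a.protocol, b.protocol),
              "credentials": jaccard(a.credentials, b.credentials),
              "targets": jaccard(a.targets, b.targets)}
    return sum(WEIGHTS[d] * s for d, s in scores.items()), scores

@dataclass
class Campaign:
    id: int
    prototype: Fingerprint   # fingerprint of the founding source
    members: list
    last_seen: int
    state: str = "active"    # active -> dormant -> reactivated
    decisions: list = field(default_factory=list)  # audit trail: scores behind each assignment

def cluster(fingerprints: dict) -> list:
    """Assign sources to campaigns, replaying them in first-seen order."""
    campaigns = []
    for fp in sorted(fingerprints.values(), key=lambda f: (f.first_seen, f.src)):
        for c in campaigns:  # age out campaigns silent beyond the dormancy window
            if c.state != "dormant" and fp.first_seen - c.last_seen > DORMANT_AFTER:
                c.state = "dormant"
        best = None
        for c in campaigns:
            total, scores = compare(c.prototype, fp)
            if total >= THRESHOLD and (best is None or total > best[0]):
                best = (total, scores, c)
        if best is None:
            campaigns.append(Campaign(len(campaigns) + 1, fp, [fp.src], fp.last_seen,
                                      decisions=[{"src": fp.src, "reason": "no match above threshold"}]))
            continue
        total, scores, c = best
        reactivation = c.state == "dormant"  # known pattern back on new infrastructure
        c.members.append(fp.src)
        c.last_seen = max(c.last_seen, fp.last_seen)
        c.state = "reactivated" if reactivation else "active"
        c.decisions.append({"src": fp.src, "total": round(total, 3), "reactivation": reactivation,
                            "scores": {d: round(s, 3) for d, s in scores.items()}})
    return campaigns
```

Running `cluster(build_fingerprints(SAMPLE_EVENTS))` on the constructed events yields two campaigns: the `python-requests` scanner that probes `/.env`, `/wp-login.php` and `/phpmyadmin/` at the same hour with the same credential pairs is founded by 203.0.113.10, goes dormant, and is marked reactivated when 198.51.100.7 repeats the pattern a week later, while the `curl` visitor forms its own campaign. Each campaign's `decisions` list holds the per-dimension scores an analyst would inspect to dispute an assignment; the prototype comparison and sorted replay keep the result identical across runs.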
Honest limitations
Long-term vision
LegionTrap is being built with a specific long-term thesis: as AI makes traditional indicators cheaper to rotate, behavioural intelligence becomes the primary surviving category of threat intelligence. The platform is a bet on that future, built to be the infrastructure layer for it.
Near term — Phase 8: Behavioural federation. The architecture for sharing behavioural fingerprints across independent deployments — without sharing raw events, source IPs, or operator identity — is fully designed. Phase 8 begins when two real operators agree to a pilot bilateral exchange. Each deployment would benefit from the other's observed patterns without surrendering the data sovereignty that defines why they chose a self-hosted platform.
Medium term: Predictive intelligence. The longitudinal fingerprint history the platform is accumulating today is specifically designed to eventually support forecasting — which dormant campaigns are likely to return, when a campaign's behaviour is about to shift. This is not yet built. The data structures that will make it possible are already being populated.
Long term: Compounding sovereign intelligence. A LegionTrap deployment that has been running for two or three years holds institutional memory about specific attackers, their evolution, and their dormancy patterns that no commercial product can replicate — because no commercial product has access to that specific operator's observations. The longer it runs, the harder it is to replace. That compounding is the long-term moat.
Project status
Phases 0–7 complete · v0.34.0
1,553 tests across 71 test files. Behavioural fingerprinting, campaign clustering, actor intelligence, AI reasoning, and export pipelines operational.
Current focus
Phase 8 pilot — bilateral federation between two operators
LegionTrap is not being built as a finished product.
It is being built as an evolving record of learning, investigation, and continuous improvement.
The objective is not to appear knowledgeable. The objective is to understand more tomorrow than today.