Long-term Malware Detonation PCAPs Feed Annual License

Deception.Pro Adversary PCAP Dataset

Data Product Features

• Full-fidelity packet captures with complete payloads, headers, and timing preserved
• TLS-inspected sessions where applicable, with decrypted payloads for in-honeynet traffic
• Multi-protocol coverage spanning Windows enterprise environments (SMB, Kerberos, LDAP, RDP, DNS, HTTP/S)
• Clean ground truth — every flow is adversarial or adversary-adjacent, with minimal benign noise

Distribution

• Data Volume: Multi-gigabyte corpus across hundreds of distinct intrusion sessions; ongoing collection with monthly delta releases
• File Format: raw .pcap (libpcap-compatible) Structure: Captures organized by honeynet operation ID and date

Usage

• NDR/IDS Model Training: Train and benchmark anomaly detection, intrusion detection, and traffic classification models on real adversary behavior rather than synthetic or lab-generated samples
• LLM/AI SOC Development: Provide ground-truth packet evidence to LLM-driven security analysts for retrieval, reasoning, and triage training
• Detection Engineering: Develop and validate Suricata, Snort, and Zeek signatures against authentic attacker tradecraft
• Threat Intelligence Enrichment: Extract IOCs, TTPs, and behavioral fingerprints from real intrusions to enhance threat intelligence platforms
• Academic Research: Support published research on attacker behavior, network forensics, and machine learning for security
• Red Team / Blue Team Exercises: Use real captures as reference traffic for training, tabletop exercises, and detection validation

Coverage

• Geographic Coverage: Global — adversary source IPs span all populated continents; honeynet infrastructure hosted across multiple regions
• Time Range: 2024 – Present (ongoing collection)
• Environment Coverage: Windows Server 2019/2022 Active Directory environments, member workstations, Linux edge services, and instrumented decoy services (file shares, version control, backup, object storage)
• Threat Coverage: Initial access via exposed services and credentials, post-compromise enumeration, credential theft, lateral movement, C2 beaconing, data staging and exfiltration

License

AI Training Rights

• Use the Data Product to train, fine-tune, and evaluate machine learning models, including large language models.
• Incorporate Data Product content into models and commercialize resulting model outputs.
• Create derivative works (model weights, embeddings, etc.) for any lawful purpose.

Restrictions:

• The Data Product itself may not be sold, redistributed, or shared outside of licensed usage.
• Licensee must comply with all applicable laws, including data protection and privacy regulations.

Who Can Use It

• AI SOC Companies: For training LLM-based security analysts, alert triage models, and autonomous detection agents on real-world attack telemetry
• Detection Engineering Teams: For signature development, rule validation, and false-positive reduction against authentic adversary traffic
• ML/Data Science Teams: For training and benchmarking network traffic classifiers, anomaly detectors, and behavioral models
• Threat Intelligence Vendors: For enriching feeds with adversary infrastructure, tooling fingerprints, and behavioral indicators
• Academic Researchers: For peer-reviewed work in network security, intrusion detection, and applied machine learning
• NDR/XDR Vendors: For product training, validation, and competitive benchmarking

Additional Notes:

• All captures are sourced from honeynet infrastructure with no real user data. Any credentials, hostnames, or document content observed in traffic are deception artifacts intentionally seeded by Deception.Pro.
• Correlated EDR and Suricata telemetry for the same intrusions are available as companion data products, enabling multi-sensor training datasets.
• Custom collection windows, targeted attacker profiles, or environment-specific captures are available on request for enterprise licensees. Data is delivered with chain-of-custody documentation suitable for research publication and product validation contexts.

https://blog.deception.pro