About

Most SSH intrusions are not independent attackers.
They are automated systems repeating the same behavior at scale.

NullRoute exists to measure that behavior directly - from live attacker interaction, not assumptions.

What is NullRoute

NullRoute is an independent behavioral threat intelligence research project built on live honeypot infrastructure.

It captures real attacker sessions across multiple sensors operated in different regions and studies what happens after access is obtained: command flow, persistence, tooling, sequencing, and repeatable tradecraft.

The goal is not to count noise. It is to isolate real intrusions, reduce them to deterministic behavioral patterns, and publish findings that can be verified from observed activity.

What you'll find here

NullRoute publishes behavioral investigations based on real attacker activity. Each report focuses on patterns that persist across sessions, infrastructure, and time.

Instead of tracking individual attackers, the analysis focuses on systems, automation, and repeatable behavior.

Start with the first investigation: 98% of SSH Intrusions Come from One Worm.

How it works

NullRoute operates a distributed set of internet-exposed sensors designed to collect real attacker interaction data under controlled conditions.

Distributed Sensors → Session Collection → Behavioral Analysis → Publications

Events are normalized, correlated, and reviewed through a custom analysis pipeline focused on post-auth behavior, session structure, and repeatability across nodes.

Research is published only when a pattern is supported by direct observation and can be described as behavior rather than inference.

Methodology

All analysis is deterministic. No machine learning, no probabilistic models. Every classification is derived from observable behavior and can be reproduced from raw session data.

// Behavioral fingerprints are derived from verb-sequence hashing, not signatures
// Intent classification uses score-based multi-signal analysis, not keyword matching
// Campaign correlation requires infrastructure or behavioral overlap across sessions
// Every decision in the pipeline can be audited through the evidence layer
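
An added illustration of the verb-sequence fingerprinting and cross-sensor correlation described above (example code written for this page, not NullRoute's own pipeline; the session lines, session ids and sensor names are constructed):

```python
import hashlib
import re
import shlex
from collections import defaultdict

# Constructed sample sessions (session id, sensor, raw command lines).
# Illustrative only; these are not records from the NullRoute dataset.
SESSIONS = [
    ("s1", "sensor-a", ["uname -a", "cat /proc/cpuinfo | grep name | wc -l", "ls -la /tmp"]),
    ("s2", "sensor-b", ["uname -m", "cat /proc/cpuinfo | grep model | wc -l", "ls -lah /var/tmp"]),
    ("s3", "sensor-a", ["id", "uname -a", "ls /tmp"]),
]

# Split a shell line into simple commands on pipes, ';', '&&' and '||'.
SPLIT_RE = re.compile(r"\s*(?:\|\||&&|;|\|)\s*")
ASSIGN_RE = re.compile(r"^\w+=")


def command_verbs(line):
    """Ordered verbs (argv[0] of each simple command); arguments and paths are dropped."""
    verbs = []
    for segment in SPLIT_RE.split(line):
        if not segment:
            continue
        try:
            argv = shlex.split(segment)
        except ValueError:  # unbalanced quotes: fall back to a whitespace split
            argv = segment.split()
        while argv and ASSIGN_RE.match(argv[0]):  # skip leading VAR=value assignments
            argv = argv[1:]
        if argv:
            verbs.append(argv[0].rsplit("/", 1)[-1])  # /bin/uname and uname are one verb
    return verbs


def session_fingerprint(lines):
    """Deterministic fingerprint: hash of the verb sequence over the whole session."""
    seq = [v for line in lines for v in command_verbs(line)]
    return hashlib.sha256("\x1f".join(seq).encode()).hexdigest()[:16]


def cluster_sessions(sessions):
    """Group sessions by fingerprint and record which sensors observed each pattern."""
    clusters = defaultdict(lambda: {"sessions": [], "sensors": set()})
    for sid, sensor, lines in sessions:
        fp = session_fingerprint(lines)
        clusters[fp]["sessions"].append(sid)
        clusters[fp]["sensors"].add(sensor)
    return dict(clusters)
```

Sessions that differ only in arguments or paths collapse to one fingerprint, and the recorded sensor set shows whether that pattern recurs across nodes rather than on a single host.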

Perspective

Most security telemetry is dominated by noise. NullRoute focuses on the subset that matters: sessions where attackers successfully authenticate and execute commands.

The goal is not to track more data, but to reduce it - until only meaningful behavior remains.

Infrastructure

NullRoute currently operates multiple sensors across several countries.

The infrastructure includes both general-purpose and purpose-built systems with distinct exposure profiles, credential surfaces, and collection goals. Nodes are operated independently to observe how attacker behavior changes across environments rather than within a single repeated setup.

This allows the project to compare recurring tradecraft, validate patterns across separate systems, and distinguish broad background activity from behavior that is specific, deliberate, and reproducible.

Who

NullRoute is a private research project by Jan Steck. Built to answer questions that dashboards don't ask: what do attackers actually do, why, and what does it mean?

Contact

Questions, feedback, or collaboration inquiries welcome.

Start here

If you're analyzing SSH logs, running honeypots, or investigating intrusion patterns, start with the first investigation:

→ 98% of SSH Intrusions Come from One Worm

Correction: Erratum #1 - credential model correction published March 2026

Additional investigations will be published as patterns are validated across the dataset.