Executive Summary
This report covers threat intelligence collected by HookProbe's edge IDS deployment during June 2026. All data comes from a production Raspberry Pi 5 running the NAPSE AI-native intrusion detection engine, HYDRA threat intelligence pipeline, and AEGIS autonomous defense system.
HookProbe processed 19496713 security events this month, classified 455101 ML verdicts, tracked 392570 unique IP addresses, and analyzed 0 network flows totaling 0 GB of traffic.
19496713
Security Events
455101
ML Verdicts
392570
IPs Profiled
0
New IoCs
Threat Event Breakdown
The HYDRA threat intelligence pipeline processed 19496713 events across three defense layers:
Defense Layer
Events
Unique IPs
% of Total
Rate Limiting (DDoS/Brute-Force)
8610811
163
44%
Blocklist Enforcement
7319743
6720
37%
ML Score Threshold
3566159
3590
18%
ML Classification Results
The SENTINEL ML ensemble classified 455101 IP behaviors this month:
- Benign: 327984 (72%) — normal traffic, no action taken
- Suspicious: 56250 (12%) — elevated monitoring, behavioral tracking
- Malicious: 70867 (15%) — escalated to cognitive throttling or blocking
IP Risk Distribution
HYDRA profiled 392570 unique IP addresses with composite risk scores:
- Critical (0.8+): 2196 IPs (0%)
- High (0.5-0.8): 136278 IPs (34%)
- Medium (0.2-0.5): 213812 IPs (54%)
- Low (<0.2): 40284 IPs (10%)
Indicators of Compromise
0 new IoCs were discovered this month (4150 active total). All indicators are IP-based, sourced from behavioral analysis by the SENTINEL ML pipeline and correlated with Spamhaus DROP and FireHOL blocklists.
Attack Pattern Intelligence
The SENTINEL pattern mining engine discovered 2655 attack patterns and identified 0 coordinated campaigns. The predictive engine generated 107243 proactive alerts for preemptive defense.
Network Flow Analysis
NAPSE processed 0 network flows totaling 0 GB of inspected traffic. Autonomous blocking issued 0 throttle/block actions against 0 unique IPs.
Security Posture
The QSecBit security score averaged 87/100 throughout June 2026, maintaining GREEN (Protected) status. The score remained stable, indicating consistent defense posture without degradation events.
Key Takeaways
- Rate limiting remains the primary defense mechanism, handling 44% of all security events from just 163 aggressive source IPs
- The ML pipeline correctly identified 72% of traffic as benign — low false positive rate
- 2196 critical-risk IPs were identified and tracked — representing active threat actors
- All detection and response ran autonomously on a Raspberry Pi 5 with zero manual intervention
About This Report
This threat intelligence is generated from a production HookProbe deployment running on a Raspberry Pi 5 (8GB RAM). The system uses NAPSE (AI-native IDS), HYDRA (threat intelligence pipeline), SENTINEL (ML classification), and AEGIS (autonomous defense) — all open-source under AGPL v3.0.
Data is collected, processed, and published automatically. No data is fabricated or simulated. View the source code on GitHub.
Originally published at hookprobe.com. HookProbe is an open-source AI-native IDS that runs on a Raspberry Pi.
GitHub: github.com/hookprobe/hookprobe
Top comments (1)
I found the high percentage of benign traffic identified by the ML pipeline to be particularly interesting, with 72% of traffic being classified as normal. I'm wondering if the authors have considered exploring the false negative rate, as well, to get a more comprehensive understanding of the system's effectiveness. Additionally, I think it would be beneficial to include more information on the 2196 critical-risk IPs that were identified, such as their geographical distribution or common characteristics. This could provide valuable insights for further research and improvement of the HookProbe system.