DECNET Development Roadmap

Core / Hardening

Attacker fingerprinting — Capture TLS JA3/JA4 hashes, TCP window sizes, User-Agent strings, and SSH client banners.
Canary tokens — Embed fake AWS keys and honeydocs into decky filesystems.
Tarpit mode — Slow down attackers by drip-feeding bytes or delaying responses.
Dynamic decky mutation — Rotate exposed services or OS fingerprints over time.
Credential harvesting DB — Centralized database for all username/password attempts.
Session recording — Full capture for SSH/Telnet sessions.
Payload capture — Store and hash files uploaded by attackers.

Real-time alerting — Webhook/Slack/Telegram notifications for first-hits.
Threat intel enrichment — Auto-lookup IPs against AbuseIPDB, Shodan, and GreyNoise.
Attack campaign clustering — Group sessions by signatures and timing patterns.
GeoIP mapping — Visualize attacker origin and ASN data on a map.
TTPs tagging — Map observed behaviors to MITRE ATT&CK techniques.

Web dashboard — Real-time React SPA + FastAPI backend for logs and fleet status.
Decky Inventory — Dedicated "Decoy Fleet" page showing all deployed assets.
Pre-built Kibana/Grafana dashboards — Ship JSON exports for ELK/Grafana.
CLI live feed — decnet watch command for a unified, colored terminal stream.
Traversal graph export — Export attacker movement as DOT or JSON.

SWARM / multihost mode — Ansible-based orchestration for multi-node deployments.
Terraform/Pulumi provider — Cloud-hosted decky deployment.
Kubernetes deployment mode — Run deckies as K8s pods.
Lifecycle Management — Automatic API process termination on teardown.
Health monitoring — Active vs. Deployed decky tracking in the dashboard.