Fleet-wide incident response, in one console
For cPanel hosting providers, MSSPs, and IR teams. Catch compromise that scanners miss. Triage with live runtime evidence. Contain in one click. Prove cleanup stuck across thousands of hosts.
Hosts monitored: 77K+ (cross-provider Linux hosting)
Events analyzed: 2.7M (recon + active attack)
IOCs tracked: 11.5K (unique fingerprints)
Verdict in: 12s (median; p99 under one minute)
Why incident response keeps slipping
The hosting industry's IR posture has been stuck on the same three problems for years. IOC Console is built around them.
Scanners miss live compromise
Static scanners check disk. They miss malware running in memory, listeners camped on a port, an operator typing into a hijacked session. Your host scans CLEAN; the attacker is still inside.
Compromise spreads faster than you can triage
By the time you finish investigating one host, the same operator has touched a dozen more. Block lists go out per-host; the campaign moves faster than the spreadsheet.
Your IR data lives in five places
SIEM logs, EDR alerts, ad-hoc scan outputs, customer tickets, a Slack channel. Pivoting from "this attacker IP" to "every host that has seen it" takes hours, not seconds.
The IR workflow, fused into one console
Five industry-standard incident response stages, mapped onto a single console. No swivel-chair between a SIEM, an EDR, and a spreadsheet of hosts.
Detect
Live runtime evidence surfaces compromised hosts in seconds: process list, open connections, listening sockets, and file changes, captured alongside the scanner verdict. That catches memory-resident malware and listeners camped on a port, which a static disk scan cannot see.
Triage
Per-host verdict, score, and kill-chain timeline. The full attack arc on one screen. CLEAN-rated hosts running live malware get auto-flagged; residual persistence on patched hosts gets surfaced before it bites again.
Contain
One-click block lists for any attacker IP, command-and-control domain, crypto wallet, or process name. Push to ipset, APF, iptables, or your existing firewall, fleet-wide. The known-bad list plus every host the attacker has already touched.
Eradicate
Per-host action playbook. Reimage where an encryptor staged. Rotate credentials, kill the listener, and scrub key files where an operator is on-keyboard. AI-assisted incident summary attached to every case.
Recover
Track which hosts cleared and which are still dirty across rolling scans. Compromise curve, retention rate, recovery rate. The numbers your post-mortem needs. Lessons learned attached to the case.
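The Recover numbers above are straightforward to compute once every scan's verdict is kept per host. Here is an added illustration, not the console's own code: it rolls a constructed set of three daily scans into the compromise curve, the recovery and retention rates, and the list of hosts that came back dirty after a clean scan. The metric definitions (recovery rate = hosts that were ever COMPROMISED and are CLEAN on their latest scan, divided by hosts ever COMPROMISED; retention rate = the complement) are assumptions, since the page does not define them.

```python
"""Roll per-host verdicts from rolling scans into the Recover numbers.
Added example, not code from the IOC Console or cpanel-sessionscribe; the
metric definitions and the sample scans below are assumptions."""
from collections import defaultdict

# Constructed sample: (scan_date, host, verdict) across three daily scans.
# Verdict labels follow the page (CLEAN / COMPROMISED); hosts are made up.
SCANS = [
    ("2026-05-05", "web01", "COMPROMISED"),
    ("2026-05-05", "web02", "COMPROMISED"),
    ("2026-05-05", "web03", "CLEAN"),
    ("2026-05-05", "web04", "COMPROMISED"),
    ("2026-05-06", "web01", "CLEAN"),        # cleaned
    ("2026-05-06", "web02", "COMPROMISED"),  # still dirty
    ("2026-05-06", "web03", "COMPROMISED"),  # newly hit
    ("2026-05-06", "web04", "CLEAN"),        # cleaned ...
    ("2026-05-07", "web01", "CLEAN"),
    ("2026-05-07", "web02", "COMPROMISED"),
    ("2026-05-07", "web03", "CLEAN"),
    ("2026-05-07", "web04", "COMPROMISED"),  # ... and back: residual persistence
]


def history(scans):
    """Per-host verdict sequence in scan order: {host: [verdict, ...]}."""
    hist = defaultdict(list)
    for _, host, verdict in sorted(scans, key=lambda s: s[0]):
        hist[host].append(verdict)
    return dict(hist)


def compromise_curve(scans):
    """COMPROMISED host count per scan date, oldest first."""
    counts = defaultdict(int)
    for date, _, verdict in scans:
        if verdict == "COMPROMISED":
            counts[date] += 1
    return sorted(counts.items())


def reinfected(verdicts):
    """True if a host went COMPROMISED -> CLEAN -> COMPROMISED again."""
    phase = 0  # 0: never dirty, 1: dirty, 2: clean after dirty
    for v in verdicts:
        if v == "COMPROMISED":
            if phase == 2:
                return True
            phase = 1
        elif phase == 1:
            phase = 2
    return False


def recovery_report(scans):
    """Assumed definitions: recovery rate = hosts ever COMPROMISED whose
    latest verdict is CLEAN / hosts ever COMPROMISED; retention rate is
    the complement (still dirty on the latest scan)."""
    hist = history(scans)
    ever_dirty = {h for h, v in hist.items() if "COMPROMISED" in v}
    still_dirty = {h for h in ever_dirty if hist[h][-1] == "COMPROMISED"}
    cleared = ever_dirty - still_dirty
    n = len(ever_dirty)
    return {
        "ever_compromised": n,
        "cleared": sorted(cleared),
        "still_dirty": sorted(still_dirty),
        "reinfected": sorted(h for h in ever_dirty if reinfected(hist[h])),
        "recovery_rate": len(cleared) / n if n else 0.0,
        "retention_rate": len(still_dirty) / n if n else 0.0,
    }


if __name__ == "__main__":
    for date, n in compromise_curve(SCANS):
        print(f"{date}: {n} compromised")
    for k, v in recovery_report(SCANS).items():
        print(f"{k}: {v}")
```

The reinfected list is the one to watch: a host that cleared and then came back is exactly the residual-persistence case, and a recovery rate alone hides it.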
Active monetization: 398 hosts running encryptors, miners, defacements, or PHP cron-bots in the published cohort
Operator on-keyboard: 651 hosts with an active operator session and no destruction yet; the intervention window is still open
Residual persistence: 184 patched hosts still carrying attacker backdoors; cleanup overdue
What you actually see
Six primary views, captured from the live console with sanitized fleet data.
What you do not get from a per-host scanner
Four capabilities that separate fleet-wide IR from scanning hosts one at a time.
Cross-fleet pivots
From "this attacker IP" to "every host that has been touched" in one click. Pivot on any indicator: IP, domain, wallet, file path, process name. Blast radius made obvious.
AI-assisted briefs
Per-host incident summary with the kill chain narrated, the verdict explained, and the rotation list (SSH keys, control-panel tokens, replication keys) generated. Hand it to your IR team.
Live runtime, not just scans
Process list, open connections, firewall state, and file changes, all snapshotted with each scan. Catches the malware that never touched disk, the listener on a port, the session that should not be there.
Open API, no lock-in
Every console view is backed by JSON. STIX / TAXII export. CSV everywhere. Bearer-token auth. Drop the data into your SIEM or SOAR; nothing trapped behind the UI.
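The pivot in the first card is an inverted index over per-host indicator records, and the blast radius is that same index followed hop by hop: from the indicator to the hosts that saw it, from those hosts to every other indicator they carry, and on to the hosts sharing those. Here is an added illustration of both, not the console's own implementation; the record layout and the constructed sample data are assumptions (the IPs, domain and wallet are reused from the feed example further down, the host names and process name are made up).

```python
"""Cross-fleet pivot and blast-radius expansion over per-host indicator
records. Added example, not the console's own implementation; the record
layout, the sample data and the hop-by-hop expansion are assumptions."""
from collections import defaultdict

# Constructed sample: one record per host, carrying the indicators its last
# IR bundle surfaced. Indicator kinds follow the page (ip, domain, wallet,
# process); hosts and the process name are made up.
RECORDS = [
    {"host": "srv-a", "verdict": "COMPROMISED",
     "indicators": [("ip", "45.82.78.104"), ("domain", "u.lihq.me"), ("process", "php-cron-bot")]},
    {"host": "srv-b", "verdict": "CLEAN",  # recon contact only, but still "touched"
     "indicators": [("ip", "45.82.78.104")]},
    {"host": "srv-c", "verdict": "COMPROMISED",
     "indicators": [("ip", "80.75.212.14"), ("domain", "u.lihq.me")]},
    {"host": "srv-d", "verdict": "COMPROMISED",
     "indicators": [("wallet", "423Gvxk9..."), ("process", "php-cron-bot")]},
]


def build_index(records):
    """Inverted index: (kind, value) -> set of hosts that have seen it."""
    idx = defaultdict(set)
    for r in records:
        for ind in r["indicators"]:
            idx[ind].add(r["host"])
    return idx


def pivot(records, kind, value):
    """Every host that has seen one indicator, CLEAN-rated hosts included."""
    return sorted(build_index(records).get((kind, value), ()))


def expand(records, seed, max_hops=1):
    """Breadth-first walk of the host<->indicator graph. Hop 1 is the hosts
    that saw `seed`; each further hop follows every other indicator those
    hosts carry to the hosts sharing it. Returns everything reached."""
    idx = build_index(records)
    by_host = {r["host"]: set(r["indicators"]) for r in records}
    seen_ind, seen_hosts, frontier = {seed}, set(), {seed}
    for _ in range(max_hops):
        new_hosts = set().union(*(idx.get(i, set()) for i in frontier)) - seen_hosts
        if not new_hosts:
            break
        seen_hosts |= new_hosts
        frontier = set().union(*(by_host[h] for h in new_hosts)) - seen_ind
        seen_ind |= frontier
    return {"hosts": sorted(seen_hosts), "indicators": sorted(seen_ind)}


if __name__ == "__main__":
    print("touched:", pivot(RECORDS, "ip", "45.82.78.104"))
    print("one hop:", expand(RECORDS, ("ip", "45.82.78.104")))
    print("two hops:", expand(RECORDS, ("ip", "45.82.78.104"), max_hops=2))
```

Two details matter in practice: the CLEAN host is part of the blast radius (it is on the block-list push even though its verdict is clean), and the second hop is where a per-host view fails, since srv-c and srv-d never saw the original IP and only connect through the shared C2 domain and process name.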
JSON API, no lock-in
Every console view is backed by the same JSON API. Bearer-token auth for read endpoints, an upload token for intake. STIX / TAXII export wraps the same payloads. CSV from any view. Drop it into your SIEM, SOAR, or threat-intel platform.
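As an added example (not code from the console or the cpanel-sessionscribe repo), a consumer for the feed payload shape shown in the reference below: it validates each attacker IP, drops non-routable and allowlisted addresses and anything seen on fewer than two fleet hosts, and renders an ipset restore script that builds into a temporary set and swaps it in, so the live set is never empty mid-update. The sample payload is constructed to match the documented fields with a few extra rows for the edge cases; the set name, the host threshold and the allowlist parameter are assumptions.

```python
"""Turn a published feed payload into an ipset block list for a fleet push.
Added example, not code from the IOC Console or cpanel-sessionscribe; the
payload is constructed to match the documented feed fields, and the set
name, host threshold and allowlist parameter are assumptions."""
import ipaddress
import json

# Constructed sample in the shape of the /api/v1/feed/{slug} response.
# Extra rows exercise what a blind "block everything" push gets wrong.
FEED_JSON = json.dumps({
    "slug": "cve-2026-41940",
    "snapshot": "2026-05-08",
    "attacker_ips": [
        {"ip": "45.82.78.104", "events": 20596, "hosts": 5904},
        {"ip": "80.75.212.14", "events": 14705, "hosts": 4562},
        {"ip": "45.82.78.104", "events": 7, "hosts": 1},   # duplicate row (constructed)
        {"ip": "45.82.78.105", "events": 2, "hosts": 1},   # constructed: one-host sighting
        {"ip": "10.0.0.7", "events": 3, "hosts": 9},       # RFC 1918: a scanner inside your fleet
        {"ip": "203.0.113.9", "events": 12, "hosts": 3},   # TEST-NET-3, not globally routable
        {"ip": "not-an-ip", "events": 1, "hosts": 1},      # malformed row
    ],
    "c2_domains": [{"domain": "u.lihq.me", "kind": "gsocket-relay"}],
})


def load_feed(raw=FEED_JSON):
    return json.loads(raw)


def select_block_ips(feed, min_hosts=2, allowlist=()):
    """Unique IPv4 attacker addresses worth blocking fleet-wide: globally
    routable, not inside `allowlist` (CIDR strings such as your management
    ranges), and seen on at least `min_hosts` fleet hosts."""
    allow = [ipaddress.ip_network(c) for c in allowlist]
    chosen = set()
    for entry in feed.get("attacker_ips", []):
        try:
            addr = ipaddress.ip_address(entry["ip"])
        except (KeyError, ValueError):
            continue  # never let one bad feed row abort the firewall push
        if addr.version != 4 or not addr.is_global:
            continue  # the set below is hash:ip family inet; private/reserved space would block your own hosts
        if any(addr in net for net in allow):
            continue
        if entry.get("hosts", 0) < min_hosts:
            continue  # single-host sightings are noise at fleet scale
        chosen.add(addr)
    return [str(a) for a in sorted(chosen)]


def ipset_restore(feed, set_name="ioc-block", **selection):
    """Render an `ipset restore` script that fills a temporary set and
    atomically swaps it in, so the live set is never empty mid-update."""
    tmp = f"{set_name}-tmp"
    lines = [f"create {set_name} hash:ip -exist", f"create {tmp} hash:ip -exist", f"flush {tmp}"]
    lines += [f"add {tmp} {ip}" for ip in select_block_ips(feed, **selection)]
    lines += [f"swap {tmp} {set_name}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Pipe into `ipset restore`, then reference the set once from iptables:
    #   iptables -I INPUT -m set --match-set ioc-block src -j DROP
    print(ipset_restore(load_feed()), end="")
```

The iptables rule is installed once and only the set contents change on each pull, which is what makes the push cheap enough to run fleet-wide on every snapshot.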
/api/v1/ip/{ip}: IP reputation lookup

curl:
curl -H "Authorization: Bearer $TOK" \
  https://api.signal.rfxn.com/v1/ip/45.82.78.104

response:
{
"ip": "45.82.78.104",
"score": 96,
"verdict": "MALICIOUS",
"country": "BG",
"asn": "AS50113",
"events": 20596,
"hosts_hit": 5904,
"first_seen": "2026-05-04T13:23:45Z",
"last_seen": "2026-05-08T06:41:50Z"
}

/api/v1/feed/{slug}: Pull a published threat feed

curl:
curl -H "Authorization: Bearer $TOK" \
  "https://api.signal.rfxn.com/v1/feed/cve-2026-41940?format=json"

response:
{
"slug": "cve-2026-41940",
"snapshot": "2026-05-08",
"license": "CC BY 4.0",
"attacker_ips": [
{"ip": "45.82.78.104", "events": 20596, "hosts": 5904},
{"ip": "80.75.212.14", "events": 14705, "hosts": 4562}
],
"c2_domains": [{"domain": "u.lihq.me", "kind": "gsocket-relay"}],
"wallets": [{"address": "423Gvxk9...", "pool": "c3pool"}]
}

/api/v1/host/{id}/envelope: Upload an IR scan bundle from a host

curl:
# After running an IR scan on a cPanel host:
curl -H "X-Upload-Token: $TOK" --data-binary @ir-bundle.tgz \
  https://intake.rfxn.com/sessionscribe-telemetry/

response:
{
"bundle_id": 124891,
"host_verdict": "COMPROMISED",
"score": 4963,
"live_indicators": 3,
"queued_at": "2026-05-08T11:20:31Z",
"processed_at": "2026-05-08T11:20:33Z"
}

Or use the open-source tools, no console required
The console is fed by three open-source bash tools in the cpanel-sessionscribe repo. GPL v2, pure bash, no Python or Perl runtime dependencies. Run them standalone for one-off triage; pipe their output into the console for fleet-wide visibility.
sessionscribe-ioc-scan
on-host triage
Run on a cPanel host: fast indicator ladder, host and code verdict, kill-chain timeline, IR bundle. Detection-only by default; --full for the deeper forensic phases.
sessionscribe-mitigate
close the window
Phased mitigation orchestrator: patch check, firewall the cPanel service ports to your management CIDRs, deploy a ModSec rule pack. Idempotent, safe to re-run.
sessionscribe-remote-probe
runs anywhere with curl
Non-destructive 4-stage probe: VULN or SAFE per host. Runs from anywhere. Structured output keyed on host / version / timestamp for fleet roll-up.
# 1. Are we already compromised? (on-host triage)
curl -fsSL https://raw.githubusercontent.com/rfxn/cpanel-sessionscribe/main/sessionscribe-ioc-scan.sh \
  | bash

# 2. Close the window (idempotent)
curl -fsSL https://raw.githubusercontent.com/rfxn/cpanel-sessionscribe/main/sessionscribe-mitigate.sh \
  | bash -s -- --apply

# 3. Sweep a single host from anywhere (non-destructive)
curl -fsSL https://raw.githubusercontent.com/rfxn/cpanel-sessionscribe/main/sessionscribe-remote-probe.sh \
  | bash -s -- --target HOST

--json / --csv outputs are ready for SIEM ingestion.

These one-liners pipe a script fetched from the main branch straight into bash, on a host you already suspect is compromised. For anything beyond a throwaway test, download the script, read it, and run it from a pinned commit or release tag instead.

Who the beta is for
Hosting providers
cPanel, Plesk, or DirectAdmin at scale. Catch live compromise that static scanners miss. One-click block lists across the whole fleet. Prove patch and cleanup outcomes to customers.
MSSPs and IR teams
Cross-tenant pivots, AI-assisted incident summaries, and a single console that turns process / connection / firewall data into a verdict and a rotation playbook. Bill the IR retainer, not the swivel chair.
Security researchers
Pivot on indicators across a working corpus. Validate findings, corroborate emerging operator patterns, cite numbers. Same data behind the public CVE-2026-41940 feed.
Private beta is open
We're onboarding small cohorts of hosting providers, MSSPs, and IR teams. Tell us what your fleet looks like and what you want out of the console.