Self-hosted security tool

Most tools hide
the noise.
We make it visible.

SignalTrace is a self-hosted honeypot and link tracker that scores every request for bot likelihood, generates threat feeds, and integrates with Splunk — all from a single PHP app and SQLite database.

Try Live Demo → View on GitHub

Open Source Splunk Ready Docker Ready Self-Hosted

Human-Likelihood ScoreLive

BOT< 25

SUSPICIOUS25–59

LIKELY60–74

HUMAN≥ 75

203.0.113.10Chrome/Win1090human

198.51.100.25curl/7.8112bot

192.0.2.50Python-urllib34suspicious

See it in action

A complete picture of every hit

From a single link click to a full Splunk SOC dashboard — here's what SignalTrace looks like in practice.

Reporting & Analysis

Enterprise Visibility with Splunk

SignalTrace provides the logic for deep-dive analysis. Deploy the included scripted inputs and Dashboard Studio templates directly to your environment.

SOC Overview Template Splunk SOC Overview Dashboard

A 24-hour tactical display for SOC monitors. Visualizes bot ratios, top attacking ASNs, and geo-distribution in real-time.

Detailed Investigation Splunk Investigation Dashboard

Pivot from trends to specifics. Filter by IP, CIDR, or specific token to trace exactly how a threat actor interacted with your links.

Knowledge Base

Operational Detail & Strategy

Beyond the code — deployment guides, tuning advice, and reference material for running SignalTrace in production.

Reference Scoring Reference

Complete reference for every detection signal, point values, and worked examples of score calculation.

Deployment Reverse Proxy Setup

How to configure TRUSTED_PROXY_IP so client IPs are recorded correctly behind Nginx or Cloudflare.

Deployment Nginx & PHP-FPM

Server block configuration and HTTPS setup for running SignalTrace under Nginx instead of Apache.

Integration Threat Feed Consumption

Consuming the blocklist via fail2ban, pfSense URL table aliases, or a generic cron approach.

Operations GeoIP Maintenance

Initial setup with geoipupdate, verifying databases, and automating weekly cron job updates.

Operations Tuning Guide

Approaching skip patterns, ASN rules, and scoring thresholds for different deployment scenarios.

Explore the Full Wiki →

When you're in the demo

What to try

The demo is a live SignalTrace instance capturing real internet traffic. Here's how to get the most out of it.

📋

Explore the Activity Feed

The Dashboard tab shows every hit in real time. Click any IP address to see all requests from that source, or click a token to filter by path. Expand any row with the Details button to see the full scoring breakdown.

🎯

Read the Score Reasons

Open a Details panel and look at the Scoring section. The Reason field lists every signal that contributed to the score — missing headers, spoofed UA, hosting provider ASN, or path risk.

🔗

Copy a Tracking URL

Go to the Tokens tab. The sample tokens have tracking URLs and pixel URLs pre-generated. Copy one and open it in a browser tab — your hit will appear in the feed within seconds, scored as human.

Live Demo

See real traffic, right now

The demo runs on real infrastructure and is capturing live traffic. It resets every 60 minutes.

Username

demo

Password

trysignaltrace

Open Live Demo →

No account needed · Resets hourly · Real traffic only

Open Source

Self-host it yourself

SignalTrace is MIT licensed and fully open source. One script gets you running on a fresh Ubuntu server or Docker in minutes.

View on GitHub →