Introduction

Core Concepts

Terminology for lures, threats, campaigns, scanner groups, telemetry, and C2 evidence.

Last updated May 2026

Lure

A lure (the UI term) is a deployed deception asset backed by a Docker image and a runtime configuration. In APIs and database models you may still see the term honeypot; both names refer to the same object.

Threat classification

Events carry a threat level (Low through Critical) and an attack type (SQLi, path traversal, CVE exploitation, etc.). Classification combines signature detection, Nuclei rule matches, and heuristics; unusual behavior may surface under Potential 0-Day when confidence is insufficient to attribute it to a named CVE.

Campaigns and scanner groups

Scanner groups cluster similar scanning fingerprints across IPs and time. Campaigns tie together related malicious activity for export and blocking workflows. Both are maintained in Research and Admin; they are not created automatically for every log line.

C2 tagging

An IP is tagged C2 only when the C2 detection pipeline finds positive evidence (JARM, OSINT, KE-LA Control, etc.). The C2 tag is never applied on the basis of traffic volume or reputation alone, which reduces false positives in executive dashboards.