SYSTEM IDENTITY — ABOUT THE PLATFORM

Built by someone who actually ships.

EZMCyber is a live deception engineering and threat intelligence platform — not a demo, not a concept. Real attackers probe it. Real data comes back. Built and operated by Niffy, solo.

Deception Engineering · Threat Intelligence · Breach Detection · AI-Powered Defense · Open Research
Who's behind this

Niffy — Founder & Solo Dev

I build security systems that work in production, not just in controlled environments. EZMCyber started as a personal experiment in deception engineering — planting traps in my own infrastructure and watching what real attackers do when they spring them.

Today the platform runs 77+ tracked attacker profiles, a live canary network, cryptographic data provenance, an AI-powered Hall of Mirrors, BGP hijacking detection, and an LLM prompt injection honeypot — all built and deployed solo.

Currently learning penetration testing through HackerOne and building toward bug bounty programs to fund continued platform development.

ROOT@EZMCYBER:~$ WHOAMI ONLINE
># System operator
>name = "Niffy"
>role = "Founder & Solo Developer"
>platform = "EZMCyber"
>stack = ["Flask", "Redis", "Neon PG", "Koyeb"]
>active_since = "2024"
>attackers_tracked = 77
>status = "ACTIVELY BUILDING"
77+ Attacker Profiles Built
8 Active Research Modules
24/7 Platform Uptime
5 Open Source Projects
Deception Traps Active
What the platform does

The full deception stack

Every module is deployed, running in production, and collecting real data from real attackers. This is not theoretical architecture.

ACTIVE
Quantum Canary Network
Fake users with 3–18 months of believable history. Canary records planted across every data layer. Any attacker who enumerates data hits a trap first.
ACTIVE
Hall of Mirrors
Recursive deception layers serving adaptive fake data. Attackers descend up to 5 layers deep, each revealing more convincing but false intelligence.
ACTIVE
Attractor Sandbox
Critical threat actors are moved into a synthetic environment. They operate, exfiltrate fake data, and believe they've succeeded — while you watch every move.
ACTIVE
Session DNA Profiling
Builds a behavioral fingerprint per session — timing patterns, navigation sequences, request cadence. Deviations trigger anomaly alerts.
ACTIVE
Cryptographic Provenance
Every exported data item carries a signed provenance token. When stolen data surfaces elsewhere, it traces back to the exact session, user, and timestamp.
ACTIVE
Immutable Audit Chain
SHA-256 hash-chained event log. Every canary trigger, sandbox entry, and provenance violation is permanently recorded. Tamper-detectable evidence trail.
ACTIVE
LLM Prompt Injection Honeypot
Fake internal AI API that catalogues real-world prompt injection attempts. Returns convincing fake responses with embedded canary tokens. First public honeypot of this type.
ACTIVE
BGP Hijacking Monitor
Monitors route announcements for your IP space via Cloudflare Radar and RIPE RIS Live. Alerts on unauthorized origin ASN changes or sub-prefix hijacking.
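
The hash-chaining idea behind the Immutable Audit Chain module above, as an added example (not EZMCyber's code): each entry's SHA-256 covers the previous entry's hash, so an in-place edit breaks verification. The entry layout, GENESIS value, function names and sample events are assumptions constructed for illustration; the trusted_head check shows why the latest hash must also be kept outside the log.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous hash" for the first entry


def entry_hash(prev_hash, event):
    # Canonical JSON (sorted keys, fixed separators) so equal events hash equally.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_event(chain, event):
    """Append an event, linking it to the hash of the entry before it."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({"event": event, "prev": prev_hash,
                  "hash": entry_hash(prev_hash, event)})
    return chain[-1]["hash"]


def verify_chain(chain, trusted_head=None):
    """Return None if intact, else the index of the first inconsistency.

    Linkage alone catches in-place edits. Truncation, or a full rewrite by
    someone who recomputes every hash, is only caught by comparing against a
    head hash stored outside the log; that case returns len(chain).
    """
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev_hash:
            return i
        if entry["hash"] != entry_hash(prev_hash, entry["event"]):
            return i
        prev_hash = entry["hash"]
    if trusted_head is not None and prev_hash != trusted_head:
        return len(chain)
    return None


def build_sample_chain():
    # Constructed sample events, not real platform data.
    chain = []
    for kind, session in [("canary_trigger", "s-001"),
                          ("sandbox_entry", "s-001"),
                          ("provenance_violation", "s-002")]:
        append_event(chain, {"type": kind, "session": session})
    return chain
```

Without an externally anchored head hash, a log truncated to its first two entries still verifies cleanly, which is why the head should be published or stored where the log's writer cannot reach it.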
Open research

Research projects published to GitHub

01
Attacker Fingerprint Corpus
Live public threat intelligence feed built from real honeypot data. Query JA3 hashes, user agent patterns, attack path classifications via open API.
LIVE API
02
Deception Markup Language (DML)
Open specification for portable, tool-agnostic deception trap configuration. Like OpenAPI but for honeypots. Validator + Python reference implementation.
OPEN SPEC
03
LLM Prompt Injection Honeypot
Flask blueprint that presents as an internal AI service and catalogs MITRE ATLAS-classified prompt injection attacks from real threat actors.
DEPLOYED
04
BGP Early Warning System
Open source BGP route hijacking monitor for indie operators. Enterprise tools cost $500+/month. This is free, runs on Koyeb, integrates Cloudflare Radar.
OPEN SOURCE
05
Supply Chain Canary Injector
Injects runtime ping canaries, DNS watermarks, and zero-width character tokens into Python/npm packages before publishing. Detects unauthorized redistribution.
CLI TOOL
Technical architecture
Main Platform
Flask 3.0 on Koyeb. Neon PostgreSQL + Redis. All deception modules, canary engine, sandbox, immutable log. ezmcyber.xyz
Breach Monitor
Separate Flask service. Scans paste sites, GitHub repos, dark web sources. AI correlation engine. Telegram alerts. status.ezmcyber.xyz
Security API
Node.js Express. Email breach checks, URL scanning, IP reputation, file hash analysis, header analysis. api.ezmcyber.xyz

Ready to see the platform in action?

Early access available for security operators and researchers. The architecture is the differentiator.
