Skip to content
Live · 214 honeypots · 38 countries

Automated VoIP & SIP threat intelligence.

Stop SIP toll fraud before it happens. Real-time SIP IP blacklist feeds and on-demand PBX security audits for Kamailio, Asterisk, and 3CX, powered by a global honeypot network.

No credit card required · REST API · Drop-in Fail2Ban & iptables scripts

Compatible with

  • Asterisk
  • Kamailio
  • FreeSWITCH
  • 3CX
  • OpenSIPS
  • FreePBX

Trust & compliance

Built to the standards your security team already audits.

SipRadar is architected for regulated environments, from independent MSPs to enterprise call centers. Independent auditors, transparent controls, and data residency you can point at.

  • SOC 2 Type II

    Operational controls, audited annually

    Independent AICPA audit of our security, availability, and confidentiality controls. Report available under NDA.

  • ISO/IEC 27001

    Certified information security management

    End-to-end ISMS covering the honeypot fleet, threat graph, and customer-facing APIs. Recertified every 12 months.

  • GDPR

    EU data protection by default

    DPA on request, EU-hosted primary region, sub-processor registry, and full data-subject request tooling for your customers.

  • HIPAA-ready

    For healthcare call centers

    BAAs available for Enterprise plans. No PHI ever transits SipRadar honeypots; SIP metadata is minimized at capture.

What this means for you: procurement-ready security evidence, less back-and-forth with your compliance team, and controls that map directly to your vendor risk framework.

Trusted by VoIP operators

Protecting PBX fleets from Berlin to São Paulo.

Read case studies →
  • Nordvox
  • Telario
  • PBXWorks
  • CallForge
  • SipHaven
  • VoxMesh
SipRadar cut brute-force REGISTER attempts on our carrier edge by 96% in the first week. It replaced three homegrown scripts.
Marta K. · Head of Network Security, Nordvox
The honeypot feed catches attackers weeks before commercial IP reputation lists. It's now a hard requirement for every PBX we deploy.
Daniel R. · CTO, PBXWorks MSP
Their PBX audit found a misconfigured allowguest that would have cost us mid five figures in toll fraud. Paid for itself on day one.
Fatima A. · VoIP Operations Lead, CallForge

Honeypot lookup

Check any IP against our global SIP honeypot database.

See instantly whether an address has been recorded probing SIP endpoints, brute-forcing extensions, or attempting toll fraud. The same signal powers our Threat Intelligence API.

  • · Cross-referenced against 214 active honeypots
  • · First-seen and last-seen timestamps
  • · Attack pattern & suspected user-agent
Query/v1/ip/lookup
1,283,491
Attacks blocked, 24h
45,312
Malicious IPs on file
214
Honeypots online
9,847
PBX audits completed

Platform

Three layers of SIP defense.

SipRadar unifies passive threat collection, real-time blacklist distribution, and active vulnerability scanning, so your VoIP infrastructure stays a step ahead of the toll-fraud economy.

  1. 01

    Global honeypot network

    Passive intelligence

    A worldwide mesh of SIP honeypots silently records every scan, brute-force, and toll-fraud attempt, feeding fresh signals into our threat graph every second.

  2. 02

    Real-time blacklist API

    Drop-in integration

    Stream our curated SIP IP blacklist directly into Fail2Ban, iptables, Kamailio dispatcher, or Asterisk ACLs. One-line install scripts. Zero maintenance.

  3. 03

    Active vulnerability scanner

    On-demand audit

    Point SipRadar at your PBX to surface exposed port 5060, weak extension passwords, insecure SIP TLS, and dial-plan misconfigurations before attackers do.

Live feed

Real-time SIP attack telemetry.

Streaming from our global honeypot network. The same feed powers our GET /v1/threats endpoint.

Streaming · live128,412 events · last 60 min
Live attacks
185.243.115.84 · RU · score 98
185.243.115.84:5060· RU· score 9845.227.253.109:5060· PA· score 95193.32.162.44:5061· NL· score 91141.98.10.63:5060· LT· score 8789.248.165.201:5060· NL· score 84212.70.149.71:5060· BG· score 7977.83.36.219:5060· RU· score 72185.156.73.52:5062· RU· score 46103.145.13.9:5060· IN· score 885.188.86.174:5060· RU· score 9294.102.61.7:5061· NL· score 68162.243.144.55:5060· US· score 55185.243.115.84:5060· RU· score 9845.227.253.109:5060· PA· score 95193.32.162.44:5061· NL· score 91141.98.10.63:5060· LT· score 8789.248.165.201:5060· NL· score 84212.70.149.71:5060· BG· score 7977.83.36.219:5060· RU· score 72185.156.73.52:5062· RU· score 46103.145.13.9:5060· IN· score 885.188.86.174:5060· RU· score 9294.102.61.7:5061· NL· score 68162.243.144.55:5060· US· score 55
0–59 Watch60–84 High85–100 Critical

185.243.115.84

09:42:11

98Critical
Geo
RU
Port
5060
User-agent
friendly-scanner

45.227.253.109

09:41:57

95Critical
Geo
PA
Port
5060
User-agent
SIPVicious

193.32.162.44

09:41:33

91Critical
Geo
NL
Port
5061
User-agent
sipcli/v1.8

141.98.10.63

09:40:58

87Critical
Geo
LT
Port
5060
User-agent
VaxSIPUserAgent

89.248.165.201

09:40:22

84High
Geo
NL
Port
5060
User-agent
sundayddr

212.70.149.71

09:39:47

79High
Geo
BG
Port
5060
User-agent
SIPVicious

77.83.36.219

09:39:12

72High
Geo
RU
Port
5060
User-agent
friendly-scanner

185.156.73.52

09:38:41

46Watch
Geo
RU
Port
5062
User-agent
sipsak 0.9
Showing 18 of 20 filtered
1 / 3

PBX security audit

Audit your PBX in under 60 seconds.

SipRadar probes your public endpoint for exposed SIP ports, weak REGISTER credentials, verbose responses that leak extensions, and misconfigured TLS, then hands you a remediation checklist your team can ship today.

  • Detects open UDP/TCP 5060 & 5061 exposure
  • Enumerates weak or default extension passwords
  • Flags dangerous Asterisk allowguest and 3CX defaults
  • Exports remediation as Markdown, PDF, or Jira tickets
pbx-audit.reportCompleted
target        pbx.acme-corp.example
ports open    5060/udp   5060/tcp   5061/tcp
sip banner    Asterisk PBX 18.9.0 (exposed)
weak exts     3 found   1001, 1050, 2001
allowguest    yes  (toll fraud risk)
tls / srtp    disabled
blacklist     0 inbound from known bad IPs

recommended   rotate 3 extension secrets · disable
              allowguest · enable SIP-TLS on 5061 ·
              subscribe to SipRadar blacklist feed

Developer API

A REST API your ops team can wire in this afternoon.

Bearer-token auth, predictable JSON, generous rate limits, and 99.95% uptime SLA on paid tiers. Native SDKs for PHP, Python, and Node, plus drop-in scripts for Fail2Ban, iptables, Kamailio dispatcher, and Asterisk pjsip ACLs.

  • · Streaming /v1/threats feed (WebSocket + long-poll)
  • · 100 lookups/mo free · real-time on Single PBX+ · unlimited on Active Defense
  • · OpenAPI 3.1 schema · Postman collection · signed webhook events
Endpointsv1 · stable
  • GET/v1/ip/{addr}

    Reputation, first/last seen, attack pattern, geo, ASN.

  • GET/v1/threats

    Rolling stream of honeypot events. Filter by port, country, score.

  • POST/v1/scan

    Kick off an on-demand PBX audit. Returns a job ID + webhook.

  • GET/v1/blacklist.txt

    Plain-text blacklist for Fail2Ban / iptables. Refreshes every 60s.

  • POST/v1/report

    Submit a suspicious IP or SIP payload to the honeypot network.

Example

$ curl -H "Authorization: Bearer sk_live_..." \
       https://api.sipradar.net/v1/ip/185.243.115.84

{
  "ip": "185.243.115.84",
  "malicious": true,
  "score": 98,
  "first_seen": "2026-05-02T11:14:07Z",
  "last_seen":  "2026-07-15T09:42:11Z",
  "hits": 4127,
  "pattern": "sip-register-bruteforce",
  "asn": "AS49505",
  "country": "RU"
}

Pricing

Pay for real-time defense, not per-seat.

Start free with delayed threat intel. Upgrade when you need Fail2Ban and iptables scripts blocking attackers in real time, or Active Defense Pro to protect up to 10 PBX endpoints.

  • Community

    Free

    $0/ month

    For developers and sysadmins exploring SipRadar. Enough to find your first vulnerabilities and check suspicious IPs from logs.

    • 1 on-demand PBX scan per month
    • 100 API lookup requests per month
    • Threat feed with 48-hour delay
    • Community support (Discord)
    Start free
  • Single PBX

    Starter

    $29/ month

    For small businesses, solo call centers, and local IT admins protecting one PBX edge.

    • 1 active PBX IP (continuous monitoring)
    • Real-time Threat API for Fail2Ban & iptables
    • Weekly automated PBX audit (Monday email)
    • 7-day log retention
    Get started
  • Active Defense

    Pro

    Most popular
    $89/ month

    For MSPs and serious VoIP providers managing multiple customer PBX fleets from one account.

    • Up to 10 PBX IP addresses
    • Unlimited on-demand PBX scans
    • Webhook & Slack alerts on brute-force
    • PDF audit reports (MSP-ready)
    • 30-day log retention
    Get started
  • Enterprise

    Wholesale

    $249+/ month

    For telecom operators and large-scale VoIP infrastructure. Custom capacity and carrier-grade feeds.

    • Unlimited IPs and API requests
    • White-label PDF reports
    • BGP Blackhole / SIP-URI feeds
    • SOC 2 report, private honeypots, SSO
    • 99.95% uptime SLA · 24×7 on-call
    Talk to sales

Prices in USD, exclusive of applicable taxes. Annual billing available on Active Defense (−15%). Non-profit and academic discounts on request.

Stop toll fraud tonight

Point SipRadar at your PBX. Get a remediation checklist in 60 seconds.

Free audit · no credit card · no agent to install. Works with Asterisk, Kamailio, FreeSWITCH, 3CX, OpenSIPS, and FreePBX.

Early access

SipRadar Pro launches Q4 2026.

Reserve your seat and receive one month of complimentary Threat Intelligence API access at launch: unlimited lookups, the streaming feed, and priority honeypot signal.

One email at launch. No newsletters. Unsubscribe anytime.

FAQ

Questions we get from VoIP ops teams.

Straight answers on detection, integration, retention, and support. Missing something? Our team replies to security questions within one business day.

Ask a question →
  • We operate 214 SIP honeypots across 38 countries. Each pretends to be a live PBX and silently records every REGISTER, INVITE, OPTIONS, and SUBSCRIBE probe. Attack patterns are graded 0–100 by our threat graph and streamed to the /v1/threats API within seconds.