Gateway - Hacker Identification

How to identify hackers based on your internal logs using Gateway features

Updated over a week ago

Note: The personal IP addresses of hackers are not shared through the Gateway logs due to compliance reasons. All of the Gateway hacker’s traffic will come from the same IP address(es). Hence, personal IP addresses will not be available in your internal logs, but the allowlisted Gateway IP addresses will be available.


  • Traffic log tracking on HackerOne Gateway should be enabled for your program.

  • Collect the request details from your internal logs:

    • Source IP address

    • URL / IP address

    • Method

    • UTC timestamp

  • The source IP address should match the allowlisted IP address(es) on your HackerOne Gateway program at the time of the request.

Identification Methods

You can identify hackers by filtering activities and/or searching in the log files. Here are the differences between these methods:

  • Log files contain more request details compared to the Activity page. However, all the requests show up in both places.

  • Downloaded log files provide more recent data that will include requests made 3-4 minutes earlier, whereas the logs are synced every 20 minutes to the Activity page.

Filter Activities

  1. Navigate to Program Settings > Hacker Engagement > Gateway > Activity

  2. Click the advanced filter button to see the Start and End timestamp fields

  3. Enter timestamps to match the UTC timestamp from your logs. Adjust the timestamp filter as needed.

  4. To further refine the search results, enter the request URL in the search bar

  5. You should see the results matching your query

Log File Search

  1. Navigate to Program Settings > Hacker Engagement > Gateway > Log

  2. Request and download a log for the intended date

  3. The downloaded file content is described here

  4. Search in the files for the request URL, method, and UTC timestamp to identify the hacker

Did this answer your question?