The AI-Powered Security Engine for cPanel
BotSurgeon-Pro/AI combines a blazing-fast Bash triage engine with machine learning forensics to detect and neutralize threats that legacy security tools miss.
BotSurgeon-Pro/AI
Detect. Analyze. Neutralize.
AI-powered threat intelligence trained on 60,000 real production attacks. From evidence to action in 0.5 seconds. Full forensic evidence for every block — know exactly why an IP was blocked and have the proof to back it.
Why Hosting Providers Choose BotSurgeon
Modern bot attacks have evolved beyond simple rate limiting. They rotate user agents, distribute across subnets, probe for configuration files, and mimic legitimate browsers. Legacy security tools block known signatures and hope for the best. BotSurgeon uses machine learning to understand attack behavior — predicting threats before they reach critical thresholds and providing full forensic evidence for every decision it makes.
Most security tools stop protecting the moment a license expires — leaving servers completely exposed during billing gaps. BotSurgeon's triage engine continues blocking threats even without an active license, because server protection should never have an off switch.
Predictive, Not Reactive
Static rules catch yesterday's attacks. BotSurgeon's RandomForest and IsolationForest ML models analyze behavioral patterns in real time, detecting zero-day exploits that exhibit bot-like characteristics before they match any known signature.
Forensic Transparency
Every blocked IP comes with a full forensic report: what paths were targeted, which domains were hit, what attack signatures were detected, and a scored risk assessment with confidence levels. No black boxes. No guessing.
Zero Context-Switching
BotSurgeon lives inside WHM. Native plugin registration, dashboard in your admin panel, security overview in cPanel Jupiter. You never leave the tools you already use.
Three Layers of Protection
BotSurgeon-Pro/AI is a 3-tier security intelligence platform. Each layer operates independently while feeding data to the next — creating a detection-to-action pipeline that responds in under 2 seconds.
BotSurgeon-Pro: Real-Time Triage Engine
The hardened Bash triage engine monitors Apache in real time via the splitlogs proxy. 22+ detection modes analyze connection states, request velocity, subnet patterns, and bot fingerprints. Multi-layer blocking through nftables, firewalld, iptables, CSF, and ModSecurity — with a watchdog that verifies blocks aren't silently removed.
Technology: Bash, iptables, nftables, firewalld, CSF, ModSecurity
BotSurgeon-AI: Machine Learning Intelligence
The Python ML layer elevates detection from reactive to predictive. RandomForest classifies known threat patterns. IsolationForest identifies anomalies that don't match any signature. Behavioral fingerprinting (SHA-256 profiles), campaign attribution (coordinated botnet grouping), and predictive signals (VELOCITY_SPIKE, PATTERN_SHIFT, SUBNET_SURGE) provide early warning before attacks reach critical thresholds.
Technology: Python, scikit-learn, SQLite
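As an added illustration of the behavioral fingerprinting and campaign grouping described above (not BotSurgeon's own code), the sketch below hashes each client's set of user agents and request paths with SHA-256 and groups IPs that share a fingerprint, reporting them by /24 (IPv4) or /64 (IPv6). The function names, the fingerprint recipe, and the log lines are assumptions constructed for this example.

```python
import hashlib
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2025:10:00:00 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "scanner/1.0"
203.0.113.10 - - [01/Jan/2025:10:00:01 +0000] "GET /.env HTTP/1.1" 404 196 "-" "scanner/1.0"
203.0.113.77 - - [01/Jan/2025:10:00:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "scanner/1.0"
203.0.113.77 - - [01/Jan/2025:10:00:03 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "scanner/1.0"
2001:db8:1:2::a - - [01/Jan/2025:10:00:04 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "scanner/1.0"
2001:db8:1:2::a - - [01/Jan/2025:10:00:05 +0000] "GET /.env HTTP/1.1" 404 196 "-" "scanner/1.0"
198.51.100.5 - - [01/Jan/2025:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

def profiles(log_text):
    """Collect the set of request paths and user agents seen per client IP."""
    seen = defaultdict(lambda: {"paths": set(), "agents": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of guessing at fields
        ip, path, agent = m.groups()
        seen[ip]["paths"].add(path)
        seen[ip]["agents"].add(agent)
    return seen

def fingerprint(profile):
    """SHA-256 over sorted agents and paths, so request order does not matter."""
    canon = "\n".join(sorted(profile["agents"])) + "\x00" + "\n".join(sorted(profile["paths"]))
    return hashlib.sha256(canon.encode()).hexdigest()

def subnet(ip):
    """Aggregate IPv4 by /24 and IPv6 by /64 (one client commonly holds a whole /64)."""
    addr = ipaddress.ip_address(ip)
    return str(ipaddress.ip_network(f"{ip}/{24 if addr.version == 4 else 64}", strict=False))

def campaigns(log_text, min_ips=2):
    """Group IPs that share a fingerprint; return {fingerprint: sorted subnets}."""
    groups = defaultdict(set)
    for ip, prof in profiles(log_text).items():
        groups[fingerprint(prof)].add(ip)
    return {fp: sorted({subnet(ip) for ip in ips})
            for fp, ips in groups.items() if len(ips) >= min_ips}
```

On the sample, the three probing clients collapse into one campaign spanning one /24 and one /64, while the ordinary browser request stays ungrouped.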
BotSurgeon Dashboard: Real-Time Operations
The web-based dashboard provides a complete security operations view inside WHM. Live KPI gauges, filterable threat intelligence table, full forensic report modals, AI-powered recommendations, and one-click emergency controls — all updating in real time via Server-Sent Events.
Technology: FastAPI, Alpine.js, SQLite, SSE
What's Under the Hood
Real-Time Threat Detection
0.5–1.5 second response time from log entry to block. The splitlogs proxy intercepts Apache's log pipeline without disrupting cPanel's native stats. Fail-open design means your logging continues even if BotSurgeon restarts.
AI-Powered Scoring & Auto-Blocking
Composite threat scores combine 8+ behavioral signals into a 0–100 risk rating. IPs crossing configurable thresholds are auto-blocked across all firewall layers simultaneously. Velocity and acceleration scoring detects attacks ramping up before they peak.
Full Forensic Reports
Per-IP deep-dive reports include: executive summary with risk score, top requested paths, targeted domains, request patterns with HTTP methods and status codes, attack signature matches with confidence levels, recent event timeline, user agent analysis, behavioral indicators, and prioritized recommended actions.
Threat Signature Database v2
Trained on 60,000 real forensic events from production cPanel servers — not synthetic benchmarks. 75MB+ of labeled attack data. Coverage includes PHPUnit RCE, Git exposure, WordPress enumeration, backup probing, credential stuffing, DDoS flooding, vulnerability scanning, and config file harvesting.
Analyst Ground-Truth Labeling
Three-button workflow to label any IP as Malicious, False Positive, or Benign — with optional training notes. Labels persist across re-ingestion and feed directly into the ML training pipeline. Your expert judgment makes the models smarter over time.
Emergency Lockdown
One-click activation drops detection thresholds to aggressive levels for active attack scenarios. Toggle from the dashboard or CLI. Full audit trail of every action taken during lockdown. Disable when the threat passes — all controls return to normal.
Everything Included in Every Tier
- 22+ detection modes including connection state tracking, request rate analysis, velocity/acceleration scoring, CIDR subnet analysis, and coordinated attack detection
- Bot fingerprinting with headless browser detection and user-agent rotation analysis
- Behavioral fingerprinting via SHA-256 profiling of user agents and request paths per IP
- Access log threat analysis scanning for suspicious paths, 404 scanners, probe patterns, and credential stuffing
- Domlog scanning with per-domain log analysis and cross-domain attack correlation
- Campaign attribution grouping coordinated botnet attacks by attack vector signatures
- Predictive signals providing early warning for velocity spikes, pattern shifts, and subnet surges
- RandomForest Classifier for threat prediction with 95%+ accuracy
- IsolationForest Anomaly Detection for zero-day pattern identification
- Threat Signature Database v2 trained on 60,000 real production events (75MB+ labeled data)
- Adaptive threshold adjustment driven by observed attack patterns
- Threat escalation prediction for currently-suspicious IPs
- AI scoring feedback loop between ML layer and triage engine
- Model caching with disk persistence to avoid retraining overhead
- Multi-layer blocking via nftables, firewalld, iptables, and CSF
- ModSecurity WAF rule generation from detected attack patterns
- Temporary blocks with configurable auto-expiry and permanent block support
- Block integrity watchdog that detects and re-applies removed blocks
- Cooldown/dedup system preventing duplicate blocks within configurable windows
- IPv6 full support with dual-stack detection and /64 prefix handling
- Clean unblock function across all firewall layers
- Native WHM plugin in navigation menu and cPanel Jupiter Security section
- Real-time KPI cards: total incidents, critical count, high severity, block rate, threat level
- Four gauge dials: incident rate, block effectiveness, average threat score, response time
- Incident severity distribution chart and security posture visualization
- Filterable threat intelligence table with IP, score range, classification, and date filters
- Pagination with configurable items per page
- Full forensic report modal with executive summary, paths, domains, signatures, timeline, user agents, indicators, and recommendations
- Bulk regenerate for mass report refresh with progress tracking
- Quick Copy summary and JSON export for forensic reports
- Auto-refresh at 5s, 10s, 15s, 30s, or 60s intervals
- Server-Sent Events for real-time dashboard updates
- Dual IP reputation via AbuseIPDB and SecureFeed APIs
- GeoIP country lookup with IPv6 support
- Subnet intelligence tracking threat density per /24 network
- AI recommendations with severity tags (HIGH/MEDIUM/LOW) and confidence percentages
- Analyst ground-truth labeling (Malicious/False Positive/Benign) with training notes
- Watchlist system with rolling observation windows, risk scoring, entropy, and path spray metrics
- Historical trending for incident pattern tracking
- Audit log with timestamped record of all actions
- One-click emergency lockdown with audit trail
- Webhook notifications for Slack, Microsoft Teams, Discord, and generic endpoints
- Quick Actions menu: Generate Report, Blocked IPs, Whitelisted IPs, Audit Log, Active Watchlist
- Whitelist management with CIDR notation, comments, and bulk import
- Dry-run mode for safe testing on production servers
- Forensic data sharing opt-in for community threat intelligence (disabled by default)
- One-command installation in under 5 minutes
- Splitlogs proxy with fail-open design — zero disruption to cPanel stats
- Systemd services (botsurgeon-api + botsurgeon-monitor)
- Automated cron triage every 5 minutes
- Pipeline self-check for health verification
- Automatic log rotation (size-based, maintenance-free)
- External configuration file with --generate-config
- Lock file and concurrency guard for safe cron operation
- Clean uninstall script
- Supported: AlmaLinux 8/9, CloudLinux 8/9, Rocky Linux 8/9, cPanel/WHM v110+
From Zero to Protected in Under 5 Minutes
chmod +x install.sh && sudo ./install.sh
That's it. The installer handles all dependencies, service registration, cPanel plugin integration, and initial configuration automatically. Navigate to WHM → BotSurgeon-AI Security to begin.
Trusted by Hosting Providers
See what industry leaders say about BotSurgeon-Pro/AI
Customer stories coming soon. We're collecting feedback from early adopters and will feature real testimonials here.
Are you using BotSurgeon-Pro/AI? Share your experience
See BotSurgeon in Action
Watch a narrated walkthrough of BotSurgeon-Pro/AI detecting, analyzing, and neutralizing threats in real time.
Simple, Transparent Pricing
Choose the tier that fits your infrastructure. All tiers include the full stack.
Starter
1–5 cPanel accounts
- Full BotSurgeon-Pro/AI
- AI forensic analysis
- Threat Signature DB v2
- WHM dashboard
- Email support (24-48h)
Pro
Up to 30 accounts
Launch promo — $49/mo after 21 days
- Everything in Starter
- Up to 30 cPanel accounts
- Priority email support
Enterprise
Up to 100 accounts
- Everything in Pro
- Up to 100 cPanel accounts
- Mid-size host optimized
Unlimited
Server-wide protection
- Everything in Enterprise
- Unlimited cPanel accounts
- Full server coverage
Gold Founder
Unlimited servers
One-time • Lifetime • 10 slots only
- Unlimited servers
- Hall of Champions
- Direct builder access
- Early access to all updates
Coupons cannot be applied to Gold Founder purchases.
Not ready to commit?
Try BotSurgeon-Pro/AI free for 7 days. No credit card required.
All tiers include the full BotSurgeon-Pro Triage Engine, AI ML Layer, Dashboard, and Threat Signature DB.
Gold Founders — 10 Slots Only
The first 10 hosting providers to claim a Gold Founders slot receive unlimited server licenses for life — no monthly fees, ever. Gold Founders get permanent recognition in the dashboard Hall of Champions, a direct line to development for priority feature requests, early access to all future modules and AI engine updates, and the opportunity to shape BotSurgeon's evolution through production threat data that trains our next-generation models.
Running 5+ servers? Gold Founders breaks even in under 13 months. Running 10+? Under 7 months. Every month after that is pure savings — forever.
No time lock — scarcity only
0 of 10 claimed
Try BotSurgeon-Pro/AI Free for 7 Days
Full feature access. No credit card required. Protection in under 5 minutes. One trial per server — because that's all you need to see the difference.
How it works
Run install.sh on your cPanel/WHM server
The installer registers a 7-day trial automatically
Open WHM → BotSurgeon-AI Security and start monitoring
chmod +x install.sh && sudo ./install.sh
Protect Your Servers Today
Deploy BotSurgeon-Pro/AI in minutes. Plans from $14/month.