SSH client string
Non-OpenSSH clients (libssh, paramiko, Go) flagged as bot
high weight
Inter-command timing
Sub-100ms cadence between commands indicates scripted execution
high weight
Command sequence
Exact match to known playbooks (hardware survey, mdrfckr key, etc.)
medium weight
Session duration
Very short (<5s) or very uniform durations suggest automation
low weight
HASSH fingerprint
Known bot HASSH hashes matched against community database
medium weight
Recon pattern
Structured hardware profiling immediately post-auth
medium weight