Tooling

Honeypots — T-Pot, Cowrie, Dionaea

Catch attackers in the act, harvest IOCs, study TTPs.

Honeypots are deception assets — services that look real, log everything, and exist purely to be probed. They generate ground-truth threat-intel from the IPs and tools that actually scan you. For runtime detection see Runtime Security. For SIEM ingestion see SIEM (Wazuh / Graylog). For threat-intel feeds see Threat Intelligence (MISP).

All-in-one honeypot platform

  • ★ ★ T-Pot (Deutsche Telekom CERT) — Docker-based "every honeypot in one box": Cowrie, Dionaea, Honeytrap, ConPot, ElasticPot, Glutton, Heralding, Mailoney, Citrix Honeypot, Log4Pot, Tanner, Snare, MEDPot, ADBHoney, CiscoASA-Honeypot, RDPY, etc. Plus Suricata + ELK for analysis. The 2024–26 default. Free.

SSH / shell

  • Cowrie — medium-interaction SSH + Telnet honeypot; emulates a Linux shell with a fake filesystem; logs every keystroke and downloaded sample. Free. The classic SSH honeypot.
  • Kippo — Cowrie's predecessor; archived.
  • endlessh — tarpit; trickle SSH banners forever.

Web / HTTP

  • Glastopf / SNARE + TANNER — web app honeypots; emulate vulnerable PHP / WordPress.
  • HoneyHTTPD — simple HTTP banner honeypot.
  • Heralding — credential-collecting authentication-protocol honeypot.
  • Log4Pot — Log4Shell-themed HTTP honeypot.

Industrial / IoT

  • Conpot — ICS / SCADA honeypot; emulates Modbus, S7, BACnet, IEC-104, IPMI, etc. Free.
  • GasPot — ATG (gas pump) emulation.
  • HoneyThing — IoT.
  • MQTT-PWN / mqtt-honeypot — MQTT-shaped traps.

Database / cache

  • Dionaea — multi-protocol; SMB / FTP / HTTP / TFTP / MSSQL / MySQL / SIP; sample collection.
  • MongoDB Honeypot Proxy / ElasticPot — DB-shaped traps.
  • HoneyDB — feed of honeypot data; commercial / free.

Email / phishing-bait

  • Mailoney — SMTP honeypot.
  • MailHog / Mailpit — usually used as dev-mail-trap, not honeypot, but can be repurposed.

Network / canary

  • Canary tokens (Thinkst) — drop-in tripwires; Word docs / AWS keys / DNS / cloned-website tokens that ping you when triggered. Free public service at canarytokens.org; paid Canary appliance for enterprise.
  • Thinkst Canary — paid hardware / virtual canary appliance; one of the most-respected commercial deception products.
  • OpenCanary — Thinkst's open-source low-interaction honeypot daemon; SSH / SMB / HTTP / MSSQL / Telnet / RDP.
  • Honeytrap — multi-protocol; in T-Pot.

High-interaction / research-grade

  • Sebek / Honeynet Project gen-III — older but classic.
  • DRAKVUF — VMI-based; for malware sandbox-as-honeypot. See Malware Analysis.
  • HoneyPi — Raspberry Pi appliance.

Analysis layer

Deployment patterns

  • Sacrificial cloud VM — a $5 VPS running T-Pot collects 10k attempts/day for free.
  • DMZ-adjacent host with isolated logging path back; never let the honeypot reach production.
  • Internal canaries — drop OpenCanary in your own VLAN to detect lateral movement.
  • Canary tokens scattered — DNS, AWS, Word, Cloned-site — in your own infrastructure.
  • Don't run honeypots that can be weaponised as relays / amplifiers / sample-execution platforms. Cowrie etc. don't actually run code — keep it that way.
  • Network-segregate entirely from production.
  • Egress-firewall the honeypot — don't let it scan the internet on your behalf.
  • Local laws — running an SMB honeypot may attract liability / ISP attention; budget for tickets.

What honeypots are great for

  • Free, ground-truth IOC feed.
  • Detection of internal lateral movement (canaries on file shares).
  • Studying attacker TTPs / new tools.
  • Tar-pitting scanners; making your network noisier than the next.

What they're not

  • A replacement for real defences.
  • A solo IR signal — combine with SIEM (Wazuh).

Pick this if…

  • Default cloud honeypot box: T-Pot.
  • SSH-only deception: Cowrie.
  • ICS / SCADA test: Conpot.
  • Internal-network tripwires: OpenCanary or Thinkst Canary appliance.
  • Drop-in tokens: canarytokens.org (free) or Thinkst Canary (paid).
  • Internet-wide scanner attribution: T-Pot + GreyNoise correlation.

On this page