A honeypot is a deliberately vulnerable system or resource designed to attract attackers, record their activity and enable early detection. It generates no business value: any interaction with it is suspicious by construction. That clean signal makes the honeypot one of the most cost-effective defensive tools available when it is deployed properly.
Deception technology is the enterprise evolution. Instead of an isolated lab server, a platform plants credible decoys across the corporate network: fake accounts in Active Directory, files with embedded tracking, marked AWS keys, simulated endpoints in internal VLANs. An attacker moving laterally eventually interacts with one of those decoys and reveals themselves before reaching real assets.
This guide covers types (low-interaction, high-interaction, pure, honeytokens), defensive use cases, the most widely used commercial and open source platforms, how deception fits into MITRE Engage and MITRE Shield, legal and operational risks, and how to plan an enterprise deployment without turning the honeypot into a liability of its own.
The essentials
- A honeypot is a system or resource with no business value whose only purpose is to be touched by an attacker so it generates a detection signal.
- The four operational categories are low-interaction, high-interaction, pure honeypots and honeytokens.
- The real defensive value lies in detecting lateral movement, insider threat and credential theft, not in "studying the attacker".
- Thinkst Canary dominates the commercial enterprise segment; T-Pot, Cowrie and Dionaea are the most established open source building blocks.
- MITRE Engage and MITRE Shield formalise deception as a defensive discipline with catalogued techniques.
- A poorly segmented honeypot becomes a pivot point into the real network: location and isolation matter as much as the decoy itself.
What a honeypot is: a precise technical definition
A honeypot is a computing resource whose value resides exclusively in being probed, attacked or compromised. The classic definition comes from Lance Spitzner with the Honeynet Project in the early 2000s. It has no legitimate users, exposes no services required by the business and any packet reaching it is by definition anomalous.
That property produces detection with a very low false positive ratio. A corporate SIEM ingests millions of events a day and requires complex rules to extract signal. A honeypot fires an alert when somebody tries to authenticate or reads a marked file, and it is almost always actionable.
Research honeypots aim to capture malware and generate intelligence for the community. Production honeypots, the focus of this guide, serve early detection inside one organisation. Architectures and vendors differ.
Honeypot vs honeynet vs deception platform
Honeypot. A single decoy system or resource. It can emulate a service (exposed SSH, fake login page) or be a complete isolated system.
Honeynet. A network of interconnected honeypots simulating a corporate segment. The Honeynet Project popularised the term. In enterprise environments, pure honeynets have largely been relegated to research and internal red team work; in production they have mostly been replaced by deception platforms.
Deception platform. Commercial product that deploys decoys distributed across the infrastructure: accounts, files, simulated endpoints, DNS records, secrets in repositories. It integrates centralised alert collection, SIEM and EDR integration and automated credibility maintenance. Thinkst Canary and, in their time, Illusive Networks or Cymmetria are examples.
The operational difference is scale. Deploying an isolated honeypot is a weekend exercise. Maintaining two hundred credible decoys across a corporate network, without them ageing or generating false positives from legitimate IT scans, requires a platform or a dedicated team.
Honeypot types
Low-interaction honeypots
They emulate services without providing a real operating system. A low-interaction SSH honeypot accepts connections, returns a convincing banner and simulates a shell with preconfigured responses, but does not allow real commands to be executed against the host. Examples: Cowrie in emulation mode, Dionaea, Honeyd.
Advantages. Quick to deploy, low residual risk, low resource footprint, easy to replicate.
Limitations. An experienced attacker detects the emulation within minutes through stereotyped responses and an incomplete filesystem. They serve to detect automated scans, not to capture the TTPs of an advanced actor.
High-interaction honeypots
A real operating system with real services, instrumented to log all activity. The attacker obtains a genuine shell and can execute binaries, modify configuration, install malware. Cowrie in proxy mode against a real container, virtual machines in a honeynet or commercial appliances all fit here.
Advantages. Very high fidelity, capture of real TTPs, live malware, authentic post-exploitation behaviour.
Limitations. Significant operational risk. If the honeypot is compromised without strict isolation, the attacker can pivot into the real network or use it as an exfiltration point. It requires rigorous segmentation, continuous monitoring and containment and reset procedures.
Pure honeypots
A complete production-grade system that looks operational but provides no real service. A web server with plausible content, a database loaded with generated records, apparent integration with other systems. Expensive to build and keep credible, reserved for environments with a very specific threat model (banking, defence, critical infrastructure). It is designed to withstand a coherence analysis, not just a surface interaction.
Honeytokens
Not systems but marked digital resources: an AWS credential, a database table entry, a clients.xlsx file in a share, a URL embedded in an internal page, an unused Office 365 account, a specific DNS record. Any use of the resource triggers an alert.
Advantages. Minimal cost, practically zero risk, detection of credential theft and unauthorised access to sensitive data, trivial mass deployment.
Limitations. They detect use, not attempt. And they depend on a telemetry channel: the marked AWS key only works if CloudTrail is queried for its usage. Even so, they are the category with the best cost-detection ratio in 2026 for organisations that haven't yet deployed full deception.
Defensive use cases where it adds value
Lateral movement detection
After the initial compromise, the attacker performs internal reconnaissance: enumerates shares, lists domain users, scans segments. A honeypot in a server VLAN or decoy accounts in Active Directory fire an alert before the attacker reaches real databases or domain controllers. An EDR detects what happens on endpoints; a honeypot detects what happens between them.
Insider threat early warning
Employees or contractors with legitimate access who start exploring beyond their working perimeter. A decoy account on a system where the user has no business being, or a salaries_2025.xlsx file in a share they shouldn't access, generate signal without needing to monitor general behaviour.
APT signalling
Advanced attackers invest time in reconnaissance. Honeytokens distributed across code repositories, internal wikis and corporate shares increase the probability that the attacker will touch one during that phase, at low marginal cost.
Credential theft detection
A honeytoken in the form of an AWS key embedded in code, an RDP credential in an accessible connections.rdp or a service account with no real use is one of the most effective methods for detecting credential theft via phishing, infostealer or developer compromise. When the credential is used from an unexpected IP, the alert is unambiguous.
Cloud honeypots
Platforms such as Thinkst Canary offer managed instances inside cloud accounts simulating S3 buckets with attractive names (backups, customers-export), EC2 with exposed services or Lambda. Detecting targeted cloud reconnaissance, where the traditional perimeter has dissolved, is one of the gaps where deception adds most value.
Platforms and vendors
Thinkst Canary. Dominant in the enterprise segment. Physical and virtual appliances simulating SMB, RDP, SSH, HTTP and databases, plus a managed canary tokens service. Low maintenance, SIEM integration, actionable alerts. Pricing per number of canaries.
Illusive Networks. Deception platform centred on distorting the attacker's reconnaissance phase. Acquired by Proofpoint in 2023.
Cymmetria. Pioneer in commercial deception with MazeRunner ("deception paths"). Wound down operations years ago; mentioned for historical context.
T-Pot. Open source distribution maintained by Deutsche Telekom. Complete stack (Cowrie, Dionaea, Honeytrap, ConPot, Glastopf, ElasticPot and more) on Docker with Kibana. Fastest starting point for research or pilot.
Cowrie. SSH and Telnet honeypot, modern fork of Kippo. De facto standard for exposed SSH.
Dionaea. Honeypot for Windows services (SMB, MSSQL, HTTP, FTP, TFTP). Useful for capturing network-propagating malware.
HoneyDB. Service that aggregates data from distributed honeypots and publishes indicators. Closer to threat intelligence than to deploying defensive deception of your own.
Canarytokens. Free Thinkst service that generates honeytokens (URLs, files, AWS keys, DNS records). Usual entry point before adopting a product.
Honeytokens specifically
Honeytokens are the cheapest lever for introducing deception into an organisation in 2026.
Marked AWS keys. Generate an access key with no permissions, or with permissions restricted to a nonexistent bucket. Embed it in an internal repository, a test .env file, a wiki or a share. Configure CloudTrail to alert on any API call made with that key. Detects repository theft, insider exfiltration and developer compromise.
Fake Office 365 or Google Workspace accounts. Accounts with attractive names (finance.admin, ceo.assistant) with no real activity. Any login attempt fires an alert and captures targeted phishing or reuse of leaked credentials.
Documents with a tracking pixel. A director_salaries.docx in an internal share with an embedded image pointing to a controlled domain. Opening the document sends the HTTP request to the tracking server with metadata (IP, time, user agent).
Canary DNS records. A specific subdomain (internal-backup.example.com) with no real service. Any DNS query reaches a controlled resolver and detects internal enumeration and DNS tunnelling.
Database entries. Records with fictitious but plausible data. Any query or export returning them indicates anomalous access.
Honeyusers in Active Directory. User accounts with no real login and plausible descriptions. Any authentication, Kerberos query or group addition raises an alert. Combined with detection of Kerberos attacks, it produces a very clean signal for targeted Kerberoasting or AS-REP Roasting.
How to deploy an enterprise honeypot
Network location. DMZ (external reconnaissance), internal server VLAN (lateral movement after compromise) and cloud (targeted reconnaissance against IaaS accounts). In modern environments the internal placement gives the best detection value for the effort: the perimeter has been broken for years.
Convincing naming. srv-backup-fin01, dc-aux02, db-payroll-old. Names an attacker would read as targets. Avoid honeypot01. If the organisation has a naming convention, the honeypot must respect it.
Services coherent with the VLAN. A honeypot in a Windows VLAN exposes SMB and RDP; in a Linux VLAN it exposes SSH; in a DMZ it exposes HTTP. Incoherent services raise suspicion.
Strict isolation. The honeypot must not initiate connections into the real network. Firewall rules allowing inbound but blocking outbound except to a dedicated logging server. In high-interaction, additional containment with sandboxing or controlled NAT.
Centralised monitoring. Every interaction is sent to the SIEM with metadata (port, command, hash). High-priority alerts: by construction there are no systematic false positives.
Credibility maintenance. A honeypot that never changes, is never patched and shows months of uptime is detectable. Commercial platforms rotate configuration; in homegrown deployments, plan quarterly resets.
Internal documentation. IT and SOC must know it exists so they don't respond to their own alerts as a real incident; the rest of the organisation should not. If everybody knows the honeypots, they stop being honeypots.
Fit with MITRE Engage and MITRE Shield
MITRE ATT&CK describes what attackers do. MITRE Engage and MITRE Shield describe what the defender can do in terms of deception.
MITRE Shield. Original framework published in 2020. It defines defensive tactics (Channel, Collect, Contain, Detect, Disrupt, Facilitate, Legitimize, Test) and techniques such as Decoy Account (DTE0010), Decoy Content (DTE0011), Decoy Credentials (DTE0012), Decoy Network (DTE0014), Decoy System (DTE0017).
MITRE Engage. Formal successor to Shield, published in 2022. It structures the engagement cycle into five objectives: Prepare, Expose, Affect, Elicit, Understand. It defines activity matrices and maps each against ATT&CK techniques it aims to detect or disrupt.
For an organisation deploying deception, mapping each decoy against Engage or Shield techniques helps articulate the defensive case to management. A honeyuser in Active Directory covers Decoy Account and relates to T1078 Valid Accounts and T1110 Brute Force; an AWS honeytoken covers Decoy Credentials and T1078.004 Cloud Accounts.
Risks and legal considerations
Pivoting from a compromised honeypot. The most serious risk in high-interaction setups. If the attacker obtains a real shell and segmentation fails, the honeypot becomes an internal attack platform. Mitigation: strict isolation, continuous monitoring, kill switch against unexpected outbound activity.
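An added example, not code from the article or from any product, of the isolation policy described under Strict isolation and the kill switch mentioned here: the policy is rendered as an nftables ruleset (inbound only to the decoy ports, outbound only to the logging server) and the same policy is applied to flow records so that any other egress from the honeypot triggers quarantine. Addresses, ports and flow records are constructed placeholders.

```python
# Constructed isolation policy for one internal-VLAN honeypot (all addresses are placeholders).
POLICY = {
    "honeypot": "10.1.5.40",            # the srv-backup-fin01 decoy in a Windows server VLAN
    "decoy_ports": {445, 3389},         # services coherent with that VLAN (SMB, RDP)
    "log_server": ("10.99.0.5", 6514),  # the only permitted outbound destination (syslog over TLS)
}

def nft_ruleset(p: dict) -> str:
    """Render the policy as an nftables ruleset: inbound to decoy ports, outbound only to logging.
    A high-interaction honeypot would add controlled NAT on top of this; the default here is drop."""
    ports = ",".join(str(x) for x in sorted(p["decoy_ports"]))
    host, port = p["log_server"]
    return "\n".join([
        "table inet honeypot {",
        "  chain input { type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        f'    tcp dport {{ {ports} }} log prefix "hp-probe " accept',
        "  }",
        "  chain output { type filter hook output priority 0; policy drop;",
        "    ct state established,related accept",   # replies to inbound probes stay possible
        f"    ip daddr {host} tcp dport {port} accept",
        '    log prefix "hp-egress-violation " drop',  # anything else is the pivot attempt
        "  }",
        "}",
    ])

def classify(flow: dict, p: dict) -> str:
    """Classify one flow: probe (inbound), log (permitted egress) or kill (unexpected egress)."""
    if flow["dst"] == p["honeypot"]:
        return "probe" if flow["dport"] in p["decoy_ports"] else "probe-other-port"
    if flow["src"] == p["honeypot"]:
        return "log" if (flow["dst"], flow["dport"]) == p["log_server"] else "kill"
    return "ignore"

def kill_switch(flows: list, p: dict) -> dict:
    """Count verdicts and decide whether the honeypot must be quarantined (any 'kill' verdict)."""
    counts = {}
    for f in flows:
        v = classify(f, p)
        counts[v] = counts.get(v, 0) + 1
    return {"counts": counts, "quarantine": counts.get("kill", 0) > 0}

# Constructed flow records: two inbound probes, one syslog delivery, and one outbound SMB
# attempt from the honeypot towards a real server (the pivot the article warns about).
SAMPLE_FLOWS = [
    {"src": "10.1.5.23", "dst": "10.1.5.40", "dport": 445},
    {"src": "10.1.5.23", "dst": "10.1.5.40", "dport": 3389},
    {"src": "10.1.5.40", "dst": "10.99.0.5", "dport": 6514},
    {"src": "10.1.5.40", "dst": "10.1.5.10", "dport": 445},
]
```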
Liability towards third parties. A compromised honeypot pivoting onto the internet and participating in a botnet or DDoS exposes the organisation to claims. Documented diligence is essential.
Privacy and monitoring. Internal honeytokens capturing employee activity must be considered against the applicable regulatory framework. In Spain and the EU, GDPR and the AEPD guidelines on workplace monitoring require informing employees and proportionality. An internal policy on technical detection measures is usually sufficient; consult legal counsel before broad rollouts.
Logs as legal evidence. For use in a legal procedure, the logs must have demonstrable integrity: trustworthy timestamps, hashes, documented chain of custody. Integration with the SIEM and a formalised preservation process.
Compliance documentation. In regulated sectors (financial, healthcare, critical infrastructure) the frameworks ISO 27001, NIS2 and DORA recognise deception as a valid detection measure and require documenting it.
Frequently asked questions
Is a honeypot enough without EDR or SIEM?
No. The honeypot detects interaction with the decoy, but does not cover activity on real systems before or after. It works as a complementary layer: EDR detects what happens on the endpoint, SIEM correlates events, the honeypot reveals movement between systems.
Canary versus T-Pot for enterprise use
Canary is the typical choice if the organisation wants low maintenance, ready SIEM integration, support and a proven deployment model. T-Pot is the choice when there is in-house capacity to operate the stack, limited licensing budget and a research use case in addition to detection. T-Pot demands real maintenance; it is not "install and forget".
Are honeytokens legal?
Yes, provided the decoy does not breach regulation (no embedding of real personal data, no impersonation of real people). They are defensive technical measures comparable to access logs or SIEM alerts. In a workplace setting, the monitoring policy and information obligations apply.
Do they generate false positives?
Very few, by construction. The usual sources are scans by the organisation itself (vulnerability scanners, inventory tools, ITSM monitoring) and administrators who stumble upon the honeypot without knowing what it is. The mitigation is to exclude IP ranges of authorised internal tools and document the decoy in the IT and SOC teams.
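As an added example (not code from the article or from any vendor), the matching logic that turns the telemetry described under Honeytokens specifically into alerts, with the exclusion of authorised scanner ranges recommended above: marked AWS keys are checked against CloudTrail records, honeyusers against Windows 4768/4769 events, and each alert carries the Shield and ATT&CK mapping the article gives for that decoy type. Token values, account names, IP ranges and event records are constructed placeholders.

```python
import ipaddress

# Constructed honeytoken registry (placeholders, not real keys or accounts), each mapped to the
# MITRE Shield technique and ATT&CK techniques the article assigns to that decoy type.
HONEYTOKENS = {
    "AKIAHONEYTOKEN0000EX": ("aws_key", "DTE0012 Decoy Credentials", ["T1078.004"]),
    "svc-backup-fin": ("ad_user", "DTE0010 Decoy Account", ["T1078", "T1110"]),
}
# Constructed range of authorised internal scanners; their hits are suppressed, as the FAQ advises.
AUTHORISED_SCANNERS = [ipaddress.ip_network("10.20.30.0/24")]

def authorised(ip: str) -> bool:
    try:
        return any(ipaddress.ip_address(ip) in net for net in AUTHORISED_SCANNERS)
    except ValueError:  # missing or malformed source address: never suppress the alert
        return False

def make_alert(token: str, src: str, detail: str) -> dict:
    kind, shield, attack = HONEYTOKENS[token]
    return {"type": kind, "token": token, "src": src, "detail": detail, "shield": shield, "attack": attack}

def check_cloudtrail(rec: dict):
    """Marked AWS key: any CloudTrail record whose accessKeyId is a honeytoken is an alert."""
    key = rec.get("userIdentity", {}).get("accessKeyId")
    src = rec.get("sourceIPAddress", "")
    if key not in HONEYTOKENS or authorised(src):
        return None
    return make_alert(key, src, f"{rec.get('eventName')} via {rec.get('userAgent')}")

def check_kerberos(ev: dict):
    """Honeyuser: a 4768 (AS-REQ, TargetUserName) or 4769 (TGS-REQ, ServiceName) naming it."""
    names = [ev.get("TargetUserName", "").split("@")[0], ev.get("ServiceName", "").split("@")[0]]
    hit = next((n for n in names if n in HONEYTOKENS), None)
    src = ev.get("IpAddress", "").removeprefix("::ffff:")
    if hit is None or authorised(src):
        return None
    return make_alert(hit, src, f"EventID {ev.get('EventID')} enc {ev.get('TicketEncryptionType')}")

def triage(events: list) -> list:
    """Route each event to the matcher that fits its shape and collect the alerts."""
    hits = (check_cloudtrail(e) if "eventName" in e else check_kerberos(e) for e in events)
    return [h for h in hits if h]

# Constructed telemetry: the honeytoken key used from the internet; a TGS request for the honeyuser
# with RC4 (0x17, the Kerberoasting pattern); the same from an authorised scanner; one benign call.
SAMPLE_EVENTS = [
    {"eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.7", "userAgent": "aws-cli/2.x",
     "userIdentity": {"accessKeyId": "AKIAHONEYTOKEN0000EX"}},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc-backup-fin",
     "IpAddress": "::ffff:10.1.5.23", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "scanner@CORP.LOCAL", "ServiceName": "svc-backup-fin",
     "IpAddress": "::ffff:10.20.30.9", "TicketEncryptionType": "0x12"},
    {"eventName": "ListBuckets", "sourceIPAddress": "10.1.1.1",
     "userIdentity": {"accessKeyId": "AKIAREALKEY000000EX"}},
]
```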
Integration with SIEM
Standard in commercial platforms: Syslog, JSON, CEF, native connectors for Splunk, QRadar, Sentinel, Elastic. In T-Pot, each honeypot's output goes to Elastic and from there to Logstash or another forwarder towards the corporate SIEM. The operational rule is that the alert reaches the same team that operates the rest of the SOC, with the same runbook.
Is honeypot ROI measurable?
Imperfectly. The most used metric is detection time compared with scenarios without deception. Verizon DBIR public reports show mean detection times measured in months for many incidents; a honeypot alert reduces that window to hours in lateral movement scenarios. Rigorous comparison requires red team exercises before and after deployment.
Honeypot and deception deployment with Secra
At Secra we help defensive teams design and deploy honeypots and honeytokens: selecting locations, defining decoys coherent with the organisation, integrating with the SIEM, validating through red team exercises and reviewing credibility periodically.
We also assess existing deployments to detect points where the honeypot loses value (aged decoys, alerts without an owner, insufficient segmentation) and propose adjustments.
If your organisation wants to introduce deception as a complementary layer to EDR and SIEM, contact us for an initial assessment.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.