Open-Source Cybersecurity Tools: Deception & Honeypots

This category contains 251 documented tools. It focuses on capabilities used for early attacker interaction detection and high-confidence alerting. Use this section when building shortlists, comparing operational tradeoffs, and mapping controls to detection/response ownership.

Category Evaluation Checklist

  • Coverage depth against your highest-priority threats and compliance obligations.
  • Operational overhead for deployment, tuning, and long-term maintenance.
  • Signal quality versus analyst workload and false-positive pressure.
  • Integration fit with SIEM, ticketing, identity, cloud, and engineering workflows.
  • Governance readiness including auditability, ownership clarity, and change control.

Letter A

This letter section contains 10 tools.

Acapulco

  • Website: https://github.com/hgascon/acapulco
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Acapulco is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Automated Attack Community Graph Construction.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Data Tools.

ADBHoney

  • Website: https://github.com/huuck/ADBHoney
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: ADBHoney is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Low interaction honeypot that simulates an Android device running Android Debug Bridge (ADB) server process.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Afterglow

  • Website: http://afterglow.sourceforge.net/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Afterglow is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Data Tools.

AMTHoneypot

  • Website: https://github.com/packetflare/amthoneypot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: AMTHoneypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypot for Intel's AMT Firmware Vulnerability CVE-2017-5689.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Amun

  • Website: http://amunhoney.sourceforge.net
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Amun is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Vulnerability emulation honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Antivmdetect

  • Website: https://github.com/nsmfoo/antivmdetection
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Antivmdetect is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Script to create templates to use with VirtualBox to make VM detection harder.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

arctic-swallow

  • Website: https://github.com/ajackal/arctic-swallow
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: arctic-swallow is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Low interaction honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Artemnesia VoIP

  • Website: http://artemisa.sourceforge.net
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Artemnesia VoIP is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Artillery

  • Website: https://github.com/BinaryDefense/artillery
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: Artillery is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Combination honeypot, filesystem monitor, and alerting system designed to protect Linux and Windows operating systems.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Host-based tools.

Artillery

  • Website: https://github.com/trustedsec/artillery/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Artillery is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Open-source blue team tool designed to protect Linux and Windows operating systems through multiple methods.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Letter B

This letter section contains 7 tools.

Bait and Switch

  • Website: http://baitnswitch.sourceforge.net
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Bait and Switch is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Redirects all hostile traffic to a honeypot that is partially mirroring your production system.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

basic-auth-pot (bap)

  • Website: https://github.com/bjeborn/basic-auth-pot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: basic-auth-pot (bap) is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: HTTP Basic Authentication honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

beelzebub

  • Website: https://github.com/mariocandela/beelzebub
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: beelzebub is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: A secure honeypot framework, extremely easy to configure by yaml 🚀.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Bifrozt

  • Website: https://github.com/Ziemeck/bifrozt-ansible
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Bifrozt is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Automatic deploy bifrozt with ansible.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Blacknet

  • Website: https://github.com/morian/blacknet
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Blacknet is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Multi-head SSH honeypot system.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Bluepot

  • Website: https://github.com/andrewmichaelsmith/bluepot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Bluepot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

bwpot

  • Website: https://github.com/graneed/bwpot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: bwpot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Breakable Web applications honeyPot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Letter C

This letter section contains 11 tools.

canarytokendetector

  • Website: https://github.com/referefref/canarytokendetector
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: canarytokendetector is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Tool for detection and nullification of Thinkst CanaryTokens.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Capture BAT

  • Website: https://www.honeynet.org/node/315
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Capture BAT is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Capture-HPC

  • Website: https://projects.honeynet.org/capture-hpc
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Capture-HPC is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: High interaction client honeypot (also called honeyclient).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Capture-HPC-Linux

  • Website: https://redmine.honeynet.org/projects/linux-capture-hpc/wiki
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Capture-HPC-Linux is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Capture-HPC-NG

  • Website: https://github.com/CERT-Polska/HSN-Capture-HPC-NG
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Capture-HPC-NG is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

CC2ASN

  • Website: http://www.cc2asn.com/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: CC2ASN is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Simple lookup service for AS-numbers and prefixes belonging to any given country in the world.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

ciscoasa_honeypot

  • Website: https://github.com/cymmetria/ciscoasa_honeypot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: ciscoasa_honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: A low interaction honeypot for the Cisco ASA component capable of detecting CVE-2018-0101, a DoS and remote code execution vulnerability.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Conpot

  • Website: https://github.com/mushorg/conpot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Malware Analysis, Awesome Honeypots

What it does: Conpot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: ICS/SCADA honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Malware Collection > Honeypots.

Cowrie

  • Website: https://github.com/micheloosterhof/cowrie
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Malware Analysis

What it does: Cowrie is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: SSH honeypot, based.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Malware Collection > Honeypots.

Cowrie

  • Website: https://github.com/cowrie/cowrie
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Cowrie is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Cowrie SSH Honeypot (based on kippo).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

cowrie2neo

  • Website: https://github.com/xlfe/cowrie2neo
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: cowrie2neo is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Parse cowrie honeypot logs into a neo4j database.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Letter D

This letter section contains 21 tools.

Damn Simple Honeypot (DSHP)

  • Website: https://github.com/naorlivne/dshp
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Damn Simple Honeypot (DSHP) is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypot framework with pluggable handlers.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

DAVIX

  • Website: https://www.secviz.org/node/89
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: DAVIX is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: The DAVIX Live CD.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

dcept

  • Website: https://github.com/secureworks/dcept
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: dcept is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Tool for deploying and detecting use of Active Directory honeytokens.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

ddospot

  • Website: https://github.com/aelth/ddospot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: ddospot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: NTP, DNS, SSDP, Chargen and generic UDP-based amplification DDoS honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Deception Toolkit

  • Website: http://www.all.net/dtk/dtk.html
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Deception Toolkit is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Deception-as-Detection

  • Website: https://github.com/0x4D31/deception-as-detection
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Threat Detection

What it does: Deception-as-Detection is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Deception based detection techniques mapped to MITRE’s ATT&CK framework.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources.

Delilah

  • Website: https://github.com/SecurityTW/delilah
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Delilah is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Elasticsearch Honeypot written in Python (originally from Novetta).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

dhp

  • Website: https://github.com/ciscocsirt/dhp
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: dhp is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Simple Docker Honeypot server emulating small snippets of the Docker HTTP API.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

dicompot

  • Website: https://github.com/nsmfoo/dicompot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: dicompot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: DICOM Honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Dionaea

  • Website: https://github.com/DinoTools/dionaea
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Malware Analysis, Awesome Honeypots

What it does: Dionaea is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypot designed to trap malware.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Malware Collection > Honeypots.

DionaeaFR

  • Website: https://github.com/rubenespadas/DionaeaFR
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: DionaeaFR is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Front Web to Dionaea low-interaction honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Data Tools.

django-admin-honeypot

  • Website: https://github.com/dmpayton/django-admin-honeypot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: django-admin-honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Fake Django admin login screen to notify admins of attempted unauthorized access.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Django-kippo

  • Website: https://github.com/jedie/django-kippo
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Django-kippo is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Django App for kippo SSH Honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Data Tools.

dnsMole

  • Website: https://code.google.com/archive/p/dns-mole/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: dnsMole is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Analyses DNS traffic and potentially detects botnet command and control server activity, along with infected hosts.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Docker honeynet

  • Website: https://github.com/sreinhardt/Docker-Honeynet
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Docker honeynet is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Several Honeynet tools set up for Docker containers.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Dockerized Thug

  • Website: https://hub.docker.com/r/honeynet/thug/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Dockerized Thug is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Dockerized to analyze malicious web content.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Dockerpot

  • Website: https://github.com/mrschyte/dockerpot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Dockerpot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Docker based honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

DolosHoneypot

  • Website: https://github.com/Marist-Innovation-Lab/DolosHoneypot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: DolosHoneypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: SDN (software defined networking) honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Droidbox

  • Website: https://code.google.com/archive/p/droidbox/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Droidbox is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

drupot

  • Website: https://github.com/d1str0/drupot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: drupot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Drupal Honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

DShield Web Honeypot Project

  • Website: https://sites.google.com/site/webhoneypotsite/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: DShield Web Honeypot Project is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Letter E

This letter section contains 6 tools.

Elastic honey

  • Website: https://github.com/jordan-wright/elastichoney
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Elastic honey is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Simple Elasticsearch Honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

ElasticPot

  • Website: https://gitlab.com/bontchev/elasticpot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: ElasticPot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: An Elasticsearch Honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Ensnare

  • Website: https://github.com/ahoernecke/ensnare
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Ensnare is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Easy to deploy Ruby honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

EoHoneypotBundle

  • Website: https://github.com/eymengunay/EoHoneypotBundle
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: EoHoneypotBundle is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypot type for Symfony2 forms.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

ESPot

  • Website: https://github.com/mycert/ESPot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: ESPot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Elasticsearch honeypot written in NodeJS, to capture every attempt to exploit CVE-2014-3120.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Express honeypot

  • Website: https://github.com/christophe77/express-honeypot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Express honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: RFI & LFI honeypot using nodeJS and express.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Letter F

This letter section contains 1 tool.

fapro

  • Website: https://github.com/fofapro/fapro
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: fapro is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Fake Protocol Server.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Letter G

This letter section contains 14 tools.

galah

  • Website: https://github.com/0x4D31/galah
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: galah is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: an LLM-powered web honeypot using the OpenAI API.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

GasPot

  • Website: https://github.com/sjhilt/GasPot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: GasPot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Veeder Root Guardian AST, common in the oil and gas industry.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

GenAIPot

  • Website: https://github.com/ls1911/GenAIPot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: GenAIPot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: The first A.I based open source honeypot. Supports POP3 and SMTP protocols and generates content using A.I based on user description.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Ghost-usb

  • Website: https://github.com/honeynet/ghost-usb-honeypot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Ghost-usb is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypot for malware that propagates via USB storage devices.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Glastopf

  • Website: https://github.com/mushorg/glastopf
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Malware Analysis, Awesome Honeypots

What it does: Glastopf is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Web application honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Malware Collection > Honeypots.

Glastopf Analytics

  • Website: https://github.com/katkad/Glastopf-Analytics
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Glastopf Analytics is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Easy honeypot statistics.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Data Tools.

glutton

  • Website: https://github.com/mushorg/glutton
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: glutton is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: All eating honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

go-emulators

  • Website: https://github.com/kingtuna/go-emulators
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: go-emulators is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypot Golang emulators.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

go-HoneyPot

  • Website: https://github.com/Mojachieee/go-HoneyPot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: go-HoneyPot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypot server written in Go.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

go-sshoney

  • Website: https://github.com/ashmckenzie/go-sshoney
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: go-sshoney is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: SSH Honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

go0r

  • Website: https://github.com/fzerorubigd/go0r
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: go0r is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Simple ssh honeypot in Golang.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

gohoney

  • Website: https://github.com/PaulMaddox/gohoney
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: gohoney is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: SSH honeypot written in Go.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Google Hack Honeypot

  • Website: http://ghh.sourceforge.net
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Google Hack Honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Designed to provide reconnaissance against attackers that use search engines as a hacking tool against your resources.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

gridpot

  • Website: https://github.com/sk4ld/gridpot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: gridpot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Open source tools for realistic-behaving electric grid honeynets.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Letter H

This letter section contains 62 tools.

Helix

  • Website: https://github.com/Zeerg/helix-honeypot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Helix is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: K8s API Honeypot with Active Defense Capabilities.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

HellPot

  • Website: https://github.com/yunginnanet/HellPot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: HellPot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypot that tries to crash the bots and clients that visit its location.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Heralding

  • Website: https://github.com/johnnykv/heralding
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Heralding is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Credentials catching honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Hexgolems - Pint Debugger Backend

  • Website: https://github.com/hexgolems/pint
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Hexgolems - Pint Debugger Backend is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Debugger backend and LUA wrapper for PIN.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Hexgolems - Schem Debugger Frontend

  • Website: https://github.com/hexgolems/schem
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Hexgolems - Schem Debugger Frontend is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Debugger frontend.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

HIHAT

  • Website: http://hihat.sourceforge.net/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: HIHAT is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Transform arbitrary PHP applications into web-based high-interaction Honeypots.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

hived

  • Website: https://github.com/sahilm/hived
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: hived is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Golang-based honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Honeeepi

  • Website: https://redmine.honeynet.org/projects/honeeepi/wiki
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Honeeepi is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypot sensor on a Raspberry Pi based on a customized Raspbian OS.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

honey_ports

  • Website: https://github.com/run41/honey_ports
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: honey_ports is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Very simple but effective docker deployed honeypot to detect port scanning in your environment.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

honeyalarmg2

  • Website: https://github.com/schmalle/honeyalarmg2
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: honeyalarmg2 is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Simplified UI for showing honeypot alarms.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Data Tools.

Honeybits

  • Website: https://github.com/0x4D31/honeybits
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Honeybits is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Simple tool designed to enhance the effectiveness of your traps by spreading breadcrumbs and honeytokens across your production servers and workstations to lure the attacker toward your honeypots.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

HoneyBOT

  • Website: http://www.atomicsoftwaresolutions.com/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: HoneyBOT is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

HoneyBrid

  • Website: http://honeybrid.sourceforge.net
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: HoneyBrid is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

HoneyC

  • Website: https://projects.honeynet.org/honeyc
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: HoneyC is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Honeycomb

  • Website: http://www.icir.org/christian/honeycomb/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Honeycomb is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Automated signature creation using honeypots.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Honeycomb

  • Website: http://www.honeyd.org/tools.php
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Honeycomb is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeyd Tools.

honeycomb_plugins

  • Website: https://github.com/Cymmetria/honeycomb_plugins
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: honeycomb_plugins is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Plugin repository for Honeycomb, the honeypot framework by Cymmetria.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Honeyd

  • Website: http://www.honeyd.org/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Malware Analysis

What it does: Honeyd is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Create a virtual honeynet.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Malware Collection > Honeypots.

Honeyd

  • Website: https://github.com/provos/honeyd
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Honeyd is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: See .

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Honeyd-Viz

  • Website: https://bruteforcelab.com/honeyd-viz
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Honeyd-Viz is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeyd Tools.

Honeyd2MySQL

  • Website: https://bruteforcelab.com/honeyd2mysql
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Honeyd2MySQL is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeyd Tools.

honeydet

  • Website: https://github.com/referefref/honeydet
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: honeydet is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Signature-based honeypot detector tool written in Golang.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

HoneyDrive

  • Website: https://bruteforce.gr/honeydrive/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Malware Analysis

What it does: HoneyDrive is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypot bundle Linux distro.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Malware Collection > Honeypots.

HoneyDrive

  • Website: https://bruteforcelab.com/honeydrive
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: HoneyDrive is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Honeydsum.pl

  • Website: https://github.com/DataSoft/Honeyd/blob/master/scripts/misc/honeydsum-v0.3/honeydsum.pl
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Honeydsum.pl is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeyd Tools.

honeyfs

  • Website: https://github.com/referefref/honeyfs
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: honeyfs is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Tool to create artificial file systems for medium/high interaction honeypots.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Honeygrove

  • Website: https://github.com/UHH-ISS/honeygrove
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Honeygrove is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Multi-purpose modular honeypot based on Twisted.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

honeyhttpd

  • Website: https://github.com/bocajspear1/honeyhttpd
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: honeyhttpd is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Python-based web server honeypot builder.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

honeyku

  • Website: https://github.com/0x4D31/honeyku
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: honeyku is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Heroku-based web honeypot that can be used to create and monitor fake HTTP endpoints (i.e. honeytokens).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

honeymail

  • Website: https://github.com/sec51/honeymail
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: honeymail is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: SMTP honeypot written in Golang.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

HoneyMalt

  • Website: https://github.com/SneakersInc/HoneyMalt
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: HoneyMalt is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Maltego transforms for mapping Honeypot systems.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Data Tools.

HoneyMap

  • Website: https://github.com/fw42/honeymap
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: HoneyMap is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Real-time websocket stream of GPS events on a fancy SVG world map.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Data Tools.

Honeymole

  • Website: https://web.archive.org/web/20100326040550/http://www.honeynet.org.pt:80/index.php/HoneyMole
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Honeymole is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Deploy multiple sensors that redirect traffic to a centralized collection of honeypots.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

honeyntp

  • Website: https://github.com/fygrave/honeyntp
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: honeyntp is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: NTP logger/honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Honeyperl

  • Website: https://sourceforge.net/projects/honeyperl/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Honeyperl is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypot software based in Perl with plugins developed for many functions like: wingates, telnet, squid, smtp, etc.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Honeyport

  • Website: https://github.com/securitygeneration/Honeyport
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Honeyport is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Simple honeyport written in Bash and Python.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

honeypot

  • Website: https://github.com/jadb/honeypot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: The Project Honey Pot un-official PHP SDK.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Honeypot (Dionaea and kippo) setup script

  • Website: https://github.com/andrewmichaelsmith/honeypot-setup-script/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Honeypot (Dionaea and kippo) setup script is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Guides.

Honeypot-32764

  • Website: https://github.com/knalli/honeypot-for-tcp-32764
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Honeypot-32764 is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypot for router backdoor (TCP 32764).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

honeypot-camera

  • Website: https://github.com/alexbredo/honeypot-camera
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: honeypot-camera is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Observation camera honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

honeypot-ftp

  • Website: https://github.com/alexbredo/honeypot-ftp
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: honeypot-ftp is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: FTP Honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

honeypot.go

  • Website: https://github.com/mdp/honeypot.go
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: honeypot.go is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: SSH Honeypot written in Go.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

honeypotDisplay

  • Website: https://github.com/Joss-Steward/honeypotDisplay
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: honeypotDisplay is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Flask website which displays data gathered from an SSH Honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Data Tools.

honeypotpi

  • Website: https://github.com/free5ty1e/honeypotpi
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: honeypotpi is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Script for turning a Raspberry Pi into a HoneyPot Pi.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Guides.

honeypots

  • Website: https://github.com/qeeqbox/honeypots
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: honeypots is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: 25 different honeypots in a single PyPI package! (dns, ftp, httpproxy, http, https, imap, mysql, pop3, postgres, redis, smb, smtp, socks5, ssh, telnet, vnc, mssql, elastic, ldap, ntp, memcache, snmp, oracle, sip and irc).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

HoneyPress

  • Website: https://github.com/kungfuguapo/HoneyPress
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: HoneyPress is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Python-based WordPress honeypot in a Docker container.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Honeyprint

  • Website: https://github.com/glaslos/honeyprint
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Honeyprint is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Printer honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Honeysnap

  • Website: https://projects.honeynet.org/honeysnap/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Honeysnap is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

honeyssh

  • Website: https://github.com/ppacher/honeyssh
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: honeyssh is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Credential dumping SSH honeypot with statistics.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

HoneyStats

  • Website: https://sourceforge.net/projects/honeystats/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: HoneyStats is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Statistical view of the recorded activity on a Honeynet.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Data Tools.

HoneyThing

  • Website: https://github.com/omererdem/honeything
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: HoneyThing is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: TR-069 Honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

honeyup

  • Website: https://github.com/LogoiLab/honeyup
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: honeyup is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: An uploader honeypot designed to look like poor website security.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Honeyview

  • Website: http://honeyview.sourceforge.net/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Honeyview is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeyd Tools.

Honeywall

  • Website: https://projects.honeynet.org/honeywall/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Honeywall is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

HoneyWeb

  • Website: https://code.google.com/archive/p/gsoc-honeyweb/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: HoneyWeb is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Web interface created to manage and remotely share Honeyclients resources.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

HoneyWRT

  • Website: https://github.com/CanadianJeff/honeywrt
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: HoneyWRT is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Low interaction Python honeypot designed to mimic services or ports that might get targeted by attackers.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

HonnyPotter

  • Website: https://github.com/MartinIngesen/HonnyPotter
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: HonnyPotter is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: WordPress login honeypot for collection and analysis of failed login attempts.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Hontel

  • Website: https://github.com/stamparm/hontel
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Hontel is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Telnet Honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

hornet

  • Website: https://github.com/czardoz/hornet
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: hornet is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Medium interaction SSH honeypot that supports multiple virtual hosts.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

HpfeedsHoneyGraph

  • Website: https://github.com/yuchincheng/HpfeedsHoneyGraph
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: HpfeedsHoneyGraph is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Visualization app to visualize hpfeeds logs.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Data Tools.

HPfriends

  • Website: http://hpfriends.honeycloud.net/#/home
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: HPfriends is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypot data-sharing platform.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

hpfriends - real-time social data-sharing

  • Website: https://heipei.io/sigint-hpfriends/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: hpfriends - real-time social data-sharing is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Presentation about HPFriends feed system.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Letter I

This letter section contains 4 tools.

imap-honey

  • Website: https://github.com/yvesago/imap-honey
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: imap-honey is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: IMAP honeypot written in Golang.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

IMHoneypot

  • Website: https://github.com/mushorg/imhoneypot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: IMHoneypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

IPP Honey

  • Website: https://gitlab.com/bontchev/ipphoney
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: IPP Honey is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: A honeypot for the Internet Printing Protocol.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

ipv6-attack-detector

  • Website: https://github.com/mzweilin/ipv6-attack-detector/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: ipv6-attack-detector is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Google Summer of Code 2012 project, supported by The Honeynet Project organization.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Letter K

This letter section contains 9 tools.

Kako

  • Website: https://github.com/darkarnium/kako
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Kako is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypots for a number of well known and deployed embedded device vulnerabilities.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Kippo stats

  • Website: https://github.com/mfontani/kippo-stats
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Kippo stats is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Mojolicious app to display statistics for your kippo SSH honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Data Tools.

Kippo-Graph

  • Website: https://bruteforcelab.com/kippo-graph
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Kippo-Graph is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Full featured script to visualize statistics from a Kippo SSH honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Data Tools.

Kippo-Malware

  • Website: https://bruteforcelab.com/kippo-malware
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Kippo-Malware is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Python script that will download all malicious files stored as URLs in a Kippo SSH honeypot database.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Kippo2ElasticSearch

  • Website: https://bruteforcelab.com/kippo2elasticsearch
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Kippo2ElasticSearch is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Python script to transfer data from a Kippo SSH honeypot MySQL database to an ElasticSearch instance (server or cluster).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

kippo_detect

  • Website: https://github.com/andrew-morris/kippo_detect
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: kippo_detect is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Offensive component that detects the presence of the kippo honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Kippo_JunOS

  • Website: https://github.com/gregcmartin/Kippo_JunOS
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Kippo_JunOS is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Kippo configured to be a backdoored netscreen.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Kojoney2

  • Website: https://github.com/madirish/kojoney2
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Kojoney2 is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Low interaction SSH honeypot written in Python and based on Kojoney by Jose Antonio Coret.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Kushtaka

  • Website: https://kushtaka.org
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: Kushtaka is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Honeypots.

Letter L

This letter section contains 5 tools.

Laravel Application Honeypot

  • Website: https://github.com/msurguy/Honeypot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Laravel Application Honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Simple spam prevention package for Laravel applications.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Log4Pot

  • Website: https://github.com/thomaspatzke/Log4Pot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Log4Pot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: A honeypot for the Log4Shell vulnerability (CVE-2021-44228).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Longitudinal Analysis of SSH Cowrie Honeypot Logs

  • Website: https://github.com/deroux/longitudinal-analysis-cowrie
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Longitudinal Analysis of SSH Cowrie Honeypot Logs is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Python-based command-line tool to analyze Cowrie logs over time.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Lophiid

  • Website: https://github.com/mrheinen/lophiid/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Lophiid is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Distributed web application honeypot to interact with large scale exploitation attempts.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Lyrebird

  • Website: https://hub.docker.com/r/lyrebird/honeypot-base/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Lyrebird is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Modern high-interaction honeypot framework.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Letter M

This letter section contains 15 tools.

Mail::SMTP::Honeypot

  • Website: https://metacpan.org/pod/release/MIKER/Mail-SMTP-Honeypot-0.11/Honeypot.pm
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Mail::SMTP::Honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Perl module that appears to provide the functionality of a standard SMTP server.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Mailoney

  • Website: https://github.com/phin3has/mailoney
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Mailoney is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: SMTP honeypot written in Python.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Malbait

  • Website: https://github.com/batchmcnulty/Malbait
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Malbait is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Simple TCP/UDP honeypot implemented in Perl.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Manuka

  • Website: https://github.com/spaceraccoon/manuka
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: Manuka is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Open-source intelligence (OSINT) honeypot that monitors reconnaissance attempts by threat actors and generates actionable intelligence for Blue Teamers.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Honeypots.

Manuka

  • Website: https://github.com/andrewmichaelsmith/manuka
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Manuka is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Docker-based honeypot (Dionaea and Kippo).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

medpot

  • Website: https://github.com/schmalle/medpot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: medpot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: HL7 / FHIR honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

MICROS honeypot

  • Website: https://github.com/Cymmetria/micros_honeypot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: MICROS honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Low interaction honeypot to detect CVE-2018-2636 in the Oracle Hospitality Simphony component of Oracle Hospitality Applications (MICROS).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

miniprint

  • Website: https://github.com/sa7mon/miniprint
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: miniprint is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: A medium interaction printer honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

MockSSH

  • Website: https://github.com/ncouture/MockSSH
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: MockSSH is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Mock an SSH server and define all commands it supports (Python, Twisted).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

modpot

  • Website: https://github.com/referefref/modpot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: modpot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Modpot is a modular web application honeypot framework and management application written in Golang and making use of the Gin framework.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

MongoDB-HoneyProxy

  • Website: https://github.com/Plazmaz/MongoDB-HoneyProxy
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: MongoDB-HoneyProxy is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: MongoDB honeypot proxy.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

MonkeySpider

  • Website: http://monkeyspider.sourceforge.net
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: MonkeySpider is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

MTPot

  • Website: https://github.com/Cymmetria/MTPot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: MTPot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Open Source Telnet Honeypot, focused on Mirai malware.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

mysql-honeypotd

  • Website: https://github.com/sjinks/mysql-honeypotd
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: mysql-honeypotd is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Low interaction MySQL honeypot written in C.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

MysqlPot

  • Website: https://github.com/schmalle/MysqlPot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: MysqlPot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: MySQL honeypot, still very early stage.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Letter N

This letter section contains 4 tools.

node-ftp-honeypot

  • Website: https://github.com/christophe77/node-ftp-honeypot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: node-ftp-honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: FTP server honeypot in JS.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Nodepot

  • Website: https://github.com/schmalle/Nodepot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Nodepot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: NodeJS web application honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

NoSQLpot

  • Website: https://github.com/torque59/nosqlpot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: NoSQLpot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypot framework built on a NoSQL-style database.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

NOVA

  • Website: https://github.com/DataSoft/Nova
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: NOVA is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Uses honeypots as detectors, looks like a complete system.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Letter O

This letter section contains 2 tools.

OpenCanary

  • Website: https://github.com/thinkst/opencanary
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: OpenCanary is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Modular and decentralised honeypot daemon that runs several canary versions of services and alerts when a service is (ab)used.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

owa-honeypot

  • Website: https://github.com/joda32/owa-honeypot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: owa-honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: A basic Flask-based Outlook Web honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Letter P

This letter section contains 12 tools.

PasitheaHoneypot

  • Website: https://github.com/Marist-Innovation-Lab/PasitheaHoneypot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: PasitheaHoneypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: RestAPI honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

PayloadsAllTheThings - Web Cache Deception

  • Website: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Web%20Cache%20Deception
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Web Security

What it does: PayloadsAllTheThings - Web Cache Deception is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Written by .

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Web Security > Introduction > Web Cache Poisoning.

peepdf

  • Website: https://github.com/jesparza/peepdf
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots, Awesome Cyber Security Tools

What it does: peepdf is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Powerful Python tool to analyze PDF documents.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > PDF.

pghoney

  • Website: https://github.com/betheroot/pghoney
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: pghoney is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Low-interaction Postgres Honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

PHARM

  • Website: http://www.nepenthespharm.com/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: PHARM is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Manage, report, and analyze your distributed Nepenthes instances.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

PhoneyC

  • Website: https://github.com/honeynet/phoneyc
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: PhoneyC is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Python honeyclient (later replaced by Thug).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

phpmyadmin_honeypot

  • Website: https://github.com/gfoss/phpmyadmin_honeypot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: phpmyadmin_honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Simple and effective phpMyAdmin honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

portlurker

  • Website: https://github.com/bartnv/portlurker
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: portlurker is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Port listener in Rust with protocol guessing and safe string display.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

potd

  • Website: https://github.com/lnslbrty/potd
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: potd is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Highly scalable low- to medium-interaction SSH/TCP honeypot designed for OpenWrt/IoT devices leveraging several Linux kernel features, such as namespaces, seccomp and thread capabilities.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Pwnypot

  • Website: https://github.com/shjalayeri/pwnypot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Pwnypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: High Interaction Client Honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

pyrdp

  • Website: https://github.com/gosecure/pyrdp
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: pyrdp is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: RDP man-in-the-middle and library for Python 3 with the ability to watch connections live or after the fact.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Python-Honeypot

  • Website: https://github.com/OWASP/Python-Honeypot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Python-Honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: OWASP Honeypot, Automated Deception Framework.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Letter Q

This letter section contains 1 tool.

Quechua

  • Website: https://bitbucket.org/zaccone/quechua
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Quechua is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Letter R

This letter section contains 4 tools.

rdppot

  • Website: https://github.com/kryptoslogic/rdppot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: rdppot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: RDP honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

RDPy

  • Website: https://github.com/citronneur/rdpy
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: RDPy is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Microsoft Remote Desktop Protocol (RDP) honeypot implemented in Python.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

RedisHoneyPot

  • Website: https://github.com/cypwnpwnsocute/RedisHoneyPot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: RedisHoneyPot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: High Interaction Honeypot Solution for Redis protocol.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Rumal

  • Website: https://github.com/thugs-rumal/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Rumal is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Thug's Rumāl: a Thug's dress and weapon.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Letter S

This letter section contains 31 tools.

SCADA honeynet

  • Website: http://scadahoneynet.sourceforge.net
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: SCADA honeynet is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Building Honeypots for Industrial Networks.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

scada-honeynet

  • Website: http://www.digitalbond.com/blog/2007/07/24/scada-honeynet-article-in-infragard-publication/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: scada-honeynet is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Mimics many of the services from a popular PLC and better helps SCADA researchers understand potential risks of exposed control system devices.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

SentryPeer

  • Website: https://github.com/SentryPeer/SentryPeer
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: SentryPeer is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Protect your SIP Servers from bad actors.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Servletpot

  • Website: https://github.com/schmalle/servletpot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Servletpot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Web application Honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Shadow Daemon

  • Website: https://shadowd.zecure.org/overview/introduction/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Shadow Daemon is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Modular Web Application Firewall / High-Interaction Honeypot for PHP, Perl, and Python apps.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Shelia

  • Website: https://www.cs.vu.nl/~herbertb/misc/shelia/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Shelia is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Client-side honeypot for attack detection.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Shiva

  • Website: https://github.com/shiva-spampot/shiva
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Shiva is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Spam Honeypot with Intelligent Virtual Analyzer.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Shiva The Spam Honeypot Tips And Tricks For Getting It Up And Running

  • Website: https://www.pentestpartners.com/security-blog/shiva-the-spam-honeypot-tips-and-tricks-for-getting-it-up-and-running/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Shiva The Spam Honeypot Tips And Tricks For Getting It Up And Running is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

shockpot

  • Website: https://github.com/threatstream/shockpot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: shockpot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: WebApp Honeypot for detecting Shell Shock exploit attempts.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Shockpot-Frontend

  • Website: https://github.com/GovCERT-CZ/Shockpot-Frontend
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Shockpot-Frontend is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Full featured script to visualize statistics from a Shockpot honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Data Tools.

slipm-honeypot

  • Website: https://github.com/rshipp/slipm-honeypot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: slipm-honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Simple low-interaction port monitoring honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

smart-honeypot

  • Website: https://github.com/freak3dot/smart-honeypot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: smart-honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: PHP Script demonstrating a smart honey pot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

SMB Honeypot

  • Website: https://github.com/r0hi7/HoneySMB
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: SMB Honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: High interaction SMB service honeypot capable of capturing WannaCry-like malware.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

SMTPLLMPot

  • Website: https://github.com/referefref/SMTPLLMPot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: SMTPLLMPot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: A super simple SMTP Honeypot built using GPT3.5.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Snare

  • Website: https://github.com/mushorg/snare
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Snare is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Super Next generation Advanced Reactive honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

spamd

  • Website: http://man.openbsd.org/cgi-bin/man.cgi?query=spamd%26apropos=0%26sektion=0%26manpath=OpenBSD+Current%26arch=i386%26format=html
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: spamd is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

SpamHAT

  • Website: https://github.com/miguelraulb/spamhat
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: SpamHAT is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Spam Honeypot Tool.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Spamhole

  • Website: http://www.spamhole.net/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Spamhole is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.


ssh-auth-logger

  • Website: https://github.com/JustinAzoff/ssh-auth-logger
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: ssh-auth-logger is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Low/zero interaction SSH authentication logging honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.


ssh-honeypot

  • Website: https://github.com/droberson/ssh-honeypot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: ssh-honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Fake sshd that logs IP addresses, usernames, and passwords.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.


ssh-honeypot

  • Website: https://github.com/amv42/sshd-honeypot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: ssh-honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Modified version of the OpenSSH daemon that forwards commands to Cowrie where all commands are interpreted and returned.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.


ssh-honeypotd

  • Website: https://github.com/sjinks/ssh-honeypotd
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: ssh-honeypotd is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Low-interaction SSH honeypot written in C.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.


sshesame

  • Website: https://github.com/jaksi/sshesame
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: sshesame is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Fake SSH server that lets everyone in and logs their activity.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.


sshForShits

  • Website: https://github.com/traetox/sshForShits
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: sshForShits is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Framework for a high interaction SSH honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.


sshhipot

  • Website: https://github.com/magisterquis/sshhipot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: sshhipot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: High-interaction MitM SSH honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.


sshlowpot

  • Website: https://github.com/magisterquis/sshlowpot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: sshlowpot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Yet another no-frills low-interaction SSH honeypot in Go.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.


sshsyrup

  • Website: https://github.com/mkishere/sshsyrup
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: sshsyrup is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Simple SSH Honeypot with features to capture terminal activity and upload to asciinema.org.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.


stack-honeypot

  • Website: https://github.com/CHH/stack-honeypot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: stack-honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Inserts a trap for spam bots into responses.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.


sticky_elephant

  • Website: https://github.com/betheroot/sticky_elephant
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: sticky_elephant is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Medium interaction postgresql honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.


StrutsHoneypot

  • Website: https://github.com/Cymmetria/StrutsHoneypot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: StrutsHoneypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Struts Apache 2 based honeypot as well as a detection module for Apache 2 servers.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.


Sysdig

  • Website: https://sysdig.com/opensource/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Sysdig is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Open source, system-level exploration allows one to capture system state and activity from a running GNU/Linux instance, then save, filter, and analyze the results.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.


Letter T

This letter section contains 18 tools.

T-Pot

  • Website: https://github.com/dtag-dev-sec/tpotce
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: T-Pot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: All in one honeypot appliance from telecom provider T-Mobile.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.


T-Pot: A Multi-Honeypot Platform

  • Website: https://dtag-dev-sec.github.io/mediator/feature/2015/03/17/concept.html
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: T-Pot: A Multi-Honeypot Platform is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Guides.


Tango

  • Website: https://github.com/aplura/Tango
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Tango is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypot Intelligence with Splunk.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Data Tools.


Tanner

  • Website: https://github.com/mushorg/tanner
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Tanner is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Evaluating SNARE events.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.


telnet-iot-honeypot

  • Website: https://github.com/Phype/telnet-iot-honeypot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: telnet-iot-honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Python telnet honeypot for catching botnet binaries.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.


TelnetHoney

  • Website: https://github.com/balte/TelnetHoney
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: TelnetHoney is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Simple telnet honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.


telnetlogger

  • Website: https://github.com/robertdavidgraham/telnetlogger
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: telnetlogger is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Telnet honeypot designed to track the Mirai botnet.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.


TestDisk & PhotoRec

  • Website: https://www.cgsecurity.org/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: TestDisk & PhotoRec is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.


The Art of Deception by Kevin D. Mitnick & William L. Simon, 2002

  • Website: http://www.wiley.com/WileyCDA/WileyTitle/productCd-0471237124.html
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Penetration Testing

What it does: The Art of Deception by Kevin D. Mitnick & William L. Simon, 2002 is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Social Engineering > Social Engineering Books.


The Intelligent HoneyNet

  • Website: https://github.com/jpyorre/IntelligentHoneyNet
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: The Intelligent HoneyNet is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Create actionable information from honeypots.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Data Tools.


Thug

  • Website: https://buffer.github.io/thug/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Thug is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Python-based low-interaction honeyclient.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.


Thug Distributed Task Queuing

  • Website: https://thug-distributed.readthedocs.io/en/latest/index.html
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Thug Distributed Task Queuing is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.


Tom's Honeypot

  • Website: https://github.com/inguardians/toms_honeypot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Tom's Honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Low interaction Python honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.


tomcat-manager-honeypot

  • Website: https://github.com/helospark/tomcat-manager-honeypot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: tomcat-manager-honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypot that mimics Tomcat manager endpoints. Logs requests and saves attacker's WAR file for later study.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.


Trapster Community

  • Website: https://github.com/0xBallpoint/trapster-community
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Trapster Community is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Modular and easy to install Python Honeypot, with comprehensive alerting.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.


Trigona

  • Website: https://www.honeynet.org/project/Trigona
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Trigona is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.


troje

  • Website: https://github.com/dutchcoders/troje/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: troje is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypot that runs each connection with the service within a separate LXC container.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

twisted-honeypots

  • Website: https://github.com/lanjelot/twisted-honeypots
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: twisted-honeypots is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: SSH, FTP and Telnet honeypots based on Twisted.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Letter U

This letter section contains 3 tools.

UDPot Honeypot

  • Website: https://github.com/jekil/UDPot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: UDPot Honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Simple UDP/DNS honeypot scripts.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

URLQuery

  • Website: https://urlquery.net/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: URLQuery is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Using a Raspberry Pi honeypot to contribute data to DShield/ISC

  • Website: https://isc.sans.edu/diary/22680
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: "Using a Raspberry Pi honeypot to contribute data to DShield/ISC" is a guide used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: The Raspberry Pi-based system will allow us to maintain one code base that will make it easier to collect rich logs beyond firewall logs.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Guides.

Letter V

This letter section contains 3 tools.

vEYE

  • Website: https://link.springer.com/article/10.1007%2Fs10115-008-0137-3
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: vEYE is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Behavioral footprinting for self-propagating worm detection and profiling.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Guides.

vmitools

  • Website: http://libvmi.com/
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: vmitools is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: C library with Python bindings that makes it easy to monitor the low-level details of a running virtual machine.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

vnclowpot

  • Website: https://github.com/magisterquis/vnclowpot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: vnclowpot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Low-interaction VNC honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Letter W

This letter section contains 6 tools.

WAPot

  • Website: https://github.com/lcashdol/WAPot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: WAPot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypot that can be used to observe traffic directed at home routers.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

WebTrap

  • Website: https://github.com/IllusiveNetworks-Labs/WebTrap
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: WebTrap is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Designed to create deceptive webpages to deceive and redirect attackers away from real websites.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

WhiteFace Honeypot

  • Website: https://github.com/csirtgadgets/csirtg-honeypot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: WhiteFace Honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Twisted-based honeypot for WhiteFace.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

wordpot

  • Website: https://github.com/gbrindisi/wordpot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: wordpot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: WordPress Honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Wordpot-Frontend

  • Website: https://github.com/GovCERT-CZ/Wordpot-Frontend
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Wordpot-Frontend is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Full-featured script to visualize statistics from a Wordpot honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Data Tools.

wp-smart-honeypot

  • Website: https://github.com/freak3dot/wp-smart-honeypot
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: wp-smart-honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: WordPress plugin to reduce comment spam with a smarter honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Letter Y

This letter section contains 2 tools.

YALIH (Yet Another Low Interaction Honeyclient)

  • Website: https://github.com/Masood-M/yalih
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: YALIH (Yet Another Low Interaction Honeyclient) is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Low-interaction client honeypot designed to detect malicious websites through signature, anomaly, and pattern matching techniques.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Yet Another Fake Honeypot (YAFH)

  • Website: https://github.com/fnzv/YAFH
  • Model: Open Source
  • Category: Deception & Honeypots
  • Source Lists: Awesome Honeypots

What it does: Yet Another Fake Honeypot (YAFH) is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Simple honeypot written in Go.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.
