Honeypot
Security Concepts
Definition
A honeypot is a deliberately deployed decoy system, service, or dataset designed to mimic legitimate assets (e.g., servers, databases, credentials) in order to attract and monitor malicious activity in a controlled environment. The key principle: **any interaction with a honeypot is inherently suspicious.** Legitimate users should never access it, making it a high-signal detection mechanism.

Honeypots are isolated from production systems and heavily monitored. They log attacker behavior such as commands, payloads, lateral movement attempts, and data access patterns. This provides direct visibility into attacker tactics, techniques, and procedures (TTPs).

Honeypots complement traditional defensive controls:

- **IDS/IPS** — detect/block known threats, but may generate noise
- **SIEM** — aggregates logs, requires correlation
- **Honeypots** — high-fidelity alerts with minimal false positives

### Types of Honeypots

- **Low-interaction** — simulate limited services (e.g., fake SSH); easy to deploy, limited insight
- **Medium-interaction** — partial system simulation; captures attacker behavior in more detail
- **High-interaction** — real systems; allows full attacker engagement for deep analysis

Honeypots provide direct visibility into attacker behavior, which is often difficult to obtain from standard logging alone. They enable high-confidence detection since any interaction with them is inherently suspicious, and they serve as a powerful source of threat intelligence by capturing real attacker tactics, techniques, and procedures in controlled conditions. Honeypots also support early attack detection by identifying scanning, brute force attempts, and probing activity before more serious compromises occur.
Related Terms
SIEM
Examples & Use Cases
- **Brute-force detection** — A honeypot SSH service receives repeated login attempts. Since no legitimate user should access it, this immediately flags credential-stuffing activity.
- **Malware capture and analysis** — A deliberately vulnerable system attracts automated malware, allowing analysts to collect payloads and study behavior safely.
- **Insider threat detection** — A honeytoken (fake credential or file) is accessed internally. This indicates unauthorized access or misuse of privileges.
- **Lateral movement detection** — An attacker scanning internal systems interacts with a honeypot host, revealing movement within the network post-compromise.

### Further Reading

- [Sophos — What is a Honeypot in Cybersecurity](https://www.sophos.com/en-us/cybersecurity-explained/honeypots)
- [Splunk — Cybersecurity Honeypots Explained](https://www.splunk.com/en_us/blog/learn/cybersecurity-honeypots.html)
- [CrowdStrike — Honeypots in Cybersecurity](https://www.crowdstrike.com/en-us/cybersecurity-101/exposure-management/honeypots/)
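The brute-force and honeytoken use cases above, worked through as an added example that is not part of this glossary entry: a small detector run over constructed sshd-style log lines, applying the "any interaction with the decoy is an alert" rule and escalating repeated attempts. The decoy host address, the planted account name, the log format and the threshold are all assumptions.

```python
import re
from collections import Counter

# Constructed inventory: the decoy SSH host and a planted (fake) credential.
HONEYPOT_HOSTS = {"10.0.5.200"}           # hypothetical decoy, never used legitimately
HONEYTOKEN_USERS = {"svc_backup_legacy"}  # hypothetical fake account seeded in a config file
BRUTE_FORCE_THRESHOLD = 3                 # attempts from one source before escalating

# sshd-style line: "<host> sshd[pid]: Failed password for [invalid user] <user> from <ip> port <n> ssh2"
LINE_RE = re.compile(
    r"^(?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

def analyze(lines):
    """Return (severity, reason, source_ip, detail) alerts.

    Any auth attempt against a honeypot host is an alert on its own, repeated
    attempts from one source are escalated as brute force, and any use of a
    honeytoken account on any host is treated as credential misuse.
    """
    alerts = []
    per_source = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth event this toy parser models
        host, user, src = m["host"], m["user"], m["src"]
        if user in HONEYTOKEN_USERS:
            alerts.append(("critical", "honeytoken_use", src, f"{user}@{host} ({m['result']})"))
        if host in HONEYPOT_HOSTS:
            per_source[src] += 1
            alerts.append(("high", "honeypot_interaction", src, f"{user}@{host}"))
    for src, n in per_source.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            alerts.append(("high", "brute_force", src, f"{n} attempts against decoy"))
    return alerts

SAMPLE_LOG = [  # constructed sample, not real traffic
    "10.0.5.200 sshd[411]: Failed password for root from 198.51.100.7 port 51120 ssh2",
    "10.0.5.200 sshd[412]: Failed password for admin from 198.51.100.7 port 51121 ssh2",
    "10.0.5.200 sshd[413]: Failed password for invalid user oracle from 198.51.100.7 port 51122 ssh2",
    "10.0.1.10 sshd[900]: Accepted password for alice from 10.0.1.55 port 40000 ssh2",
    "10.0.1.10 sshd[901]: Accepted password for svc_backup_legacy from 10.0.1.77 port 40101 ssh2",
]

if __name__ == "__main__":
    for sev, reason, src, detail in analyze(SAMPLE_LOG):
        print(f"[{sev}] {reason}: {src} {detail}")
```

Note that the legitimate login by `alice` to a production host produces nothing, while the honeytoken login is flagged even though it succeeded on a production host, which is exactly the high-signal property the entry describes.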