Honeypot

A deliberately vulnerable or decoy system deployed on a network to attract attackers so their tools, techniques, and source IPs can be observed.

What is a honeypot?

A honeypot is a system deployed specifically to be attacked. It has no legitimate users, runs no production workloads, and exposes services that look worth attacking (often deliberately vulnerable ones), so that any interaction with it is, by definition, unsolicited: at best an internet-wide scanner, at worst an intruder already inside the network. The operator watches what the attacker does, collects the tools they drop, and records their source IP for sharing with the defensive community.

Types of honeypots

  • Low-interaction — scripts that emulate a service (fake SSH, fake Telnet, fake SMB) just well enough to capture the attacker's login attempts and first few commands. Cowrie (and Kippo, its now-unmaintained predecessor) is the long-running example for SSH and Telnet, harvesting brute-force credentials and the commands bots run after login; Dionaea emulates SMB, HTTP, FTP and other services to capture the malware samples that scanners try to deliver.
  • High-interaction — a real OS running real services, carefully contained. Captures far more attacker behavior but needs much more care to run safely: strict egress filtering so a compromised honeypot cannot be turned against third parties, and logging shipped off-box so the intruder cannot tamper with it.
  • Client honeypot — a browser-like agent that visits attacker-controlled sites to capture drive-by exploit kits.
  • Canary tokens — credentials, documents, or API keys placed where only an intruder would find them; any use of the token fires an alert. Strictly a honeytoken rather than a decoy system, and widely used inside enterprise networks today.
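
To make the low-interaction idea concrete, here is a minimal Telnet honeypot in Python, written for this page rather than taken from Cowrie, Kippo or Dionaea. It emulates a login prompt and a root shell only deeply enough to record the credentials tried and the first few commands, then hangs up. The banner, hostname, canned command output, listening port and log file name are all made up for the example, and the session logic runs over plain byte streams so it can be replayed offline.

```python
"""Minimal low-interaction Telnet honeypot (added example, not from the page).

Emulates a login prompt and a root shell just well enough to record the
credentials a bot tries and its first few commands, then hangs up.  The
session logic works on file-like byte streams so it can be replayed offline.
"""
import io
import json
import socketserver
import time

# Assumed, deliberately non-default banner and hostname: the stock strings
# shipped by public honeypot projects are fingerprinted by scanners.
BANNER = b"\r\nUbuntu 18.04.6 LTS\r\n"
HOSTNAME = "srv-db02"
MAX_COMMANDS = 5            # capture the first few commands, then drop the session
CANNED = {                  # constructed output for commands bots usually send first
    "uname -a": "Linux srv-db02 4.15.0-112-generic #113-Ubuntu SMP x86_64 GNU/Linux",
    "id": "uid=0(root) gid=0(root) groups=0(root)",
    "whoami": "root",
    "cat /proc/cpuinfo | grep name | wc -l": "2",
}


def strip_iac(data: bytes) -> bytes:
    """Drop Telnet option negotiation (IAC WILL/WONT/DO/DONT <opt>, or IAC <cmd>)
    that real clients send before the first line; the prompt logic wants text."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == 0xFF and i + 1 < len(data):
            i += 3 if data[i + 1] in (0xFB, 0xFC, 0xFD, 0xFE) else 2
            continue
        out.append(data[i])
        i += 1
    return bytes(out)


def fake_response(cmd: str) -> str:
    """Reply only to commands we emulate; silence for everything else."""
    return CANNED.get(cmd.strip(), "")


def run_session(rfile, wfile, peer, ts=None):
    """Drive one session over file-like byte streams and return the event
    (source, credentials, commands) as a plain dict ready for JSON logging."""
    event = {"src_ip": peer[0], "src_port": peer[1],
             "ts": time.time() if ts is None else ts,
             "login": None, "commands": []}

    def readline():
        raw = rfile.readline()
        if not raw:                       # peer closed the connection
            return None
        return strip_iac(raw).decode("utf-8", "replace").rstrip("\r\n\x00")

    wfile.write(BANNER + b"login: ")
    user = readline()
    if user is None:
        return event
    wfile.write(b"Password: ")
    password = readline()
    if password is None:
        return event
    # Any credential pair is accepted: the point is to record what was tried.
    event["login"] = {"user": user, "password": password}

    prompt = f"\r\nroot@{HOSTNAME}:~# ".encode()
    while len(event["commands"]) < MAX_COMMANDS:
        wfile.write(prompt)
        cmd = readline()
        if cmd is None:
            break
        event["commands"].append(cmd)
        if cmd.strip() in ("exit", "logout"):
            break
        out = fake_response(cmd)
        if out:
            wfile.write(b"\r\n" + out.encode())
    return event


def replay(script: bytes, peer=("203.0.113.9", 51234)):
    """Offline harness: feed a scripted attacker, return (event, bytes we sent)."""
    wfile = io.BytesIO()
    event = run_session(io.BytesIO(script), wfile, peer, ts=0.0)
    return event, wfile.getvalue()


class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        event = run_session(self.rfile, self.wfile, self.client_address)
        with open("honeypot.jsonl", "a") as fh:   # one JSON event per session
            fh.write(json.dumps(event) + "\n")


if __name__ == "__main__":
    # Listen on an unprivileged port; redirect 23 -> 2323 with your packet filter.
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("0.0.0.0", 2323), Handler) as srv:
        srv.serve_forever()
```

Run it, point a Telnet client at port 2323, and each session lands in honeypot.jsonl with the credentials and commands the peer sent. Keep the service on a throwaway host with no outbound access: even an emulator this thin is a listener on a hostile network, and the first commands bots send are typically a download of a second-stage script whose URL is worth keeping for the malware feed.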

Honeypots in IP reputation

Large networks of honeypots, such as the Shadowserver sensors, GreyNoise, Team Cymru and the SANS ISC DShield project, form the backbone of modern IP-reputation feeds. When an IP connects to dozens of honeypots in a short window, it gets flagged as an active scanner and lands on public blocklists within hours. Almost every "seen scanning the internet" signal on IP reputation pages ultimately comes from honeypot telemetry. Botnet recruitment traffic (infected devices hunting for more devices to infect) is one of the largest sources of that noise. Feeds count distinct sensors over a time window rather than single hits for a reason: one connection can be spoofed backscatter or a research scanner, and a cloud or carrier-NAT address may belong to someone else a day later.
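
The scanner-flagging logic those feeds apply, as an added example in Python that is not any feed's actual code: an address is flagged when it touches at least eight distinct sensors within one hour (both numbers are assumptions chosen for the example), addresses from the operator's own private ranges are ignored, and the sensor telemetry it runs over is constructed inline.

```python
"""Flag scanners from honeypot telemetry (added example, not from the page).

Each event is (unix_ts, src_ip, sensor_id, dst_port).  An address is flagged
when at least SENSOR_THRESHOLD distinct sensors see it within WINDOW seconds,
which is the "seen scanning the internet" signal described above.
"""
from collections import defaultdict, deque
import ipaddress

WINDOW = 3600            # seconds (assumed value)
SENSOR_THRESHOLD = 8     # distinct sensors inside the window (assumed value)

# Ranges that are never reported: your own sensors, monitoring and internal
# scanners.  Listed explicitly because the documentation ranges used in the
# sample below are not "global" in ipaddress terms either.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def parse_line(line: str):
    """CSV sensor line 'ts,src_ip,sensor,dst_port' -> (int, str, str, int)."""
    ts, ip, sensor, port = line.strip().split(",")
    return int(ts), ip, sensor, int(port)


def flag_scanners(lines, window=WINDOW, threshold=SENSOR_THRESHOLD):
    """Return {ip: {first_seen, last_seen, sensors, ports}} for flagged IPs."""
    events = sorted(parse_line(l) for l in lines if l.strip() and not l.startswith("ts,"))
    recent = defaultdict(deque)          # ip -> (ts, sensor) pairs inside the window
    flagged = {}
    for ts, ip, sensor, port in events:
        if is_local(ip):
            continue
        q = recent[ip]
        while q and q[0][0] <= ts - window:   # slide the window forward
            q.popleft()
        q.append((ts, sensor))
        sensors = {s for _, s in q}
        if len(sensors) >= threshold:
            rec = flagged.setdefault(ip, {"first_seen": q[0][0], "sensors": set(), "ports": set()})
            rec["last_seen"] = ts
            rec["sensors"] |= sensors
            rec["ports"].add(port)
    return flagged


def constructed_log() -> str:
    """Constructed sample telemetry using documentation address ranges."""
    base = 1700000000
    lines = ["ts,src_ip,sensor,dst_port"]
    for i in range(10):     # 10 sensors in 20 minutes on SSH: a scanner
        lines.append(f"{base + i * 120},198.51.100.23,sensor-{i:02d},22")
    for i in range(3):      # 3 sensors: below threshold
        lines.append(f"{base + i * 60},203.0.113.5,sensor-{i:02d},445")
    for i in range(10):     # 10 sensors, but one per hour: never 8 in one window
        lines.append(f"{base + i * 3600},192.0.2.77,sensor-{i:02d},23")
    for i in range(10):     # internal scanner, ignored
        lines.append(f"{base + i * 10},10.0.0.5,sensor-{i:02d},22")
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, rec in flag_scanners(constructed_log().splitlines()).items():
        print(ip, len(rec["sensors"]), "sensors", sorted(rec["ports"]),
              rec["first_seen"], rec["last_seen"])
```

The window matters as much as the threshold: with a 10-minute window the same 20-minute sweep never has eight sensors in view at once and nothing is flagged, which is the knob a feed turns to trade detection speed against false positives from slow, distributed scans.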

Check whether an IP has been seen scanning or attacking honeypots with our IP abuse report checker.

Frequently Asked Questions

Is running a honeypot legal?

In nearly every jurisdiction, yes: running a system that an attacker chooses to attack is legal. The legal complications come from what you do next. Source IP addresses and captured session data are personal data under the GDPR, so a honeypot that logs EU residents needs a lawful basis, a retention limit and care before sharing. If you actively respond by compromising the attacker's machine ("hack-back"), that is almost always illegal, whatever the provocation. Defensive observation is fine; offensive retaliation is not. Many honeypot operators also present a login banner stating that the system is monitored and that all interactions are logged.

What is the difference between a honeypot and a honeynet?

A honeypot is a single decoy system. A honeynet is an entire decoy network of honeypots that simulates a realistic environment (multiple hosts, services, and even fake user activity) to hold the interest of attackers who recognize that a single isolated machine looks too obvious to be real. Honeynets are run mostly by research groups (the Honeynet Project) and threat-intel companies that need rich attacker-behavior data.

Can attackers detect a honeypot?

Yes, and good attackers actively try. Telltale signs include services that respond too perfectly, host fingerprints that do not match the claimed OS (kernel version, MAC OUI, TCP/IP stack behavior, service banner), an isolated network position with no neighbors and no normal outbound traffic, and known honeypot software signatures (the default Cowrie SSH banner, default Dionaea responses, emulated shells that fail on commands a real shell handles). High-quality honeypots therefore avoid defaults, run on real hardware or well-customized VMs, and live inside more realistic network contexts.

What is a honeytoken?

A honeytoken is a piece of data (a fake credential, a planted document, an unused API key, a watermarked file) placed somewhere only an intruder would look. Any access to it triggers an alert. Common examples: an AWS access key that alerts the security team if used, a Word document that beacons home when opened, a fake admin user in the database. The cloud-key variant works because the key is real but has no permissions: the provider's own logging records the attempt, and the alert follows from that log. Canarytokens.org offers free, ready-made variants that drop into any environment in minutes.
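
An added example, not from the page or from Canarytokens.org, covering both the canary-token bullet in the types list and this answer: a small Python registry that plants two kinds of honeytoken and matches hits in logs back to where each token was planted. The AWS key ID used is Amazon's documented example key; the beacon host, HMAC secret, placement names, CloudTrail records and web-server log lines are all constructed for the example.

```python
"""Honeytoken registry and hit detection (added example, not from the page).

Two token kinds: an AWS access key ID (a real, permission-less key in an
account you monitor: CloudTrail only records calls made with keys that belong
to your account, so a made-up key ID would never produce an event) and a
beacon URL embedded in a document.  Every token is tied to where it was
planted, so a hit says where the intruder has been, not just that one exists.
"""
import hashlib
import hmac
import json
import re

SECRET = b"constructed-demo-secret"         # assumption: keep the real one in a vault
BEACON_HOST = "https://beacon.example.net"  # hypothetical collector for document beacons
AWS_TOKENS = {}      # access key ID -> placement description
PLACEMENTS = {}      # opaque placement id -> placement description


def plant_aws_key(key_id: str, placement: str) -> None:
    """Register an existing, deliberately useless IAM access key as a token."""
    AWS_TOKENS[key_id] = placement


def mint_beacon_url(pid: str, placement: str) -> str:
    """Embed the returned URL in a document (remote image, template reference).
    The tag carries an opaque placement id plus an HMAC, so a hit is attributable
    and a guessed or forged tag is rejected instead of raising a false alarm."""
    PLACEMENTS[pid] = placement
    mac = hmac.new(SECRET, pid.encode(), hashlib.sha256).hexdigest()[:24]
    return f"{BEACON_HOST}/t/{pid}-{mac}.png"


def parse_beacon_tag(tag: str):
    """Return the placement id if the tag was minted by us, else None."""
    pid, _, mac = tag.partition("-")
    expected = hmac.new(SECRET, pid.encode(), hashlib.sha256).hexdigest()[:24]
    if pid in PLACEMENTS and hmac.compare_digest(mac.encode(), expected.encode()):
        return pid
    return None


def scan_cloudtrail(records):
    """Alert on any CloudTrail record whose access key is a planted token."""
    for rec in records:
        key = rec.get("userIdentity", {}).get("accessKeyId")
        if key in AWS_TOKENS:
            yield {"kind": "aws_key", "placement": AWS_TOKENS[key],
                   "src_ip": rec.get("sourceIPAddress"),
                   "detail": rec.get("eventName"), "ts": rec.get("eventTime")}


# Combined-log-format line; only beacon paths under /t/ are of interest.
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /t/(?P<tag>[^ ."]+)\.png[^"]*"'
                       r' \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"')


def scan_access_log(lines):
    """Alert on beacon hits in web-server logs; forged or unknown tags are ignored."""
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        pid = parse_beacon_tag(m["tag"])
        if pid:
            yield {"kind": "beacon", "placement": PLACEMENTS[pid],
                   "src_ip": m["ip"], "detail": m["ua"], "ts": m["ts"]}


def run_demo():
    """Constructed inputs: one planted key, one beacon, a legitimate key, a forged tag."""
    plant_aws_key("AKIAIOSFODNN7EXAMPLE", "~/.aws/credentials on jump-host-01")
    url = mint_beacon_url("p17", "Q3-board-pack.docx on the finance file share")
    good_tag = url.rsplit("/", 1)[1][:-4]
    forged_tag = "p17-" + "0" * 24
    cloudtrail = [
        {"eventTime": "2024-03-02T10:14:07Z", "eventName": "GetCallerIdentity",
         "sourceIPAddress": "198.51.100.7",
         "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
        {"eventTime": "2024-03-02T10:15:00Z", "eventName": "ListBuckets",
         "sourceIPAddress": "203.0.113.40",
         "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIA0000000000LEGIT1"}},
    ]
    access_log = [
        f'198.51.100.7 - - [02/Mar/2024:10:20:31 +0000] "GET /t/{good_tag}.png HTTP/1.1" 200 68 "-" "Microsoft Office/16.0"',
        f'203.0.113.9 - - [02/Mar/2024:10:21:02 +0000] "GET /t/{forged_tag}.png HTTP/1.1" 404 0 "-" "curl/8.5.0"',
        '203.0.113.9 - - [02/Mar/2024:10:21:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    ]
    return list(scan_cloudtrail(cloudtrail)) + list(scan_access_log(access_log))


if __name__ == "__main__":
    for alert in run_demo():
        print(json.dumps(alert))
```

Two design points carry over to real deployments. Each token maps to exactly one placement, so the alert tells you which share or host was read rather than merely that "a token fired"; and the beacon tag is authenticated, so a scanner enumerating your collector cannot page the on-call engineer by guessing paths.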

What is the difference between a honeypot and a sandbox?

A honeypot waits to be attacked: it is a decoy in a real (or realistic) network, observing whoever finds it. A sandbox executes a sample you have already collected (a suspicious file, URL, or email) inside an isolated environment to see what it does. Both observe attacker behavior, but the honeypot does so passively, waiting for the attacker to arrive, and the sandbox actively, by detonating what you hand it. Sandbox tools include Cuckoo, Joe Sandbox, and the dynamic-analysis side of VirusTotal.