Honeypot — Technology Wiki

Overview

Direct Answer

A honeypot is a deliberately vulnerable or attractive decoy system deployed within a network to detect, monitor, and analyse attacker behaviour. It serves no legitimate business function but instead captures detailed intelligence on intrusion techniques, malware signatures, and adversary tactics.

How It Works

Honeypots are configured with apparent security weaknesses, exposed services, or valuable-looking data to entice unauthorised access. Once compromised, they log all attacker interactions—commands executed, files accessed, lateral movement attempts—while isolating the decoy from critical infrastructure to prevent real damage.

Why It Matters

Organisations deploy honeypots to generate high-fidelity threat intelligence without risking production systems, reduce false positives from security monitoring, and gather forensic evidence for incident response and threat analysis. They also serve as an early warning system for novel attack patterns and zero-day exploitation.

Common Applications

Enterprise security operations centres use honeypots to study advanced persistent threat (APT) campaigns. Network administrators deploy them on perimeter segments, file servers, and database systems to detect lateral movement. Industrial control environments employ specialised honeypots to monitor attacks targeting operational technology.

Key Considerations

Honeypots generate substantial log data requiring skilled analysis and risk exposure if misconfigured—a compromised decoy can become a stepping stone to real systems. Their effectiveness depends on convincing realism; inadequately maintained decoys may fail to engage sophisticated attackers or consume resources without yielding actionable intelligence.

Related in Defensive Security

Security Operations Centre

A centralised facility where security professionals monitor, detect, analyse, and respond to cybersecurity incidents.

Intrusion Detection System

A system that monitors network traffic or system activities for malicious activity or policy violations.

Next-Generation Firewall

An advanced firewall that goes beyond traditional packet filtering to include application awareness and intrusion prevention.

Endpoint Detection and Response

Security technology that monitors endpoint devices to detect, investigate, and respond to cyber threats.

Security Orchestration Automation and Response

Technology that automates security operations by orchestrating tools and processes for incident response.

Incident Response Plan

A documented set of procedures for detecting, responding to, and recovering from cybersecurity incidents.

Digital Forensics

The process of collecting, preserving, and analysing electronic evidence for investigating security incidents.

Extended Detection and Response

A unified security platform that integrates data from endpoints, networks, cloud workloads, and email to provide holistic threat detection, investigation, and automated response.

Security Orchestration, Automation and Response

A technology stack that integrates security tools and automates incident response workflows, enabling faster triage, investigation, and remediation of security alerts.

Threat Hunting

The proactive search for cyber threats within an organisation's environment that have evaded automated detection, using hypotheses, threat intelligence, and advanced analytics.

More in Cybersecurity

Cyber Threat Intelligence

Offensive Security

Evidence-based knowledge about adversary capabilities, infrastructure, motives, and tactics that informs security decisions and enables proactive defence against cyber attacks.

Software Bill of Materials

Offensive Security

A comprehensive inventory of all software components, libraries, and dependencies used in an application, enabling vulnerability tracking and supply chain risk management.

Cyber Insurance

Security Governance

Insurance coverage protecting organisations against financial losses from cyberattacks, data breaches, and related incidents.

Cybersecurity

Offensive Security

The practice of protecting systems, networks, and programs from digital attacks, unauthorised access, and data breaches.

Zero-Day Vulnerability

Offensive Security

A software security flaw unknown to the vendor that can be exploited before a patch is available.

Multi-Factor Authentication

Identity & Access

An authentication method requiring two or more verification factors to gain access to a resource.

SQL Injection

Offensive Security

A code injection technique that exploits vulnerabilities in database-driven applications through malicious SQL statements.

Buffer Overflow

Offensive Security

A programming error where data written to a buffer exceeds its capacity, potentially allowing code execution.