Network Security
Honeypot
Also known as: Decoy system, Deception host
Definition
A decoy system or service deliberately exposed to attract attackers, observe their techniques, and divert them from production assets.
A honeypot is a deception asset that mimics a real server, application, or piece of data so that any interaction with it is, by definition, suspicious: no legitimate user has a reason to touch it, so its alerts carry a very low false-positive rate. Low-interaction honeypots emulate a limited set of services (a banner, a login prompt, a few protocol responses) to detect scanning and commodity malware, while high-interaction honeypots run full operating systems to capture advanced tradecraft. Defenders use the captured telemetry to derive indicators of compromise, study TTPs, and feed detection engineering. Honeypots must be isolated from production networks so that a compromised decoy cannot become a pivot point, and high-interaction ones additionally need egress filtering so they cannot be used to attack third parties. Their findings are typically forwarded to a SIEM or threat-intelligence platform.
Examples
- A vulnerable-looking SSH server on the internet that logs every credential an attacker tries.
- A fake database in the DMZ that triggers an alert on any query.
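A minimal low-interaction honeypot of the kind described above, written as an added example for this page (it is not code from any named honeypot project). It assumes Python 3 and nothing outside the standard library; the OpenSSH-style banner, the sensor name, the JSON field layout and the client probe used in `simulate_probe` are all constructed for illustration. It only talks the banner stage of SSH, so it records what an attacker's client announces and where it came from, not the credentials it goes on to try; capturing those needs a real SSH implementation behind the decoy.

```python
"""Low-interaction SSH-banner honeypot (added example, not from the page).

Listens on a TCP port, sends a decoy OpenSSH banner, records the first
bytes the peer sends, and emits one JSON event per interaction in a shape
a SIEM could ingest. Because nobody legitimate should reach this port,
every event is treated as an alert.
"""
import json
import socket
import threading
import time

# Constructed decoy banner; scanners will fingerprint whatever is here.
FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4\r\n"
MAX_READ = 256        # assumption: read at most this much from a peer
READ_TIMEOUT = 5.0    # assumption: give up on silent peers after this long


def build_event(peer, payload, ts=None):
    """Turn one interaction into a SIEM-style event dict (constructed layout)."""
    return {
        "ts": ts if ts is not None else time.time(),
        "sensor": "ssh-honeypot",     # constructed sensor name
        "severity": "high",           # any touch of a decoy is high by definition
        "src_ip": peer[0],
        "src_port": peer[1],
        "payload": payload.decode("utf-8", errors="replace").strip(),
        "payload_len": len(payload),
    }


def handle_connection(conn, peer, sink):
    """Serve one peer: send the banner, read its first message, log, close.

    The connection is always closed here; the decoy never forwards traffic
    anywhere, which is what keeps it from becoming a pivot point.
    """
    conn.settimeout(READ_TIMEOUT)
    try:
        conn.sendall(FAKE_BANNER)
        try:
            payload = conn.recv(MAX_READ)
        except socket.timeout:
            payload = b""             # peer connected but sent nothing
    finally:
        conn.close()
    event = build_event(peer, payload)
    sink(event)
    return event


def serve(host, port, sink):
    """Accept connections forever, handling each in its own thread."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, peer = srv.accept()
            threading.Thread(
                target=handle_connection, args=(conn, peer, sink), daemon=True
            ).start()


def simulate_probe(client_bytes, peer=("203.0.113.7", 51000)):
    """Drive handle_connection over a loopback socket pair (no network needed).

    `peer` is a constructed address, since a socketpair has no real one.
    Returns the emitted event and the banner the simulated client received.
    """
    server_side, client_side = socket.socketpair()
    events = []
    client_side.sendall(client_bytes)
    event = handle_connection(server_side, peer, events.append)
    banner_seen = client_side.recv(len(FAKE_BANNER))
    client_side.close()
    return event, banner_seen


if __name__ == "__main__":
    # Run only on an isolated host; forward stdout to the SIEM collector.
    serve("0.0.0.0", 2222, lambda ev: print(json.dumps(ev)))
```

`simulate_probe` exists so the handler can be exercised without opening a port; in production the `sink` would ship each event to the SIEM rather than print it.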
Related terms
Honeynet
A controlled network of interconnected honeypots designed to study attacker behavior across a realistic, multi-host environment.
Honeytoken
A piece of fake data (a credential, API key, document, or database row) that has no legitimate use, so any access to it signals a breach.
Canary Token
A honeytoken engineered to beacon when it is opened or used (for example a document or URL that calls home), revealing when and from where it was triggered.
Intrusion Detection System (IDS)
A passive security control that monitors network or host activity for malicious behaviour and raises alerts without blocking traffic.
Threat Intelligence
Evidence-based knowledge about threats and threat actors — including indicators, TTPs and context — used to guide security decisions and detection.
Demilitarized Zone (DMZ)
A network segment between the internet and the internal network that hosts externally reachable services, limiting what an attacker can reach if one of them is compromised.