Loading...
Honeypots and deception technology plant fake assets across your environment, things like decoy servers, dummy credentials, bait files, and canary tokens, that no legitimate user or process should ever touch. The moment something interacts with one, you get a high-fidelity alert with almost no false positives, because there is no benign reason to be there. For security operations teams drowning in noise from EDR and SIEM, deception flips the economics: instead of chasing probabilistic anomalies, you catch attackers who have already bypassed your perimeter and are mapping your network, hunting credentials, or moving laterally. It is a detection layer built on the assumption that prevention sometimes fails.
We cover 216 Honeypots & Deception tools, 193 free and 23 commercial.
Accuracy and depth improve over time. Last reviewed Jul 2026. Is something off? Reach out.
A Flask-based honeypot that simulates Outlook Web App (OWA) environments to attract and analyze malicious activities targeting OWA systems.
A configurable DNS honeypot with SQLite logging and Docker support.
An easy to set up SSH honeypot for logging SSH connections and activity.
A network responder supporting various protocols with minimal assumptions on client intentions.
A honeypot system designed to detect and analyze potential security threats
A low-interaction honeypot for detecting and analyzing potential attacks on Android devices via ADB over TCP/IP
An extensible and open-source system for running, monitoring, and managing honeypots with advanced features.
PhoneyC is a client-side honeypot that emulates vulnerable web browsers to detect and analyze malicious web content and browser-based exploits.
Ghost USB Honeypot emulates USB storage devices to detect and analyze malware that spreads via USB without requiring prior threat intelligence.
A Splunk application that processes honeypot data from hpfeeds channels to generate clustered meta-events and visualizations for security analysis.
A honeypot mimicking Tomcat manager endpoints to log requests and save attacker's WAR files for analysis.
BW-Pot is an interactive web application honeypot that deploys vulnerable applications to attract and monitor HTTP/HTTPS attacks, with automated logging to Google BigQuery for analysis.
A printer honeypot PoC that simulates a printer on a network to detect and analyze potential attackers.
A web honeypot tool for detecting and monitoring potential attacks on phpMyAdmin installations.
Honeyntp is an NTP honeypot and logging tool that captures NTP packets into a Redis database to detect DDoS attacks and monitor network time protocol traffic.
Web application for visualizing live GPS locations on an SVG world map using honeypot captures.
Script for turning a Raspberry Pi into a Honey Pot Pi with various monitoring and logging capabilities.
WordPress plugin to reduce comment spam with a smarter honeypot.
PHP Script demonstrating a smart honey pot for email form protection.
A low to medium interaction honeypot with a variety of plugins for cybersecurity monitoring.
A honeypot trap for Symfony2 forms to reduce spam submissions.
Troje is a honeypot that creates dynamic LXC container environments to attract and monitor attackers while recording their activities and system changes.
Common questions about Honeypots & Deception tools, selection guides, pricing, and comparisons.
It is a class of security tools that deploy fake assets, decoy servers, fabricated credentials, bait files, and canary tokens, designed so that any interaction with them signals malicious or unauthorized activity. Because real users never touch these decoys, alerts carry very low false-positive rates. Deception catches attackers during reconnaissance and lateral movement, after they have slipped past preventive controls but before they reach real data.
A classic honeypot is usually a single, isolated decoy system you stand up to study attacker behavior, often deployed and monitored by hand. Modern deception technology scales that idea across the whole environment: it distributes lures and decoys automatically through endpoints, networks, cloud, and Active Directory, then centralizes alerting and forensics. Honeypots are the research primitive; deception platforms operationalize the concept for production detection at enterprise scale.
Begin with what you are protecting and where attackers move: endpoints, AD, cloud, OT, or all of them. Weigh deployment effort and decoy realism, since unconvincing lures get ignored by skilled adversaries. Check how alerts integrate with your SIEM, SOAR, and EDR, what forensic depth you get on engagement, and how the tool handles decoy maintenance so stale bait does not erode believability over time.
Open-source honeypots like canary token generators and low-interaction decoys are excellent for targeted use: monitoring a specific segment, seeding a few high-value lures, or learning the technique cheaply. Commercial deception platforms add automated distribution at scale, decoy lifecycle management, deep forensic capture, and SOC integrations. The split tends to be open-source for surgical coverage, a platform when deception becomes a core, environment-wide detection layer.
It complements them rather than replacing anything. EDR watches real endpoints and SIEM correlates logs, both of which generate volume and require tuning. Deception adds a parallel, low-noise signal: an alert fires only when someone touches something fake, which usually means an intruder is already inside. It is especially strong at catching lateral movement and credential theft that behavioral detection can miss or bury in noise.