Quick Reference
A honeypot is a decoy system designed to attract attackers, detect intrusions, and study attack techniques. Any interaction with a honeypot is suspicious by definition — legitimate users have no reason to access it. Honeynet = network of honeypots. Honeyfile/canary token = a fake file that alerts when accessed. Low-interaction honeypot = emulates services, lower risk. High-interaction honeypot = real OS and services, more intelligence but higher risk. On the exam: honeypots are deception technology used for detection and threat intelligence.

What Honeypots Do and Why They Work

A honeypot is a deliberately vulnerable or attractive-looking system placed in a network to lure attackers. It appears to be a legitimate target — a database server, a file share, a domain controller — but contains no real data and serves no production function. Because legitimate users have no reason to interact with a honeypot, any connection attempt, login, or access is almost certainly malicious activity. This makes honeypots remarkably low-noise detection systems — unlike SIEM alerts that generate thousands of events daily, a honeypot alert is nearly always genuine.

Honeypots serve three purposes: early detection — attackers probing the network will discover and interact with honeypots, generating alerts before they reach real systems; threat intelligence — high-interaction honeypots let researchers observe attacker tools, techniques, and procedures (TTPs) in a controlled environment without risking real data; and attacker deception — honeypots waste attacker time and resources on false targets, slowing their progress toward real assets.

Low-Interaction vs High-Interaction Honeypots

ðŸŠĪ
Low-Interaction
Simulated services
Emulates services (SSH, HTTP, SMB) without running a real OS. Attacker can connect and interact with the simulation but cannot gain a real shell. Low risk — no real OS to exploit. Good for detection and network scanning alerts. Examples: Honeyd, OpenCanary.
🕷ïļ
High-Interaction
Real systems
Runs a real OS and real services. Attackers can fully compromise the system and reveal their true TTPs. Higher risk — a compromised honeypot could be used to attack other systems. Requires careful network isolation. Provides much richer intelligence.
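The following is an added example, not code from the original article or from Honeyd or OpenCanary: a minimal low-interaction honeypot in Python that shows why this class is low-risk. It binds a TCP port, sends a constructed service banner (the strings are assumptions, not captured from real daemons), records the first bytes the peer sends, and closes. There is no shell, no filesystem and no real service behind the port, so the only thing an attacker can obtain is a banner, while every accepted connection becomes one high-severity event. The `probe` helper is a constructed local client used to exercise it.

```python
import json
import socket
import threading
from datetime import datetime, timezone

# Constructed banners for the emulated services (assumption: realistic-looking
# strings only). No real daemon runs behind them, which is what keeps a
# low-interaction honeypot low-risk.
BANNERS = {
    "ssh": b"SSH-2.0-OpenSSH_8.9p1\r\n",
    "http": (b"HTTP/1.1 401 Unauthorized\r\n"
             b"WWW-Authenticate: Basic realm=\"intranet\"\r\n"
             b"Content-Length: 0\r\n\r\n"),
}


class LowInteractionHoneypot:
    """Send a fake banner, capture what the peer sends first, close.
    Every accepted connection is recorded as one event (= one alert)."""

    def __init__(self, service, host="127.0.0.1", port=0):
        self.service = service
        self.events = []                  # one dict per connection, newest last
        self._cond = threading.Condition()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))     # port 0: let the OS pick a free port
        self._sock.listen(16)
        self.port = self._sock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                conn, peer = self._sock.accept()
            except OSError:               # listening socket closed by close()
                return
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        conn.settimeout(3.0)
        data = b""
        try:
            conn.sendall(BANNERS[self.service])
            try:
                data = conn.recv(256)     # enough for a client banner or request line
            except (socket.timeout, OSError):
                pass
        except OSError:
            pass
        finally:
            conn.close()                  # nothing further is offered to the peer
        event = {
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "service": self.service,
            "dst_port": self.port,
            "src_ip": peer[0],
            "src_port": peer[1],
            "first_bytes": data[:64].decode("latin-1"),
            "severity": "high",           # no legitimate client should ever be here
        }
        with self._cond:
            self.events.append(event)
            self._cond.notify_all()

    def wait_for_events(self, count, timeout=5.0):
        """Block until at least `count` events exist; True on success."""
        with self._cond:
            return self._cond.wait_for(lambda: len(self.events) >= count, timeout)

    def close(self):
        self._sock.close()


def probe(port, payload=b"", host="127.0.0.1"):
    """Constructed local client: connect, read the banner, optionally send bytes."""
    with socket.create_connection((host, port), timeout=5) as c:
        banner = c.recv(256)
        if payload:
            c.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = LowInteractionHoneypot("ssh", port=2222)   # assumption: unprivileged port is fine
    print(f"fake SSH listening on 127.0.0.1:{hp.port}; connect to it, then Ctrl-C")
    try:
        while hp.wait_for_events(len(hp.events) + 1, timeout=60):
            print(json.dumps(hp.events[-1]))        # each line is an alert to forward to the SIEM
    except KeyboardInterrupt:
        hp.close()
```

Run it and connect with any SSH client to see a JSON event per connection. Forwarding those events to a SIEM is the whole integration: because the port has no legitimate users, no correlation or thresholding is needed before alerting.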

Honeynet — A Network of Honeypots

A honeynet is a network of interconnected honeypots that creates a realistic-looking environment — multiple servers with different roles (web server, database, file server, domain controller) that an attacker can move between laterally. Honeynets are used primarily for threat intelligence research. By observing how attackers move through the honeynet, what tools they use, and what they're ultimately after, security researchers gain detailed insight into current attack campaigns and techniques. The Honeynet Project is the leading open-source honeypot research organisation and publishes threat intelligence derived from global honeynet deployments.

Canary Tokens and Honeyfiles

A honeyfile (or canary file) is a file placed in a file share or database that looks valuable — a file named passwords.xlsx or customer_data.csv — but contains no real data. When anyone opens or downloads the file, an alert is triggered. Any access to a honeyfile is almost certainly unauthorised — a legitimate user doesn't need to open a file called passwords.xlsx that isn't in any documented workflow. Honeyfiles are highly effective for detecting insider threats and attackers who have already established a foothold and are searching for data to exfiltrate.

Canary tokens extend this concept beyond files. A canary token can be embedded in a document (a unique URL that phones home when the document is opened), a web page, an email, a database record, or even source code. Each token is unique — when triggered, the alert identifies exactly which token was accessed, from what IP address, at what time. Tools like canarytokens.org make it trivial to deploy canary tokens across an environment. Detecting the activation of a canary token in a shared drive is a reliable indicator that an insider is searching for sensitive data or an attacker has already compromised a user account.

Honeypot Types by Purpose

Beyond the low/high interaction distinction, honeypots are categorised by what they're designed to detect. Research honeypots are deployed by security researchers and threat intelligence teams to study attacker behaviour, capture malware samples, and understand current attack campaigns. They're typically high-interaction, heavily monitored, and isolated from production networks. The data they collect — attack tools, techniques, command-and-control infrastructure — feeds threat intelligence reports that help the broader security community. Production honeypots are deployed within or alongside production networks to detect attacks against the organisation specifically. They're lower interaction, focused on early detection rather than intelligence gathering, and trigger immediate alerts when accessed.

Database honeypots are fake database servers containing fabricated but realistic-looking data — customer records, financial data, user credentials — placed on the internal network. An attacker who compromises the network and searches for databases will find the honeypot first. Any connection to the honeypot database is an immediate high-fidelity alert. Credential honeypots are fake user accounts (often named something like "admin-backup" or "svc-backup") with realistic-looking credentials, planted in legitimate-looking places such as fake IT documentation. If anyone ever authenticates with these credentials, it means someone has accessed those documents and extracted the credentials, indicating a breach.
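The honeyfile, canary-token and credential-honeypot sections above all rely on the same mechanism: each decoy carries a unique identifier, and a lookup on that identifier turns an otherwise ordinary event (a file open, an HTTP request, a logon) into a high-fidelity alert that names the decoy that fired. The Python below is an added example (not the article's code and not canarytokens.org's implementation) of such a decoy registry together with the matching logic, run over a constructed set of events. `CALLBACK_HOST`, the share paths, account names and event records are all assumptions made up for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

CALLBACK_HOST = "canary.example.internal"   # assumption: a host you control that receives token hits


@dataclass(frozen=True)
class Decoy:
    token: str      # unique id; on a hit it tells you exactly which decoy fired
    kind: str       # "honeyfile", "canary_url" or "decoy_credential"
    location: str   # where it was planted: a share path, a document, an account name
    owner: str      # team to notify


def _norm_path(path: str) -> str:
    """Windows share paths are case-insensitive and arrive with mixed slashes."""
    return path.replace("/", "\\").lower()


class DecoyRegistry:
    def __init__(self):
        self._by_token = {}
        self._by_path = {}
        self._by_user = {}

    def deploy_honeyfile(self, path, owner):
        d = Decoy(secrets.token_hex(8), "honeyfile", path, owner)
        self._by_token[d.token] = d
        self._by_path[_norm_path(path)] = d
        return d

    def deploy_canary_url(self, embedded_in, owner):
        """Returns the decoy and the unique URL to embed in a document or page."""
        d = Decoy(secrets.token_hex(8), "canary_url", embedded_in, owner)
        self._by_token[d.token] = d
        return d, f"https://{CALLBACK_HOST}/t/{d.token}"

    def deploy_decoy_credential(self, username, planted_in, owner):
        d = Decoy(secrets.token_hex(8), "decoy_credential",
                  f"{username} (planted in {planted_in})", owner)
        self._by_token[d.token] = d
        self._by_user[username.lower()] = d
        return d

    def match(self, event) -> Optional[Decoy]:
        """Return the decoy an event touched, or None for ordinary traffic."""
        if event["type"] == "file_access":
            return self._by_path.get(_norm_path(event["path"]))
        if event["type"] == "http":
            prefix = "/t/"
            if event["path"].startswith(prefix):
                return self._by_token.get(event["path"][len(prefix):])
            return None
        if event["type"] == "logon":
            return self._by_user.get(event["user"].lower())
        return None


def alerts_from_events(registry, events):
    """Only events that touch a registered decoy become alerts; nothing else is inspected."""
    alerts = []
    for ev in events:
        d = registry.match(ev)
        if d is None:
            continue
        alerts.append({
            "ts": ev["ts"],
            "kind": d.kind,
            "token": d.token,
            "decoy": d.location,
            "actor": ev.get("user") or ev.get("src_ip"),
            "source": ev.get("host") or ev.get("src_ip"),
            "notify": d.owner,
            "severity": "high",   # legitimate users never touch a decoy
        })
    return alerts


def demo():
    """Constructed scenario: three decoys, five events, three of which are hits."""
    reg = DecoyRegistry()
    reg.deploy_honeyfile(r"\\fs01\finance\passwords.xlsx", "soc")
    _, url = reg.deploy_canary_url("it-runbook.docx", "soc")
    reg.deploy_decoy_credential("svc-backup", "it-runbook.docx", "soc")
    token_path = url.split(CALLBACK_HOST, 1)[1]   # "/t/<token>", as the callback server sees it
    events = [  # constructed file-audit, web-server and logon records
        {"type": "file_access", "ts": "2026-03-04T09:12:03Z", "host": "ws-117", "user": "jdoe",
         "path": r"\\fs01\finance\Q1_report.xlsx"},
        {"type": "file_access", "ts": "2026-03-04T09:15:41Z", "host": "ws-117", "user": "jdoe",
         "path": "//FS01/Finance/PASSWORDS.XLSX"},
        {"type": "http", "ts": "2026-03-04T09:16:02Z", "src_ip": "10.0.5.117", "path": token_path},
        {"type": "http", "ts": "2026-03-04T09:16:30Z", "src_ip": "10.0.5.20", "path": "/favicon.ico"},
        {"type": "logon", "ts": "2026-03-04T09:20:55Z", "host": "dc01", "user": "SVC-BACKUP",
         "src_ip": "10.0.5.117"},
    ]
    return alerts_from_events(reg, events)


if __name__ == "__main__":
    for a in demo():
        print(a)
```

The three hits in `demo()` come from one workstation, which is the pattern the article describes: a foothold on ws-117 opens the honeyfile, the embedded URL phones home, and the credentials lifted from the runbook are tried against the domain controller. Because the match is an exact lookup on a path, token or account name, the detector produces no alert for the ordinary report access or the favicon request.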

Deception Technology at Scale

Modern deception technology platforms (Attivo Networks, Illusive Networks, Cymulate) automate honeypot deployment at scale across the entire network. Rather than a few manually configured honeypots, these platforms deploy decoy systems, accounts, credentials, and files across every subnet — making deception pervasive. An attacker performing lateral movement in such an environment has a high probability of interacting with a decoy before reaching real assets. The decoy interaction triggers an immediate, high-confidence alert — far more actionable than SIEM correlations that might have dozens of legitimate-looking events mixed in. Deception technology represents an evolution of the honeypot concept from individual systems to an organisation-wide detection layer.

Honeypot Legal and Ethical Considerations

Honeypots operate in a legal grey area that the Security+ exam occasionally touches. Deploying a honeypot on your own network to detect intruders is legal and unambiguous. The concern arises with entrapment — can an organisation be held liable for luring attackers into committing crimes against the honeypot? In practice, honeypots are considered legal as long as they don't actively solicit attacks (they're passive — attackers discover them through their own scanning) and the organisation doesn't manufacture the criminal intent. The attacker chose to probe and attack the honeypot; the organisation merely made a target available. Always consult legal counsel before deploying high-interaction honeypots that might be used as evidence in prosecution.

Honeypot Placement Strategy

Where a honeypot is placed determines what activity it detects. A honeypot in the DMZ detects inbound attacks from the internet. A honeypot on the internal network detects lateral movement from an already-compromised internal host or a malicious insider — any internal system that connects to an internal honeypot is exhibiting suspicious behaviour. Placing honeypots in each VLAN segment provides early detection of lateral movement as attackers hop between segments. The key principle: legitimate traffic never touches a honeypot, so any interaction is an alert worth investigating immediately.

Exam Scenarios

A security team wants to detect attackers who have already established an internal foothold and are performing reconnaissance. What technology should they deploy on internal network segments?
Answer: Internal honeypots. An attacker performing internal reconnaissance will scan IP ranges and attempt to identify interesting systems. Honeypots on the internal network generate alerts the moment a compromised host or attacker scans them. Because no legitimate traffic touches internal honeypots, any connection attempt is a high-fidelity indicator of internal reconnaissance.
A security engineer places a file named "employee_salaries_2026.xlsx" in a shared drive, containing fake data with a tracking URL embedded. What type of control is this?
Answer: A honeyfile (canary token). This is a deception technology used to detect unauthorised access to sensitive-looking files. When anyone opens the file, the embedded URL makes a network request that triggers an alert identifying who accessed it. Any access to this file is suspicious — legitimate users have no documented need for this file.
A researcher wants to observe attacker behaviour after full system compromise to understand their tools and techniques. Which type of honeypot is most appropriate?
Answer: A high-interaction honeypot running a real OS. Low-interaction honeypots only emulate services — they limit what an attacker can do and therefore limit what can be observed. A high-interaction honeypot allows full compromise, revealing the attacker's actual post-exploitation tools, privilege escalation techniques, and objectives. The trade-off is higher risk — the honeypot must be carefully isolated to prevent the attacker from pivoting to real systems.