Honeypot
A honeypot is a computer system deliberately exposed to attract, observe and record the actions of an attacker. Built to look like a legitimate resource such as a server, database, workstation or application service, it actually serves no productive function and is unknown to any authorized user. That founding principle is its strength: since no one has a valid reason to touch it, every interaction is by definition abnormal and worth investigating. A honeypot therefore turns the silence of a fake asset into a very high-fidelity detection signal, with a false-positive rate close to zero.
How it works
A honeypot is instrumented end to end: every connection, request, authentication attempt and executed command is logged and raises an alert. Unlike an IDS or antivirus, which must separate malicious activity from a large volume of legitimate traffic, a honeypot carries no normal traffic at all. The detection logic is consequently binary and robust: interaction means the presence of an actor who should not be there, whether an external attacker, internal lateral movement or automated reconnaissance. In practice the only legitimate touches are your own vulnerability scanners, monitoring probes and inventory tools; allowlist those sources explicitly, or they become the honeypot's one recurring source of false alarms.
To be reached, a honeypot must be discovered by the adversary. It is therefore exposed in the areas attackers naturally explore, and clues are sometimes planted to lead them in:
- Breadcrumbs: stored credentials, configuration entries, network shares or command-history artifacts that quietly point toward the decoy.
- Honeytokens scattered across real assets, acting as portable bait that fires an alert the moment they are used.
- Realistic exposed services (SSH, RDP, SMB, databases, APIs) with credible banners and behavior to sustain the illusion.
- Placement aligned with likely attack paths, from the DMZ through the internal network to sensitive segments.
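As an added example (not Trapster's code and not part of the original page), the following Python script shows both halves of the logic described above: any connection to a decoy address is an alert unless it comes from an allowlisted scanner, and any use of a planted honeytoken credential is an alert wherever it is used, even against a real host. The addresses, usernames, planting locations and log lines are constructed for the example, and the flow-log and auth-log formats are simplified stand-ins for whatever your firewall and sshd actually emit.

```python
import re
import secrets
from dataclasses import dataclass

# Hypothetical inventory (assumption: addresses and names are constructed for
# this example, not real infrastructure).
DECOY_HOSTS = {"10.20.0.50", "10.20.0.51"}   # honeypot addresses nobody should touch
AUTHORIZED_SCANNERS = {"10.20.0.5"}          # vulnerability scanner / monitoring: the one
                                             # legitimate source of decoy traffic
# Honeytoken registry: one unique credential per breadcrumb, so an alert also
# tells you which planted artifact the attacker found.
HONEYTOKENS = {
    "svc_backup_ro_7f3a": "fileserver01:/it/scripts/backup.cfg",
    "dbadmin_legacy_c0de": "wiki page 'Legacy DB access'",
}


def mint_honeytoken(base: str, planted_at: str) -> str:
    """Create a new bait username with a random suffix and register where it
    was planted; the suffix makes every breadcrumb individually traceable."""
    name = f"{base}_{secrets.token_hex(2)}"
    HONEYTOKENS[name] = planted_at
    return name


@dataclass
class Alert:
    kind: str      # "decoy_interaction" or "honeytoken_use"
    source: str
    target: str
    detail: str


# Constructed log formats used below:
#   flow log : "<ts> fw flow src=<ip> dst=<ip> dport=<port> proto=<proto>"
#   auth log : "<ts> <host> sshd[<pid>]: Failed|Accepted password for [invalid user ]<user> from <ip> ..."
FLOW_RE = re.compile(r"flow src=(\S+) dst=(\S+) dport=(\d+)")
AUTH_RE = re.compile(
    r"^\S+ (\S+) sshd\[\d+\]: (?:Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)"
)


def analyze(lines):
    """Return one Alert per suspicious line. No scoring, no thresholds: a decoy
    has no legitimate users, so a single event is enough."""
    alerts = []
    for line in lines:
        m = FLOW_RE.search(line)
        if m:
            src, dst, dport = m.groups()
            if dst in DECOY_HOSTS and src not in AUTHORIZED_SCANNERS:
                alerts.append(Alert("decoy_interaction", src, dst, f"tcp/{dport}"))
            continue
        m = AUTH_RE.match(line)
        if m:
            host, user, src = m.groups()
            if user in HONEYTOKENS:
                # The token fires wherever it is used, even against a real host,
                # and the registry says which breadcrumb leaked.
                alerts.append(Alert("honeytoken_use", src, host,
                                    f"user={user} planted_at={HONEYTOKENS[user]}"))
    return alerts


# Constructed sample: an authorized scan, a workstation probing the decoy, the
# same workstation reaching a real file server, a bait credential tried against
# a real database host, and a normal login.
SAMPLE_LOGS = [
    "2024-05-02T10:14:03Z fw flow src=10.20.0.5 dst=10.20.0.50 dport=22 proto=tcp",
    "2024-05-02T10:15:41Z fw flow src=10.20.1.77 dst=10.20.0.50 dport=445 proto=tcp",
    "2024-05-02T10:15:42Z fw flow src=10.20.1.77 dst=10.20.0.10 dport=445 proto=tcp",
    "2024-05-02T10:16:10Z db01 sshd[4123]: Failed password for invalid user svc_backup_ro_7f3a from 10.20.1.77 port 51122 ssh2",
    "2024-05-02T10:16:30Z db01 sshd[4130]: Accepted password for alice from 10.20.1.20 port 51200 ssh2",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

Running the script yields exactly two alerts, both pointing at 10.20.1.77: the SMB probe of the decoy and the use of the bait account planted in the backup script. The scanner's SSH connection and the real file-server access produce nothing, which is the whole point of keeping the allowlist small and explicit.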
Types and network placement
Honeypots are traditionally classified by their level of interaction. A low-interaction honeypot emulates only the surface of a service: it answers a handful of requests, captures the first actions and carries little risk, but offers limited observational depth. A high-interaction honeypot exposes a real operating system or application, capturing the attacker's full behavior and tooling at the cost of a far greater compromise risk to be managed. The choice is a trade-off between intelligence richness and exposure.
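As an added example, not code from Trapster or from the original page, here is a minimal low-interaction HTTP decoy in Python. It answers every request with a credible 401 and a fixed Server banner, records the method, path, User-Agent and any Basic-auth credential tried, and never executes anything. The banner, realm, port and the request bytes used in the usage note are hypothetical choices made for this example; the emulation deliberately ends at the first exchange, which is exactly the limited observational depth the paragraph describes.

```python
import base64
import json
import socketserver
from datetime import datetime, timezone

# Hypothetical presentation values: pick ones that match the real hosts around
# the decoy, since an odd banner is an easy fingerprint.
SERVER_BANNER = "Apache/2.4.57 (Debian)"
REALM = "Internal Admin"


def parse_request(raw: bytes):
    """Parse the request line and headers of an HTTP/1.x request.
    Returns (method, path, headers) or None when the bytes are not HTTP,
    which is itself worth recording (wrong protocol against a fake service)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for h in lines[1:]:
        if ":" in h:
            k, v = h.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return parts[0], parts[1], headers


def extract_basic_auth(headers):
    """Return (user, password) from an HTTP Basic Authorization header, or None."""
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8", "replace")
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    user, _, password = decoded.partition(":")
    return user, password


def handle_request(raw: bytes, peer: str):
    """Low-interaction core: log everything, answer shallowly, execute nothing.
    Returns (event, response_bytes); an empty response means 'close silently'."""
    event = {"ts": datetime.now(timezone.utc).isoformat(), "src": peer, "bytes": len(raw)}
    parsed = parse_request(raw)
    if parsed is None:
        event.update(kind="non_http", sample=raw[:64].hex())
        return event, b""
    method, path, headers = parsed
    event.update(kind="http", method=method, path=path,
                 user_agent=headers.get("user-agent", ""))
    creds = extract_basic_auth(headers)
    if creds:
        event["username"], event["password"] = creds   # the tested credential is the intelligence
    body = b"<html><body><h1>401 Unauthorized</h1></body></html>"
    response = (
        "HTTP/1.1 401 Unauthorized\r\n"
        f"Server: {SERVER_BANNER}\r\n"
        f'WWW-Authenticate: Basic realm="{REALM}"\r\n'
        "Content-Type: text/html\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n\r\n"
    ).encode() + body
    return event, response


class DecoyHandler(socketserver.BaseRequestHandler):
    """One connection in, one event out: read a single buffer, never loop."""
    def handle(self):
        self.request.settimeout(5)
        try:
            raw = self.request.recv(8192)
        except OSError:
            raw = b""
        event, response = handle_request(raw, self.client_address[0])
        print(json.dumps(event))          # stand-in for shipping the event to the SIEM
        if response:
            self.request.sendall(response)


def serve(bind="0.0.0.0", port=8080):
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer((bind, port), DecoyHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Feeding `handle_request` a constructed request such as `GET /admin HTTP/1.1` with `Authorization: Basic YWRtaW46UGFzc3cwcmQh` (the Base64 of `admin:Passw0rd!`) produces an event carrying the path, the User-Agent and the tried username and password, plus a 401 that looks like the banner you configured. Bytes that are not HTTP at all, for example an SSH client banner sent to this port, are logged as `non_http` with a hex sample and the connection is closed without a reply. Everything an attacker sees is canned; nothing they send is interpreted, which is why this style of decoy is cheap to run but reveals only the opening moves.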
Placement determines the value of the signal. At the perimeter or in the DMZ, a honeypot records scans and opportunistic probing from the internet. Inside the network, among production assets, it becomes a lateral-movement detector: an attacker already inside who maps the domain will eventually probe the decoy. The honeypot belongs to a broader family of deception lures alongside the decoy, the canary token and the honeytoken, which together cover files, credentials, services and entire hosts.
Detection value, intelligence and risks
The primary value of a honeypot is early, reliable detection: it often alerts before real damage occurs, in places where perimeter tools are blind. It also yields first-hand intelligence: source addresses, tested credentials, deployed tooling, and observed tactics and techniques, all feeding incident response and threat hunting. The concept dates back to foundational work in the 1990s, popularized by Lance Spitzner and the Honeynet Project, and remains a pillar of modern cyber-deception strategies.
The main risk lies in isolation. A poorly contained high-interaction honeypot can be hijacked by the attacker to pivot toward real systems or used as a staging point for outbound attacks. Strict network segmentation, continuous monitoring and default-deny egress filtering from the decoy segment are therefore essential. A decoy that is too generic or badly maintained also risks being fingerprinted as fake (an implausible banner, a service with no data behind it, default emulator artifacts), losing its credibility against a sophisticated adversary.
With Trapster
Trapster, an open-source-rooted deception platform, deploys honeypots and decoys across the whole network, from the perimeter to internal segments, and ties them to breadcrumbs and honeytokens on real assets to steer attackers toward the traps. Every interaction with a fake asset is converted into a qualified, low-noise alert, letting SOC teams catch scans, unauthorized access and lateral movement without drowning analysts in false positives.
From theory to detection
See how Trapster deploys honeypots, decoys and honeytokens across your network to turn every suspicious interaction into a reliable alert.
30-min demo, no commitment · Hosted in France