Honeypot
A deliberately exposed decoy system mimicking real assets to attract attackers, detect intrusion attempts and gather data about attack techniques.
What is a Honeypot?
A honeypot is a system or service deliberately deployed on a network as a decoy for attackers. It mimics a real asset (a web server, a database, a PLC, an IoT device) but performs no production function, so no legitimate user or process has a reason to connect to it. Any interaction with it is therefore suspicious by default, which makes honeypot alerts unusually high-signal; the main benign sources are the organisation's own vulnerability scanners and asset-discovery tools, which should be allow-listed so that every remaining hit is worth investigating.
Honeypots are divided into two categories by interaction level. Low-interaction honeypots emulate only selected services (e.g. an open SSH port that presents a fake banner) and serve primarily to detect scanning and brute-force attempts; they are cheap and safe to run, but an attacker who probes beyond the emulated surface can recognise them as decoys. High-interaction honeypots are full operating systems with real services, allowing the attacker much deeper interaction, which yields richer telemetry about tools and techniques. Because the attacker gets a real foothold, a high-interaction honeypot must be isolated from production (strict egress filtering, no shared credentials or trust relationships) so that a compromised decoy cannot be used as a pivot.
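As an added example (not code from the original page or from any honeypot project), the following is a minimal low-interaction SSH honeypot of the kind described above: it answers with a fake server banner, records the client's identification string and source address as a structured event, and closes. No key exchange is implemented, so it never sees credentials; its value is that nothing legitimate should ever talk to this port. The decoy banner, the listen port and the sample client strings in the demo are assumptions.

```python
"""Minimal low-interaction SSH banner honeypot (added example).

Records who connects and what SSH client they claim to be (RFC 4253
section 4.2 identification string). The banner, port and demo inputs
are assumed values, not taken from the original page.
"""
import json
import re
import socket
import threading
import time
from typing import Optional

FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n"  # assumed decoy banner
LISTEN = ("0.0.0.0", 2222)                                     # assumed decoy port

# RFC 4253 4.2: "SSH-" protoversion "-" softwareversion [SP comments] CR LF
_IDENT_RE = re.compile(
    rb"^SSH-(?P<proto>[0-9.]+)-(?P<soft>[^ \r\n]+)(?: (?P<comments>[^\r\n]*))?\r?\n"
)


def parse_ssh_identification(data: bytes) -> Optional[dict]:
    """Parse the client's identification string; None if it is not SSH at all."""
    m = _IDENT_RE.match(data)
    if not m:
        return None
    return {
        "protoversion": m.group("proto").decode("ascii", "replace"),
        "softwareversion": m.group("soft").decode("ascii", "replace"),
        "comments": (m.group("comments") or b"").decode("ascii", "replace"),
    }


def handle_client(conn, peer, events: list, timeout: float = 5.0) -> dict:
    """Serve one connection and append a structured event to `events`.

    `conn` only needs settimeout/sendall/recv/close, so the function works
    with a real socket or with the FakeConn harness below. Event kinds:
      "ssh-client"   - peer sent a well-formed SSH identification string
      "non-ssh"      - peer sent something else (e.g. an HTTP probe)
      "connect-only" - peer connected and sent nothing (typical port scan)
    """
    event = {"ts": time.time(), "src_ip": peer[0], "src_port": peer[1], "kind": "connect-only"}
    try:
        conn.settimeout(timeout)
        conn.sendall(FAKE_BANNER)
        data = conn.recv(255)  # an identification string is at most 255 bytes
        if data:
            ident = parse_ssh_identification(data)
            if ident:
                event["kind"] = "ssh-client"
                event["client"] = ident
            else:
                event["kind"] = "non-ssh"
                event["raw"] = data[:64].hex()
    except OSError:  # includes socket timeouts
        pass
    finally:
        conn.close()
    events.append(event)
    print(json.dumps(event))  # in practice: forward to the SIEM as an alert
    return event


class FakeConn:
    """Offline stand-in for a socket, used by the demo and by tests."""

    def __init__(self, payload: bytes):
        self.payload, self.sent, self.closed = payload, b"", False

    def settimeout(self, t):
        pass

    def sendall(self, b):
        self.sent += b

    def recv(self, n):
        chunk, self.payload = self.payload[:n], self.payload[n:]
        return chunk

    def close(self):
        self.closed = True


def serve(bind=LISTEN):
    """Accept connections forever; every one of them is an alert."""
    events: list = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(bind)
        srv.listen(16)
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=handle_client, args=(conn, peer, events), daemon=True).start()


if __name__ == "__main__":
    # Offline demo with constructed client inputs (assumed, not captured data).
    demo_events: list = []
    handle_client(FakeConn(b"SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13\r\n"), ("203.0.113.5", 40000), demo_events)
    handle_client(FakeConn(b"GET / HTTP/1.1\r\n\r\n"), ("203.0.113.6", 40001), demo_events)
    handle_client(FakeConn(b""), ("203.0.113.7", 40002), demo_events)
```

Run `serve()` to listen for real; the `__main__` demo only exercises the handler offline. Because the decoy never completes a key exchange, an attacker's tooling will usually move on after the banner, which is enough to record the scan, the source and the client software, and to raise an alert that no production host would ever generate.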
In OT environments, specialist industrial honeypots (e.g. Conpot, or ICS simulation frameworks such as GRFICSv2) are used to emulate PLCs, industrial protocols such as Modbus/TCP and Siemens S7comm, and HMI interfaces. They enable detection of reconnaissance and attacks targeting industrial infrastructure, which is particularly valuable because a write or a device-identification query against a decoy PLC has no legitimate explanation.
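As an added example (not code from the original page, nor from Conpot or GRFICSv2), here is a tiny Modbus/TCP decoy of the kind an industrial honeypot provides: it parses the MBAP header and PDU, serves a fake holding-register map for function 0x03, refuses everything else with a Modbus exception, and logs every request with a severity that is raised for writes and device-identification queries. The register values, the severity list, the listen port and the demo frames are assumptions.

```python
"""Modbus/TCP decoy that answers like a small PLC (added example).

Frame layout: MBAP header (transaction id, protocol id, length, unit id)
followed by a PDU (function code + data). Register map, severity list,
port and demo frames are assumed values, not taken from the original page.
"""
import json
import socket
import struct
from typing import Optional

FUNCTION_NAMES = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x2B: "Encapsulated Interface Transport (incl. Read Device Identification)",
}
# Writes and device-identification reads against a decoy are strong signals (assumed policy).
HIGH_SEVERITY = {0x05, 0x06, 0x0F, 0x10, 0x2B}

# Assumed fake register map: plausible-looking setpoint / process values.
REGISTERS = {0: 0x1234, 1: 0x5678, 2: 0x0BB8, 3: 0x03E8}

ILLEGAL_FUNCTION = 0x01
ILLEGAL_DATA_ADDRESS = 0x02


def parse_frame(frame: bytes) -> Optional[dict]:
    """Split a Modbus/TCP frame into MBAP fields and PDU; None if malformed."""
    if len(frame) < 8:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:  # length counts unit id + PDU
        return None
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}


def _wrap(tid: int, unit: int, pdu: bytes) -> bytes:
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def _exception(tid: int, unit: int, function: int, code: int) -> bytes:
    return _wrap(tid, unit, bytes([function | 0x80, code]))


def handle_request(frame: bytes, src_ip: str, events: list) -> Optional[bytes]:
    """Log the request as an event and return the response frame (None = drop)."""
    req = parse_frame(frame)
    if req is None:
        events.append({"src_ip": src_ip, "kind": "malformed", "raw": frame.hex()})
        return None
    fc = req["function"]
    event = {
        "src_ip": src_ip,
        "unit": req["unit"],
        "function": fc,
        "function_name": FUNCTION_NAMES.get(fc, "unknown"),
        "severity": "high" if fc in HIGH_SEVERITY else "medium",
    }
    events.append(event)
    print(json.dumps(event))  # in practice: forward to the SIEM as an alert

    if fc == 0x03 and len(req["data"]) == 4:
        start, qty = struct.unpack(">HH", req["data"])
        wanted = range(start, start + qty)
        if not 1 <= qty <= 125 or any(a not in REGISTERS for a in wanted):
            return _exception(req["tid"], req["unit"], fc, ILLEGAL_DATA_ADDRESS)
        values = b"".join(struct.pack(">H", REGISTERS[a]) for a in wanted)
        return _wrap(req["tid"], req["unit"], bytes([fc, len(values)]) + values)
    # Everything else, including writes, is refused but has already been logged.
    return _exception(req["tid"], req["unit"], fc, ILLEGAL_FUNCTION)


def serve(bind=("0.0.0.0", 5020)):
    """Run the decoy; 5020 is assumed so it runs unprivileged (real PLCs use 502)."""
    events: list = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(bind)
        srv.listen(8)
        while True:
            conn, peer = srv.accept()
            with conn:
                frame = conn.recv(260)  # maximum Modbus/TCP ADU size
                if frame:
                    resp = handle_request(frame, peer[0], events)
                    if resp:
                        conn.sendall(resp)


if __name__ == "__main__":
    # Offline demo with constructed frames: a read of two registers, then a write attempt.
    demo: list = []
    handle_request(bytes.fromhex("000100000006010300000002"), "198.51.100.9", demo)
    handle_request(bytes.fromhex("0002000000060106000000ff"), "198.51.100.9", demo)
```

The read succeeds so that a scanner sees a live device and keeps talking; the write is refused with "Illegal Function" but is the event that matters, since nothing legitimate writes to a PLC that does not exist.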
Why does it matter?
Honeypots provide early warning of attacker activity inside the network, frequently during reconnaissance or lateral movement, before production systems are touched. They also yield threat intelligence: which tools attackers use, which vulnerabilities they try to exploit, and which source addresses they operate from. In OT environments, honeypots can detect industrial protocol reconnaissance that traditional detection systems may miss. The value depends on two things that are easy to neglect: the decoy must be placed where an attacker moving through the network will actually find it, and its alerts must be routed to someone who acts on them.