Honeypot Decoys and Protocol Coverage
30 protocol surfaces with high-interaction deception coverage.
Deploy believable service-level decoys across exposed attack surfaces. With 30 protocol profiles, teams can detect reconnaissance, credential abuse, and lateral movement attempts earlier with interaction-rich telemetry.
Honeypot Protocol Coverage
Comprehensive honeypot protocols organized by interaction level
High Interaction Protocols (21 protocols)
CWMP (7547/TCP): Detect unauthorized CWMP/TR-069 requests, authentication attempts, and suspicious CPE management actions
Docker API (2375-2376/TCP): Detect unauthorized Docker daemon API access and suspicious container/image operation requests
Elasticsearch (9200/TCP): Detect unauthorized API queries, index enumeration, and exposed search-cluster access attempts
FTP (21/TCP): Detect FTP credential attacks and suspicious upload/download activity on decoy file services
Git (9418/TCP): Detect repository enumeration and unauthorized clone/fetch activity against decoy Git services
IMAP (143/TCP): Detect IMAP authentication attempts and suspicious mailbox-command activity
Kubernetes API (6443/TCP): Detect unauthorized token use, API discovery, and suspicious Kubernetes resource operations
LDAP (389/TCP): Detect LDAP bind attempts, directory enumeration, and suspicious search activity
Memcached (11211/TCP): Detect unauthorized cache commands, key enumeration, and amplification-abuse probing
MongoDB (27017/TCP): Detect MongoDB authentication attempts, command/query activity, and unauthorized access behavior
MQTT (1883/TCP): Detect MQTT broker authentication attempts, topic abuse, and suspicious publish/subscribe activity
POP3 (110/TCP): Detect POP3 authentication attempts and suspicious message-retrieval commands
PostgreSQL (5432/TCP): Detect PostgreSQL authentication attempts, SQL execution, and suspicious database operations
Redis (6379/TCP): Detect Redis authentication attempts and suspicious command execution on decoy instances
S3 Bucket (443/TCP): Detect unauthorized S3 bucket/object enumeration and access attempts with credential artifacts
SMB (445/TCP): Detect SMB authentication attempts, share enumeration, and suspicious file operation behavior
SMPP (2775/TCP): Detect SMPP bind/login attempts and suspicious message-gateway command traffic
SNMP (161/UDP): Detect SNMP community-string probing, OID enumeration, and network device reconnaissance
SSH (22/TCP): Detect SSH brute-force/login attempts and interactive command activity on decoy hosts
Telnet (23/TCP): Detect Telnet weak-credential attacks and interactive command activity common in IoT scanning
VNC (5900/TCP): Detect VNC authentication attempts and capture interactive session behavior on decoy desktops
Medium Interaction Protocols (2 protocols)
HTTP (80/TCP): Detect web scanning, credential submission, and suspicious file-access behavior on decoy web endpoints
HTTPS (443/TCP): Detect suspicious HTTPS requests, credential attempts, and probing against encrypted decoy web services
Low Interaction Protocols (7 protocols)
DNS (53/TCP+UDP): Detect suspicious DNS queries, tunneling patterns, and resolver reconnaissance activity
MSSQL (1433/TCP): Detect MSSQL login attempts and suspicious TDS client interactions
MySQL (3306/TCP): Detect MySQL login attempts and unauthorized client session activity
NTP (123/UDP): Detect NTP query abuse, amplification patterns, and time-service reconnaissance
RDP (3389/TCP): Detect RDP credential attacks and remote-desktop reconnaissance activity
SIP (5060/UDP): Detect SIP registration/invite probing, authentication attempts, and VoIP service reconnaissance
TFTP (69/UDP): Detect TFTP read/write attempts for firmware and configuration files
Who Uses Honeypot Decoys Most
SOC analysts triaging suspicious access paths
Threat hunters mapping adversary behavior
Blue teams validating exposed protocol risk
Security engineering teams improving detection quality
What This Solves
Reconnaissance goes unnoticed
Service-level decoys expose probing behavior before attackers reach high-value production systems.
Credential and protocol abuse detection lags
Interactive decoy sessions provide stronger indicators when adversaries attempt authentication, enumeration, or command execution.
Limited visibility into attacker tradecraft
Session-level interactions reveal behavior patterns that improve detection tuning and response readiness.
What You Gain
Earlier warning on active adversaries
Detect adversary activity at the deception layer before compromise paths expand.
Higher confidence investigation inputs
Use captured interaction context to prioritize incidents and guide containment.
Actionable protocol exposure insights
Identify where adversaries are testing, probing, and attempting access in your environment.
Honeypot Capabilities
30 supported protocol profiles
Cover common enterprise service surfaces across network, web, data, and infrastructure pathways.
High-interaction service decoys
Present believable interactions that capture adversary behavior, not only connection metadata.
Protocol-aware telemetry capture
Collect session and interaction context useful for triage, detection engineering, and response.
Adaptive controls per honeypot and service
Tune behavior at the service level to match your policy and operational goals for each deployed decoy.
Campaign clusters from honeypot telemetry
Correlate recurring attacker behavior across events to reveal coordinated activity over time.
Stage-aware interaction intelligence
Understand how adversaries progress from probing to deeper interaction so teams can prioritize response.
How It Works (High-Level)
1. Choose protocol surfaces to emulate
Select service areas where attacker interest is most likely or most damaging.
2. Deploy believable decoys
Position decoys where probing and unauthorized access attempts are likely to occur.
3. Observe interaction behavior
Capture telemetry from sessions, commands, and protocol-specific actions in real time.
4. Route, triage, and iterate
Use high-signal events to investigate quickly and refine deception placement over time.
Deployment Options (High-Level)
Edge-facing exposure points
Place decoys where external reconnaissance and opportunistic scanning typically begin.
Internal segmentation boundaries
Detect lateral movement and credential misuse inside trusted zones.
Hybrid enterprise estates
Coordinate coverage across mixed infrastructure while keeping one operational view.
How Teams Use This
Edge reconnaissance trap
Place decoys on exposed protocol surfaces and route first-touch events into SOC triage to accelerate investigation start time.
Lateral movement watch
Deploy internal decoys at segmentation boundaries to reveal credential misuse and east-west probing before production impact.
Detection engineering feedback loop
Use stage-aware interaction intelligence from decoys to tune detections, then validate improvements with new attacker interactions.
Campaign-level visibility
Group repeated honeypot behavior into campaign clusters to prioritize recurring activity and reduce analyst noise.
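To make the "stage-aware interaction intelligence" and "campaign clusters" ideas above concrete, here is an added Python example. It is not the vendor's code and says nothing about how the product itself implements these features. It assumes a simple per-event schema (ts, src, proto, action, with optional user, password and detail fields), an assumed four-stage taxonomy (probe, credential, enumeration, interaction), and an assumed linking rule: two source addresses are folded into one campaign when they reuse the same credential pair against the decoys. The event records are constructed samples, not real captures.

```python
"""Stage-aware triage and campaign clustering over decoy session events.

Added example, not the product's own code. The event schema, the stage
taxonomy and the credential-reuse linking rule are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample telemetry (documentation addresses, not real captures).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2024-05-01T10:00:01Z", "src": "203.0.113.5", "proto": "ssh", "action": "connect"},
    {"ts": "2024-05-01T10:00:02Z", "src": "203.0.113.5", "proto": "ssh", "action": "auth_fail", "user": "root", "password": "123456"},
    {"ts": "2024-05-01T10:00:03Z", "src": "203.0.113.5", "proto": "ssh", "action": "auth_fail", "user": "admin", "password": "admin"},
    {"ts": "2024-05-01T10:02:10Z", "src": "203.0.113.5", "proto": "telnet", "action": "auth_fail", "user": "root", "password": "123456"},
    {"ts": "2024-05-01T11:15:00Z", "src": "198.51.100.9", "proto": "ssh", "action": "auth_fail", "user": "root", "password": "123456"},
    {"ts": "2024-05-01T11:15:01Z", "src": "198.51.100.9", "proto": "ssh", "action": "auth_success", "user": "root", "password": "toor"},
    {"ts": "2024-05-01T11:15:05Z", "src": "198.51.100.9", "proto": "ssh", "action": "command", "detail": "uname -a"},
    {"ts": "2024-05-01T11:15:09Z", "src": "198.51.100.9", "proto": "ssh", "action": "command", "detail": "id"},
    {"ts": "2024-05-01T12:40:00Z", "src": "192.0.2.77", "proto": "redis", "action": "connect"},
    {"ts": "2024-05-01T12:40:01Z", "src": "192.0.2.77", "proto": "redis", "action": "enumerate", "detail": "KEYS *"},
]

# Assumed stage taxonomy, ordered from shallowest to deepest interaction.
STAGES = ["probe", "credential", "enumeration", "interaction"]
ACTION_STAGE = {
    "connect": "probe",
    "auth_fail": "credential",
    "auth_success": "credential",
    "enumerate": "enumeration",
    "command": "interaction",
}


def classify_stage(event: Dict[str, str]) -> str:
    """Map one decoy event to its interaction stage (unknown actions count as probes)."""
    return ACTION_STAGE.get(event["action"], "probe")


def deeper(a: str, b: str) -> str:
    """Return whichever of two stage names is further along the taxonomy."""
    return a if STAGES.index(a) >= STAGES.index(b) else b


@dataclass
class Campaign:
    sources: Set[str] = field(default_factory=set)
    protocols: Set[str] = field(default_factory=set)
    credentials: Set[str] = field(default_factory=set)
    deepest_stage: str = "probe"
    event_count: int = 0
    first_seen: str = ""
    last_seen: str = ""


def cluster_campaigns(events: List[Dict[str, str]]) -> List[Campaign]:
    """Group sources into campaigns; sources that reuse a credential pair are linked.

    Uses a small union-find over source addresses so that chains of reuse
    (A shares with B, B shares with C) land in one cluster.
    """
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_source_for_cred: Dict[str, str] = {}
    for ev in events:
        find(ev["src"])  # register every source, even ones that never authenticate
        if "user" in ev:
            cred = f'{ev["user"]}:{ev["password"]}'
            if cred in first_source_for_cred:
                union(first_source_for_cred[cred], ev["src"])
            else:
                first_source_for_cred[cred] = ev["src"]

    campaigns: Dict[str, Campaign] = defaultdict(Campaign)
    for ev in events:
        c = campaigns[find(ev["src"])]
        c.sources.add(ev["src"])
        c.protocols.add(ev["proto"])
        c.event_count += 1
        if "user" in ev:
            c.credentials.add(f'{ev["user"]}:{ev["password"]}')
        c.deepest_stage = deeper(c.deepest_stage, classify_stage(ev))
        # ISO-8601 UTC timestamps compare correctly as strings.
        c.first_seen = min(c.first_seen or ev["ts"], ev["ts"])
        c.last_seen = max(c.last_seen, ev["ts"])

    # Deepest interaction first, then busiest, so triage starts at the top.
    return sorted(campaigns.values(),
                  key=lambda c: (-STAGES.index(c.deepest_stage), -c.event_count))


def triage_priority(c: Campaign) -> str:
    """Assumed triage rule: deep interaction or multi-source reuse is high priority."""
    if STAGES.index(c.deepest_stage) >= STAGES.index("enumeration") or len(c.sources) > 1:
        return "high"
    return "medium" if c.deepest_stage == "credential" else "low"


if __name__ == "__main__":
    for camp in cluster_campaigns(SAMPLE_EVENTS):
        print(triage_priority(camp), sorted(camp.sources), sorted(camp.protocols),
              camp.deepest_stage, camp.event_count, camp.first_seen, camp.last_seen)
```

Run as a script it prints one line per campaign: the two SSH/Telnet sources that reused root:123456 collapse into a single high-priority campaign that reached command execution, while the Redis enumeration source stays a separate cluster. In practice the linking key would be whatever recurring artifact the decoys capture (credentials, client banners, command sequences), and the stage ordering is what lets a SOC route "interaction" events ahead of bare probes.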
- Decoy placement should be aligned to your approved security architecture and monitoring policy.
- Telemetry should be interpreted alongside broader security context for complete incident understanding.
- High-interaction deception improves detection confidence but does not replace foundational controls.
Plan Protocol-Focused Deception Coverage
Map your highest-risk protocol surfaces, deploy decoys strategically, and convert attacker activity into high-confidence SOC signal.