Why Honeypots Work: The Case for Letting Attackers In
Key Takeaways
- Honeypots are isolated decoy systems designed to mimic real assets like servers and databases to monitor and log malicious activity without risking production environments.
- Security teams use the data gathered from honeypot interactions to patch vulnerabilities, improve detection signatures, and refine firewall rules.
- Modern honeypots are evolving with generative AI to create dynamic decoys that use Large Language Models to generate realistic responses, making them harder for attacker bots to identify.
While everything else in cybersecurity is meant to keep hackers out, honeypots are meant to lure them in.
What are honeypots and how do they work?
Honeypots are decoy systems or data sets that appear to be real assets (servers, databases, credentials, file shares, etc.) but are isolated from real systems and closely monitored. Legitimate users never use them, so any interaction with them is almost certainly malicious.
Honeypots sit in a controlled segment of the network, with containment controls in place so that attackers cannot pivot from the decoy to real systems. The decoy system logs everything: source IPs, network traffic, login attempts, commands, uploaded tools, and any changes made within the system. Security teams analyze that data to understand how attackers operate, learning what tools they use, how they move, and what they're ultimately after.
Those insights then feed directly back into security defenses: patching production systems, tightening firewall and Intrusion Detection System (IDS) rules, improving detection signatures, and blocking known malicious sources.
Brief history of honeypots
This isn't a new idea. The term honeypot didn't start in cybersecurity but came from the world of espionage, where it described a deceptive operation designed to lure a target in, let them believe they had access to something valuable, and extract intelligence from every move they made. Cybersecurity borrowed that idea and never looked back.
In 1990, AT&T Bell Labs deployed one of the first documented honeypots after detecting an attacker probing their network. Rather than cutting the connection, they let the attacker keep going, feeding them a convincing decoy while logging every move. By the time they pulled the plug, the security team had traced the attacker's methods, mapped previously unknown vulnerabilities in their own systems, and walked away with intelligence they wouldn't have had otherwise.
The mechanics haven't changed much since.
Research honeypots vs. production honeypots: What’s the difference?
Before choosing a honeypot, it helps to know what you're trying to accomplish. Two teams can use the same technology and get completely different value out of it because they're solving different problems. That difference in purpose is what separates a research honeypot from a production one, and it shapes everything from how you deploy it to what you do with the data.
Research honeypots
Run primarily by security teams, universities, government/military agencies, large research labs, or security vendors, research honeypots are used to study attack tools, techniques, and motives in-depth. This research helps to build out threat intelligence for the wider community.
Research honeypots are commonly deployed across multiple networks or exposed to the internet at large. While they’re typically more complex to operate, with higher security costs and resource demands, security teams can analyze and monitor a wider range of attacks, not just those tied to the organization’s environment.
Production honeypots
For corporations, private companies, and organizations seeking better internal detection and response, a production honeypot is typically deployed. They’re placed within or alongside real networks, often in a DMZ (demilitarized zone), to detect, slow, or misdirect attacks against the system.
These systems are easy to build and deploy, mirroring the production environment. They help organizations build and enforce security policies for Intrusion Detection Systems, firewalls, and security information and event management (SIEM) tools.
The disadvantage of production honeypots is their limited research value: because they are confined to a single network rather than spread across many, as research honeypots are, they see a narrower slice of attacker techniques.
Honeypot Complexity Levels
Honeypot systems are categorized as low, medium, or high based on the complexity of the interactions between the decoy technology and bad actors. These levels describe how “real” the honeypot feels to an attacker.
Low-interaction honeypot
A low-interaction honeypot simulates only a limited set of services or protocols (fake SSH, FTP, or HTTP services) rather than a full operating system. An attacker sees an open port or a login prompt, but all interactions with the decoy system are tightly contained from the real system.
Low-interaction honeypot data includes:
- Source IPs and the timing of scans/probes
- Attempted usernames and passwords
- Exploit payloads sent during initial connection attempts
- Basic statistics on which services and ports are being targeted
Easy and cheap to deploy, low-interaction honeypots are great for early-stage detection, but keep in mind that they offer limited depth of insights and are less useful against advanced threats.
If you’re looking for alerts and statistics, low-interaction honeypots are the way to go.
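As an added example (not code from the original article), the following Python script takes the kind of data a low-interaction honeypot produces, the source IPs, timing, attempted credentials and targeted ports listed above, and turns it into the feedback described earlier: a credential summary for detection signatures and a reviewed blocklist for firewall rules. The log lines, field names, and the nftables table/set names are constructed assumptions.

```python
import json
from collections import Counter

# Constructed sample of low-interaction SSH honeypot events, one JSON object per line.
# Field names are an assumption for this example, not any particular honeypot's schema;
# the fourth line is deliberately malformed to show that parsing is tolerant.
SAMPLE_EVENTS = """\
{"ts": "2024-05-01T10:00:01Z", "src_ip": "198.51.100.7", "dst_port": 22, "event": "login_attempt", "user": "root", "password": "123456"}
{"ts": "2024-05-01T10:00:02Z", "src_ip": "198.51.100.7", "dst_port": 22, "event": "login_attempt", "user": "root", "password": "admin"}
{"ts": "2024-05-01T10:00:03Z", "src_ip": "198.51.100.7", "dst_port": 22, "event": "login_attempt", "user": "admin", "password": "admin"}
this line is not JSON
{"ts": "2024-05-01T10:01:10Z", "src_ip": "203.0.113.42", "dst_port": 22, "event": "connect"}
{"ts": "2024-05-01T10:01:11Z", "src_ip": "203.0.113.42", "dst_port": 22, "event": "login_attempt", "user": "pi", "password": "raspberry"}
{"ts": "2024-05-01T10:02:00Z", "src_ip": "192.0.2.9", "dst_port": 2323, "event": "connect"}
"""

def parse_events(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def summarize(events):
    """Login attempts per source IP, most-tried credential pairs, and targeted ports."""
    attempts, creds, ports = Counter(), Counter(), Counter()
    for ev in events:
        ports[ev.get("dst_port")] += 1
        if ev.get("event") == "login_attempt":
            attempts[ev["src_ip"]] += 1
            creds[(ev.get("user"), ev.get("password"))] += 1
    return {"attempts_by_ip": attempts, "top_credentials": creds.most_common(3), "ports": ports}

def block_candidates(events, threshold=3):
    """Source IPs at or above the attempt threshold. Nobody legitimate logs in to a
    decoy, so even a low threshold yields few false positives."""
    attempts = summarize(events)["attempts_by_ip"]
    return sorted(ip for ip, n in attempts.items() if n >= threshold)

def firewall_rules(ips):
    """Render the blocklist as nftables set additions for review before deployment.
    The table/set names (inet filter, honeypot_blocklist) are assumptions."""
    return [f"add element inet filter honeypot_blocklist {{ {ip} }}" for ip in ips]

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(summarize(evs)["top_credentials"])
    print("\n".join(firewall_rules(block_candidates(evs))))
```

The threshold is deliberately low because, as the article notes, nobody legitimate should touch the decoy; raise it only if your honeypot is reachable by internal scanners you already know about.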
Medium-interaction honeypot
A medium-interaction honeypot simulates parts of a real system or application. Attackers can run some commands or try web exploits while the decoy system responds in a more realistic way than a low-interaction honeypot would.
These honeypots are more complex than low-interaction systems, since you need to design and maintain believable file trees, responses, and application logins so they don’t look obviously fake.
Full session transcripts are recorded, including every command typed, every path accessed, and every navigation step taken after the system is accessed. Network logs also capture uploaded or downloaded payloads, along with the tactics and procedures used. This data is then compiled into attacker playbooks and Indicators of Compromise (IOCs).
If you’re looking to detect lateral movement, profile common attacker scripts and toolchains, or run internal red-team/blue-team exercises, medium-interaction honeypots will provide the data you need.
High-interaction honeypot
A high-interaction honeypot is a fully functional decoy system that attackers can compromise and interact with. By far the most complex and resource-intensive type of honeypot, they’re often real operating systems and services that let defenders observe the attacker’s behavior in a controlled environment.
The decoy system allows attackers to gain root access, execute commands, install malware, move laterally within the honeypot, and attempt exfiltration, all while the system logs the activity. The logs capture advanced TTPs (tactics, techniques, procedures) that are ideal for research, malware analysis, and improving detections/signatures.
High-interaction honeypots come with higher risk and demand significant CPU/RAM, skilled maintenance, log storage and processing, and frequent resets. They are not meant for small teams.
Dynamic honeypots
Today, static honeypots are increasingly easy for AI-driven attacker bots to "fingerprint" and avoid. To counter this, organizations are using generative AI to create dynamic honeypots.
These systems use LLMs to generate realistic-looking files, emails, and even terminal responses in real-time, making it significantly harder for an attacker to distinguish the decoy from a real production environment.
Types of honeypots
Not all honeypots are built the same. The type you deploy depends on what you're trying to catch and where in your environment you're most exposed.
Network Scanning & Brute Force
Bots scan the internet constantly, probing for open ports and hammering login screens with stolen credential lists. These honeypots are built to catch that activity early, before an attacker finds something real.
- Network & service honeypots: Fake services like SSH, RDP, and FTP that log every login attempt, probe, and payload sent by automated scanners and brute-force tools.
- Network topology decoys: Simulate an entire network of fake systems to detect attackers who are mapping your environment before making a move.
Web & Application Attacks
Attackers run automated tools across websites and APIs, looking for anything that responds in a useful way. These honeypots record exactly what's being tested and which tools are doing the testing.
- Web honeypots: Fake sites or APIs that log common web attacks like SQL injection and cross-site scripting (XSS), along with details about the tools used to launch them.
- Database honeypots: A decoy database filled with realistic-looking data. Attackers who make it past your perimeter will query it, revealing exactly what they're after.
Malware and exploitation
Some attackers aren't hunting a specific target. They deploy malware that spreads on its own, infecting whatever looks vulnerable. These honeypots intercept that activity before it reaches anything real.
- Malware honeypots: Systems that look unpatched and exposed on purpose, attracting ransomware and self-spreading malware for analysis without risk to production.
- Client honeypots: Decoys that behave like real browsers or email clients, actively visiting suspicious content to catch attacks that only trigger when a user clicks the wrong link.
Spam and phishing
Phishing campaigns rely on harvested email addresses and convincing fake login pages. These honeypots get inside those campaigns to expose how they operate and where stolen data is going.
- Email traps: Hidden addresses that only bots will find. Any mail that arrives is automatically suspicious and used to build blocklists and analyze sending infrastructure.
- Phishing honeypots: Fake login pages that capture phishing kits and attacker behavior from live campaigns, which is useful for understanding how attacks against your brand or users are being built.
Data access and insider threats
Not every security threat comes from outside. Employees, contractors, and anyone else with legitimate access to your systems can pose just as serious a risk as an external attacker. Honeytokens are designed to catch exactly that.
- Honeytokens: Fake credentials, API keys, or files planted in your environment. There's no legitimate reason to ever touch them, so when someone does, you know immediately that something is wrong. Access is logged, the user is flagged, and your security team has a clear starting point for investigation.
Specialized infrastructure
Industrial and critical infrastructure environments face threats that most security tools aren't built to detect. Attacks here are meant to disrupt physical systems rather than steal data.
- ICS/OT honeypots: Decoys that mimic the systems and communication protocols used in environments like power grids, water treatment facilities, and manufacturing plants, designed to catch attackers probing for ways to cause real-world disruption.
- Honeynets: A full simulated network of multiple honeypots. Rather than catching a single probe, honeynets let defenders watch coordinated attacks unfold, including how attackers move between systems and communicate back to whoever is directing them.
The role of honeypots in cybersecurity: where to use honeypots
Honeypots are not a security strategy in and of themselves. They don't block attacks, patch vulnerabilities, or replace the core tools teams depend on. What they do is give you something most security tools can't — direct visibility into attacker behavior inside a controlled environment.
That intelligence is only useful if you have something in place to act on it. A honeypot works best when it's connected to the rest of your security stack, feeding your SIEM, sharpening detection rules, or improving how your team responds to incidents. Without that, you're collecting data with nowhere for it to go.
Honeypots are also essential components of a Zero Trust architecture. In a network where "never trust, always verify" is the rule, a honeypot acts as a definitive tripwire. Since no legitimate user should ever touch a honeypot, any interaction provides a high-fidelity signal that allows a Zero Trust engine to automatically revoke the user's access across the entire identity fabric.
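The honeytoken idea from the insider-threat section and the Zero Trust tripwire described here are the same mechanism, so one added example (not code from the original article) covers both: a Python script that generates a credential-shaped honeytoken, records where it was planted, and scans auth-log lines for any use of it, emitting an alert with the response to trigger. The log format, field names, the fixed decoy ID, and the response label are constructed assumptions.

```python
import json
import secrets
import string
from dataclasses import dataclass

@dataclass(frozen=True)
class Honeytoken:
    key_id: str       # the decoy credential itself
    planted_at: str   # where it was seeded, so an alert says which decoy was touched

def make_honeytoken(planted_at):
    """Generate a decoy shaped like a cloud access-key ID (AKIA + 16 characters).
    It is never issued by any provider and grants nothing; only its use matters."""
    alphabet = string.ascii_uppercase + string.digits
    key_id = "AKIA" + "".join(secrets.choice(alphabet) for _ in range(16))
    return Honeytoken(key_id, planted_at)

def detect_honeytoken_use(log_lines, tokens):
    """Scan JSON auth-log lines for any planted token. Because no legitimate workflow
    ever uses a decoy credential, every match is an alert with a prescribed response."""
    by_id = {t.key_id: t for t in tokens}
    alerts = []
    for line in log_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than lose the batch
        tok = by_id.get(ev.get("access_key_id"))
        if tok is None:
            continue
        alerts.append({
            "token": tok.key_id,
            "planted_at": tok.planted_at,
            "principal": ev.get("principal"),
            "source_ip": ev.get("source_ip"),
            "api_call": ev.get("api_call"),
            # response label is an assumption; wire it to your identity provider or SOAR
            "response": "revoke_sessions_and_open_case",
        })
    return alerts

# Constructed sample: one decoy with a fixed ID (so the result is reproducible) and
# three auth-log lines, the second of which uses the decoy key.
DECOY = Honeytoken("AKIADECOY0HRBACKUP01", "fileshare://hr/backup/.env")
SAMPLE_LOG = [
    '{"ts":"2024-05-01T09:58:00Z","access_key_id":"AKIAREALPRODKEY00001","principal":"svc-billing","source_ip":"10.1.4.20","api_call":"ListBuckets"}',
    '{"ts":"2024-05-01T10:03:12Z","access_key_id":"AKIADECOY0HRBACKUP01","principal":"contractor-77","source_ip":"10.9.8.77","api_call":"GetObject"}',
    'not json at all',
]
```

Run `detect_honeytoken_use(SAMPLE_LOG, [DECOY])` to see the single alert; in a Zero Trust deployment the `response` field is what the policy engine acts on to revoke the principal's sessions.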
The right question isn't whether honeypots are worth using, but whether your environment is ready to make use of what they uncover.