A honeypot is a cybersecurity mechanism which uses a network-attached system to act as a decoy in order to lure cybercriminals and detect, deflect and study their hacking attempts while they attempt to gain unauthorized access to the network.

How do honeypots work?

Generally, a honeypot operation consists of a computer, applications and data that simulate the behavior of a real system that would be attractive to attackers, such as a financial system, internet of things (IoT) devices, serves containing high value assets. It appears as part of a network but it is actually isolated and closely monitored. Legitimate users to have no need to access a honeypot meaning that any attempts to communicate with it are considered hostile and malicious.

Honeypots may also be put outside the external firewall, facing the internet, to detect attempts to enter the internal network. The exact placement of the honeypot varies depending on how elaborate it is, the traffic it aims to attract and how close it is to sensitive resources inside the corporate network.

Viewing and logging activity in the honeypot provides security analysts with insight into the types of threats a network infrastructure faces while leading attackers away from assets of real value.

Cybercriminals can hack and hijack honeypots, turning them against the original organization who deployed them.

Virtual machines are often used to host honeypots. That way, if they are compromised by malware, for example, the honeypot can be quickly restored.

Why use a honeypot?

There are two primary uses for honeypots: research and production.

Research honeypots allow administrators to study the activity of hackers, giving them the knowledge to better protect networks and assets from similar attacks. Honeypots also can help shed light on larger software system vulnerabilities that might not otherwise be detected.

Production honeypots are placed inside networks to  act as a decoy and lessen the risk of real targets being infiltrated. These honeypots are a distraction for cyberattackers to draw them away from the legitimate targets inside the network.

Honeypots can save costs in their efficiency. Instead of spending time and money searching for potential cyber attackers, a honeypot waits for hackers while pretending to be a legitimate target.

Honeypot classification

  1. Pure honeypots are fully built and functional production systems that monitor a honeypot’s link to the network. They are the most complex and difficult to maintain, but they also appear most realistic to attackers, complete with mock confidential files and user information.
  2. High-interaction honeypots imitate the activities of the production systems, hosting a variety of services and capturing extensive information. The goal of a high-interaction honeypot is to entice an attacker to gain root or administrator-level access to the server.
  3. Low-interaction honeypots simulate the most common attack vectors on the network: the ones services attackers frequently request. Therefore, they are less risky and easier to maintain. The downside of this type of honeypot is that it is more likely to look fake to an attacker. Low-interaction honeypots are often used to detect attacks from bots and malware.

Types of honeypot

Email honeypots

These “spam traps” is a fake email address created to attract span internet traffic from automated spammers. As this email address is not used for any other legitimate purposes, all incoming mail is guaranteed to be spam. All “senders” will have their IP addresses automatically blocked and the source of the IP added to a deny list. This stops spammers from sending phishing emails to legitimate email addresses within an organization.

Malware honeypots

These honeypots mimic software vulnerabilities and APIs, inviting malware attacks to them. Security teams can then discover what API weaknesses need to be addressed.

Database honeypots (Decoy databases)

These decoy databases mislead attackers who are truing to exploit software vulnerabilities, using methods that are sometimes missed by firewalls, like SQL injections.

Spider honeypots

These are intended to trap webcrawlers (‘spiders’) by creating web pages and links only accessible to crawlers. Detecting crawlers can help you learn how to block malicious bots, as well as ad-network crawlers.

Advantages and disadvantages of honeypots


  • Honeypots collect data from actual attacks and other unauthorized activities, providing analysts with a factual, rich source of information.
  • Ordinary cybersecurity detection technologies generate alerts that can include a significant volume of false positives, but a honeypot causes fewer false positives because there is no reason for legitimate users to access the honeypot.
  • Honeypots are cost effective.
  • Honeypots capture malicious activity, even if an attacker is using encryption or other potentially devastating tactics.


  • Honeypots only collect information when an attack occurs. If there are no attempts to access the honeypot means there is no data to analyze.
  • Although honeypots are isolated from the real network, they do connect in some way to enable administrators to collect the information they contain.
  • Honeypots are often distinguishable from legitimate production systems, which means experienced hackers can often differentiate a production system from a honeypot system.
  • Malicious traffic that has been captured is only collected when an attack targets the honeypot network; if attackers suspect a network is a honeypot, they will avoid it.

Honeypots can help organizations keep up with the ever-changing threat and cybersecurity landscapes. Using honeypots, you can see exactly what hackers are doing, in real time, and use that information to stop them getting what they want.