Honeypot
What is a Honeypot?
A honeypot is a decoy system, service, or resource that is intentionally designed to attract attackers so defenders can detect, observe, and study malicious activity.
Examples
- A security team deploys a fake internal server with no real business purpose so any connection to it is treated as suspicious and investigated quickly.
- An organization places a decoy SSH service on the network to capture login attempts and learn which usernames and passwords attackers are trying.
Discover 🔎
Most security controls are designed to keep attackers out, but a honeypot takes a different approach. Instead of only building walls, it sets a trap. The idea is simple but clever: create something that looks interesting to an attacker but has no real business value, then watch what happens when someone touches it.
That makes honeypots useful because legitimate users should have little or no reason to interact with them. If a connection appears, a login is attempted, or a scan starts probing the decoy, defenders gain an early sign that something suspicious may be happening. In a noisy environment full of logs and alerts, that kind of signal can be very valuable.
Summary 📝
A honeypot is a decoy system or service designed to attract attackers and reveal malicious behavior. Its main value comes from creating high-signal alerts and giving defenders a controlled way to observe attacker activity. When deployed carefully, a honeypot can improve detection, support investigation, and provide useful insight into how threats behave.