What is a Honeypot?
A honeypot is a security decoy that detects attackers by monitoring access to a fake system or resource. Learn how honeypots work, the difference from honeytokens, and how they complement detection tools.
The Honeypot Concept
A honeypot works on the principle of guaranteed anomaly: it appears to offer something of value but serves no business function, so legitimate users and systems have no reason to touch it and any interaction is suspicious by construction. Production systems generate constant legitimate traffic from which anomalies must be separated; a honeypot instead produces a clean signal in which every access attempt is a potential threat indicator worth investigating. The signal is only as clean as the isolation, though: any legitimate process that reaches the honeypot (an authorized vulnerability scanner, an asset-inventory agent, a mistyped hostname) produces a false positive, so those sources must be identified and excluded from the alert before it reaches a person, or the honeypot trains responders to ignore its own alerts.
Honeypot Types
Low-interaction honeypots emulate the outer surface of a specific service, such as an SSH banner and login prompt, a web server, or a database port: enough to accept a connection and record what the client sends (the source address, the client software it announces, the usernames and passwords it tries, the request paths or payloads it delivers), but not enough to run commands or serve real data. They are cheap to deploy and safe to run because nothing behind the emulation can be compromised, but they reveal only an attacker's first moves, not what they would do once inside. High-interaction honeypots are real systems configured to appear valuable but isolated from production. They let attackers interact fully and capture techniques, tools, and objectives in detail. That richer intelligence comes with higher deployment risk, because the attacker now holds a real system that could serve as a pivot point toward production or as a launch point against third parties; high-interaction deployments therefore need strict network isolation, egress filtering, capture that the attacker cannot disable from inside the host, and routine re-imaging. The choice between the two types trades effort and risk against depth of intelligence, not detection quality: both alert on the first touch.
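The following is an added example, not code from the page or from any honeypot project: a low-interaction SSH honeypot reduced to the one thing it does, the SSH version exchange. It sends a banner shaped like a real OpenSSH host (the exact version string is an assumption; match it to your own fleet), records the client's identification string and source address as a JSON line, and closes before authentication ever begins. The `probe` function plays the scanner so the whole exchange can be run locally.

```python
"""Low-interaction SSH honeypot: completes only the RFC 4253 version exchange.

Added example, not code from the page. It sends an OpenSSH-looking banner, records the
client's identification string and source address, then closes. Nothing here authenticates
or runs commands, so there is nothing behind it to compromise.
"""
import json
import socket
import threading
import time
from dataclasses import dataclass, asdict

# Shaped like a real OpenSSH banner so scanners file the port as SSH. The version string
# is an assumption; use whatever your production hosts actually send.
SERVER_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n"


@dataclass
class HoneypotEvent:
    ts: float
    peer_ip: str
    peer_port: int
    client_banner: str      # what the client claims to be, e.g. "SSH-2.0-libssh2_1.10.0"
    bytes_received: int


def parse_client_banner(raw: bytes) -> str:
    """The client's identification string is the first CRLF-terminated line it sends."""
    first_line = raw.split(b"\n", 1)[0].rstrip(b"\r")
    return first_line.decode("utf-8", errors="replace")


def handle_connection(conn: socket.socket, addr, sink, read_timeout: float = 5.0) -> None:
    """Banner out, banner in, log, close. A real client would send KEXINIT next; we never get there."""
    conn.settimeout(read_timeout)
    raw = b""
    try:
        conn.sendall(SERVER_BANNER)
        # Read until one full line arrives or the client stalls; the cap keeps a flood from eating memory.
        while b"\n" not in raw and len(raw) < 256:
            chunk = conn.recv(256)
            if not chunk:
                break
            raw += chunk
    except (socket.timeout, ConnectionError):
        pass
    finally:
        conn.close()
    sink(HoneypotEvent(time.time(), addr[0], addr[1], parse_client_banner(raw), len(raw)))


class SshHoneypot:
    """Listens on host:port (port 0 picks a free one) and hands each connection to handle_connection."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        self.events: list[HoneypotEvent] = []
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))
        self._sock.listen(16)
        self._sock.settimeout(0.2)          # lets the accept loop notice stop()
        self.port = self._sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def _record(self, event: HoneypotEvent) -> None:
        self.events.append(event)
        print(json.dumps(asdict(event)))    # one JSON line per event, ready for a log shipper

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=handle_connection, args=(conn, addr, self._record), daemon=True).start()

    def start(self) -> "SshHoneypot":
        self._thread.start()
        return self

    def stop(self) -> None:
        self._stop.set()
        self._thread.join()
        self._sock.close()

    def wait_for_events(self, n: int, timeout: float = 3.0) -> list[HoneypotEvent]:
        deadline = time.time() + timeout
        while len(self.events) < n and time.time() < deadline:
            time.sleep(0.05)
        return list(self.events)


def probe(port: int, client_banner: str, host: str = "127.0.0.1") -> str:
    """Act like a scanner: connect, read the server banner, announce ourselves, hang up."""
    with socket.create_connection((host, port), timeout=3) as s:
        server_banner = s.recv(256)
        s.sendall(client_banner.encode() + b"\r\n")
    return server_banner.decode().strip()


if __name__ == "__main__":
    hp = SshHoneypot().start()
    print("server said:", probe(hp.port, "SSH-2.0-libssh2_1.10.0"))
    hp.wait_for_events(1)
    hp.stop()
```

Even this thin emulation yields usable signal: the client banner distinguishes mass-scanning bots (libssh2, Go and Python SSH libraries) from interactive OpenSSH clients, and the source address and timing feed straight into blocklists and correlation. Capturing the usernames and passwords an attacker tries requires emulating the authentication stage as well, which is the step up from low to medium interaction.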
Honeytokens and Honeycredentials
Honeytokens extend the deception concept beyond network services to data and credentials. A honeytoken is a believable but fake data artifact: an AWS access key that really exists in IAM but belongs to a user with no permissions, so any call made with it fails yet is logged by CloudTrail and raises an alert; a document named 'Acquisition Targets 2026' that generates an alert when opened; a database record with a distinctive fake social security number that generates an alert if it appears in a breach dump. Honeytokens are valuable for detecting data exfiltration and insider threats: an attacker or insider who takes a honeytoken and uses it reveals their presence together with the source address, client software and time of use, and, because the token was planted in a known place, which store or repository they have already read. Two properties make a token work: it must be indistinguishable from the real secrets around it (same naming, same file, same apparent age), and it must not be something legitimate automation exercises, or the alert becomes noise.
Deploying Honeypots Effectively
Effective honeypot deployment requires thoughtful placement and monitoring. A honeypot in a network segment no legitimate user ever visits generates alerts on any connection, and each alert can be treated as high fidelity. A honeypot in a segment with regular legitimate traffic requires more careful tuning to distinguish attacker access from legitimate mistakes, and the sources that will touch it by accident need to be allowlisted before alerts are routed to a person. The monitoring infrastructure that captures and alerts on honeypot interactions must be operational before honeypots are deployed, because a honeypot nobody is watching provides no value; verify the full path by triggering the honeypot yourself and confirming that the alert arrives in the on-call channel with the source address, timestamp and captured payload attached. Decide in advance what the response is. The useful action on a honeypot hit is rarely just blocking the source: it is finding what else that source has touched and rotating the real credentials that sit next to the decoy.
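The detection side of an AWS honeytoken, covering both the token described under Honeytokens and Honeycredentials and the monitoring requirement above, as an added example that is neither the page's nor Cloudskope's code. It assumes the planted key is a real IAM access key for a user with no permissions, so every call made with it fails but CloudTrail still records the attempt. The key IDs are AWS's documented example IDs, and the repository path, IP ranges and CloudTrail records are constructed for this example.

```python
"""Honeytoken detector over CloudTrail records.

Added example, not the page's or Cloudskope's code. The planted key is a real IAM access key for
a user that holds no permissions (an explicit Deny-all policy is cheap insurance); every call made
with it fails, but CloudTrail records the attempt, and that record is the alert. Key IDs below are
AWS's documented example IDs; the planting locations, IP ranges and records are constructed.
"""
import json
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Where each fake key was planted, so the alert says what the attacker has already read.
HONEYTOKENS = {
    "AKIAIOSFODNN7EXAMPLE": "github.com/example-org/payments-api: .env.staging",
    "AKIAI44QH8DHBEXAMPLE": "internal wiki: 'Deploy runbook (legacy)'",
}

# Sources that legitimately touch the tokens, e.g. an internal secret scanner that confirms
# findings with sts:GetCallerIdentity. Their hits are kept but not paged. Constructed range.
BENIGN_SOURCES = [ip_network("10.20.30.0/24")]


@dataclass
class Alert:
    event_time: str
    key_id: str
    planted_at: str
    source_ip: str
    user_agent: str
    event_name: str
    outcome: str        # "Succeeded" or the CloudTrail errorCode
    region: str


def alert_from_record(rec: dict, planted_at: str) -> Alert:
    return Alert(
        event_time=rec.get("eventTime", ""),
        key_id=rec["userIdentity"]["accessKeyId"],
        planted_at=planted_at,
        source_ip=rec.get("sourceIPAddress", ""),
        user_agent=rec.get("userAgent", ""),
        event_name=rec.get("eventName", ""),
        # sts:GetCallerIdentity succeeds for any valid key regardless of permissions and is usually
        # an attacker's first call, so honeytoken hits must never be filtered on errorCode.
        outcome=rec.get("errorCode", "Succeeded"),
        region=rec.get("awsRegion", ""),
    )


def is_benign_source(src: str, benign=BENIGN_SOURCES) -> bool:
    try:
        ip = ip_address(src)
    except ValueError:          # e.g. "cloudformation.amazonaws.com" on service-originated calls
        return False
    return any(ip in net for net in benign)


def honeytoken_alerts(records, registry=HONEYTOKENS, benign=BENIGN_SOURCES):
    """Split CloudTrail records into (alerts, suppressed). Records not using a honeytoken are ignored."""
    alerts, suppressed = [], []
    for rec in records:
        key_id = rec.get("userIdentity", {}).get("accessKeyId")
        if key_id not in registry:
            continue
        alert = alert_from_record(rec, registry[key_id])
        (suppressed if is_benign_source(alert.source_ip, benign) else alerts).append(alert)
    return alerts, suppressed


# Constructed CloudTrail records, trimmed to the fields used here. The first uses a stand-in
# for a real production key and must not alert.
SAMPLE_RECORDS = [
    {"eventTime": "2026-03-02T09:14:03Z", "eventName": "ListBuckets", "awsRegion": "us-east-1",
     "sourceIPAddress": "10.20.30.5", "userAgent": "aws-cli/2.15.30",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAREALKEY00EXAMPLE"}},
    {"eventTime": "2026-03-02T21:41:17Z", "eventName": "GetCallerIdentity", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.42", "userAgent": "aws-cli/2.15.30 Python/3.11.6 Linux/6.5.0",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2026-03-02T21:41:25Z", "eventName": "ListBuckets", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.42", "userAgent": "aws-cli/2.15.30 Python/3.11.6 Linux/6.5.0",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2026-03-03T02:00:09Z", "eventName": "GetCallerIdentity", "awsRegion": "us-east-1",
     "sourceIPAddress": "10.20.30.7", "userAgent": "secret-scanner/1.4",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
]

if __name__ == "__main__":
    fired, quiet = honeytoken_alerts(SAMPLE_RECORDS)
    for a in fired:
        print("PAGE:", json.dumps(a.__dict__))
    print(f"{len(fired)} alerts, {len(quiet)} suppressed benign hits")
```

Two points of the design deserve spelling out. The first alert in the sample fires on a call that succeeded: a no-permission user can still call sts:GetCallerIdentity, and that is exactly the call an attacker makes to learn what a found key is worth, so the detector keys on the access key ID alone. Second, CloudTrail delivery to S3 is not instant; for paging, an EventBridge rule matching the same access key IDs on "AWS API Call via CloudTrail" events gives a faster path, with this batch logic kept for the log archive and for hunting.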
Real-World Example: Honeytoken Detects Data Exfiltration in Progress
A Cloudskope client deployed honeytokens — fake AWS access keys — alongside real credentials in development repositories. Three months after deployment, an alert fired: a honeytoken had been used to attempt AWS API calls from an IP address in Eastern Europe. Investigation revealed that a developer's GitHub account had been compromised through credential stuffing, giving an attacker access to private repositories containing both the honeytoken and real credentials. The honeytoken alert enabled containment before any real credentials were used. The attacker's IP and timing provided forensic evidence that would not have been available without the honeytoken.
[Figure: the average time from a honeypot's internet exposure to its first connection attempt, illustrating the continuous automated scanning attackers use to discover exposed services and the detection value of monitoring those interactions.]