Awareness

Honeypots & Deception for Early Detection

Published  ·  4 min read

One of the best ways to identify early-stage intruders (i.e., stalking while still being able to gain access to valuable information) is through the use of both honeypots and deception technologies.

The concept is simple, create a number of false assets (that are visually appealing) and monitor the intruder's behavior on them. Just prior to an attack, produce real-time alerts for the first time, when they access an asset that is not supposed to be there.

In 2025–2026 this approach is more powerful than ever because attackers have become very good at evading traditional EDR/SIEM rules, but they still fall for deception almost every time.

Main Types of Honeypots / Deception Assets Used Today
1. High-interaction honeypots consist of vulnerable (or very realistic) machines or containers that allow for a full compromise and provide the maximum intel (i.e. malware samples, TTPs, C2 IP addresses). The most common configurations for high-interaction honeypots are as follows: 
a) Windows 10/11 VMs with RDP/SMB/WinRM exposed 
b) Older Ubuntu/CentOS with SSH and weak passwords 
c) Docker containers hosting vulnerable web applications such as WordPress 4.x and phpMyAdmin

2. Low-interaction honeypots are emulations of services that don't have a real OS behind them, making them much less risky but also very quick to deploy; these were the most popular in 2026:
a) Cowrie for SSH and Telnet connections
b) Dionaea for SMB, HTTP, FTP, MSSQL and MySQL
c) Honeytrap allowing multi-protocol connections
d) Conpot for industrial control systems such as ICS/SCADA - Modbus, S7 and BACnet

3. Deception tokens / canaries Small, passive breadcrumbs that alert the moment they are touched Examples:
a) Canarytokens.org files/tokens (DNS, HTTP, SMB, etc.)
b) A self-hosted version of Canary Tokens may be used.
c) Look for files (e.g., Password.txt, Api_keys.json, AWS keys) that obviously contain passwords or other sensitive data.
d) Monitor for weak/default passwords. Create phony admin accounts; send email notification whenever there's a login attempt.

4. Use code/config-based honey tokens to create fake AWS Access Keys, GitHub Tokens, Stripe Test Keys, and Database Credentials. Place inside repositories, config files. These honey tokens will immediately generate alerts if they are accessed/used in any way.

Deployment Patterns
1. The T-Pot is a great example of how you can have all your honeypots working together in one single Docker container for easy management. It enables all of the above-mentioned honeypot types (Cowrie, Dionaea, Honeytrap, Wordpot, Conpot, ElasticPot, ..., etc.) to be contained, run, and managed from one place.
2. Modern Honey Network (MHN) Central dashboard + multiple low/high-interaction sensors Good for distributed environments (cloud + on-prem)
3. Canarytokens + Thinkst Canary Deploy dozens of small tokens in minutes High-fidelity alerts (someone touched a file that shouldn’t be touched)
4. Custom hybrid server honeypot Windows 10 / 11 configuration with exposed RDP (easy to guess password or no NLA) and open SMB shares (guest access and everyone can write) plus Sysmon and PowerShell log enabled for visibility into all attacker's TTPs.

Actual Attacker Detection Example (What You Are Able to Witness Here)
1. Attacker attempts to crack SSH → Cowrie captures all command executed and you see credential stuffing + lateral movement
2. Attacker connects to fake SMB share → Dionaea captures the first malware dropper or the attempt to exploit EternalBlue
3. Attacker accesses a canary file named 'passwords.xlsx' in a shared folder → instant high-confidence alert generated by the system
4. Attacker searches a fake AWS key in a public Git repository → Canarytokens generate callback to the DNS/HTTP protocol.
5. Attacker pivots through a fake RDP → full session recorded of the high-interaction VM (all commands executed, all files exfiltrated, persistent connections) 

Quick Recommendations 
1. Start with T-Pot if you want one box that gives maximum coverage
2. Deploy Canarytokens everywhere (free version is enough for most SMBs)
3. Put at least one high-interaction Windows honeypot in every critical VLAN/subnet
4. Forward all honeypot logs to SIEM → alert on any interaction (even failed logins)
5. Use deception in Active Directory: fake privileged accounts with weak passwords + login alerts
6. Rotate honeypot images every 30–60 days (attackers fingerprint them)

The beauty of deception is the signal-to-noise ratio: One touch = very high-confidence alert. No touch = silence.
In a world where EDR noise is overwhelming, honeypots and canaries cut through the clutter like almost nothing else.

Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067