Honeypot
A honeypot is a cybersecurity mechanism used to detect and analyze attempts at unauthorized access to information systems, and in particular to detect malware early. It can be a computer system, server, network service, or any other digital asset that acts as a decoy to attract potential attackers, so it is designed to look like a legitimate target for cyber attacks.
How does a honeypot work?
A honeypot is intentionally visible and accessible to attract cybercriminals. It is set up to look like a vulnerable system, which motivates attackers to try to penetrate it. When an attacker tries to penetrate the honeypot, all their actions are carefully monitored and recorded. This provides valuable information about attack methods and techniques, which helps security experts better understand attacker behavior, identify new vulnerabilities, and develop better defense strategies. Honeypots can also distract attackers from real systems and data. In doing so, they provide additional protection for critical systems.
What types of honeypots are there?
•Server honeypots—These honeypots are deployed alongside real servers to act as bait, drawing attackers away from valuable systems and allowing security teams to monitor and analyze their tactics.
•Client honeypots—Simulate an ordinary system user and browse the internet. They detect changes in integrity and allow you to get information about malware that cannot be caught in any other way.
•Honeynet—Aggregates multiple honeypots into a network and shares malware data and trends. It can be a network that mimics the company's entire production environment.
•Production honeypots—Used in real networks as an additional layer of defense. They could be more interactive, and their primary goal is to identify and mitigate real attacks.
•Research honeypots—These are deployed for research purposes. They are highly interactive and designed to gather information about attackers' methods and motives.
•Honeypots with a low level of interaction—They imitate only certain services, applications or parts of the real company system. Therefore, attackers can detect them more easily.
•Honeypots with a high degree of interaction—They imitate the company's production systems very precisely, including their applications and services, or they deploy real systems and services in a virtual environment under precise monitoring.
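To make the low-interaction type and the "monitored and recorded" step concrete, here is an added example (not part of the original page or of any honeypot product): a decoy that imitates a single service by sending a banner and logging whatever each client sends. The banner text, port 2121, the log file name and the class names are assumptions chosen for illustration.

```python
import json
import socketserver
import threading
import time

BANNER = b"220 FTP server ready\r\n"  # constructed decoy banner (assumption)
MAX_BYTES = 1024     # cap on stored input per connection
READ_TIMEOUT = 3.0   # seconds before an idle client is dropped


class DecoyHandler(socketserver.BaseRequestHandler):
    """Imitates one service: sends a banner, records what the client sends."""

    def handle(self):
        event = {"ts": time.time(), "src_ip": self.client_address[0],
                 "src_port": self.client_address[1], "data": ""}
        self.request.settimeout(READ_TIMEOUT)
        try:
            self.request.sendall(BANNER)
            # latin-1 maps every byte to one character, so decoding never raises
            event["data"] = self.request.recv(MAX_BYTES).decode("latin-1")
        except OSError:
            pass  # timeout or reset: the connection attempt is still recorded
        self.server.record(event)


class DecoyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address, log_path=None):
        super().__init__(address, DecoyHandler)
        self.events = []          # in-memory copy of recorded events
        self.log_path = log_path  # optional JSON-lines file for later analysis
        self._lock = threading.Lock()

    def record(self, event):
        with self._lock:
            self.events.append(event)
            if self.log_path:
                # json.dumps escapes control characters, so client input
                # cannot forge extra log lines
                with open(self.log_path, "a") as fh:
                    fh.write(json.dumps(event) + "\n")


if __name__ == "__main__":
    with DecoyServer(("127.0.0.1", 2121), "honeypot.jsonl") as srv:
        srv.serve_forever()
```

No legitimate user has a reason to connect to a decoy, so every recorded event is worth reviewing. The in-memory `events` list is unbounded, so a long-running deployment should rely on the log file instead.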