implementing-network-deception-with-honeypots
Deploy and manage network honeypots using OpenCanary, T-Pot, or Cowrie to detect unauthorized access, lateral movement, and attacker reconnaissance.
Best use case
implementing-network-deception-with-honeypots is best used when you need a repeatable AI agent workflow instead of a one-off prompt: standing up OpenCanary, T-Pot, or Cowrie, wiring their alerts into a SIEM, and reviewing what the honeypots catch, with the same structure every time the workflow is run.
Teams using implementing-network-deception-with-honeypots should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in .claude/skills/implementing-network-deception-with-honeypots/SKILL.md inside your project
- Restart your AI agent; it will auto-discover the skill
How implementing-network-deception-with-honeypots Compares
| Feature / Agent | implementing-network-deception-with-honeypots | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Deploy and manage network honeypots using OpenCanary, T-Pot, or Cowrie to detect unauthorized access, lateral movement, and attacker reconnaissance.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Implementing Network Deception with Honeypots

## When to Use

- When deploying deception technology to detect lateral movement
- To create early warning indicators for network intrusion
- During security architecture design to add detection depth
- When monitoring for unauthorized internal scanning or credential theft
- To gather threat intelligence on attacker techniques and tools

## Prerequisites

- Linux server or VM for honeypot deployment (Ubuntu 22.04+ recommended)
- Python 3.8+ with pip for OpenCanary installation
- Docker for T-Pot or containerized deployment
- Network segment with appropriate VLAN configuration
- SIEM integration for alert forwarding (syslog, webhook, or file-based)
- Firewall rules allowing inbound connections to honeypot services

## Workflow

1. **Plan Deployment**: Select honeypot types and network placement strategy. The honeypot host must be dedicated and hold no production data or real credentials; nothing legitimate should ever need to talk to it, so that any connection is a signal.
2. **Install Honeypot**: Deploy OpenCanary, Cowrie, or T-Pot on the dedicated host.
3. **Configure Services**: Enable emulated services (SSH, HTTP, SMB, FTP, RDP) that match what a real host on that segment would expose.
4. **Set Up Alerting**: Configure log forwarding to the SIEM and alert channels, and confirm end-to-end delivery with a test connection before relying on it.
5. **Deploy Canary Tokens**: Place credential files, shares, and DNS entries that point at the honeypot; the credentials must not be valid anywhere else.
6. **Monitor Interactions**: Analyze honeypot logs for attacker activity.
7. **Tune and Maintain**: Update configurations based on detection results, and suppress known internal scanners (vulnerability scanners, asset discovery) by source rather than by disabling the service.

## Key Concepts

| Concept | Description |
|---------|-------------|
| OpenCanary | Lightweight Python honeypot with modular service emulation |
| Cowrie | Medium-interaction SSH/Telnet honeypot capturing commands |
| T-Pot | Multi-honeypot platform with ELK stack visualization |
| Canary Token | Tripwire credential or file that alerts when accessed |
| Low-Interaction | Emulates services at protocol level without full OS |
| High-Interaction | Full OS honeypot capturing complete attacker sessions |

## Tools & Systems

| Tool | Purpose |
|------|---------|
| OpenCanary | Modular honeypot daemon with service emulation |
| Cowrie | SSH/Telnet honeypot with session recording |
| T-Pot | All-in-one multi-honeypot platform |
| Dionaea | Malware-capturing honeypot for exploit detection |
| Splunk/Elastic | SIEM for honeypot alert aggregation |

## Output Format

```
Alert: HONEYPOT-[SERVICE]-[DATE]-[SEQ]
Honeypot: [Hostname/IP]
Service: [SSH/HTTP/SMB/FTP/RDP]
Source IP: [Attacker IP]
Interaction: [Login attempt/Port scan/File access]
Credentials Used: [Username:Password if applicable]
Commands Executed: [For SSH honeypots]
Risk Level: [Critical/High/Medium/Low]
```
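Steps 4 and 6 of the workflow (alerting and monitoring) and the Output Format above come together in the following added example, which is not part of the skill or of the Cowrie project. It reads Cowrie's JSON log (the `cowrie.session.connect`, `cowrie.login.failed`, `cowrie.login.success`, `cowrie.command.input` and `cowrie.session.closed` events with their `session`, `src_ip`, `sensor`, `username`, `password`, `input` and `timestamp` fields, as Cowrie documents them), groups events per session, and emits one alert per session in the page's format. The sample log lines are constructed, and the risk-level heuristic (commands executed beats a successful login beats failed attempts beats a bare connection) is this example's own assumption, not something the skill specifies.

```python
"""Cowrie JSON log -> per-session alerts in the page's Output Format.

Added example (not Cowrie's or the skill's code). Assumes Cowrie's JSON
log output; the risk-level heuristic is an assumption of this example.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from typing import Iterable

# Constructed sample log, not real data: one session that logs in and runs
# commands, and one that only connects (what a scanner typically leaves).
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "10.20.30.40", "src_port": 51234, "dst_ip": "10.0.5.10", "dst_port": 2222, "session": "a1b2c3d4e5f6", "sensor": "hp-ssh-01", "timestamp": "2024-05-01T10:15:02.123456Z"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "toor", "src_ip": "10.20.30.40", "session": "a1b2c3d4e5f6", "sensor": "hp-ssh-01", "timestamp": "2024-05-01T10:15:04.000000Z"}
{"eventid": "cowrie.login.success", "username": "root", "password": "123456", "src_ip": "10.20.30.40", "session": "a1b2c3d4e5f6", "sensor": "hp-ssh-01", "timestamp": "2024-05-01T10:15:06.000000Z"}
{"eventid": "cowrie.command.input", "input": "uname -a", "src_ip": "10.20.30.40", "session": "a1b2c3d4e5f6", "sensor": "hp-ssh-01", "timestamp": "2024-05-01T10:15:08.000000Z"}
{"eventid": "cowrie.command.input", "input": "cat /etc/passwd", "src_ip": "10.20.30.40", "session": "a1b2c3d4e5f6", "sensor": "hp-ssh-01", "timestamp": "2024-05-01T10:15:09.000000Z"}
{"eventid": "cowrie.session.closed", "src_ip": "10.20.30.40", "session": "a1b2c3d4e5f6", "sensor": "hp-ssh-01", "timestamp": "2024-05-01T10:15:20.000000Z"}
{"eventid": "cowrie.session.connect", "src_ip": "10.20.30.41", "src_port": 40022, "dst_ip": "10.0.5.10", "dst_port": 2222, "session": "ffff00001111", "sensor": "hp-ssh-01", "timestamp": "2024-05-01T10:20:00.000000Z"}
{"eventid": "cowrie.session.closed", "src_ip": "10.20.30.41", "session": "ffff00001111", "sensor": "hp-ssh-01", "timestamp": "2024-05-01T10:20:01.000000Z"}
"""


@dataclass
class Session:
    session_id: str
    sensor: str = ""
    src_ip: str = ""
    first_seen: str = ""
    attempts: list[tuple[str, str, bool]] = field(default_factory=list)  # (user, pass, success)
    commands: list[str] = field(default_factory=list)


def parse_sessions(lines: Iterable[str]) -> dict[str, Session]:
    """Group Cowrie events by their session id, keeping credentials and commands."""
    sessions: dict[str, Session] = {}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # a truncated line (e.g. mid-rotation) must not abort the run
        sid = ev.get("session")
        if not sid:
            continue
        s = sessions.setdefault(sid, Session(session_id=sid))
        s.first_seen = s.first_seen or ev.get("timestamp", "")
        s.sensor = s.sensor or ev.get("sensor", "")
        s.src_ip = s.src_ip or ev.get("src_ip", "")
        eid = ev.get("eventid", "")
        if eid in ("cowrie.login.failed", "cowrie.login.success"):
            s.attempts.append((ev.get("username", ""), ev.get("password", ""), eid.endswith("success")))
        elif eid == "cowrie.command.input":
            s.commands.append(ev.get("input", ""))
    return sessions


def risk_level(s: Session) -> str:
    """Assumed heuristic: deeper interaction means higher risk."""
    if s.commands:
        return "Critical"
    if any(ok for _, _, ok in s.attempts):
        return "High"
    if s.attempts:
        return "Medium"
    return "Low"


def interaction(s: Session) -> str:
    if s.commands:
        return "Interactive session"
    if s.attempts:
        return "Login attempt"
    return "Connection only"


def format_alert(s: Session, seq: int) -> str:
    """Render one session in the skill's Output Format (SSH service)."""
    date = s.first_seen[:10].replace("-", "")
    creds = ", ".join(f"{u}:{p}" for u, p, _ in s.attempts) or "N/A"
    cmds = "; ".join(s.commands) or "N/A"
    return "\n".join([
        f"Alert: HONEYPOT-SSH-{date}-{seq:03d}",
        f"Honeypot: {s.sensor}",
        "Service: SSH",
        f"Source IP: {s.src_ip}",
        f"Interaction: {interaction(s)}",
        f"Credentials Used: {creds}",
        f"Commands Executed: {cmds}",
        f"Risk Level: {risk_level(s)}",
    ])


def build_alerts(lines: Iterable[str]) -> list[str]:
    """One alert per session, numbered in order of first appearance."""
    ordered = sorted(parse_sessions(lines).values(), key=lambda s: s.first_seen)
    return [format_alert(s, i) for i, s in enumerate(ordered, start=1)]


if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_LOG.splitlines()):
        print(alert, end="\n\n")
```

In production the function would be fed by a log shipper or by tailing `cowrie.json`; grouping by `session` rather than by source IP keeps a scanner that opens many short connections from flooding the SIEM with one alert per event.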
Related Skills
scanning-network-with-nmap-advanced
Performs advanced network reconnaissance using Nmap's scripting engine, timing controls, evasion techniques, and output parsing to discover hosts, enumerate services, detect vulnerabilities, and fingerprint operating systems across authorized target networks.
performing-wireless-network-penetration-test
Execute a wireless network penetration test to assess WiFi security by capturing handshakes, cracking WPA2/WPA3 keys, detecting rogue access points, and testing wireless segmentation using Aircrack-ng and related tools.
performing-web-cache-deception-attack
Execute web cache deception attacks by exploiting path normalization discrepancies between CDN caching layers and origin servers to cache and retrieve sensitive authenticated content.
performing-ot-network-security-assessment
This skill covers conducting comprehensive security assessments of Operational Technology (OT) networks including SCADA systems, DCS architectures, and industrial control system communication paths. It addresses the Purdue Reference Model layers, identifies IT/OT convergence risks, evaluates firewall rules between zones, and maps industrial protocol traffic (Modbus, DNP3, OPC UA, EtherNet/IP) to detect misconfigurations, unauthorized connections, and attack surfaces in critical infrastructure.
performing-network-traffic-analysis-with-zeek
Deploy Zeek network security monitor to capture, parse, and analyze network traffic metadata for threat detection, anomaly identification, and forensic investigation.
performing-network-traffic-analysis-with-tshark
Automate network traffic analysis using tshark and pyshark for protocol statistics, suspicious flow detection, DNS anomaly identification, and IOC extraction from PCAP files.
performing-network-packet-capture-analysis
Perform forensic analysis of network packet captures (PCAP/PCAPNG) using Wireshark, tshark, and tcpdump to reconstruct network communications, extract transferred files, identify malicious traffic, and establish evidence of data exfiltration or command-and-control activity.
performing-network-forensics-with-wireshark
Capture and analyze network traffic using Wireshark and tshark to reconstruct network events, extract artifacts, and identify malicious communications.
performing-external-network-penetration-test
Conduct a comprehensive external network penetration test to identify vulnerabilities in internet-facing infrastructure using PTES methodology, reconnaissance, scanning, exploitation, and reporting.
performing-deception-technology-deployment
Deploys deception technology including honeypots, honeytokens, and decoy systems to detect attackers who have bypassed perimeter defenses, providing high-fidelity alerts with near-zero false positive rates. Use when SOC teams need early warning of lateral movement, credential abuse, or internal reconnaissance by deploying convincing traps across the network.
implementing-zero-trust-with-hashicorp-boundary
Implement HashiCorp Boundary for identity-aware zero trust infrastructure access management with dynamic credential brokering, session recording, and Vault integration.
implementing-zero-trust-with-beyondcorp
Deploy Google BeyondCorp Enterprise zero trust access controls using Identity-Aware Proxy (IAP), context-aware access policies, device trust validation, and Access Context Manager to enforce identity and posture-based access to GCP resources and internal applications.