Self-Hostable Honeypot Platform

Deploy. Deceive. Detect.
Attackers don't stand a chance.

10 production-grade decoy services. Dual IDS. MITRE ATT&CK classification. LLM-powered adaptive decoys that respond like real systems. Deploy in under 5 minutes.

10 Decoy Services
2 IDS Engines
72h Grace Period
<5m To Deploy
Dual IDS
Suricata + Snort
Both IDS engines run simultaneously. Suricata handles EVE-JSON streaming; Snort provides complementary rule-based detection. All alerts are correlated, classified, and tagged with attack group signatures.
MITRE ATT&CK
Session Classification
Every attacker session is automatically labelled with MITRE ATT&CK tactics and techniques using your configured LLM. Risk levels, intent analysis, and behaviour hashes give you actionable intelligence, not raw logs.
LLM Decoys
Adaptive Responses
The manager uses OpenAI, Gemini, or a local Ollama model to generate contextually appropriate shell responses, HTTP pages, and error messages — keeping attackers engaged and extracting maximum intelligence.

Built for security engineers, not marketing teams

Every feature exists because it catches attackers or helps you understand them — nothing more.

🛡
10 Honeypot Services
SSH, HTTP, HTTPS, FTP, SMTP, Telnet, DNS, Redis, MySQL, RDP — each with realistic protocol emulation and full session recording.
// host network mode
📡
PCAP + Flow Telemetry
Full packet capture on demand. Flow statistics with per-connection correlation across services. Export to SIEM via API or webhook.
// real-time streaming
🧠
LLM-Powered Decoys
Shell sessions respond intelligently using your chosen LLM. HTTP decoys serve dynamically generated pages. Attackers can't tell the difference.
// openai / gemini / ollama
🗺
MITRE ATT&CK Labels
Automatic tactic and technique classification per session. Risk scoring from low to critical. Behaviour hashing for attacker fingerprinting.
// ai-powered analysis
🔗
Distributed Mode
Run the manager on one host, deploy sensor nodes on others. Each node forwards events over HTTPS. Up to 5 nodes on Pro, unlimited on Enterprise.
// pro + enterprise
📊
Real-Time Dashboard
Live event stream, network flow graphs, IDS alert analytics, session detail views, PCAP export, and full audit logging — all in one dashboard.
// no cloud required

Every attack surface covered

All 10 services run in Docker containers with host networking to preserve real attacker source IPs.

🔒
SSH
:22 → 2222
🌐
HTTP
:80
🔐
HTTPS
:443 → 8184
📁
FTP
:21
📧
SMTP
:25
💻
Telnet
:23
🗄
MySQL
:3306
Redis
:6379
🖥
RDP
:3389
📡
DNS
:53 → 1553

Free tier: up to 5 services active simultaneously  ·  Pro/Enterprise: all 10

Standalone or distributed — your infrastructure, your rules

Free
🖥
Standalone Mode
Everything runs on a single host. Manager, IDS, services, and dashboard all co-located. Perfect for researchers, homelabs, and evaluation.
  • Up to 5 honeypot services active
  • Full dashboard and analytics
  • Dual IDS — Suricata + Snort
  • LLM decoys and MITRE labels
  • PCAP and flow telemetry
  • No license required
Pro / Enterprise
🌐
Distributed Mode
Manager on one host, sensor nodes on others. Nodes forward all events over HTTPS. Deploy across multiple subnets, cloud providers, or physical locations.
  • Manager + separate sensor nodes
  • All 10 services across any host
  • Node heartbeat and health monitoring
  • API token auth per node
  • Up to 5 nodes (Pro) or unlimited (Enterprise)
  • License validation every 24 hours

Honest pricing. No per-seat nonsense.

Per organisation. Cancel any time.

Monthly
Annual SAVE 20%
// free
Standalone
Solo researchers, homelab users, evaluation
£0  forever
 
  • Up to 5 honeypot services
  • Full dashboard & analytics
  • Dual IDS — Suricata + Snort
  • LLM decoys & MITRE labels
  • PCAP + flow telemetry
  • Distributed mode
  • Sensor nodes
  • Email support
// enterprise
Enterprise
Large teams, government, high-volume MSSPs
£149/mo
 
  • Everything in Pro
  • Unlimited sensor nodes
  • SSO / SAML dashboard login
  • Compliance-ready audit log export
  • Dedicated Slack channel
  • 4-hour support SLA
  • Custom annual pricing available

Need a custom quote or have more than 10 sensor nodes? Contact us →

Running in under 5 minutes

Engineers want to run it before they buy anything. Here's how.

1
Prerequisites
Docker 24+ and Docker Compose v2. A Linux host (Ubuntu 22.04 recommended). Run as root or a user with Docker socket access.
2
Pull and configure
Clone the repo, copy .env.example to .env, and set your ADMIN_CIDRS so you don't lock yourself out of SSH.
3
Deploy
Run the install script. It configures iptables, generates credentials, pulls all images, and opens the dashboard.
4
Start catching attackers
Open the dashboard on port 8080, start your chosen honeypot services, and watch the event stream fill up within minutes on any internet-facing host.
bash — install.sh
# 1. Authenticate with your GHCR token (Pro/Enterprise)
# Free users skip this step
$ echo $GHCR_TOKEN | docker login ghcr.io \
    -u pfshoneystack --password-stdin

# 2. Clone and configure
$ git clone https://github.com/pfshoneystack/honeystack
$ cd honeystack
$ cp .env.example .env
$ nano .env   # Set ADMIN_CIDRS, LICENSE_KEY, LLM keys

# 3. Deploy
$ bash install.sh

# 4. Dashboard is live
$ open https://YOUR_SERVER_IP:8080
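
Step 2 says to set ADMIN_CIDRS so you don't lock yourself out of SSH. The script below is an added example, not part of honeystack or its install.sh: run between steps 2 and 3, it checks that the address your SSH session comes from is covered by ADMIN_CIDRS. It assumes ADMIN_CIDRS is a comma-separated list of IPv4 CIDRs or addresses on one line of .env (the page does not show the format); the file name check_admin_cidrs.sh and all function names are hypothetical.

```sh
# check_admin_cidrs.sh (hypothetical name): added example, not project code.
# Assumption: .env holds ADMIN_CIDRS=<comma-separated IPv4 CIDRs or addresses>.
# Anything malformed counts as "not allowed", so the check fails closed.

# Print dotted-quad IPv4 address $1 as an integer; fail if malformed.
ip_to_int() {
  case $1 in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  local IFS=. o n=0 count=0
  for o in $1; do
    case $o in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
    [ "$o" -le 255 ] || return 1
    n=$(( (n << 8) | o )); count=$((count + 1))
  done
  [ "$count" -eq 4 ] && echo "$n"
}

# Return 0 if IPv4 address $1 is inside CIDR $2 (a bare address means /32).
ip_in_cidr() {
  local ip_int net_int mask prefix=32 net="$2"
  case $2 in */*) net=${2%/*}; prefix=${2##*/} ;; esac
  case $prefix in ''|*[!0-9]*|0?*|???*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  ip_int=$(ip_to_int "$1") && net_int=$(ip_to_int "$net") || return 1
  mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))   # 4294967295 = 2^32-1
  [ $(( ip_int & mask )) -eq $(( net_int & mask )) ]
}

# Return 0 if address $1 matches any ADMIN_CIDRS entry in env file $2.
admin_ip_allowed() {
  local list entry
  # Last assignment wins; strip optional quotes and whitespace.
  list=$(sed -n 's/^ADMIN_CIDRS=//p' "$2" | tail -n 1 | tr -d "\"' \t\r")
  local IFS=,
  for entry in $list; do
    [ -n "$entry" ] && ip_in_cidr "$1" "$entry" && return 0
  done
  return 1
}

# Run inside the SSH session you administer from: sh check_admin_cidrs.sh [.env]
if [ -n "${SSH_CLIENT:-}" ] && [ -f "${1:-.env}" ]; then
  if admin_ip_allowed "${SSH_CLIENT%% *}" "${1:-.env}"; then
    echo "OK: ${SSH_CLIENT%% *} is covered by ADMIN_CIDRS"
  else
    echo "WARNING: ${SSH_CLIENT%% *} is not in ADMIN_CIDRS; fix .env first" >&2
  fi
fi
```

An IPv6 source address is reported as not covered, since the check only understands IPv4.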