Self-Hostable Honeypot Platform

Deploy. Deceive.
Detect. Attackers don't stand a chance.

Production-grade honeypot decoys — growing. Dual IDS. MITRE ATT&CK classification. LLM-powered adaptive decoys that respond like real systems. Deploy in under 5 minutes.

2 IDS Engines
72h Grace Period
<5m To Deploy
Growing Services
Dual IDS
Suricata + Snort
Both IDS engines run simultaneously. Suricata handles EVE-JSON streaming; Snort provides complementary rule-based detection. All alerts are correlated, classified, and tagged with attack group signatures.
MITRE ATT&CK
Session Classification
Every attacker session is automatically labelled with MITRE ATT&CK tactics and techniques using your configured LLM. Risk levels, intent analysis, and behaviour hashes give you actionable intelligence, not raw logs.
LLM Decoys
Adaptive Responses
The manager uses OpenAI, Gemini, or a local Ollama model to generate contextually appropriate shell responses, HTTP pages, and error messages — keeping attackers engaged and extracting maximum intelligence.

Built for security engineers,
not marketing teams

Every feature exists because it catches attackers or helps you understand them — nothing more.

🛡
Growing Honeypot Services
SSH, HTTP, HTTPS, FTP, SMTP, Telnet, DNS, Redis, MySQL, RDP today — with more protocols added continuously. Each service uses host networking to preserve real attacker source IPs and full session recording.
// more coming soon
📡
Packet · Flow · Session Intelligence
PFS stands for Packet, Flow, Session — the three pillars of network forensics. Full PCAP on demand, per-connection flow telemetry, and deep session recording. Correlate across all three layers to build a complete attacker timeline.
// that's what PFS means
🧠
LLM-Powered Decoys
Shell sessions respond intelligently using your chosen LLM. HTTP decoys serve dynamically generated pages. Attackers can't tell the difference.
// openai / gemini / ollama
🗺
MITRE ATT&CK Labels
Automatic tactic and technique classification per session. Risk scoring from low to critical. Behaviour hashing for attacker fingerprinting.
// ai-powered analysis
🔗
Distributed Mode
Run the manager on one host, deploy sensor nodes on others. Each node forwards events over HTTPS. Up to 5 nodes on Pro, unlimited on Enterprise.
// pro + enterprise
📊
Real-Time Dashboard
Live event stream, network flow graphs, IDS alert analytics, session detail views, PCAP export, and full audit logging — all in one dashboard.
// no cloud required

Every attack surface covered

All 10 services run in Docker containers with host networking to preserve real attacker source IPs.

🔒
SSH
:22 → 2222
🌐
HTTP
:80
🔐
HTTPS
:443 → 8184
📁
FTP
:21
📧
SMTP
:25
💻
Telnet
:23
🗄
MySQL
:3306
Redis
:6379
🖥
RDP
:3389
📡
DNS
:53 → 1553

Free tier: up to 5 services active simultaneously  ·  Pro/Enterprise: all current services

⚡ More protocols coming soon — LDAP, MQTT, Modbus, VNC, MongoDB and more. Pro/Enterprise customers get access automatically.

Standalone or distributed —
your infrastructure, your rules

☁ SaaS hosted option coming soon — no server required

Free
🖥
Standalone Mode
Everything runs on a single host. Manager, IDS, services, and dashboard all co-located. Perfect for researchers, homelabs, and evaluation.
  • Up to 5 honeypot services active
  • Full dashboard and analytics
  • Dual IDS — Suricata + Snort
  • LLM decoys and MITRE labels
  • PCAP and flow telemetry
  • No license required
Pro / Enterprise
🌐
Distributed Mode
Manager on one host, sensor nodes on others. Nodes forward all events over HTTPS. Deploy across multiple subnets, cloud providers, or physical locations.
  • Manager + separate sensor nodes
  • All 10 services across any host
  • Node heartbeat and health monitoring
  • API token auth per node
  • Up to 5 nodes (Pro) or unlimited (Enterprise)
  • License validation every 24 hours
Coming Soon
☁️
SaaS Hosted
Fully managed — no server, no Docker, no maintenance. We run the infrastructure; you watch the events. Ideal for teams who want the intelligence without the ops burden.
  • Zero infrastructure to manage
  • Instant provisioning — live in seconds
  • Managed updates and scaling
  • Same dashboard and event stream
  • All honeypot services included
  • Pricing to be announced

Honest pricing.
No per-seat nonsense.

Per organisation. Cancel any time.

Monthly
Annual SAVE 20%
// free
Standalone
Solo researchers, homelab users, evaluation
£0  forever
 
  • Up to 5 honeypot services
  • Full dashboard & analytics
  • Dual IDS — Suricata + Snort
  • LLM decoys & MITRE labels
  • PCAP + flow telemetry
  • Distributed mode
  • Sensor nodes
  • Email support
// enterprise
Enterprise
Large teams, government, high-volume MSSPs
£149 /mo
 
  • Everything in Pro
  • Unlimited sensor nodes
  • SSO / SAML dashboard login
  • Compliance-ready audit log export
  • Dedicated Slack channel
  • 4-hour support SLA
  • Custom annual pricing available

Need a custom quote or have more than 10 sensor nodes? Contact us →

Running in under 5 minutes

Engineers want to run it before they buy anything. Here's how.

1. Create a free account
Sign up at pfshoneystack.io/portal. No credit card required. Works on any Linux host with Docker 24+ and Docker Compose v2 installed. Root access or Docker group membership needed.

2. Get your GHCR pull token
Log in to your portal and go to Docker Access in the sidebar. Click Request Docker Access Token — it appears on screen instantly and is sent to your email. This token authenticates Docker to pull the private HoneyStack images. All tiers — including free — receive a token.

3. Download, configure & deploy
Authenticate Docker with your token, download the compose file and env template, set ADMIN_CIDRS and your database password, then run docker compose up -d. Full walkthrough in your portal under Setup Guide. No license key needed for free tier.

4. Pro / Enterprise — unlock more
Subscribe from your portal to get a license key by email. Add it to .env as LICENSE_KEY= and restart. Unlocks all 10 services, distributed mode, and sensor nodes — no reinstall needed.

5. Start catching attackers
Open the dashboard on port 8080, activate your chosen honeypot services, and watch the live event stream. On any internet-facing host, attacker traffic appears within minutes.

bash — quick start
# Step 2 — authenticate (token from portal → Docker Access)
$ echo $GHCR_TOKEN | docker login ghcr.io \
    -u pfshoneystack --password-stdin

# Step 3 — download files & configure
$ curl -LO https://pfshoneystack.io/static/docker-compose.yml
$ curl -LO https://pfshoneystack.io/static/env.example
$ cp env.example .env
$ nano .env   # Set ADMIN_CIDRS, POSTGRES_PASSWORD, optional LLM keys
$ docker compose up -d

# Step 4 — Pro/Enterprise only: add your license key then restart
$ echo "LICENSE_KEY=HS-PRO-XXXX-XXXX" >> .env
$ docker compose restart manager

# Step 5 — dashboard live on port 8080
$ open https://YOUR_SERVER_IP:8080