pith. machine review for the scientific record.

arxiv: 2510.25939 · v4 · submitted 2025-10-29 · 💻 cs.CR

SoK: Honeypots & LLMs, More Than the Sum of Their Parts?

Pith reviewed 2026-05-18 03:00 UTC · model grok-4.3

classification 💻 cs.CR
keywords: honeypots, large language models, deception systems, cybersecurity, intrusion detection, systematization of knowledge, autonomous systems

The pith

LLMs can turn static honeypots into adaptive deception systems that respond realistically to attackers.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper surveys work since late 2022 that combines large language models with honeypots to create more convincing decoys in cybersecurity. It organizes the literature around a taxonomy of how attackers detect honeypots and where LLMs help or fall short in simulating real systems. The authors identify recurring design patterns, a standard set of evaluation criteria, and a way to classify attacker types, then outline how log analysis can become automated threat intelligence. A reader would care because these steps point toward deception tools that improve themselves without constant human oversight.

Core claim

The authors claim that LLM-powered honeypots follow a canonical architecture in which the model handles interactive responses, an evaluation tetrad assesses fidelity and risk, and an attacker trichotomy maps requirements for deception. They trace how honeypot logs are shifting from manual review to automated intelligence generation and argue that the next stage is autonomous, self-improving systems capable of countering intelligent automated attackers.

What carries the argument

The canonical architecture that integrates an LLM to generate believable interactive responses while managing operational risk.

If this is right

  • Log analysis can evolve from manual inspection into real-time automated intelligence that feeds back into the deception system.
  • Evaluation frameworks built around the tetrad and trichotomy will let researchers compare prototypes more consistently.
  • Autonomous self-improving versions could reduce the need for constant human tuning of honeypot responses.
  • The taxonomy of detection vectors can be used to prioritize where LLM simulation adds the most value.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same patterns might apply to other defensive deception techniques such as fake network traffic or decoy credentials.
  • Live deployment data from production networks would be needed to check whether the identified patterns hold outside research settings.
  • Combining these systems with existing intrusion detection tools could create hybrid defenses that both lure and actively respond to threats.

Load-bearing premise

The papers published since late 2022 are representative enough to reveal stable architectural patterns, evaluation standards, and attacker categories that will guide future designs.

What would settle it

A controlled test in which an LLM-honeypot prototype is placed alongside a traditional honeypot and shows no measurable increase in successful deception or attacker engagement against automated tools would undermine the proposed roadmap.

Figures

Figures reproduced from arXiv: 2510.25939 by Mauricio Muñoz, Robert A. Bridges, Ted Henriksson, Thomas R. Mitchell.

Figure 1: The Canonical Architecture of an LLM-Powered Honeypot. This diagram synthesizes the architectural patterns that have …

Original abstract

The advent of Large Language Models (LLMs) promised to resolve the long-standing paradox in honeypot design: achieving high-fidelity deception with low operational risk. Since late 2022, a flurry of research has demonstrated steady progress from ideation to prototype implementation. While promising, evaluations show only incremental progress in real-world deployments, and the field still lacks a cohesive understanding of emerging architectural patterns, core challenges, and evaluation paradigms. To fill this gap, we provide the first comprehensive overview and analysis of this new domain, focusing on three critical, intersecting research areas: we provide a taxonomy of honeypot detection vectors, mapped to how LLM-based simulation can or cannot aid deception; we synthesize the emerging literature on LLM-powered honeypots, identifying a canonical architecture, an evaluation tetrad, and an attacker trichotomy mapped to honeypot requirements; and we chart the evolution of honeypot log analysis into automated intelligence generation. Finally, we synthesize these findings into a forward-looking research roadmap, arguing that the true potential of this technology lies in creating autonomous, self-improving deception systems to counter the emerging threat of intelligent, automated attackers.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. This Systematization of Knowledge (SoK) paper surveys the intersection of honeypots and Large Language Models (LLMs) since late 2022. It claims to deliver the first comprehensive overview by (1) providing a taxonomy of honeypot detection vectors and mapping them to LLM simulation capabilities, (2) synthesizing the literature to extract a canonical architecture, an evaluation tetrad, and an attacker trichotomy, (3) charting the shift from honeypot log analysis to automated intelligence generation, and (4) outlining a research roadmap whose central thesis is that the technology's true potential lies in autonomous, self-improving deception systems capable of countering intelligent, automated attackers.

Significance. If the identified canonical architecture, evaluation tetrad, and attacker trichotomy prove representative of the post-2022 literature, the SoK would supply a much-needed organizing framework for a nascent field that currently shows only incremental real-world progress. By explicitly linking LLM capabilities to deception requirements and projecting toward autonomous systems, the work could accelerate design of more robust defenses against automated attackers; the explicit acknowledgment of limited deployment success also usefully tempers expectations.

major comments (2)
  1. [Abstract] Abstract: The claim of providing 'the first comprehensive overview' and of having identified 'a canonical architecture, an evaluation tetrad, and an attacker trichotomy' that are 'sufficiently representative to guide future autonomous system design' rests on an unstated literature-search methodology and inclusion criteria. Without these details it is impossible to evaluate selection bias or completeness, which directly undermines the load-bearing assumption that the synthesized structures can reliably inform the proposed autonomous-systems roadmap.
  2. [Roadmap / Conclusion] The forward-looking roadmap section: The strongest claim—that the true potential lies in 'autonomous, self-improving deception systems'—is presented as a synthesis-derived conclusion, yet the manuscript notes only incremental real-world progress and a still-nascent field. If the tetrad and trichotomy are derived from a small early-stage sample rather than stable patterns, the extrapolation to autonomous systems constitutes an over-extension that requires either stronger empirical grounding or explicit qualification.
minor comments (2)
  1. [Abstract] The abstract and introduction would benefit from an explicit statement of the number of papers reviewed and the time window searched, even if a full PRISMA-style diagram appears later.
  2. [Taxonomy / Synthesis sections] Notation for the 'evaluation tetrad' and 'attacker trichotomy' should be introduced with a clear table or figure reference on first use to improve readability for readers unfamiliar with the subfield.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive and detailed feedback on our SoK manuscript. The comments highlight important issues of methodological transparency and the appropriate strength of forward-looking claims in a nascent field. We have revised the paper to address both points directly.

Point-by-point responses
  1. Referee: [Abstract] Abstract: The claim of providing 'the first comprehensive overview' and of having identified 'a canonical architecture, an evaluation tetrad, and an attacker trichotomy' that are 'sufficiently representative to guide future autonomous system design' rests on an unstated literature-search methodology and inclusion criteria. Without these details it is impossible to evaluate selection bias or completeness, which directly undermines the load-bearing assumption that the synthesized structures can reliably inform the proposed autonomous-systems roadmap.

    Authors: We agree that the absence of an explicit description of our literature search process and inclusion criteria reduces transparency. In the revised manuscript we have added a new subsection (Section 2.1) that details the search strategy, including the databases and repositories queried (arXiv, IEEE Xplore, ACM Digital Library, Google Scholar), the keyword combinations used, the time window (late 2022 onward), and the explicit inclusion/exclusion criteria applied. We also report the number of papers screened and retained. These additions allow readers to assess selection bias and provide a clearer basis for the synthesized structures. revision: yes

  2. Referee: [Roadmap / Conclusion] The forward-looking roadmap section: The strongest claim—that the true potential lies in 'autonomous, self-improving deception systems'—is presented as a synthesis-derived conclusion, yet the manuscript notes only incremental real-world progress and a still-nascent field. If the tetrad and trichotomy are derived from a small early-stage sample rather than stable patterns, the extrapolation to autonomous systems constitutes an over-extension that requires either stronger empirical grounding or explicit qualification.

    Authors: We acknowledge that the current literature base is small and that real-world deployment results remain incremental. In the revised version we have added explicit qualifications in both the roadmap (Section 6) and the conclusion. We now state that the canonical architecture, evaluation tetrad, and attacker trichotomy are derived from the early post-2022 corpus and should be viewed as provisional patterns rather than stable, empirically validated constructs. The language around autonomous, self-improving systems has been tempered to present this direction as a research hypothesis motivated by the synthesis, not as a guaranteed outcome, and we have inserted a limitations paragraph noting the need for larger-scale empirical studies before strong claims can be made. revision: yes

Circularity Check

0 steps flagged

No circularity: literature synthesis grounded in external sources

This SoK paper synthesizes post-2022 literature on LLM-powered honeypots, providing taxonomies, a canonical architecture, evaluation tetrad, and attacker trichotomy drawn from reviewed external papers rather than any internal derivations, equations, or fitted parameters. The forward-looking roadmap on autonomous deception systems is presented as an argument based on the synthesized findings, not as a prediction reduced to the paper's own inputs by construction. No self-citation chains, self-definitional steps, or renamed known results appear as load-bearing elements; the work remains self-contained against external benchmarks in the cited body of research.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The paper rests on the domain assumption that recent LLM-honeypot prototypes share identifiable canonical structures and that a synthesis of them can reliably point toward autonomous systems; no free parameters or new invented entities are introduced.

axioms (1)
  • domain assumption: The body of LLM-honeypot research since late 2022 is mature enough to support extraction of canonical architecture, evaluation tetrad, and attacker trichotomy.
    Invoked in the abstract when the authors state they synthesize the emerging literature into these named constructs.
