Panguard Trap
Deploy honeypot decoys to detect, profile, and block attackers before they reach real assets. Captured intelligence feeds directly into Guard blocklists.
Quick Start
Deploy honeypots with a single command. All services run in isolated containers.
Deploy all configured honeypots:
```bash
panguard trap start
```
Check running honeypots and captured events:
```bash
panguard trap status
```
Stop all honeypot services:
```bash
panguard trap stop
```
Honeypot Types
Three honeypot services cover the most common attack vectors.
SSH Honeypot
Port 2222
Emulates an OpenSSH server. Captures login attempts, passwords, and post-auth commands entered by attackers.
Captures: Credentials, commands, session recordings
HTTP Honeypot
Port 8080
Serves fake admin panels (WordPress, phpMyAdmin, cPanel). Records all HTTP requests and submitted credentials.
Captures: URLs, payloads, user agents, exploit attempts
DNS Honeypot
Port 5353
Detects DNS tunneling and data exfiltration. Identifies C2 communication channels hidden in DNS traffic.
Captures: Query patterns, tunneling attempts, exfiltration
Deploy a specific honeypot type:
```bash
panguard trap start --type ssh --port 2222
panguard trap start --type http --port 8080
panguard trap start --type dns --port 5353
```
How It Works
The Trap pipeline operates in four stages, from initial contact to automated defense.
Attacker Connects
An attacker discovers and connects to a decoy service, believing it to be a real target.
Capture Intelligence
Panguard records credentials, source IP, geolocation, tools used, and attack techniques (mapped to MITRE ATT&CK).
Auto-Block
The attacker IP is automatically added to Guard blocklists, preventing access to real services.
Feed Threat Intel
Captured data enriches your local threat intelligence database and can optionally be uploaded to Panguard Threat Cloud.
Threat Intelligence
View and manage the intelligence captured by your honeypots.
View captured threat data:
```bash
panguard trap intel
```
Export intelligence as JSON for integration with SIEMs:
```bash
panguard trap intel --json --last 7d
```
Auto-feed to Guard
All captured attacker IPs are automatically added to Guard blocklists. No manual configuration required. The integration is bidirectional: Guard events can also trigger Trap to deploy targeted honeypots.
Threat Cloud (Optional)
Opt in to share anonymized threat data with the Panguard Threat Cloud. In return, receive community-sourced blocklists from other Panguard deployments worldwide.
```bash
panguard trap intel --cloud-upload enable
```
Configuration
Customize ports, interaction levels, and auto-block behavior.
```yaml
# panguard.yaml — Trap configuration
trap:
  ssh:
    enabled: true
    port: 2222
    interaction: medium   # low | medium | high
    auto_block: true
  http:
    enabled: true
    port: 8080
    interaction: high
    auto_block: true
    panels:
      - wordpress
      - phpmyadmin
  dns:
    enabled: false
    port: 5353
    interaction: low
    auto_block: true
  auto_block_duration: 24h   # how long IPs stay blocked
  resource_limits:
    max_memory: 256m
    max_cpu: 0.5
```
Interaction Levels
| Level | Behavior | Use Case |
|---|---|---|
| low | Captures connection metadata only | Minimal resource usage, IP collection |
| medium | Accepts credentials, records commands | Balanced intelligence gathering |
| high | Full emulation with fake file system | Maximum attacker profiling |
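
The auto-block stage and the `auto_block_duration` setting, sketched as an added example (not Panguard's own code): it turns exported events into a blocklist with expiry times and skips addresses that must never be blocked. The event field names (`src_ip`, `service`, `ts`), the never-block ranges and the sample events are assumptions constructed for illustration; the page does not document the export schema.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample events. Field names are assumptions: the page does not
# document the schema produced by `panguard trap intel --json`.
SAMPLE_EVENTS = [
    {"src_ip": "203.0.113.7", "service": "ssh", "ts": "2024-05-01T10:00:00+00:00"},
    {"src_ip": "203.0.113.7", "service": "http", "ts": "2024-05-01T18:30:00+00:00"},
    {"src_ip": "198.51.100.20", "service": "dns", "ts": "2024-05-01T11:00:00+00:00"},
    {"src_ip": "10.0.0.5", "service": "ssh", "ts": "2024-05-01T12:00:00+00:00"},
    {"src_ip": "192.0.2.44", "service": "http", "ts": "2024-04-29T09:00:00+00:00"},
    {"src_ip": "not-an-ip", "service": "http", "ts": "2024-05-01T12:00:00+00:00"},
]

# Hypothetical never-block list: internal ranges plus your own scanners/monitoring.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "198.51.100.0/24",  # constructed stand-in for an allowlisted partner range
)]


def parse_duration(text):
    """Parse values written like auto_block_duration: '30m', '24h', '7d'."""
    units = {"m": "minutes", "h": "hours", "d": "days"}
    return timedelta(**{units[text[-1]]: int(text[:-1])})


def build_blocklist(events, duration, now, never_block=NEVER_BLOCK):
    """Return {ip: expiry} for source IPs whose block is still active at `now`."""
    ttl = parse_duration(duration)
    active = {}
    for event in events:
        try:
            ip = ipaddress.ip_address(event["src_ip"])
        except ValueError:
            continue  # malformed address: never hand it to a firewall
        if any(ip in net for net in never_block):
            continue  # internal or allowlisted source
        expiry = datetime.fromisoformat(event["ts"]) + ttl
        if expiry > now:  # repeat hits extend the block to the latest expiry
            active[str(ip)] = max(expiry, active.get(str(ip), expiry))
    return active


if __name__ == "__main__":
    now = datetime(2024, 5, 2, tzinfo=timezone.utc)
    for ip, expiry in build_blocklist(SAMPLE_EVENTS, "24h", now).items():
        print(ip, "blocked until", expiry.isoformat())
```

Source addresses on UDP services such as the DNS honeypot can be spoofed, which is why the never-block check runs before any entry is emitted.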
Safety
Honeypots are designed to be safe by default. No real data is ever exposed.
Container Isolation
Each honeypot runs in an isolated container with no access to the host filesystem or network services.
No Real Data
Decoy services contain only synthetic data: fake credentials, dummy files, and fabricated database entries.
Resource Limits
Configurable CPU and memory caps prevent honeypots from consuming production resources.
Network Segmentation
Honeypot traffic is isolated on a dedicated virtual network, separate from production traffic.
Get Started
Deploy your first honeypot and start collecting threat intelligence today.