Skip to main content
The trap command deploys lightweight honeypot services that mimic real network services (SSH, HTTP, SMB, and more). When an attacker interacts with a trap, Panguard captures their tactics, generates threat intelligence, and alerts you immediately.

Usage

panguard trap <subcommand> [options]

Subcommands

SubcommandDescription
startStart honeypot services
stopStop all running honeypot services
statusShow active traps and interaction statistics
configView or modify trap configuration
profilesList attacker profiles built from trap interactions
intelExport collected threat intelligence data

Options

--services
string
Comma-separated list of honeypot service types to deploy. Options include ssh, http, smb, ftp, mysql, redis, rdp.
--data-dir
string
Override the default directory for trap logs and intelligence data. Defaults to ~/.panguard/trap/.
--no-cloud
flag
Keep all captured intelligence local — do not upload to the Panguard Threat Cloud.

Examples

panguard trap start --services ssh,http

Supported Honeypot Services

ServiceDefault PortWhat It Mimics
ssh2222OpenSSH server
http8080Apache/Nginx web server
smb4450Windows file sharing
ftp2121FTP server
mysql3307MySQL database
redis6380Redis key-value store
rdp3390Windows Remote Desktop
Honeypot ports are intentionally offset from standard ports to avoid conflicts with real services. You can customize port mappings in the trap configuration.

Plan Requirements

Trap requires the Pro ($29/mo) plan or higher. Attacker profiling and threat intelligence export are included at the Pro tier.

Honeypots Guide

Step-by-step guide for deploying and managing honeypots.

Trap Product Overview

Architecture and design of the Trap deception system.

Attacker Profiling

How Panguard builds attacker profiles from trap data.

panguard threat

Run a local Threat Cloud server for intelligence aggregation.