Skip to main content
Panguard Trap deploys lightweight honeypots that mimic real services. When attackers interact with these decoys, Panguard captures their techniques, tools, and intent — giving you early warning and threat intelligence.
Honeypots require a Pro plan or higher. Community and Solo plans do not include Trap functionality.
1

Start honeypots

Deploy one or more decoy services with a single command:
panguard trap start --services ssh,http

  PANGUARD AI - Trap Engine

  Deploying honeypots...

  -- Active Traps ---------------------------

  SSH    port 2222   status: listening
  HTTP   port 8080   status: listening

  2 honeypots deployed.
  Attacker interactions will be logged and profiled.
Honeypots bind to non-standard ports by default to avoid conflicts with real services. Use --port-map to customize: panguard trap start --services ssh --port-map ssh:22.
2

Choose service types

Panguard supports 8 honeypot service types:
ServiceDefault PortEmulates
ssh2222OpenSSH server with fake authentication
http8080Apache/Nginx web server with decoy pages
ftp2121FTP server with fake file listings
smb4450Windows file share (SMB/CIFS)
mysql3307MySQL database with fake credentials
rdp3390Remote Desktop Protocol handshake
telnet2323Telnet login prompt
redis6380Redis in-memory store
Deploy all 8 at once:
panguard trap start --services ssh,http,ftp,smb,mysql,rdp,telnet,redis
Start with ssh and http — these attract the most attacker traffic. Add additional services based on your environment (e.g., mysql if you run databases, smb if you run Windows networks).
3

View attacker profiles

Panguard automatically builds profiles of attackers based on their interactions:
panguard trap profiles

  PANGUARD AI - Attacker Profiles

  -- Profile #1 -----------------------------

  IP:          203.0.113.42
  Country:     CN
  First seen:  2026-03-05 08:12:00
  Last seen:   2026-03-07 14:30:22
  Sessions:    47
  Services:    ssh (39), http (8)
  Techniques:  brute-force, credential-stuffing
  Tools:       Hydra, custom scanner
  Risk:        HIGH

  -- Profile #2 -----------------------------

  IP:          198.51.100.17
  Country:     RU
  First seen:  2026-03-07 02:45:11
  Last seen:   2026-03-07 03:12:44
  Sessions:    3
  Services:    http (2), mysql (1)
  Techniques:  SQL injection probe, directory traversal
  Tools:       sqlmap
  Risk:        MEDIUM
4

Access threat intelligence

Aggregate attacker data into actionable threat intelligence:
panguard trap intel

  PANGUARD AI - Threat Intelligence

  -- Summary (Last 7 Days) ------------------

  Total interactions:  312
  Unique IPs:          28
  Countries:           8 (CN, RU, US, BR, KR, IN, DE, NL)
  Top technique:       SSH brute-force (68%)
  Top tool:            Hydra (41%)

  -- Indicators of Compromise ---------------

  203.0.113.42    HIGH    brute-force     blocked
  198.51.100.17   MEDIUM  sql-injection   monitoring
  192.0.2.88      LOW     port-scan       logged
Export IoCs for use in other security tools:
panguard trap intel --output iocs.json
5

Check trap status

View the state of all deployed honeypots:
panguard trap status
Stop all honeypots:
panguard trap stop
Stop a specific service:
panguard trap stop --services ssh

What to do next

Honeypot types reference

Detailed documentation for each of the 8 service emulators.

Attacker profiling

How Panguard builds behavioral profiles from honeypot interactions.

Deploy Threat Cloud

Share threat intelligence across your fleet with a centralized Threat Cloud server.

Configure notifications

Get alerted when attackers interact with your honeypots.