Learn Honeypot - Plan, Build, Deploy & Research

We offer training on honeypots and other deception security technologies, either as an "Open-class", a "Private-class" or a "Pre-conference" class.

Next training event:

Classes can be either one-day or two-day events. The 2-day workshop could have the following agenda, but private classes can be tailor-made to requirements.

Day 1

Introduction to honeypot systems, with special focus on ICS/SCADA

On the first day, the students will be introduced to different types of honeypot systems and the pros and cons of each honeypot type.

The students will be guided through the different phases of planning, deploying and analyzing the collected data from an ICS/SCADA honeypot.

We will deploy live honeypots on the internet and see how attackers would start to probe our honeypots. Furthermore, we will also attack the deployed honeypots ourselves; using SCADA pen testing tools and similar software. We will learn to spot various tools, and how to hide the signatures of a default honeypot.

Day 2

Deploy more honeypots and move from low interaction to medium/high interaction Honeypots

We will continue the modification of the SCADA honeypot from day 1 and will also deploy a new Internet-based ICS/SCADA credential honeypot to our research arsenal, for further research and analysis.

On day 2, the students will build a purpose-built in-house honeypot lab, where we change a low-interaction honeypot to act as a realistic device (medium/high-interaction honeypot) to ensure that attackers can’t spot the honeypot ‘a mile away’. This gives the students an even better opportunity to do research and gather threat intelligence data on high-interaction honeypots.

The 2nd day also provides opportunities to deep dive into students' ideas for further activities after the workshop.

Course syllabus
  • Introduction to honeypot systems, with special focus on ICS/SCADA.
  • Building and deployment of a live honeypot on the internet.
  • Useful tools to pentest SCADA honeypot systems.
  • How to read the logs and spot different attack types.
  • Useful modifications of the honeypot configuration.
  • Learning how to build and deploy a medium/high-interaction honeypot, for even better research data/TTPs.
  • Closing remarks and ideas for further activities.

Each student will get access to a number of virtual lab servers to learn how to deploy and customize settings to avoid the default honeypot signature and evolve the low-interaction honeypot into a true high-interaction honeypot.

Takeaway for participants

After this 2-day workshop, you will be able to plan and deploy different types of ICS/SCADA-related open source honeypots, either for research or to defend your corporate/industrial assets. You will understand different honeypot types and deception methods.

You will leave the classroom knowing how to change the default signature on the honeypots and with an understanding of the most common tools that will attack your honeypots.


Students must bring a suitable laptop able to connect to the Internet. It must have an SSH client (PuTTY/term or similar software) installed. All lab servers are based on the internet, so no hypervisor like VMware/VirtualBox is required on the student device. Knowledge of basic Linux commands, a text editor and usage of the command line would be beneficial, but is not a strict requirement to benefit from this course.

Workshop Level - Beginner to Intermediate


Hey....Thanks to your training, I have just put my 1’ Honey pot online - Student @ CS3 -2017

Hi Mike, just want to update you on the private 1-day session you did for our US team. Feedback was very good. - US ‘Blue team’ manager