Honeypots and deception technologies are security controls that detect attackers by luring them into interacting with fake, monitored systems. CompTIA Network+ N10-009 tests honeypot concepts and their role in threat detection. Because no legitimate user should ever access a honeypot, any interaction is by definition suspicious — honeypots generate very high-confidence alerts with minimal false positives.
A honeypot is a decoy system or resource designed to attract attackers. It appears to be a legitimate, valuable target (a server, database, or file share) but is actually isolated, monitored, and contains no real data. Any access to a honeypot is a high-confidence indicator of malicious activity — legitimate users have no reason to access it.
Types: Low-interaction honeypot: emulates a few services (emulated, not real implementations); minimal risk of an attacker using it as a pivot point. High-interaction honeypot: a real system running real services; more realistic and captures more attacker behavior, but riskier if the attacker escapes the isolated environment. Honeynet: multiple honeypots forming a network that simulates an entire environment.
Deployment uses: Early detection of lateral movement — an attacker scanning the network will probe the honeypot. Intelligence gathering — capture attacker tools, techniques, and procedures (TTPs). Delay attackers — time spent on the honeypot is time not spent on real targets.
Honey credentials: fake credentials (username/password pairs) planted in files or databases. If someone attempts to use these credentials, it's a strong indicator of compromise. Used to detect credential harvesting attacks and insider threats.
Honey tokens: fake API keys, URLs, or documents that generate alerts when accessed. If a document carrying an embedded tracking pixel reaches an attacker, the pixel fires when the document is opened, alerting the security team. Dark web monitoring services watch for honey credentials appearing in underground markets.
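The detection logic behind honey credentials and honey tokens, as an added example (not code from the original page): an inventory of planted decoy identities is matched against sshd-style auth lines and a constructed API-gateway log format, and every hit becomes a high-confidence alert because no legitimate user should ever present those identities. The usernames, token value, log formats and IP addresses are all constructed for the example.

```python
import re
from typing import Iterable

# Constructed inventory of planted decoy identities. Nothing legitimate
# ever uses them, so any appearance in a log is a high-confidence alert.
HONEY_CREDENTIALS = {"svc_backup_ro", "dbadmin_legacy"}   # planted usernames
HONEY_TOKENS = {"hk_live_7f3a9c1e2b8d4a6f"}                # planted (fake) API key

# sshd-style auth line, e.g. "Failed password for invalid user X from 10.0.5.23 port 51234 ssh2"
SSH_AUTH = re.compile(
    r"(?P<result>Accepted|Failed) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+)"
)
# Constructed API-gateway format: "api-gw key=<token> src=<ip> path=<path> status=<code>"
API_GW = re.compile(r"api-gw key=(?P<key>\S+) src=(?P<src>[\d.]+) path=(?P<path>\S+)")


def detect_honey_use(lines: Iterable[str]) -> list[dict]:
    """Return one alert per log line that references a honey credential or token."""
    alerts = []
    for line in lines:
        m = SSH_AUTH.search(line)
        if m and m["user"] in HONEY_CREDENTIALS:
            # Failed or accepted does not matter: the attempt itself is the signal.
            alerts.append({"type": "honey_credential", "identity": m["user"],
                           "src": m["src"], "result": m["result"].lower(), "line": line})
            continue
        m = API_GW.search(line)
        if m and m["key"] in HONEY_TOKENS:
            alerts.append({"type": "honey_token", "identity": m["key"],
                           "src": m["src"], "path": m["path"], "line": line})
    return alerts


# Constructed sample log lines: two normal events, two decoy hits.
SAMPLE_LOGS = [
    "Jan 10 09:12:01 bastion sshd[4123]: Accepted publickey for alice from 10.0.1.15 port 50211 ssh2",
    "Jan 10 09:12:44 fileserver sshd[4199]: Failed password for invalid user svc_backup_ro from 10.0.5.23 port 51234 ssh2",
    "api-gw key=hk_live_realkey src=10.0.1.15 path=/v1/reports status=200",
    "api-gw key=hk_live_7f3a9c1e2b8d4a6f src=203.0.113.7 path=/v1/export status=403",
]

if __name__ == "__main__":
    for a in detect_honey_use(SAMPLE_LOGS):
        print(f"HIGH-CONFIDENCE ALERT: {a['type']} {a['identity']} used from {a['src']}")
```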
Honeypot ethical considerations: in production networks, honeypots must be properly isolated to prevent attackers from pivoting to real systems. Legal considerations: passive monitoring of attacker activity is generally acceptable; active entrapment (inducing attacks) may have legal complications. Consult legal counsel before deployment.
Common misconception: honeypots are only useful for large organizations.
Honeypots can be simple and inexpensive. Even a single VM or honey credentials on a file share provide valuable early warning for smaller organizations, and a Raspberry Pi running Cowrie (an SSH honeypot) detects attackers scanning for exposed SSH ports.
These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.
A security administrator deploys a system on the internal network that appears to be a production database server but contains no real data and is heavily monitored. What is this system?
Explanation: A honeypot is a decoy system designed to attract and detect attackers. It appears legitimate (like a production database server) but contains no real data and every access attempt is logged and alerted. Any interaction with a honeypot is high-confidence malicious activity. IDS passively monitors real traffic. A bastion host is a legitimate hardened management server. SIEM aggregates and correlates security logs.
Honeypots can generate high-value forensic evidence (attacker IPs, tools, techniques). However, active entrapment — inducing someone to commit an attack they otherwise wouldn't — may be legally problematic. Passive honeypots that simply wait to be discovered by attackers are generally acceptable. Consult legal counsel before using honeypot evidence for criminal prosecution. In many jurisdictions, logging must be disclosed in network access policies (banners).