Domain 1 · 1.2 Fundamental Security Concepts
1.2.7 Deception & Disruption Technology
Honeypot, Honeynet, Honeyfile, Honeytoken.
9 min
Deception & Disruption Technology → fake resources that look real, designed to deceive and detect attackers and gather TTPs.
The four "honey" assets
- Honeypot → a single fake system / server / service
- Any access = suspicious → logged
- Honeynet → an entire fake network of honeypots
- Studies lateral movement and attacker behavior
- Honeyfile → a fake file with a tempting name
- Examples: *Passwords.xlsx*, *Payroll.pdf*, *Confidential.docx*
- Opening / copying it → alert
- Honeytoken → fake data / credentials (API keys, cookies, fake CC numbers)
- Should never be used → if seen in logs → stolen data
Purpose
Not to block — to detect, monitor, and gather threat intel on attacks that would otherwise go unnoticed.
Exam shortcut
- Honeypot → fake system
- Honeynet → fake network
- Honeyfile → fake file (alert on access)
- Honeytoken → fake credential / record (alert on use)
Typical question cues
- "Admin places *CEO Salaries.xlsx*" → Honeyfile
- "Fake SSH server to analyze hackers" → Honeypot