The Problem With Every Other Honeypot Tool

I started with Cowrie. Then Dionaea. Then OpenCanary. They're all good at exactly one thing. Cowrie records SSH sessions. Dionaea catches malware. OpenCanary watches a dozen ports. But none of them talk to each other, none of them have real dashboards, and none of them can tell you why an attacker did what they did.

I wanted a platform, not a collection of scripts. Something that ingests attacks from multiple sensors, stores everything in a proper database, runs AI analysis locally, and lets me replay attacker sessions like rewinding a security camera. Something I could deploy with one docker compose command and hand to a security team without a three-hour onboarding session.

So we built HoneyAegis.

FastAPI API modules in the HoneyAegis platform. Sensor management, session tracking, AI analysis, threat intelligence, billing, plugins, and everything in between.

The best security tool is one that makes attackers think they've succeeded. HoneyAegis doesn't just detect intrusions. It builds an entire fake world for attackers to explore while you watch every move.

Cybersecurity operations center with multiple screens showing network monitoring data — HoneyAegis turns your network into a research lab. Attackers think they're winning. You're taking notes.

The Architecture (No Cloud Required)

Every architectural decision in HoneyAegis comes back to one principle: your security data never leaves your network. Not for AI analysis. Not for dashboards. Not for anything.

Backend: Python (FastAPI) with 29 modular API endpoints
Frontend: Next.js with real-time dashboards, session replay, and threat maps
Database: PostgreSQL with SQLAlchemy async for high-throughput event ingestion
AI: Ollama running local LLMs for threat classification and report generation
Monitoring: Grafana with pre-built security dashboards
Deployment: Docker Compose for dev, Kubernetes + Helm for production

Why Local AI Matters

Every commercial security platform sends your threat data to their cloud for analysis. They see your attackers before you do. HoneyAegis runs Ollama locally, so AI classification, pattern detection, and report generation all happen on your hardware. Your data stays yours. That's not a privacy policy. That's physics.

What 29 Modules Actually Looks Like

This isn't 29 variations of the same thing. Each module handles a distinct concern, organized into four domains.

Core Security

Module	What It Does
`sensors`	Deploy and manage honeypot sensors across your network
`sessions`	Track attacker sessions with full command history and timing
`events`	Ingest and process security events from all sensors
`alerts`	Rule-based and ML alerting with severity levels and escalation
`threat_intel`	MITRE ATT&CK mapping and threat intelligence feeds
`honey_tokens`	Generate and track fake credentials, files, and API keys
`sandbox`	Isolated malware execution and behavior analysis

Honey tokens deserve special attention. You scatter fake AWS credentials, API keys, and database passwords across your network. When an attacker finds one and tries to use it, HoneyAegis lights up. You know exactly which system was compromised, when, and what the attacker tried to do with the stolen credential. It's a tripwire with a camera attached.

Digital lock icon with glowing security shield on a dark circuit board background — Honey tokens are the simplest and most effective early warning system in security. Fake credentials that scream when someone touches them.

Analysis and Visualization

Module	What It Does
`ai`	Ollama-powered threat classification, pattern detection, report generation
`replay`	Full session replay of attacker activity
`video`	Session recording for forensic review and export
`metrics`	Prometheus-format metrics for Grafana dashboards
`reporting`	Scheduled threat reports (daily, weekly, custom intervals)
`reports`	Ad-hoc query engine for security data
`export`	Export in CSV, JSON, or STIX format for external tools

Session replay is the killer feature. Instead of reading log files, you watch the attacker navigate your fake environment in real time. Every command, every file access, every lateral movement attempt. Recorded and replayable.

Platform

Module	What It Does
`auth`	Authentication, API keys, session management
`rbac`	Role-based access control (analyst, admin, viewer)
`sso`	Single sign-on integration
`tenants`	Multi-tenant isolation for SaaS or enterprise deployment
`billing`	Usage-based billing for managed service providers
`config`	System configuration management
`console`	Admin console operations
`client_portal`	Customer-facing dashboard
`marketplace`	Community plugin marketplace
`plugins`	Plugin lifecycle management

Multi-Tenant From Day One

Each tenant gets isolated data, custom sensor configurations, and independent alerting rules. A managed security provider can run HoneyAegis for dozens of clients from a single deployment. The tenancy boundary is at the database level, not just the UI.

Integration

Module	What It Does
`relay`	Forward events to external SIEMs (Splunk, QRadar, Elastic)
`webhooks`	Incoming and outgoing webhook management
`websocket`	Real-time event streaming for live dashboards
`health`	Health checks and readiness probes
`benchmark`	Performance benchmarking and load testing

STIX/TAXII

Standardized threat intelligence format supported by the relay module. HoneyAegis both consumes and produces threat data compatible with every major SIEM on the market.

The AI Layer

The Ollama integration isn't a gimmick bolted onto the side. It's integrated into the analysis pipeline, handling four specific jobs:

Attack Classification identifies what kind of attack is happening. Credential stuffing, port scanning, APT lateral movement, or something novel.
Pattern Detection matches attacker behavior against known threat actor profiles. "This session matches documented APT29 tactics."
Report Generation produces natural language summaries of attack sessions. A non-technical executive can read these and understand what happened.
Anomaly Detection flags sessions that deviate from known attack patterns. The weird ones are often the interesting ones.

Zero Cloud Dependencies

All AI processing runs locally via Ollama. You choose the model. Llama, Mistral, whatever fits your VRAM. For air-gapped environments or organizations with strict data sovereignty requirements, this is the only viable approach to AI-powered threat analysis.

0 bytes

Amount of your security data sent to external APIs for AI analysis. Ollama runs on your hardware. Your threat intelligence stays on your network.

Plugin Architecture

HoneyAegis uses a container-isolated plugin system. Plugins can add new sensor types (SSH, HTTP, DNS, SMTP, custom protocols), define custom alert rules, integrate with external services, or add analysis pipelines.

Each plugin follows the lifecycle: Install, Configure, Enable, Run. Every plugin runs in its own Docker container, completely isolated from the core platform. If a plugin crashes, the rest of the system doesn't notice.

Modular software architecture diagram with interconnected components — Plugins drop into HoneyAegis like containers into a ship. Isolated, replaceable, and they can't sink the vessel if one goes wrong.

Deployment

Quick Start (Docker Compose)

Three commands from zero to a running platform:

bash

1git clone https://github.com/thesecretchief/HoneyAegis.git
2cd HoneyAegis
3docker compose --profile full up -d

That brings up the full stack: FastAPI backend, Next.js frontend, PostgreSQL, Grafana, and Ollama. Pull a model and you're analyzing attacks.

Production (Kubernetes + Helm)

bash

1helm install honeyaegis ./charts/honeyaegis \
2  --set global.domain=security.yourdomain.com \
3  --set postgresql.persistence.size=100Gi \
4  --set ollama.model=llama3

Production deployment scales horizontally. Sensors run as DaemonSets across your cluster. The backend scales by replica count. PostgreSQL handles the event firehose with async writes.

Commands to go from nothing to a running honeypot platform with AI analysis, real-time dashboards, and session replay. git clone, cd, docker compose up.

Server rack with blinking lights in a dark data center — From a single Docker Compose stack on a laptop to a Kubernetes cluster handling enterprise-scale threat data. Same codebase, different deployment profile.

What's Next

The Platform Is the Point

HoneyAegis isn't just a honeypot. The honeypot is the data collection layer. The real value is in the 29 modules that analyze, visualize, correlate, and automate responses on top of that data. The honeypot gets you the intelligence. The platform makes it actionable.

HoneyAegis Roadmap 0/5

Kerberos ecosystem auth integration (unified identity across all platforms)
Cross-platform observability for AgentFoundry and AgentOrchestra
Advanced ML models for zero-day behavioral detection
Community plugin marketplace with automated verification
Mobile alerting app for on-the-go threat monitoring

Google Calendar Outlook

Open source. Docker-deployable. 29 API modules. Built for 2026's threat landscape. Come poke at it. That's literally what it's designed for.

How was this article?

HoneyAegis: Why We Built a 29-Module Honeypot Platform From Scratch

Contents

The Problem With Every Other Honeypot Tool

The Architecture (No Cloud Required)