Proposed Changes

Fixes #6403 — adds honeypot detection to reduce noise from hosts that match everything.

How it works

New --honeypot-detection (-hd) flag enables per-host tracking of unique template matches. When a host exceeds the threshold (default 10, configurable via --honeypot-threshold), it is flagged as a honeypot and all further results are suppressed.

nuclei -l targets.txt -hd
nuclei -l targets.txt -hd -hdt 15 # custom threshold

When a honeypot is detected, a warning is logged:

[WRN] Honeypot detected: 192.168.1.100 (10 unique template matches, suppressing further results)

Design

  • Thread-safe: sync.Mutex protects concurrent access during multi-threaded scans
  • Unique match tracking: Only distinct TemplateIDs count — a noisy single template won’t trigger false positives
  • Host normalization: Uses net/url.Parse + net.SplitHostPort to handle URLs, IPv6 brackets, ports consistently
  • Memory efficient: Once flagged, per-template map is freed (only the flagged set is retained)
  • Early check: Runs before any JSON/text formatting in Write() to avoid unnecessary work
  • Opt-in: Disabled by default, no impact on existing behavior

Changes

File                          Change
pkg/output/honeypot.go        HoneypotTracker with Check() and normalizeHost()
pkg/output/honeypot_test.go   Tests: basic, multi-host, normalization, concurrency
pkg/output/output.go          Hook tracker into StandardWriter.Write()
pkg/types/types.go            Add HoneypotDetection and HoneypotThreshold options
cmd/nuclei/main.go            Register -hd and -hdt CLI flags

Test output

=== RUN TestHoneypotTracker_Basic
--- PASS: TestHoneypotTracker_Basic (0.00s)
=== RUN TestHoneypotTracker_DifferentHosts
--- PASS: TestHoneypotTracker_DifferentHosts (0.00s)
=== RUN TestHoneypotTracker_HostNormalization
--- PASS: TestHoneypotTracker_HostNormalization (0.00s)
=== RUN TestHoneypotTracker_Concurrent
--- PASS: TestHoneypotTracker_Concurrent (0.00s)
=== RUN TestNormalizeHost
--- PASS: TestNormalizeHost (0.00s)
PASS

Checklist

  • PR created against the dev branch
  • go vet passes
  • All tests pass
  • Minimal diff: 5 files, +202 lines
  • No impact on existing behavior (opt-in flag)

/claim #6403
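To make the design bullets concrete, here is an added, self-contained Go sketch of a tracker with the behaviour the description lists (mutex-guarded state, distinct-TemplateID counting per normalized host, the per-template set dropped once a host is flagged, and the warning line from above). It is illustrative code written for this page, not the PR's honeypot.go, and the names HoneypotTracker, NewHoneypotTracker, Check, IsFlagged and normalizeHost are assumed; one further assumption is that the match which reaches the threshold is still written and only results after it are suppressed, since that is what "suppressing further results" suggests.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
	"sync"
)

// HoneypotTracker is a hypothetical re-implementation of the design the PR
// describes; it is added here for illustration and is not the PR's own code.
// It counts distinct template IDs per normalized host and flags a host once
// that count reaches the threshold, suppressing its later results.
type HoneypotTracker struct {
	mu        sync.Mutex                     // serializes access from concurrent scan workers
	threshold int                            // unique template matches needed to flag a host
	seen      map[string]map[string]struct{} // host -> set of template IDs matched so far
	flagged   map[string]struct{}            // hosts already classified as honeypots
}

// NewHoneypotTracker builds a tracker; a non-positive threshold falls back to
// the default of 10 given in the PR description.
func NewHoneypotTracker(threshold int) *HoneypotTracker {
	if threshold <= 0 {
		threshold = 10
	}
	return &HoneypotTracker{
		threshold: threshold,
		seen:      make(map[string]map[string]struct{}),
		flagged:   make(map[string]struct{}),
	}
}

// Check records one template match for host and reports whether the result
// should be suppressed. The match that reaches the threshold is still emitted
// (assumption: it is the one the warning describes); everything after it for
// that host is suppressed. Once flagged, the host's per-template set is
// dropped so memory stays bounded by the number of flagged hosts.
func (t *HoneypotTracker) Check(host, templateID string) (suppress bool) {
	h := normalizeHost(host)

	t.mu.Lock()
	defer t.mu.Unlock()

	if _, ok := t.flagged[h]; ok {
		return true
	}
	ids := t.seen[h]
	if ids == nil {
		ids = make(map[string]struct{})
		t.seen[h] = ids
	}
	ids[templateID] = struct{}{} // a repeat of the same template does not grow the set
	if len(ids) >= t.threshold {
		t.flagged[h] = struct{}{}
		delete(t.seen, h)
		fmt.Printf("[WRN] Honeypot detected: %s (%d unique template matches, suppressing further results)\n",
			h, len(ids))
	}
	return false
}

// IsFlagged reports whether a host has been classified as a honeypot.
func (t *HoneypotTracker) IsFlagged(host string) bool {
	h := normalizeHost(host)
	t.mu.Lock()
	defer t.mu.Unlock()
	_, ok := t.flagged[h]
	return ok
}

// normalizeHost reduces a URL, a host:port pair or a bracketed IPv6 literal to
// a lower-case host so that one target is counted once regardless of form.
func normalizeHost(input string) string {
	s := strings.TrimSpace(input)
	// "https://Example.com:8443/path" -> "Example.com:8443"; a bare host or
	// host:port does not parse as an absolute URL and is left untouched.
	if u, err := url.Parse(s); err == nil && u.Host != "" {
		s = u.Host
	}
	// Strip the port; SplitHostPort also removes IPv6 brackets: "[::1]:80" -> "::1".
	if h, _, err := net.SplitHostPort(s); err == nil {
		s = h
	}
	// A bracketed IPv6 literal with no port still carries its brackets.
	s = strings.Trim(s, "[]")
	return strings.ToLower(s)
}

func main() {
	// Constructed sample: five results for one host written in three forms.
	tr := NewHoneypotTracker(3)
	targets := []string{"http://10.0.0.5:80/", "10.0.0.5", "10.0.0.5:443", "10.0.0.5", "10.0.0.5"}
	for i, target := range targets {
		suppressed := tr.Check(target, fmt.Sprintf("tpl-%d", i))
		fmt.Printf("%-20s tpl-%d suppressed=%v\n", target, i, suppressed)
	}
}
```

With threshold 3 the first three distinct templates are written, the third one triggers the warning, and the fourth and fifth results are dropped; the three spellings of the host collapse to the same key, which is the point of doing normalization before counting.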

Summary by CodeRabbit

  • New Features
    • Optional honeypot detection with CLI flags to enable it and set the threshold of unique template matches before a host is flagged and suppressed from further output.
  • Behavior
    • Per-host detection with host normalization for consistent matching, suppression of further output for flagged hosts, memory controls to limit tracking, and warning logs when hosts are flagged.
  • Tests
    • Unit tests covering threshold behavior, per-host isolation, normalization, case-insensitivity, and concurrent usage.

Claim

Total prize pool: $250
Total paid: $0
Status: Pending
Submitted: February 27, 2026
Last updated: February 27, 2026

Contributors: a638011 (@a638011), 100%

Sponsors: ProjectDiscovery (@projectdiscovery), $250