PR
feat: add honeypot detection to nuclei
projectdiscovery/nuclei#7131

Summary

Adds opt-in honeypot detection that tracks match density per host and flags deceptive targets (e.g., Shodan honeypots that deliberately match every nuclei template to fool scanners).

  • New pkg/honeypot package with concurrent-safe Detector using sync.Map
  • CLI flags: -hpt/-honeypot-threshold (int, 0 = disabled) and -hpsu/-honeypot-suppress (bool)
  • Integration in StandardWriter.Write() — zero overhead when disabled (threshold=0)
  • Known honeypot signature detection — checks responses for Cowrie, Kippo, Dionaea, Conpot, Glastopf, Elastichoney, Honeyd, HoneyTrap, OpenCanary, T-Pot, Mailoney, Heralding, Amun, SNARE, Tanner, Gridpot
  • honeypot_detected field in JSON/JSONL output for automated post-processing
  • [HONEYPOT] tag in screen output for flagged results
  • Summary at scan completion listing all flagged hosts and their match counts
  • 14 unit tests including concurrency stress test with race detector validation

How it works

  1. Each time a template matches a host, the detector records the (host, templateID) pair
  2. When a host accumulates more distinct template matches than the configured threshold, it gets flagged
  3. A one-time [HONEYPOT] warning is emitted per flagged host
  4. With -honeypot-suppress, results from flagged hosts are silently dropped
  5. Without suppress, results are still emitted but annotated with honeypot_detected: true

Usage examples

# Warn when a host matches more than 100 distinct templates
nuclei -l targets.txt -honeypot-threshold 100
# Same but suppress results from flagged hosts
nuclei -l targets.txt -hpt 100 -hpsu

Proposed Changes

  • pkg/honeypot/honeypot.go — Core detector logic (host normalization, match tracking, signature detection)
  • pkg/honeypot/honeypot_test.go — 14 tests (threshold, suppression, concurrency, normalization, signatures)
  • pkg/output/output.go — Integration in Write() and Close() (summary)
  • pkg/output/format_screen.go — [HONEYPOT] tag in terminal output
  • pkg/types/types.go — HoneypotThreshold and HoneypotSuppress options
  • cmd/nuclei/main.go — CLI flag registration

Proof

Tests pass (14/14)

=== RUN TestNormalizeHost (16 sub-tests) --- PASS
=== RUN TestDetectorDisabled --- PASS
=== RUN TestDetectorNil --- PASS
=== RUN TestDetectorThreshold --- PASS
=== RUN TestDetectorDuplicateTemplates --- PASS
=== RUN TestDetectorMultipleHosts --- PASS
=== RUN TestDetectorSuppression --- PASS
=== RUN TestDetectorConcurrency --- PASS
=== RUN TestDetectorEmptyHost --- PASS
=== RUN TestContainsKnownSignature (9 sub) --- PASS
=== RUN TestDetectorWarningOnlyOnce --- PASS
=== RUN TestDetectorURLVariationsNormalize --- PASS
ok github.com/projectdiscovery/nuclei/v3/pkg/honeypot 0.002s

Race detector clean

$ go test -race ./pkg/honeypot/... -count=1
ok github.com/projectdiscovery/nuclei/v3/pkg/honeypot 1.009s

Full build succeeds

$ go build ./cmd/nuclei/...
# no errors

Existing tests unaffected

$ go test ./pkg/output/... ./pkg/types/... ./internal/runner/... -count=1
ok github.com/projectdiscovery/nuclei/v3/pkg/output 0.063s
ok github.com/projectdiscovery/nuclei/v3/internal/runner 0.066s

CLI help shows new flags

OPTIMIZATIONS:
-hpt, -honeypot-threshold int threshold of unique template matches before flagging a host as honeypot (0 = disabled)
-hpsu, -honeypot-suppress suppress results from hosts flagged as honeypots

Checklist

  • PR created against the correct branch (dev)
  • All checks passed (go vet, build, existing + new tests)
  • Tests added that prove the feature works (14 tests)
  • Zero overhead when disabled (threshold=0, no allocations)
  • Thread-safe (sync.Map + mutex + atomic counters)
  • Race detector clean

/claim #6403

Summary by CodeRabbit

Release Notes

  • New Features
    • Introduces honeypot detection capabilities with two new CLI flags: --honeypot-threshold (int) and --honeypot-suppress (bool)
    • Detects and flags potential honeypot hosts based on template match thresholds
    • Identifies known honeypot signatures in scan responses
    • Displays honeypot indicators in output results
    • Generates summary report of flagged hosts and their match counts at scan completion
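
The per-host counting procedure listed under "How it works", as an added Go example that is not the PR's code. Detector, NewDetector, Record and normalizeHost are hypothetical names, and collapsing scheme, port and path into one lower-cased hostname is an assumed normalization rule.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
	"sync"
)

type Detector struct { // hypothetical type, not the PR's implementation
	mu        sync.Mutex
	threshold int             // 0 disables detection
	suppress  bool            // drop results from flagged hosts
	seen      map[string]bool // "host\x00templateID" pairs already counted
	count     map[string]int  // distinct templates matched per host
}

func NewDetector(threshold int, suppress bool) *Detector {
	return &Detector{threshold: threshold, suppress: suppress, seen: map[string]bool{}, count: map[string]int{}}
}

// normalizeHost maps URL variants of a target to one lower-cased hostname (assumed rule).
func normalizeHost(target string) string {
	if !strings.Contains(target, "://") {
		target = "//" + target // lets url.Parse treat a bare host[:port] as an authority
	}
	if u, err := url.Parse(target); err == nil {
		return strings.ToLower(u.Hostname())
	}
	return ""
}

// Record counts one match; warn is true only on the call that crosses the threshold.
func (d *Detector) Record(target, templateID string) (flagged, warn, emit bool) {
	host := normalizeHost(target)
	if d == nil || d.threshold <= 0 || host == "" {
		return false, false, true // disabled or unusable host: pass the result through
	}
	d.mu.Lock()
	defer d.mu.Unlock()
	if key := host + "\x00" + templateID; !d.seen[key] {
		d.seen[key] = true
		d.count[host]++
		warn = d.count[host] == d.threshold+1 // counts only grow, so this fires once
	}
	flagged = d.count[host] > d.threshold
	return flagged, warn, !(flagged && d.suppress)
}

func main() { fmt.Println(NewDetector(1, true).Record("https://Honey.example:8443/login", "t1")) }
```

In this example the comparison is strict, so a host is flagged on its (threshold+1)th distinct template, and results emitted before that point have already been written; only later ones are suppressed.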

Claim

Total prize pool $250
Total paid $0
Status Pending
Submitted March 06, 2026
Last updated March 06, 2026

Contributors

Solari Systems

@SolariResearch

100%

Sponsors

ProjectDiscovery

@projectdiscovery

$250