Honeypots and Deception Technology for CompTIA Network+ N10-009

Honeypots and deception technologies are security controls that detect attackers by luring them into interacting with fake, monitored systems. CompTIA Network+ N10-009 tests honeypot concepts and their role in threat detection. Because no legitimate user should ever access a honeypot, any interaction is by definition suspicious — honeypots generate very high-confidence alerts with minimal false positives.

Honeypots

A honeypot is a decoy system or resource designed to attract attackers. It appears to be a legitimate, valuable target (a server, database, or file share) but is actually isolated, monitored, and contains no real data. Any access to a honeypot is a high-confidence indicator of malicious activity — legitimate users have no reason to access it.

Types:

  • Low-interaction honeypot: simulates a few services (emulated, not real), minimal risk of attacker using it as a pivot point.
  • High-interaction honeypot: a real system with real services — more realistic, captures more attacker behavior, but riskier if attacker escapes the isolated environment.
  • Honeynets: multiple honeypots in a network simulating an entire environment.

Deployment uses:

  • Early detection of lateral movement — an attacker scanning the network will probe the honeypot.
  • Intelligence gathering — capture attacker tools, techniques, and procedures (TTPs).
  • Delay attackers — time spent on the honeypot is time not spent on real targets.

Broader Deception Technologies

Honey credentials: fake credentials (username/password pairs) planted in files or databases. If someone attempts to use these credentials, it's a strong indicator of compromise. Used to detect credential harvesting attacks and insider threats.
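The sketch below is an added example, not part of the original study guide. It shows why decoy alerts need no threshold: any connection to the honeypot address, or any login attempt with a planted honey credential, is flagged on first sight. The decoy IP, the planted usernames, and the key=value log format are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed values for illustration only (none come from the page).
HONEYPOT_IPS = {ip_address("10.0.50.25")}            # decoy "database server"
HONEY_USERS = {"svc_backup_old", "sqladmin_legacy"}  # planted, never issued to anyone
INTERNAL_NET = ip_network("10.0.0.0/8")

# Constructed sample log lines in a made-up key=value format.
SAMPLE_LOG = """\
2024-05-01T09:14:02Z conn src=10.0.20.14 dst=10.0.10.5 dport=443
2024-05-01T09:14:09Z conn src=10.0.20.77 dst=10.0.50.25 dport=1433
2024-05-01T09:15:30Z auth src=10.0.20.14 user=alice result=success
2024-05-01T09:16:41Z auth src=10.0.20.77 user=svc_backup_old result=failure
2024-05-01T09:17:05Z auth src=203.0.113.9 user=sqladmin_legacy result=failure
2024-05-01T09:18:00Z auth src=10.0.20.31 user=bob result=failure
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>conn|auth) (?P<fields>.+)$")

def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
    return {"ts": m["ts"], "kind": m["kind"], **fields}

def detect(log_text):
    """Alert on any decoy interaction; no threshold, because no use is legitimate."""
    alerts = []
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        try:
            src = ip_address(ev.get("src", ""))
            dst = ip_address(ev["dst"]) if ev["kind"] == "conn" else None
        except (KeyError, ValueError):
            continue  # skip records with missing or malformed addresses
        origin = "internal" if src in INTERNAL_NET else "external"
        if dst in HONEYPOT_IPS:
            alerts.append((ev["ts"], "honeypot_contact", str(src), origin))
        elif ev.get("user") in HONEY_USERS:  # success or failure both count
            alerts.append((ev["ts"], "honey_credential_use", str(src), origin))
    return alerts

def multi_decoy_sources(alerts):
    """Sources that tripped more than one kind of decoy (probe, then planted creds)."""
    kinds = defaultdict(set)
    for _ts, kind, src, _origin in alerts:
        kinds[src].add(kind)
    return sorted(s for s, k in kinds.items() if len(k) > 1)
```

An ordinary failed login (bob) raises nothing, while an internal source that both touched the decoy and tried a planted account is the strongest lateral-movement signal in the sample.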

Honey tokens: fake API keys, URLs, or documents that generate alerts when accessed. If a document with embedded tracking pixels is sent to an attacker, the tracking pixel fires when the document is opened — alerting the security team. Dark web monitoring services watch for honey credentials appearing in underground markets.

Honeypot ethical considerations: in production networks, honeypots must be properly isolated to prevent attackers from pivoting to real systems. Legal considerations: passive monitoring of attacker activity is generally acceptable; active entrapment (inducing attacks) may have legal complications. Consult legal counsel before deployment.

Key exam facts — Network+

  • Honeypot: decoy system — any interaction is suspicious (minimal false positives)
  • Low-interaction: emulated services, safe; High-interaction: real system, more data
  • Honeynet: multiple honeypots simulating an entire network environment
  • Honey credentials: fake credentials that alert when used
  • Honeypots detect lateral movement when attackers scan internal networks
  • No legitimate user should ever access a honeypot — any access = alert
  • Honeypots provide intelligence on attacker TTPs (tools, techniques, procedures)

Common exam traps

Honeypots are only useful for large organizations

Honeypots can be simple and inexpensive — even a single VM or honey credentials on a file share provide valuable early warning for smaller organizations. A Raspberry Pi running Cowrie (SSH honeypot) detects attackers scanning for exposed SSH ports.

Practice questions — Honeypot and Deception

These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.

Q1. A security administrator deploys a system on the internal network that appears to be a production database server but contains no real data and is heavily monitored. What is this system?

A. IDS sensor
B. Honeypot
C. Bastion host
D. SIEM

Explanation: A honeypot is a decoy system designed to attract and detect attackers. It appears legitimate (like a production database server) but contains no real data and every access attempt is logged and alerted. Any interaction with a honeypot is high-confidence malicious activity. IDS passively monitors real traffic. A bastion host is a legitimate hardened management server. SIEM aggregates and correlates security logs.

Frequently asked questions — Honeypot and Deception

Can a honeypot be used to legally collect evidence against attackers?

Honeypots can generate high-value forensic evidence (attacker IPs, tools, techniques). However, active entrapment — inducing someone to commit an attack they otherwise wouldn't — may be legally problematic. Passive honeypots that simply wait to be discovered by attackers are generally acceptable. Consult legal counsel before using honeypot evidence for criminal prosecution. In many jurisdictions, logging must be disclosed in network access policies (banners).
