They came within 4 minutes of deployment.
No announcement. No traffic. Just a fresh GCP instance with a honeypot running — and 240 seconds later, the first connection attempt hit.
This is the story of CERBERUS: my AI-powered honeypot system, what I built it with, and the attack patterns I observed from real threat actors in the wild.
Why I Built This
I'm a cybersecurity student and independent researcher in Nairobi, Kenya. Academic labs are fine, but I wanted real data — real attackers, real TTPs, real behavior. Not simulated exercises.
So I built CERBERUS: a honeypot deployed on GCP that doesn't just log attacks — it responds to them intelligently using an LLM layer, adapting behavior based on what the attacker does next.
A honey trap that gets smarter the longer someone stays inside it.
The Stack
Core deception layer:
- Cowrie — SSH/Telnet honeypot. Emulates a real shell, logs every command, captures files they try to upload or download
- HoneyGPT — LLM-backed response layer. Generates contextually plausible shell output instead of static fakes — keeps sophisticated attackers engaged longer Intelligence layer:
- MITRE ATT&CK mapper — automatically tags observed behaviors to ATT&CK techniques in real time
- Quorum sensing — node coordination layer that treats multiple honeypot instances as a swarm, sharing threat intel between them
- Prometheus + Grafana — metrics pipeline tracking connection rates, command frequency, geo-distribution Frontend:
- Phoenix HUD — a real-time dashboard using MapLibre GL JS with a globe projection and WebSocket feeds, updating live as attacks come in ## What Attackers Actually Do
Here's what surprised me.
They go straight for the credentials
Brute force is the default — but not random brute force. The credential lists are targeted. Common combos: admin/admin, root/root, ubuntu/ubuntu, pi/raspberry. They're scanning for Raspberry Pis, default cloud images, and unpatched IoT devices specifically.
The first 60 seconds define the session
Once inside, sophisticated actors spend the first minute doing recon before touching anything:
uname -a
whoami
id
cat /etc/passwd
ls /home
They want to know what they landed on before doing anything noisy. Unsophisticated actors skip this entirely — they immediately pull a payload via wget or curl. These are botnet operators who don't care what they landed on, they just want to add it to the fleet.
Cryptominers dominate
The most common payload I observed was XMRig variants — Monero miners. Not ransomware. Not data exfiltration. CPU cycles.
They check if they're in a sandbox
More than I expected:
cat /proc/1/cgroup
ls /.dockerenv
systemd-detect-virt
Attackers are actively checking whether they're sandboxed. Some bail immediately on container detection. Others don't care. But the check itself happening tells you something about the sophistication level of the actor.
What the AI Layer Changed
Running HoneyGPT as the response layer had a measurable effect on session duration. With contextual AI responses, sessions ran significantly longer — giving me more behavioral data and TTP coverage.
One session that stood out: an attacker tried to compile a privilege escalation exploit on the box using gcc. The AI layer returned plausible compiler output. They iterated on the "code" for nearly 15 minutes before abandoning the session. Complete TTP sequence logged.
The Architecture Mistake I Made
I started with allow_origin(Any) on the API layer and left a v2 API route completely unauthenticated. Caught it in audit — but it's a hard lesson:
Your defensive infrastructure can itself be a target.
Attackers do probe honeypot management interfaces. Lock your own house before you start watching other people's.
What's Next
CERBERUS is evolving toward a multi-node swarm — Quorum sensing across geographically distributed nodes sharing threat intel in near real-time. The goal is detecting coordinated campaigns that only become visible when you have multiple vantage points simultaneously.
The code is being prepared for open release. I'll post when it's ready.
If this kind of real-world security research interests you — not sanitized academic exercises, but actual findings from actual attackers — follow along.
Building from Nairobi, under RVC.
Top comments (0)