Deception technology.
Wherever you want.
The open-source Canary builder. Turn any Linux machine into enterprise-grade deception in 60 seconds.
Deploy. Forget. Detect.

Why Deception Technology?
Perimeter defenses fail. When attackers breach your firewall, they prowl your internal network and sit there for months, looking for juicy targets such as Active Directory and databases. HoneyWire turns your network into a minefield for intruders.
No False Positives
Standard security tools drown you in logs. A HoneyWire has no legitimate reason to be accessed. If it alerts, it has been touched.
Instant Awareness
Detect lateral movement the second it happens. Instead of relying on complex heuristics, rely on the simple fact that the attacker touched something they shouldn't have.
Security Compliance
Compliance frameworks and modern zero-trust architectures now explicitly recommend deception technology as a defense mechanism.
How HoneyWire works
1. Deploy your HoneyWires. Stand up a fake Router Login Page, a canary TCP tarpit, a Network Scan Detector and many more HoneyWires anywhere on your network using our simple TUI CLI wizard.
2. Wait in silence. Your HoneyWires run silently in the background. Because they are distroless and purely fake, legitimate users and automated systems have no reason to interact with them.
3. Catch the intruder. Attackers pivoting through your network will inevitably touch the HoneyWires. The second they do, they fire a high-fidelity alert to the Hub, forwarding it to your SIEM, Slack, or phone.
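The tripwire principle from steps 1 to 3, as an added Go sketch that is not HoneyWire's own sensor code: any inbound connection is treated as an alert. The `Alert` fields, the sensor name and the decoy port are assumptions; the Hub's real event schema is not shown on this page.

```go
package main

import (
	"encoding/json"
	"log"
	"net"
	"os"
	"time"
)

// Alert is a hypothetical event shape, not HoneyWire's Hub schema.
type Alert struct {
	Sensor string    `json:"sensor"`
	Source string    `json:"source"`
	Time   time.Time `json:"time"`
	Bytes  int       `json:"bytes_received"`
}

// handle treats every connection as an incident: no reply, payload size only.
func handle(sensor string, c net.Conn, out chan<- Alert) {
	defer c.Close()
	buf := make([]byte, 512)
	c.SetReadDeadline(time.Now().Add(2 * time.Second)) // do not hang on silent peers
	n, _ := c.Read(buf)                                // n is 0 for a bare connect; the alert still fires
	out <- Alert{Sensor: sensor, Source: c.RemoteAddr().String(), Time: time.Now().UTC(), Bytes: n}
}

// serve accepts connections until the listener is closed.
func serve(sensor string, ln net.Listener, out chan<- Alert) {
	for {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		go handle(sensor, c, out)
	}
}

func main() {
	ln, err := net.Listen("tcp", "127.0.0.1:2222") // constructed decoy port
	if err != nil {
		log.Fatal(err)
	}
	alerts := make(chan Alert, 16)
	go serve("decoy-ssh", ln, alerts)
	enc := json.NewEncoder(os.Stdout)
	for a := range alerts {
		enc.Encode(a) // stand-in for forwarding to a hub, SIEM or chat webhook
	}
}
```

Because nothing legitimate should ever connect to the decoy port, the handler needs no signature or heuristic: the connection itself is the detection.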
HoneyWire Hub
Centralized management for your entire deception fleet. Ditch the manual JSON configs.
Your deployed HoneyWires constantly report into the Hub. This isn't another "pane of glass" you need to stare at all day. It's a completely self-hosted control center that handles configuration, fleet management, and event routing.
When an incident occurs, the Hub instantly processes the telemetry and fires off alerts to the integrations you've configured. Set it up once, and let it work for you.

HoneyWire CLI Wizard
Zero-footprint deployment and automation.
The HoneyWire CLI Wizard is a zero-footprint command-line tool built to automate manual operator tasks and instantly reconcile edge infrastructure against the Hub's configurations.
Micro-Sensors.
Massive Impact.
HoneyWire sensors are built for the edge. Each sensor is a single, statically compiled Go binary running inside a distroless, least-privilege Docker container.
Sub-5MB Footprint
Ultra-lightweight images that pull and deploy in milliseconds.
Zero Dependencies
No shell, no package manager, no OS bloat. Just the compiled sensor logic.
Virtually Zero CPU & RAM
Runs completely unnoticed by both monitoring tools and attackers.
See HoneyWire in Action
Watch how easy it is to deploy a tripwire and catch an intruder in under 60 seconds.
Ready to set your traps?
Get the Hub running locally in seconds.
Save the file below as docker-compose.yml and run docker compose up -d.
services:
  # 1. THE PERMISSION FIXER: Runs once to ensure the Hub can write to the data volume
  permission-fixer:
    image: alpine:latest
    container_name: honeywire-permission-fixer
    command: sh -c "chown -R 65532:65532 /data"
    volumes:
      - ./honeywire_data:/data
  # 2. THE HUB: The central Go-based dashboard and API
  hub:
    image: ghcr.io/andreicscs/honeywire-hub:latest
    container_name: honeywire-hub
    restart: unless-stopped
    ports:
      - "8080:8080"
    volumes:
      - ./honeywire_data:/data
    depends_on:
      permission-fixer:
        condition: service_completed_successfully
    # Strict Security Sandbox
    user: "65532:65532"
    read_only: true
    cap_drop: ["ALL"]
    security_opt: ["no-new-privileges:true"]
    environment:
      # Required if not using HTTPS, in production it is highly recommended to remove this
      # and run the Hub behind a reverse proxy using HTTPS.
      - HW_ENV=development
      - HW_PORT=8080
      - HW_DB_PATH=/data/honeywire.db

Scaling to the Enterprise?
HoneyWire is unapologetically open-source. But if you are deploying across hundreds of subnets and need corporate compliance, granular access controls, and HA integrations, let's talk.
Or contact us at info@honeywire.dev.
Pro features on the roadmap:
- SAML / SSO Integration: Plug directly into Okta, Entra ID, or Google Workspace.
- Role-Based Access Control: Granular permissions for SOC analysts vs. infrastructure admins.
- Cloud Hub: Cloud hosted Hub for seamless deployment and management.
- Advanced SIEM Forwarding: Native Splunk, CrowdStrike, and Datadog data pipelines.
- Audit Logs: Comprehensive tracking of all user actions and system changes.
- Compliance Reports: Automated reporting for SOC 2, ISO 27001, and HIPAA requirements.
