tpotce

Shell ★ 9.3k updated 1d ago

🍯 T-Pot - The All In One Multi Honeypot Platform 🐝

All-in-one honeypot platform from Telekom Security that runs 20+ honeypots simultaneously in Docker containers and visualizes incoming attack traffic (SSH, web, industrial systems and more) on a live world map via the Elastic Stack.

Tags: C, Docker, Elastic Stack, Kibana, Linux. Setup: hard. Complexity: 4/5.

A honeypot is a deliberately exposed computer system set up to attract attackers so that security researchers can observe what they do. T-Pot, created by Telekom Security, is a platform that runs more than 20 different honeypots at the same time on a single machine, packaging them together with visualization and analysis tools so you get a complete picture of incoming attacks without having to assemble the pieces yourself.

Under the hood, T-Pot uses Docker to run all the honeypots as separate containers side by side. Each honeypot mimics a different type of service: some pretend to be SSH servers, others fake email servers, industrial control systems, printers, databases, or web applications. Attackers scanning the internet stumble into these fakes, and T-Pot records everything they do. The attack data flows into the Elastic Stack, a set of search and visualization tools that lets you browse logs, see charts, and watch a live world map showing where attacks are coming from.

Installing T-Pot requires a Linux server with at least 8 to 16 GB of RAM and 128 GB of free disk space. A one-line install script handles the setup. The platform supports both 64-bit Intel and ARM hardware, so it can run on a standard server or even a Raspberry Pi 4 with 8 GB of RAM. There is also a distributed mode for organizations that want to place multiple sensors in different network locations and feed all the data into a single central dashboard.

Beyond the honeypots, T-Pot bundles several security tools, including CyberChef for data analysis, SpiderFoot for reconnaissance, and Elasticvue for browsing the underlying data store. Collected attack data is shared by default with a community threat intelligence feed called Sicherheitstacho, though this can be turned off in the configuration.

The platform is open source and backed by a public community. This summary covers only part of the project's full README.

Where it fits