Project Overview

Academic & Personal Threat Intelligence Research

LLM-Powered Adaptive Honeypot

Built a deception platform as a layered pipeline: Cowrie/FastAPI collect attacker input, a policy-gated LLM generates realistic responses, and Wazuh ingests normalized telemetry. The key value was not only trapping attackers longer, but learning how to turn noisy interaction logs into structured intelligence we could act on.

Visual Architecture

System Architecture

The platform consists of containerized honeypot services (Cowrie, custom FastAPI endpoints) that forward raw attacker input to a centralized Python orchestration layer. This layer performs policy-based filtering and prompts an LLM via API to generate context-aware SSH/HTTP responses. Telemetry is normalized and ingested into a Wazuh SIEM for real-time analysis.

Implementation Strategy

Implementation involved developing custom Cowrie handlers to intercept and relay terminal input, building a high-performance orchestration layer to manage LLM latency, and configuring fine-grained Wazuh decoders for non-standard honeypot logs.

Technical Outcome

Provides a scalable architecture for AI-assisted deception, demonstrating improved attacker dwell time and systematic ingestion of structured threat intelligence into security operations.

Key Features

01. Dynamic LLM-driven SSH and HTTP interaction modules
02. Policy-guided output sanitization and model gating
03. Centralized event normalization and Wazuh SIEM integration
04. Automated IoC extraction from adversarial sessions

Quick Start

01. Clone & Initialize
    git clone https://github.com/khalilammarr/LLM_Honeypot.git
    Retrieve the core deception engine and SIEM infrastructure.

02. Cognitive Config
    cp .env.example .env && nano .env
    Add your Groq API key and define the behavioral security policies.

03. Containerized Orchestration
    docker compose up -d --build
    Spin up the Cowrie, FastAPI, and Wazuh stack in isolated zones.

System Capabilities

Cognitive SSH

Cowrie-based shell that hallucinates entire file systems and command responses in real time via LLM reasoning.

Dynamic HTTP Surface

FastAPI-driven adaptive portal that generates realistic config files and database dumps on the fly.

Zero-Leak Gating

Custom Python filters that strip model-specific reasoning tags to maintain full environmental immersion.
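A minimal version of the output gate described above (and of the "policy-guided output sanitization" feature), written as an added example rather than the project's own code: the reasoning-tag names, the immersion-breaking phrases, the length limit and the fallback text are assumptions, and the sample model output is constructed.

```python
import re

# Assumed reasoning-tag names; the project's actual list lives in its policy config.
REASONING_TAGS = ("think", "thinking", "reasoning", "analysis")
# Assumed phrases that would break the shell illusion if echoed to the attacker.
IMMERSION_BREAKERS = ("as an ai", "language model", "i cannot", "i'm sorry")
MAX_CHARS = 4000
# Constructed fallback: what the honeypot sends when the gate rejects the model output.
FALLBACK = "-bash: command not found\n"


def strip_reasoning(text: str) -> str:
    """Drop <think>...</think>-style blocks, an unterminated trailing block, and stray tags."""
    for tag in REASONING_TAGS:
        text = re.sub(rf"<{tag}>.*?</{tag}>", "", text, flags=re.S | re.I)
        text = re.sub(rf"<{tag}>.*\Z", "", text, flags=re.S | re.I)
        text = re.sub(rf"</?{tag}>", "", text, flags=re.I)
    return text


def strip_markdown_fence(text: str) -> str:
    """Models like to wrap terminal output in ``` fences; a real shell never does."""
    m = re.fullmatch(r"\s*```[\w-]*\n(.*?)\n?```\s*", text, flags=re.S)
    return m.group(1) if m else text


def gate(raw: str, fallback: str = FALLBACK) -> tuple[str, str]:
    """Sanitize raw model output. Returns (text_to_send, verdict); the verdict
    ('ok', 'truncated', 'empty' or 'blocked') is what the orchestrator logs to the SIEM."""
    cleaned = strip_markdown_fence(strip_reasoning(raw)).strip("\n")
    if not cleaned.strip():
        return fallback, "empty"
    if any(p in cleaned.lower() for p in IMMERSION_BREAKERS):
        return fallback, "blocked"
    if len(cleaned) > MAX_CHARS:
        return cleaned[:MAX_CHARS] + "\n", "truncated"
    return cleaned + "\n", "ok"


# Constructed sample of what a reasoning-capable model might return for `cat /etc/passwd`.
SAMPLE_MODEL_OUTPUT = (
    "<think>Attacker wants /etc/passwd; answer with a plausible Debian file.</think>\n"
    "```\nroot:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n```"
)

if __name__ == "__main__":
    body, verdict = gate(SAMPLE_MODEL_OUTPUT)
    print(verdict)
    print(body, end="")
```

Logging the verdict alongside the session id gives Wazuh a signal for how often the model leaks reasoning or breaks character, which is useful for tuning the prompts.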

SIEM Intelligence

Native Wazuh integration for real-time telemetry ingestion and automated adversarial behavioral analysis.

Security Advisory

This is an active deception lab platform. These services should only be hosted in strictly firewalled or host-only environments. Do not deploy on the public internet without proper sandboxing or isolation protocols.
