Frequently asked questions
Plain answers for business owners, office managers, and IT teams who want to understand how the Dataforge Honeypot works and how it helps.
Beta (version 0.2): This service is under active development. It is intended for pilot and early production use on private networks. Features, deployment steps, and security requirements may still change.
What is a honeypot?
A honeypot is a fake system on your network that looks interesting to an attacker but has no real business purpose. Your staff should never use it for daily work. If something connects to it or scans it, that is a strong sign someone is exploring your network who should not be.
What problem does this solve?
Firewalls mostly protect the edge of your network. Antivirus and endpoint tools watch individual computers. Neither gives you a clear, reliable signal when someone is already inside and searching for the next target.
Attackers who get onto your LAN usually have to scan and probe to find servers, remote access, and other valuable systems. A honeypot catches that behaviour early — often before they reach your real data.
How does the Dataforge Honeypot work?
The system has two parts:
- Detectors — small virtual or physical machines on your LAN that run fake services (such as remote access or mail-style ports) and optionally watch for network probes.
- The Dataforge director — a cloud service operated by Dataforge that collects activity from your detectors, shows it in a web portal, and sends alerts. You do not host or manage this part.
You register each detector in the portal, deploy it on your network, and monitor what touches it.
Who should use this?
It is a good fit if you:
- Run a business network with servers, file shares, or sensitive data
- Want early warning when someone is moving around inside the network
- Do not have full security monitoring on every part of the LAN
- Work with an IT provider who can place detectors sensibly and respond to alerts
It is not a replacement for passwords, updates, backups, endpoint protection, or an incident response plan.
Will this stop an attacker?
No. It is a tripwire, not a wall. It tells you someone is probing so your team can investigate, isolate machines, reset passwords, or call for help. You still need a plan for what to do when an alert arrives.
Why are honeypot alerts more trustworthy than other alerts?
Most security tools generate a lot of noise — unusual traffic, policy violations, and false positives. A honeypot is different: it has no legitimate users and no real workload. Almost any contact is suspicious by definition.
That makes alerts easier to act on: you spend less time debating “was that bad?” and more time responding.
What kind of activity does it detect?
Detectors can attract and log things like:
- Connections to fake remote-access or mail-style services
- Probes from other machines on your internal network
- Scanning behaviour that hits the detector
When activity comes from private internal addresses (typical office LAN ranges), the director can alert you by email or messaging integrations you configure.
Where should detectors be placed?
Placement matters. Put detectors where an attacker would actually look:
- On or near your server network
- Near critical systems such as file servers or domain services
- At branch offices that may have lighter monitoring
- On network segments where you want to test whether guest or IoT traffic can reach internal-only areas
A detector on the wrong part of the network may never see the traffic you care about.
Do my employees need software installed?
No. The detector runs as a Docker container (dataforgecanada/honeypot on Docker Hub) on a dedicated VM or physical machine — you are not installing anything on laptops or desktops. The portal generates a ready-to-run docker run command for each detector; your IT team pastes it on the host and the detector starts immediately.
Is it expensive to run?
Compared with monitoring every device and every packet on the LAN, honeypots are lightweight. You typically need:
- One or more detector machines on key network segments
- Time for your team or IT provider to review alerts and respond
Many organizations start with one detector and add more over time.
What happens if the Dataforge service is briefly unreachable?
Detectors buffer events locally and send them when connectivity returns. That is intentional — a short outage should not silently erase a tripwire hit. Events will upload automatically once the connection is restored.
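To make the store-and-forward behaviour described above concrete, here is an added illustration in Python. It is not Dataforge's detector code: the spool file layout, the event fields and the `upload` callable are all assumptions, and the events are constructed samples. The point it shows is that an event is written to disk before any upload attempt, and that a failed upload leaves the remaining events on disk in order so the next attempt resumes where the last one stopped.

```python
"""Store-and-forward buffer for detector events (added illustration)."""
import json
import os
import tempfile
from typing import Callable, Dict, List


class EventBuffer:
    """Append-only local spool of events that have not yet reached the director."""

    def __init__(self, spool_path: str):
        self.spool_path = spool_path

    def record(self, event: Dict) -> None:
        # Write to disk first: a crash or outage cannot lose the event once it is here.
        with open(self.spool_path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(event) + "\n")

    def pending(self) -> List[Dict]:
        """Events still waiting for delivery, in arrival order."""
        if not os.path.exists(self.spool_path):
            return []
        with open(self.spool_path, encoding="utf-8") as fh:
            return [json.loads(line) for line in fh if line.strip()]

    def flush(self, upload: Callable[[Dict], bool]) -> int:
        """Try to upload each spooled event in order; stop at the first failure.

        Returns the number of events delivered. Undelivered events are written
        back to the spool unchanged so a later flush picks up where this one stopped.
        """
        events = self.pending()
        delivered = 0
        for event in events:
            if not upload(event):
                break
            delivered += 1
        with open(self.spool_path, "w", encoding="utf-8") as fh:
            for event in events[delivered:]:
                fh.write(json.dumps(event) + "\n")
        return delivered


def demo_outage() -> Dict[str, int]:
    """Constructed scenario: two hits arrive while the director is unreachable, then the link returns."""
    spool = os.path.join(tempfile.mkdtemp(), "spool.jsonl")
    buf = EventBuffer(spool)
    # Constructed sample events, not real captures.
    buf.record({"ts": "2024-01-01T10:00:00Z", "src": "10.0.5.23", "dst_port": 3389, "kind": "connect"})
    buf.record({"ts": "2024-01-01T10:00:02Z", "src": "10.0.5.23", "dst_port": 25, "kind": "connect"})

    def director_down(_event: Dict) -> bool:
        return False  # every upload attempt fails during the outage

    delivered_during_outage = buf.flush(director_down)
    pending_during_outage = len(buf.pending())

    received: List[Dict] = []

    def director_up(event: Dict) -> bool:
        received.append(event)
        return True

    delivered_after_recovery = buf.flush(director_up)
    return {
        "delivered_during_outage": delivered_during_outage,
        "pending_during_outage": pending_during_outage,
        "delivered_after_recovery": delivered_after_recovery,
        "left_on_disk": len(buf.pending()),
    }


if __name__ == "__main__":
    print(demo_outage())
```

The sender is injected as a callable so the same buffer logic can be exercised offline; in a real detector it would be the HTTPS call to the director, and the flush would run on a timer.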
How do I get notified?
You can receive alerts by email. You can also connect Telegram (your own bot and chat) in portal settings for faster mobile notification. Device health alerts (such as a detector going offline) use the same channels.
What should we do when we get an alert?
Treat it as credible until proven otherwise:
- Note the source address and time from the alert
- Identify which machine or user that address belongs to
- Isolate or investigate that system if appropriate
- Check whether other systems show signs of compromise
- Escalate to your IT provider or incident response process
An alert only helps if someone responds.
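The first steps of that checklist (note the source address and time, work out which machine it belongs to) can be partly automated. The following is an added example, not part of the FAQ or the Dataforge portal: it groups constructed honeypot events by source, flags whether the source sits in a typical office LAN range, looks the address up in a constructed asset list, and suggests which step of the checklist applies. The event field names, the `ASSETS` inventory and the "three or more ports" scanning threshold are assumptions.

```python
"""Triage helper for honeypot alerts (added example)."""
import ipaddress
from typing import Dict, List, Set

# Private ranges typical of office LANs (RFC 1918).
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed asset inventory, e.g. exported from DHCP leases or an asset register.
ASSETS: Dict[str, Dict[str, str]] = {
    "10.0.5.23": {"host": "RECEPTION-PC1", "owner": "front desk"},
    "10.0.1.10": {"host": "FS01", "owner": "file server"},
}

# Constructed sample events as a detector might report them (not real captures).
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2024-01-01T10:00:00Z", "src": "10.0.5.23", "dst_port": 3389},
    {"ts": "2024-01-01T10:00:01Z", "src": "10.0.5.23", "dst_port": 445},
    {"ts": "2024-01-01T10:00:03Z", "src": "10.0.5.23", "dst_port": 22},
    {"ts": "2024-01-01T10:07:00Z", "src": "10.0.9.77", "dst_port": 25},
    {"ts": "2024-01-01T10:09:00Z", "src": "203.0.113.9", "dst_port": 3389},
]

SCAN_PORT_THRESHOLD = 3  # assumed: distinct ports touched before we call it scanning


def is_internal(addr: str) -> bool:
    """True when the address falls in a private LAN range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_RANGES)


def summarise(events: List[Dict]) -> Dict[str, Dict]:
    """Collapse raw events into one record per source: time window, hit count, ports touched."""
    by_src: Dict[str, Dict] = {}
    for ev in events:
        entry = by_src.setdefault(
            ev["src"], {"first_seen": ev["ts"], "last_seen": ev["ts"], "hits": 0, "ports": set()}
        )
        entry["hits"] += 1
        entry["ports"].add(ev["dst_port"])
        # Timestamps share one ISO-8601 format, so string comparison orders them correctly.
        entry["first_seen"] = min(entry["first_seen"], ev["ts"])
        entry["last_seen"] = max(entry["last_seen"], ev["ts"])
    return by_src


def triage(src: str, summary: Dict) -> Dict[str, object]:
    """Attach context and the applicable checklist step to one source's summary."""
    ports: Set[int] = summary["ports"]
    internal = is_internal(src)
    asset = ASSETS.get(src)
    pattern = "port scan" if len(ports) >= SCAN_PORT_THRESHOLD else "single-service contact"

    if asset is not None:
        next_step = f"contact {asset['owner']}; isolate {asset['host']} and check it for compromise"
    elif internal:
        next_step = "unknown internal host: locate it via DHCP or switch logs, then isolate"
    else:
        next_step = "non-LAN source reached an internal detector: review firewall and NAT rules"

    return {
        "src": src,
        "first_seen": summary["first_seen"],
        "last_seen": summary["last_seen"],
        "hits": summary["hits"],
        "ports": sorted(ports),
        "internal": internal,
        "host": asset["host"] if asset else None,
        "pattern": pattern,
        "next_step": next_step,
    }


def triage_all(events: List[Dict]) -> Dict[str, Dict[str, object]]:
    """Run the triage over every source seen in the events."""
    return {src: triage(src, summ) for src, summ in summarise(events).items()}


if __name__ == "__main__":
    for record in triage_all(SAMPLE_EVENTS).values():
        print(record)
```

Grouping by source before escalating matters: three events from one workstation in a few seconds are one incident, not three, and the set of ports touched tells the responder whether they are looking at a single misconfigured client or something sweeping the segment.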
Can we test that it works?
Yes — and you should. During a controlled drill, run an internal scan or connect to a detector port from a test machine. Confirm the event appears in the portal and that alerts reach the right people. That builds confidence before you rely on it in a real incident.
How does it hold up in real-world testing?
Well. We have deployed Dataforge Honeypot across a range of real-world environments, including engagements where professional third-party penetration testers were brought in to test the network without advance knowledge of the detectors.
In every case, the honeypot was among the first controls to fire an alert. A penetration tester — like a real attacker — has little choice but to probe the network to find targets. That reconnaissance activity hits the detector before it reaches anything real, and the alert arrives while they are still in the discovery phase.
That early warning is exactly the point: you want to know someone is looking before they find something worth taking.
Does this help after we have already had a breach?
Yes. After cleanup, detectors can remain in place to detect return visits, missed persistence, or someone still moving on the network.
Does it replace our firewall or antivirus?
No. It complements them:
| Tool | What it mainly watches |
|---|---|
| Firewall | Traffic in and out of the network |
| Endpoint protection | Individual computers |
| Honeypot | Fake internal targets — catches probing and lateral movement |
Together they cover different parts of the attack path.
What about compliance and insurance?
Deploying internal detection controls can support conversations with auditors, clients, and insurers — it shows you are not only relying on perimeter defences. It does not by itself satisfy every compliance requirement; your advisor can say what fits your industry.
What are the honest limitations?
- Beta — features and deployment may still change; plan for occasional updates.
- Placement and response are on you — wrong location or ignored alerts mean little value.
- Detection, not prevention — it warns you; it does not block attackers automatically.
How do I get started?
- Create an account (when sign-up is enabled) or ask your administrator for portal access.
- Register a detector in the portal.
- Deploy the detector on a VM or physical system on your LAN using the generated commands.
- Configure alerts (email or Telegram) and run a quick test to confirm everything works.
- Monitor the portal and define who responds when an alert fires.
For technical setup details, sign in to the portal after your account is ready.
Is there a free tier?
Yes. When enabled on your deployment, the Community plan is free: one detector, limited stored events, and daily digest alerts. Upgrade to Standard from Billing for more detectors, immediate alerts, and support access.
Do I get a free trial on Standard?
No. Standard is billed monthly through PayPal when you subscribe or upgrade from Community. There is no separate free-trial period.
How do I cancel?
Sign in to the portal, open Billing, and use Cancel subscription. Your detectors keep working until the end of the current paid period. PayPal stops future charges.
Where are my invoices?
Invoices and payment history are in your PayPal account (Activity). The portal shows subscription status and next billing date but does not store PDF invoices.