Honeypot-as-a-Service

Free sensors for Cyber Resilience Alliance members.

Mansfeld-Südharz, Germany - December 2, 2025

Turning the county network into a living sensor field—without baiting citizens’ real data

The first time we switched on the grid, the most active visitor was a script kiddie in São Paulo who spent forty-three minutes trying to teach a fake Siemens S7-1500 how to mine Dogecoin. He never noticed that every PLC command he typed was being replayed into a shadow memory zone, timestamped, fingerprinted and forwarded to five European CERTs before his SSH session finished negotiating cipher suites. That is the quiet promise of the Alliance’s Honeypot-as-a-Service: give adversaries the illusion they have breached the plant, while the plant itself keeps humming, untouched, behind a one-way valve of containers and virtual wires. We do not sell the service; we simply hand each new federation member a Kubernetes manifest and a DNS name, and within fifteen minutes their own slice of the county’s synthetic factory is alive, logging, lying—and learning.

The architecture is deliberately frugal. A standard deployment needs only three bare-metal hosts—each the size of a desktop PC—nested inside the county’s existing fibre loop. Those boxes run a lightweight K3s distribution that keeps the control plane on premises, ensuring that metadata about attacks never leaves German soil. Every honeypot is packaged as a micro-VM built with Firecracker, the same virtualisation engine that powers AWS Lambda, but compiled without any network egress except the encrypted telemetry channel back to the shared SOC. The result is a fleet of decoys that appear to offer the full surface area of an industrial park—Modbus gateways, OPC-UA brokers, even a convincing Emerson DeltaV batch panel—while occupying less than 6 GB of RAM and rebooting in 130 milliseconds if an attacker manages to crash the illusion. Because the images are read-only, persistence is impossible; the worst a hostile shell can do is scribble into a tmpfs that evaporates the moment the session drops.

What makes the offer “as-a-service” is not the software alone but the accompanying intelligence loop. Each honeypot ships with a sidecar sensor that speaks STIX/TAXII natively, so every command sequence is translated into a structured object that can be compared across the entire federation within sixty seconds. If the São Paulo script attempts the same payload against a chemical tank in Brno six hours later, the grid recognises the TTP overlap and raises a federation-wide early-warning flag before the second victim even registers an anomaly. That correlation happens inside an in-memory graph maintained by the Alliance’s shared SOC; no raw packet ever leaves the originating county, preserving both privacy and sovereignty. Members simply subscribe to the threat feed they want—TAXII, JSON, or plain email—and consume indicators that are already pre-filtered for false positives by Validato’s graph-based reputation engine.
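The correlation step above can be made concrete with a small model of the sidecar-to-SOC loop. The following is an added example written for this page, not Alliance or Validato code: each sidecar is assumed to emit a minimal STIX-2.1-shaped sighting dict carrying a custom `x_alliance_ttp_fingerprint` property (an assumed extension name), the fingerprint masks target-specific values (IPs, ports, hex addresses) so the same technique aimed at two different PLCs collapses onto one key, and the in-memory index raises an early-warning object when a second member sees the same fingerprint inside the correlation window. The sightings are constructed to mirror the São Paulo-then-Brno scenario.

```python
"""Federation-wide TTP correlation over STIX-style sighting objects (added example)."""
from __future__ import annotations
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Values that change per target but not per technique: IPv4 addresses,
# hex literals, bare numbers.  Masking them is what lets two sessions aimed
# at different decoys share one fingerprint.  (Assumed normalisation rule.)
_VARIABLE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b|0x[0-9a-fA-F]+|\b\d+\b")


def fingerprint(commands: list[str]) -> str:
    """Stable identifier for a command sequence, ignoring target-specific values."""
    norm = "\n".join(_VARIABLE.sub("#", c.strip().lower()) for c in commands)
    return hashlib.sha256(norm.encode()).hexdigest()[:16]


@dataclass
class Sighting:
    member: str            # federation member whose decoy captured it
    first_seen: datetime   # timezone-aware
    commands: list[str]    # command sequence recorded by the sidecar

    def to_stix(self) -> dict:
        """Minimal STIX-2.1-shaped sighting; the x_alliance_* property is assumed."""
        fp = fingerprint(self.commands)
        return {
            "type": "sighting",
            "id": f"sighting--{fp}-{self.member}",
            "first_seen": self.first_seen.isoformat(),
            "where_sighted_refs": [f"identity--{self.member}"],
            "x_alliance_ttp_fingerprint": fp,
        }


@dataclass
class Correlator:
    """In-memory index standing in for the shared SOC's graph."""
    window: timedelta = timedelta(hours=24)
    index: dict = field(default_factory=lambda: defaultdict(list))  # fp -> [(member, seen)]

    def ingest(self, stix: dict) -> dict | None:
        """Index one sighting; return an early-warning flag on cross-member overlap."""
        fp = stix["x_alliance_ttp_fingerprint"]
        member = stix["where_sighted_refs"][0].removeprefix("identity--")
        seen = datetime.fromisoformat(stix["first_seen"])
        overlap = [m for m, t in self.index[fp]
                   if m != member and abs(seen - t) <= self.window]
        self.index[fp].append((member, seen))
        if not overlap:
            return None
        return {
            "type": "x-alliance-early-warning",   # assumed custom object type
            "fingerprint": fp,
            "first_member": overlap[0],
            "new_member": member,
            "members_affected": sorted({*overlap, member}),
        }


# Constructed sightings, not real telemetry.
T0 = datetime(2025, 11, 3, 9, 0, tzinfo=timezone.utc)
SAMPLE_SIGHTINGS = [
    Sighting("mansfeld", T0,
             ["PUT 10.20.0.5:102 DB1.DBW0 0x4F", "START DOGE miner"]),
    Sighting("brno", T0 + timedelta(hours=6),                 # same TTP, other target
             ["put 192.168.7.9:102 db1.dbw0 0x10", "start doge miner"]),
    Sighting("ljubljana", T0 + timedelta(hours=2),            # unrelated Modbus probe
             ["read_coils 1 8", "write_single_coil 3 on"]),
    Sighting("mansfeld", T0 + timedelta(days=3),              # same member, outside window
             ["put 10.20.0.5:102 db1.dbw0 0x4F", "start doge miner"]),
]


def run_demo(sightings=SAMPLE_SIGHTINGS, window=timedelta(hours=24)) -> list[dict]:
    """Feed sightings through one correlator and collect the flags it raises."""
    c = Correlator(window=window)
    return [w for s in sightings if (w := c.ingest(s.to_stix())) is not None]


if __name__ == "__main__":
    for warning in run_demo():
        print(warning)
```

Only the Brno sighting produces a flag: it shares a fingerprint with Mansfeld's and falls inside the window, whereas the repeat at Mansfeld three days later is the same member and too late. Tuning the masking regex is where most of the real engineering sits; too aggressive and unrelated probes merge, too lax and one attacker's retargeted session looks new every time.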

Membership economics are refreshingly simple for the user. The baseline package—ten honeypots, 100 GB of log retention, unlimited STIX feed—costs nothing because the marginal cost of spinning up another Firecracker VM is literally a rounding error on the county’s renewable-energy invoice. We finance the overhead through the federation membership fee that every participant already pays for the shared SOC and certification vouchers, so the honeypots appear as a line item labelled “sensor grid” but priced at zero. If a member wants custom decoys—say, a perfect clone of their own packaging line’s Beckhoff PLC—we charge only the engineer’s time to strip proprietary serial numbers and rebuild the firmware image; typically two days billed at 900 €, a fraction of what a commercial red team would invoice for equivalent reconnaissance. The source Dockerfiles are published under EUPL-1.2, so even that fee disappears if the member prefers to bake their own images and simply hook into the telemetry API.

"We give away sensors like seeds; the harvest is a threat graph too large for any single attacker to game."

Legal exposure was the last dragon to slay. German industrial law still treats any “active measure” that entices an attacker as a potential grey-zone, especially if the decoy impersonates critical infrastructure. We solved the riddle by registering the entire IP space used by the honeypots in the name of the county’s economic-development agency, a public body immune from private tort claims under § 839 BGB as long as the activity serves regional innovation. A formal opinion by the state data-protection commissioner confirms that because the service never stores third-party personal data—only attack artefacts—the deployment is classified as legitimate network-defence research, not covert surveillance. Members therefore receive the diplomatic equivalent of a hall-pass: they can stand up convincing replicas of their own production systems without fear of violating the BSI-KritisV or the upcoming NIS2 implementation act, because the legal entity absorbing risk is sovereign and insured.

The first year of operation has already produced a dataset that traditional vendors would classify as proprietary gold. Across 127 federation members, the grid has recorded 1 400 000 distinct intrusion attempts, of which 11 % targeted industrial control protocols, a share three times higher than recorded in generic cloud honeynets. More valuable is the temporal pattern: attacks against decoy PLCs spike exactly 48 hours after each Microsoft Patch-Tuesday, suggesting that adversaries scan for unpatched OPC servers once desktop vulnerabilities are exhausted. That insight is now fed back into the county’s own patch-management calendar, moving industrial updates ahead of the desktop wave and cutting successful breach attempts by 38 % in six months. Because the finding is derived from anonymised metadata, it can be shared freely with other European regions without triggering GDPR objections, creating a feedback loop in which every new member improves the shield for everyone else.
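The Patch-Tuesday pattern is the kind of finding that falls out of anonymised metadata alone: a timestamp and a protocol label per event are enough. The block below is an added example, not Alliance code, showing how such an offset histogram is computed: it derives Microsoft's Patch Tuesday (second Tuesday of the month) for any month, buckets each event by hours elapsed since the most recent one, and reports the peak bucket. The event list is constructed so that a cluster of S7comm attempts lands two days after the November 2025 Patch Tuesday, with IT-side noise the day before; filtering to ICS protocols is what makes the industrial spike visible.

```python
"""Hours-since-Patch-Tuesday histogram for decoy attack attempts (added example)."""
from __future__ import annotations
import calendar
from collections import Counter
from datetime import datetime, timedelta, timezone

# Protocol labels treated as industrial; assumed label set for this example.
ICS_PROTOCOLS = {"s7comm", "modbus", "opcua", "dnp3"}


def patch_tuesday(year: int, month: int) -> datetime:
    """Second Tuesday of the month at 00:00 UTC (Microsoft's Patch Tuesday)."""
    first_weekday = calendar.weekday(year, month, 1)            # Monday == 0
    first_tuesday = 1 + (calendar.TUESDAY - first_weekday) % 7
    return datetime(year, month, first_tuesday + 7, tzinfo=timezone.utc)


def last_patch_tuesday(ts: datetime) -> datetime:
    """Most recent Patch Tuesday at or before ts (rolls into the previous month)."""
    pt = patch_tuesday(ts.year, ts.month)
    if ts >= pt:
        return pt
    prev_month_end = ts.replace(day=1) - timedelta(days=1)
    return patch_tuesday(prev_month_end.year, prev_month_end.month)


def offset_histogram(events, bucket_hours: int = 24, ics_only: bool = True) -> Counter:
    """Count events per bucket of hours elapsed since the last Patch Tuesday."""
    hist: Counter = Counter()
    for ts, proto in events:
        if ics_only and proto not in ICS_PROTOCOLS:
            continue
        hours = (ts - last_patch_tuesday(ts)).total_seconds() / 3600
        hist[int(hours // bucket_hours) * bucket_hours] += 1
    return hist


def peak_offset(hist: Counter) -> int:
    """Bucket start (in hours after Patch Tuesday) holding the most events."""
    return hist.most_common(1)[0][0]


# Constructed events (timestamp, protocol), not real grid data.
PT_NOV = patch_tuesday(2025, 11)                                   # 2025-11-11
SAMPLE_EVENTS = (
    [(PT_NOV + timedelta(hours=12 * i), "modbus") for i in range(14)]          # steady ICS background
    + [(PT_NOV + timedelta(hours=51 + i), "s7comm") for i in range(10)]        # cluster at +2 days
    + [(PT_NOV + timedelta(hours=34, minutes=10 * i), "ssh") for i in range(20)]  # IT-side noise
)


def analyse(events=SAMPLE_EVENTS, ics_only: bool = True) -> tuple[int, Counter]:
    """Return (peak bucket, histogram) for the given events."""
    hist = offset_histogram(events, ics_only=ics_only)
    return peak_offset(hist), hist


if __name__ == "__main__":
    for only_ics in (True, False):
        peak, hist = analyse(ics_only=only_ics)
        print(f"ics_only={only_ics}: peak at +{peak}h, histogram={dict(sorted(hist.items()))}")
```

With the ICS filter on, the peak sits in the 48-hour bucket; with it off, the SSH noise at +34h dominates and the industrial signal disappears into the IT wave. Real use would feed the histogram from the federation's STIX sightings rather than a constructed list and compare months before trusting a single spike.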

Scaling beyond the county border does not require new hardware; it requires new trust anchors. We are piloting a federated key-management scheme that lets a Slovenian university operate its own honeypot cell while still signing every STIX object with a county-issued certificate, preserving chain-of-custody across jurisdictions. The blueprint is ready, the containers are portable, and the legal opinion is reusable; the only missing piece is the next region willing to treat its industrial heritage as fertile soil for digital antibodies. If the pilot succeeds, the bicycle keeps pedalling itself: every fresh sensor increases the correlation surface, every new correlation refines the feed, and every refined feed makes membership more attractive, turning the original county into the seed crystal of a continent-wide immune system that never has to ask permission to protect its own.


The Cyber Resilience Alliance is a public-private partnership established in 2025, led by CypSec, Validato and the County of Mansfeld-Südharz. The Alliance operates a sovereign private-cloud security stack, a shared SOC and a cyber academy, aiming to make Mansfeld-Südharz the reference site for rural cyber resilience by 2030.

Media Contact: Daria Fediay, Chief Executive Officer at CypSec - daria.fediay@cypsec.de.
