Preparation
Pick the target network segment (office LAN, server VLAN, OT) and the decoy persona (backup server, secondary controller, NAS).
Enterprise honeypot · MTTD < 30 s · lateral-movement detection
The silent tripwire that fires when the attacker thinks they're invisible. SYLink Hornetbot is a self-hosted enterprise decoy deployed within minutes inside your LAN or server VLAN: it impersonates a legitimate Windows server (SMB shares, RDP, SSH, fake business apps) and alerts on the first scan, the first authentication attempt, the first write to a trapped share. No user has any legitimate reason to touch it — every interaction is a qualified attack signal.
The Hornetbot exposes a credible range of enterprise network services: a fake backup server, sensitive SMB shares (accounting, HR, backups), an exposed RDP endpoint, databases that appear poorly secured. From the attacker's side, it is exactly the kind of host they love to find: under-secured, data-rich, isolated. From the defender's side, it is a trap: no user has access to it, no business process writes to it, no application connects to it.
Every interaction is qualified at source: a simple TCP probe becomes a "reconnaissance" signal, an SSH authentication attempt becomes "credential spraying", a read of the Comptabilité$ share becomes "stage 2 exfiltration". The SYLink engine correlates the event with its context (time of day, source IP, velocity), enriches it with sovereign CTI and raises the alert to UniSOC or your SIEM in under 30 seconds.
The attacker does not know they are being watched. While they run their kill chain against what they believe is a real server, your analysts have already identified their source IP, inventoried their tools and started containment.
Decoy VM deployed in your LAN or server VLAN: it imitates an enterprise server (SMB shares, RDP, SSH, dummy applications) and alerts on the first scan or the first authentication attempt. It serves no business function, so every interaction is qualified.
Typical deployment: import the signed VM into your hypervisor, assign an IP consistent with the target segment, choose a plausible hostname, and plug the syslog output into your SIEM or UniSOC. The first alert is validated with a controlled internal scan.
Import: qcow2.zst into Proxmox / KVM, or OVA into VMware. GPG signature verified at import.
Configure: hostname, static IP, fake shares and banners aligned with your internal naming.
Connect: signed syslog / webhook output to UniSOC SYLink or your SIEM. Alert test via a controlled internal scan.
Maintain: signed image updates pushed via the SYLink channel (or manual import for air-gapped networks). Quarterly review of the decoy persona.
Integration pipeline: step by step, from scoping to production
Where an EDR detects ongoing behavior on an already-compromised endpoint, the Hornetbot reveals the attacker the moment they scan or enumerate the network, often before the first malicious execution.
No legitimate user has any reason to touch this server. Every interaction is an attack signal, qualified at source.
Signed Debian 13 VM image. No outbound telemetry, no third-party cloud, no callbacks outside your perimeter. Air-gap-compatible for sensitive networks.
Covers incident-detection requirements (NIS2 art. 21), notification (art. 23), DORA operational resilience and GDPR minimization — no personal data collected.
Deployment
| Image | Minimal Debian 13 VM · GPG-signed |
| Formats | qcow2.zst (Proxmox / KVM) · OVA (VMware / Workstation) |
| Footprint | ≈ 250–280 MB · 1 vCPU · 1 GB RAM · 4 GB disk |
| Go-live | Import VM → static IP → first signal in < 5 min |
| Update | Signed image pushed over the SYLink channel or manual air-gap import |

Exposed services
| SSH (port 22) | Credible Linux server banner · captures credentials and typed commands |
| HTTP (port 80) | Themed "BackupServer" page · dummy login form |
| SMB (port 445) | Dummy shares (e.g. Comptabilité$, RH$, Sauvegardes$) · access capture |
| RDP (port 3389) | Windows Server banner · brute-force and enumeration detection |
| Databases | Postgres · Redis · MongoDB · Elasticsearch stubs (minimal responses, full logging) |
| SNMP (port 161) | Credible System / Interface responses to trap discovery tools |
| TCP tarpit | Deliberately slows mass scans to buy detection time |

Camouflage
| OS fingerprint | TTL 128 · TCP/IP stack emulating Windows Server 2019 |
| Banners | Versions and hostnames consistent with your internal naming (configurable) |
| Hostname / domain | Customisable to blend into your AD (e.g. SRV-BKP-03.intra) |
| Behavior | No response to "overly curious" scans that could reveal the decoy's nature |

Integration
| Event output | Syslog · JSON over HTTP · signed webhook · e-mail |
| Native connectors | UniSOC SYLink · Splunk / Elastic / QRadar / Sentinel SIEMs |
| Alert levels | Info (scan) · Suspect (authentication attempted) · Critical (credentials captured / file dropped) |
| Local retention | 30 days of logs on the VM · continuous export to SIEM |
| Event signing | HMAC for forensic integrity |
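As an added illustration of the receiving side of the signed-event output and alert levels described above (example code, not SYLink's own implementation or its documented event schema): the event fields, the HMAC construction, the shared secret and the event-type vocabulary are all assumptions; only the three alert levels and the velocity context come from the page.

```python
import hashlib
import hmac
import json
from collections import defaultdict

# Constructed shared secret; a real deployment provisions one per decoy (assumption).
SECRET = b"constructed-demo-secret"
# Page's alert levels, keyed by an assumed event-type vocabulary (not the product's schema).
LEVELS = {
    "scan": "Info",
    "auth_attempt": "Suspect",
    "share_read": "Critical",
    "creds_captured": "Critical",
    "file_dropped": "Critical",
}

def canonical(event: dict) -> bytes:
    """Stable serialisation so sender and receiver HMAC exactly the same bytes."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()

def sign_event(event: dict, secret: bytes = SECRET) -> str:
    """HMAC-SHA256 tag the decoy attaches to each event for forensic integrity."""
    return hmac.new(secret, canonical(event), hashlib.sha256).hexdigest()

def verify_event(event: dict, tag: str, secret: bytes = SECRET) -> bool:
    """Constant-time check on the SIEM side: any altered field fails verification."""
    return hmac.compare_digest(sign_event(event, secret), tag)

def qualify(event: dict) -> str:
    """Qualification at source: nobody should touch the decoy, so every event gets a level."""
    return LEVELS.get(event.get("type"), "Info")

def triage(records: list, window_s: int = 60, burst: int = 5) -> dict:
    """Drop records whose tag fails, then level each event, escalating Info to Suspect
    when the same source produced `burst` events within `window_s` (velocity context)."""
    seen = defaultdict(list)      # source IP -> timestamps of verified events
    levels = defaultdict(list)    # source IP -> per-event level, in arrival order
    for event, tag in records:
        if not verify_event(event, tag):
            continue              # forged or altered: not trusted as evidence
        src, ts = event["src"], event["ts"]
        seen[src].append(ts)
        level = qualify(event)
        recent = [t for t in seen[src] if ts - window_s <= t <= ts]
        if level == "Info" and len(recent) >= burst:
            level = "Suspect"
        levels[src].append(level)
    return dict(levels)
```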
A town of around 80,000 inhabitants deploys 3 Hornetbots (city hall, library, technical services). A library endpoint is compromised by office-suite malware: 18 minutes after infection, the local Hornetbot captures an SMB enumeration attempt from that endpoint, and the attack is contained before it reaches the central information system.
A 120-person firm deploys a Hornetbot with a "backup server" persona (only RDP exposed, internally). Mid-day, RDP attempts arrive from a user endpoint that has no reason to touch it. The compromised AD account is isolated within the hour.
Hornetbot with a "secondary PACS" persona deployed on the medical-imaging VLAN. Any interaction is abnormal by construction — qualified alert immediately on lateral propagation from the office VLAN.
Hornetbot positioned at the IT/OT boundary, exposing a fake PLC and a "Schemas$" share. Detects OT mapping tools (Modbus / SNMP enumeration) before they reach the real systems.
3 to 5 Hornetbots deployed in sensitive zones (HQ LAN, AD, backups, finance). All feed UniSOC, correlated with the SYLink CTI, giving a unified view of who is poking around where across the information system.
"Client folder server" persona exposed via SMB. Any enumeration of the share triggers a critical alert, so a compromised AD session is caught before sensitive data is exfiltrated.
30-minute guided demo, PoC on a pilot perimeter, support by our French teams based in Clermont-Ferrand, Marseille and Rennes.