Lateral movement
An attacker already in your LAN scans to pivot. The first port they touch is a decoy — you detect them before they reach a real server.
Any interaction with a decoy is, by definition, malicious. SYLink deploys fake services (SSH, RDP, SMB, Active Directory, shares, APIs…) at the edge, in the DMZ and at the heart of the LAN. The slightest scan, the slightest authentication, the slightest read of a fake share triggers a qualified alert — no noise, no false positive.
Modern attacks slip past signatures. The honeypot correlates nothing and scores nothing: it triggers as soon as someone touches it, which makes it the most reliable detection for the six scenarios below.
Authentication attempts on a fake SSH, RDP or Active Directory. You capture the credentials tested, the source IP, and the attack times.
nmap, masscan, port scans, SMB enumeration — actions invisible to a classic IDS but instantly revealed by a honeypot.
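As an added illustration of the two points above (any touch of a decoy is an alert by itself, and a scan shows up as several decoy ports hit by one source), here is a minimal low-interaction decoy in Python. It is not SYLink's code; the port map, the 60-second window and the three-port threshold are assumptions made for the example.

```python
import socket
import threading
import time
from collections import defaultdict

# Assumption (not from the page): decoy ports and the service each one imitates.
DECOY_PORTS = {22: "ssh", 445: "smb", 3389: "rdp"}
SCAN_WINDOW_S = 60   # distinct decoy ports touched within this many seconds...
SCAN_THRESHOLD = 3   # ...by one source IP are reported as a port scan

class DecoyTracker:
    """Every touch of a decoy is an alert: no scoring, no correlation with other sensors."""
    def __init__(self):
        self.touches = defaultdict(list)   # src_ip -> [(timestamp, port)]

    def record(self, src_ip, port, first_bytes=b"", ts=None):
        ts = time.time() if ts is None else ts
        self.touches[src_ip].append((ts, port))
        recent = sorted({p for t, p in self.touches[src_ip] if ts - t <= SCAN_WINDOW_S})
        return {
            "kind": "scan" if len(recent) >= SCAN_THRESHOLD else "touch",
            "src_ip": src_ip,
            "decoy": DECOY_PORTS.get(port, f"tcp/{port}"),
            "ports_touched": recent,
            "first_bytes": first_bytes[:64].decode("latin-1"),  # client banner / first request
            "ts": ts,
        }

def serve_decoy(tracker, port, sink=print, bind="0.0.0.0"):
    """Low-interaction listener: send a fake banner, keep what the client sends, alert."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(8)
    while True:
        conn, (src_ip, _) = srv.accept()
        with conn:
            conn.settimeout(3)
            try:
                conn.sendall(b"SSH-2.0-OpenSSH_8.9\r\n" if port == 22 else b"")
                data = conn.recv(256)
            except OSError:
                data = b""
        sink(tracker.record(src_ip, port, data))

if __name__ == "__main__":   # ports below 1024 need root; remap DECOY_PORTS otherwise
    tracker = DecoyTracker()
    for p in DECOY_PORTS:
        threading.Thread(target=serve_decoy, args=(tracker, p)).start()
```

Replace `sink=print` with a function that posts the dict to your SIEM to get the real-time alert the page describes.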
Fake SMB shares named “HR”, “Finance”, “Executive”. No legitimate reason to access them: any read triggers a qualified incident.
Curious employees, partners exceeding their scope, providers with overly broad rights. The honeypot reveals the crossing, without mass surveillance.
A modern ransomware family scans the LAN before encrypting. The decoy captures the strain, its MITRE TTPs and its IOCs before the destructive phase.
Fake services exposed at the border (SSH, HTTP, RDP). Captures automated scanners, bruteforce bots, initial access vectors.
Fake HTTP/SMB application server mimicking a business app. Detects the pivot of an attacker who already compromised a border service.
Decoys at the heart of the network: SMB shares, fake Active Directory accounts, fake internal GitLab, fake API endpoints. This is where lateral movement is detected.
Decoy containers and VMs in sovereign cloud, industrial modules (Modbus, S7, BACnet) for OT sites. Covers targeted attacks on hybrid infra.
One single honeypot platform, three coverage depths. You switch tiers without redeploying, your capture history stays available, and SOC integration follows automatically.
Edge and DMZ deployment. For small businesses and SMBs wanting early detection without overloading the SOC.
Full LAN coverage, fake AD, canary tokens and SIEM correlation. The right tier for a structured cyber program.
High-interaction honeypots, OT/SCADA modules, threat hunting. For OIV/OSE and industrial environments.
| Feature | Basic (7 services) | Enterprise (14 services) | VIP (20 services) |
|---|---|---|---|
| Fake SSH (port 22) | ✓ | ✓ | ✓ |
| Fake Telnet / FTP | ✓ | ✓ | ✓ |
| Fake HTTP / HTTPS | ✓ | ✓ | ✓ |
| Fake RDP (3389) | ✓ | ✓ | ✓ |
| Fake SMB / fake shares | ✓ | ✓ | ✓ |
| nmap / masscan detection | ✓ | ✓ | ✓ |
| Real-time SIEM alert | ✓ | ✓ | ✓ |
| Fake MySQL / MSSQL / Redis | — | ✓ | ✓ |
| Fake Active Directory (Kerberos) | — | ✓ | ✓ |
| Monitored fake admin accounts | — | ✓ | ✓ |
| Canary tokens (docs, URLs, files) | — | ✓ | ✓ |
| MITRE ATT&CK TTP capture | — | ✓ | ✓ |
| Full session forensics | — | ✓ | ✓ |
| Auto quarantine via firewall | — | ✓ | ✓ |
| OT/SCADA modules (Modbus, S7, BACnet) | — | — | ✓ |
| Fake GitLab / internal API endpoints | — | — | ✓ |
| High-interaction honeypot (full OS) | — | — | ✓ |
| 12M+ IOC CTI correlation | — | — | ✓ |
| Analyst-assisted threat hunting | — | — | ✓ |
| Quarterly executive reporting | — | — | ✓ |
A modern strain scans the LAN before encrypting. The honeypot responds, captures the binary and IOCs — containment before the destructive phase.
An AD account named “adm-domain” with no legitimate use. Any auth attempt = qualified incident, source identified within seconds.
“Executive” SMB share accessible but monitored. An employee who opens it triggers an HR-compliant alert — timestamped forensic evidence.
A supplier whose credentials have leaked tries to access your fake internal GitLab. You cut access and alert the partner before real exfiltration.
Bots testing admin/password on a fake exposed RDP: you capture the credential lists used, enrich them in CTI and harden your real services.
An unknown attacker uses MITRE T1021 (lateral movement). The decoy captures the sequence: you identify the group without prior signatures.
30-minute demo: we install a decoy on your edge or LAN — you see live what connects to it. No commitment, within 48 h.