Beelzebub is a secure, low-code honeypot framework designed to detect and analyze real attacker activity through deception. It uses large language models to simulate realistic, high-interaction behavior while keeping the underlying architecture safer and easier to operate.

Key Features

YAML-based low-code configuration for defining decoy services and behaviors
LLM-backed “high-interaction” simulation for realistic SSH and service responses
Multi-protocol support including SSH, HTTP, raw TCP, and MCP-style tool honeypots
Designed to reduce false positives by alerting only on interaction with decoys
Prometheus metrics for observability and operational monitoring
Container- and Kubernetes-friendly deployment (Docker Compose and Helm)

Use Cases

Detect lateral movement and hands-on-keyboard activity inside networks using decoys
Capture real attacker commands, payloads, and tactics for threat analysis and research
Protect AI agent environments by deploying MCP/tool decoys to detect prompt-injection-driven tool abuse

Limitations and Considerations

Realism and interaction quality depend on the chosen LLM provider/model and prompt design
Operating internet-exposed honeypots requires careful isolation, logging, and incident processes

Beelzebub is well-suited for security teams and researchers who want flexible, cloud-native deception with minimal configuration overhead. It provides a practical way to observe attacker behavior and generate actionable telemetry without running fully vulnerable systems.