// the find
mushorg/conpot
ICS/SCADA honeypot
Conpot is a low-interaction ICS/SCADA honeypot that emulates industrial protocols (Modbus, S7comm, BACnet, ENIP, IEC104, IPMI, and several others) to attract and log attacker behavior. It's for security researchers and SOC teams who want visibility into who is probing industrial control systems on their networks or the open internet. The template-based configuration lets you fake specific device profiles without touching Python.
Protocol breadth is genuinely impressive — S7comm, IEC104, BACnet, ENIP, Guardian AST, and Kamstrup meter support in one package is more than most ICS honeypots bother with. The XML template system means you can swap device personas without code changes, and the XSD schemas give you validation. Logging backends are well thought out: JSON, SQLite, syslog, and TAXII/STIX are all supported, so you can feed output directly into a SIEM or threat intel pipeline. Per-protocol test coverage is solid — every major protocol has its own test file, which matters when protocol implementations are this easy to get subtly wrong.
Activity has been intermittent — the project went quiet for stretches and the Docker Hub build badge is stale (the CI uses GitHub Actions now but the README still links the old Docker Hub badge). The 'low-interaction' label means sophisticated scanners will fingerprint it quickly; there's no active deception or timing randomization to make responses look like real PLC firmware. Gevent is the async backbone, which works but is an unusual dependency choice in 2026 and creates friction with modern async tooling. Documentation on the databus internals is thin given how central it is — if you want to add a new protocol, you're reading source to understand how the shared state model works.