SoK: Honeypots & LLMs, More Than the Sum of Their Parts?
Robert A. Bridges, Thomas R. Mitchell, Mauricio Muñoz, Ted Henriksson

TL;DR
This paper provides a comprehensive overview of how Large Language Models are transforming honeypot design, highlighting architectural patterns, challenges, and future research directions for autonomous deception systems.
Contribution
It offers the first detailed taxonomy, architecture, evaluation framework, and research roadmap for LLM-powered honeypots and deception systems.
Findings
Identifies key detection vectors and how LLMs can aid deception.
Synthesizes emerging architectures and evaluation paradigms.
Charts evolution of honeypot log analysis into automated intelligence.
Abstract
The advent of Large Language Models (LLMs) promised to resolve the long-standing paradox in honeypot design: achieving high-fidelity deception with low operational risk. Since late 2022, a flurry of research has demonstrated steady progress from ideation to prototype implementation. While promising, evaluations show only incremental progress in real-world deployments, and the field still lacks a cohesive understanding of emerging architectural patterns, core challenges, and evaluation paradigms. To fill this gap, we provide the first comprehensive overview and analysis of this new domain, focusing on three critical, intersecting research areas: we provide a taxonomy of honeypot detection vectors, mapped to how LLM-based simulation can or cannot aid deception; we synthesize the emerging literature on LLM-powered honeypots, identifying a canonical architecture, an evaluation tetrad, and…
