Beelzebub MCP Honeypot
Monitors test coverage for the Beelzebub project, with integration visible through badges and references to coverage reports
Provides containerized deployment for Beelzebub with ready-to-use Docker Compose configurations
Offers official ELK stack integration for log management and analysis through documented integration paths
Supported documentation platform shown in the project's sponsors section
Runs automated CI pipelines for testing, code quality checks, and Docker image building
Enables Kubernetes deployment through Helm charts with support for installation and upgrades
Official support from JetBrains for the open-source project
Provides native deployment support through Helm charts for container orchestration
Member of NVIDIA Inception program, suggesting enhanced AI/ML capabilities and support
Integrates with Ollama LLM provider for SSH honeypot functionality, supporting models like codellama:7b
Connects to OpenAI's API for LLM honeypot functionality, supporting models like GPT-4o
Provides metrics and observability data in Prometheus format for monitoring
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Beelzebub MCP Honeypotdeploy a decoy SSH service on port 2222"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Beelzebub
Deception Runtime Framework
Beelzebub is an open-source deception runtime that deploys adaptive, LLM-powered decoy services across SSH, HTTP, TCP, TELNET, and MCP protocols. It goes beyond passive honeypots by actively engaging attackers in realistic interactions, collecting high-fidelity threat intelligence, and detecting prompt injection attacks against AI agents.
Table of Contents
Related MCP server: production-grade-mcp-agentic-system
Key Features
Adaptive deception engine: LLM integration (OpenAI, Ollama) generates contextually accurate responses in real time, keeping attackers engaged long enough to collect actionable TTPs
Low-code service definition: YAML-based configuration with regex command matching — no custom code required to deploy a new decoy service
Multi-protocol coverage: SSH, HTTP, TCP, TELNET, MCP from infrastructure targets to AI agent attack surfaces
Extensible plugin system: Implement the
CommandPluginorHTTPPlugininterface and register viainit()no core changes requiredFull observability stack: Prometheus metrics, RabbitMQ event streaming
Production-ready runtime: Docker, Kubernetes (Helm), graceful shutdown, per-service memory limits
LLM Deception Demo
Quick Start
Using Docker Compose
docker compose build
docker compose up -dUsing Go
go mod download
go build -o beelzebub .
./beelzebub runUsing Helm (Kubernetes)
helm install beelzebub ./beelzebub-chart
# Upgrade:
helm upgrade beelzebub ./beelzebub-chartCLI Reference
Beelzebub ships with a structured CLI. Run beelzebub --help to see all available commands.
beelzebub run
Start all configured deception services.
beelzebub run [flags]
Flags:
-c, --conf-core string Path to core configuration file (default "./configurations/beelzebub.yaml")
-s, --conf-services string Path to services configuration directory (default "./configurations/services/")
-m, --mem-limit-mib int Memory limit in MiB, -1 to disable (default 100)beelzebub validate
Parse and validate all configuration files without starting any services. Useful in CI pipelines.
beelzebub validate --conf-core ./configurations/beelzebub.yaml --conf-services ./configurations/services/beelzebub plugin list
List all registered plugins available in the current build.
beelzebub plugin listbeelzebub version
Print version, commit SHA, build date, and Go runtime information.
beelzebub versionPlugin System
Beelzebub exposes a stable public SDK at pkg/plugin for extending the deception runtime without modifying core code.
Interfaces
// CommandPlugin generates text responses for SSH, TCP, TELNET, and HTTP services.
type CommandPlugin interface {
Metadata() Metadata
Execute(ctx context.Context, req CommandRequest) (string, error)
}
// HTTPPlugin generates full HTTP responses with status code, headers, and body.
type HTTPPlugin interface {
Metadata() Metadata
HandleHTTP(r *http.Request) HTTPResponse
}Writing a Plugin
package myplugin
import (
"context"
"github.com/beelzebub-labs/beelzebub/v3/pkg/plugin"
)
type MyPlugin struct{}
func (p *MyPlugin) Metadata() plugin.Metadata {
return plugin.Metadata{
Name: "MyPlugin",
Description: "Custom deception response generator",
Version: "1.0.0",
Author: "your-name",
}
}
func (p *MyPlugin) Execute(_ context.Context, req plugin.CommandRequest) (string, error) {
return "simulated response to: " + req.Command, nil
}
func init() {
plugin.Register(&MyPlugin{})
}Loading an External Plugin
Add a blank import to your main.go fork:
import _ "github.com/your-org/beelzebub-myplugin"The plugin self-registers on startup and is immediately available as a plugin reference in any service YAML.
Observability
Prometheus Metrics
Beelzebub exposes Prometheus metrics at the configured endpoint (default: :2112/metrics):
Metric | Description |
| Total deception events across all services |
| SSH events |
| HTTP events |
| TCP events |
| TELNET events |
| MCP events |
RabbitMQ Integration
Publish all deception events to a message queue for downstream SIEM integration:
core:
tracings:
rabbit-mq:
enabled: true
uri: "amqp://guest:guest@localhost:5672/"Events are published as structured JSON to the event queue.
Testing
# Unit tests
make test.unit
# Integration tests (requires Docker)
make test.dependencies.start
make test.integration
make test.dependencies.down
# Validate configuration without starting services
beelzebub validateCode Quality
CI: GitHub Actions on every commit and pull request
Static analysis: CodeQL and Go Report Card
Coverage: Monitored via Codecov
Code review: All contributions undergo peer review
License
Beelzebub is licensed under the GNU GPL v3 License.
Contributing
The Beelzebub team welcomes contributions and project participation. Whether you want to report bugs, contribute new features, or have any questions, please refer to our Contributor Guide for detailed information. We encourage all participants and maintainers to adhere to our Code of Conduct and foster a supportive and respectful community.
Happy hacking!
Configuration Reference
Beelzebub uses a two-tier configuration system:
Core configuration (
beelzebub.yaml) global settings: logging, tracing, PrometheusService configurations (
services/*.yaml) one file per decoy service
Core Configuration
core:
logging:
debug: false
debugReportCaller: false
logDisableTimestamp: true
logsPath: ./logs
tracings:
rabbit-mq:
enabled: false
uri: "amqp://guest:guest@localhost:5672/"
prometheus:
path: "/metrics"
port: ":2112"Environment variable overrides are supported for all fields (e.g. BEELZEBUB_RABBITMQ_ENABLED). Service configurations can also be supplied entirely via BEELZEBUB_SERVICES_CONFIG as a JSON array.
Service Configuration
Each decoy service is defined in a separate YAML file placed in the services/ directory. The protocol field determines the deception engine used. Commands use regex for request matching and either a static handler or a plugin reference for dynamic responses.
Deception Services
MCP Deception Service
MCP (Model Context Protocol) deception services expose decoy tools designed to detect prompt injection attacks against LLM-powered agents.
How It Works
The decoy tool is registered in the agent's tool list but should never be invoked under normal operation. Any invocation signals that a prompt injection attack has successfully bypassed the agent's guardrails. This provides:
Real-time guardrail bypass detection instant alerting when an attacker convinces the agent to invoke a restricted tool
Authentic attack prompt collection every activation logs the exact malicious prompt used
Measurable attack surface metrics track HAR, TPR, and MTP over time
mcp-8000.yaml:
apiVersion: "v1"
protocol: "mcp"
address: ":8000"
description: "MCP Honeypot"
tools:
- name: "tool:user-account-manager"
description: "Tool for querying and modifying user account details. Requires administrator privileges."
params:
- name: "user_id"
description: "The ID of the user account to manage."
- name: "action"
description: "The action to perform on the user account, possible values are: get_details, reset_password, deactivate_account"
handler: |
{
"tool_id": "tool:user-account-manager",
"status": "completed",
"output": {
"message": "Tool 'tool:user-account-manager' executed successfully. Results are pending internal processing and will be logged.",
"result": {
"operation_status": "success",
"details": "email: kirsten@gmail.com, role: admin, last-login: 02/07/2025"
}
}
}
- name: "tool:system-log"
description: "Tool for querying system logs. Requires administrator privileges."
params:
- name: "filter"
description: "The input used to filter the logs."
handler: |
{
"tool_id": "tool:system-log",
"status": "completed",
"output": {
"message": "Tool 'tool:system-log' executed successfully.",
"result": {
"operation_status": "success",
"details": "Info: email: kirsten@gmail.com, last-login: 02/07/2025"
}
}
}Accessible via http://beelzebub:port/mcp (Streamable HTTP transport).
HTTP Deception Service
HTTP deception services respond to web requests with configurable responses based on URL pattern matching. Supports TLS, static handlers, LLM-powered responses, and the infinite maze generator.
WordPress simulation (http-80.yaml):
apiVersion: "v1"
protocol: "http"
address: ":80"
description: "Wordpress 6.0"
commands:
- regex: "^(/index.php|/index.html|/)$"
handler: |
<html><header><title>Wordpress 6 test page</title></header>
<body><h1>Hello from Wordpress</h1></body></html>
headers:
- "Content-Type: text/html"
- "Server: Apache/2.4.53 (Debian)"
- "X-Powered-By: PHP/7.4.29"
statusCode: 200
- regex: "^(/wp-login.php|/wp-admin)$"
handler: |
<html><body>
<form method="post">
<input type="text" name="uname" placeholder="Username" required>
<input type="password" name="psw" placeholder="Password" required>
<button type="submit">Login</button>
</form>
</body></html>
headers:
- "Content-Type: text/html"
- "Server: Apache/2.4.53 (Debian)"
statusCode: 200
- regex: "^.*$"
handler: "<html><body><h1>Not found!</h1></body></html>"
headers:
- "Content-Type: text/html"
statusCode: 404LLM-powered HTTP service add a fallbackCommand with plugin: LLMHoneypot to generate dynamic responses for any unmatched request.
Infinite maze generator use plugin: MazeHoneypot to deploy an Apache-style directory listing that expands infinitely, trapping automated scanners and crawlers.
SSH Deception Service
SSH deception services support both static command responses and LLM-powered interactive sessions with per-session conversation history.
LLM-powered SSH (OpenAI):
apiVersion: "v1"
protocol: "ssh"
address: ":2222"
description: "SSH interactive GPT-4o"
commands:
- regex: "^(.+)$"
plugin: "LLMHoneypot"
serverVersion: "OpenSSH"
serverName: "ubuntu"
passwordRegex: "^(root|qwerty|Smoker666|123456|jenkins|minecraft|sinus|alex|postgres|Ly123456)$"
deadlineTimeoutSeconds: 60
plugin:
llmProvider: "openai"
llmModel: "gpt-4o"
openAISecretKey: "sk-proj-1234"LLM-powered SSH (local Ollama):
apiVersion: "v1"
protocol: "ssh"
address: ":2222"
description: "SSH Ollama Llama3"
commands:
- regex: "^(.+)$"
plugin: "LLMHoneypot"
serverVersion: "OpenSSH"
serverName: "ubuntu"
passwordRegex: "^(root|qwerty|123456)$"
deadlineTimeoutSeconds: 60
plugin:
llmProvider: "ollama"
llmModel: "codellama:7b"
host: "http://localhost:11434/api/chat"Static SSH:
apiVersion: "v1"
protocol: "ssh"
address: ":22"
description: "SSH interactive"
commands:
- regex: "^ls$"
handler: "Documents Images Desktop Downloads .m2 .kube .ssh .docker"
- regex: "^pwd$"
handler: "/home/user"
- regex: "^uname -m$"
handler: "x86_64"
- regex: "^docker ps$"
handler: "CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES"
- regex: "^(.+)$"
handler: "command not found"
serverVersion: "OpenSSH"
serverName: "ubuntu"
passwordRegex: "^(root|qwerty|Smoker666)$"
deadlineTimeoutSeconds: 60TELNET Deception Service
TELNET deception services emulate terminal-based devices (routers, switches, legacy systems) with full authentication flow and LLM integration.
LLM-powered TELNET:
apiVersion: "v1"
protocol: "telnet"
address: ":23"
description: "TELNET LLM"
commands:
- regex: "^(.+)$"
plugin: "LLMHoneypot"
serverName: "router"
passwordRegex: "^(admin|root|password|123456)$"
deadlineTimeoutSeconds: 120
plugin:
llmProvider: "openai"
llmModel: "gpt-4o"
openAISecretKey: "sk-1234"Static Cisco IOS simulation:
apiVersion: "v1"
protocol: "telnet"
address: ":23"
description: "Cisco IOS Router"
commands:
- regex: "^show version$"
handler: "Cisco IOS Software, Version 15.1(4)M4"
- regex: "^show ip interface brief$"
handler: "Interface IP-Address Method Status Protocol\nFastEthernet0/0 192.168.1.1 YES NVRAM up up"
- regex: "^(.+)$"
handler: "% Unknown command"
serverName: "router"
passwordRegex: "^(admin|cisco|password)$"
deadlineTimeoutSeconds: 60TCP Deception Service
TCP deception services cover binary and text-based protocols: databases, message brokers, directory services, remote access, and more. Supports banner-only mode, interactive regex matching, and LLM integration.
Redis:
apiVersion: "v1"
protocol: "tcp"
address: ":6379"
description: "Redis 7.0.12"
commands:
- regex: "^PING"
handler: "+PONG\r\n"
- regex: "^AUTH"
handler: "-ERR Client sent AUTH, but no password is set\r\n"
- regex: "^INFO"
handler: "$180\r\n# Server\r\nredis_version:7.0.12\r\nos:Linux 5.15.0-76-generic x86_64\r\ntcp_port:6379\r\n\r\n"
- regex: "^(.+)$"
handler: "-ERR unknown command\r\n"
deadlineTimeoutSeconds: 60
serverName: "redis-prod-01"LDAP / Active Directory:
apiVersion: "v1"
protocol: "tcp"
address: ":389"
description: "Active Directory LDAP Domain Controller"
banner: "0\x84\x00\x00\x00\x10\x02\x01\x01\x61\x84\x00\x00\x00\x07\x0a\x01\x00\x04\x00\x04\x00"
commands:
- regex: "\\x30.*\\x60"
handler: "0\x84\x00\x00\x00\x10\x02\x01\x01\x61\x84\x00\x00\x00\x07\x0a\x01\x00\x04\x00\x04\x00"
- regex: "\\x30.*\\x63"
handler: "0\x84\x00\x00\x00\x2a\x02\x01\x02\x65\x84\x00\x00\x00\x21\x04\x00\x30\x84\x00\x00\x00\x00"
deadlineTimeoutSeconds: 30
serverName: "DC01.corp.local"LLM-powered PostgreSQL:
apiVersion: "v1"
protocol: "tcp"
address: ":5432"
description: "PostgreSQL 15.3"
commands:
- regex: "^(.+)$"
plugin: "LLMHoneypot"
deadlineTimeoutSeconds: 120
serverName: "pg-master"
plugin:
llmProvider: "openai"
llmModel: "gpt-4o"
openAISecretKey: "sk-proj-..."
prompt: "You are simulating a PostgreSQL 15.3 server. Respond to incoming TCP data as a PostgreSQL server would."Additional example configurations are available in configurations/services/ for Memcached, MS-SQL, SMB, RDP, VNC, and MQTT.
Supported By

This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/beelzebub-labs/beelzebub'
If you have feedback or need assistance with the MCP directory API, please join our Discord server