Deploy Honeypots
at scale

Emulate more than 1,200 CPE and IoT devices solely
based on their firmware.

Manage honware instances
Get started

Rapidly find unknown issues and learn whether known vulnerabilities are being exploited in the wild

Honware automatically processes a standard firmware image (as is commonly provided for updates), customises the filesystem and runs the system with special pre-built Linux kernels for ARM and MIPS.

Honware brands
More than 1,200 devices

Supports more than 1,200 firmware images including images from Asus, Belkin, D-Link, EYEMAX-DVR, Linksys, Netgear, OpenWrt, TP-Link, TRENDNET, Tomato by Shibby and Zyxel.

Instant deployment

Honeypots are set up within minutes and shortly thereafter, log traffic. Each honeypot has its own IPv4 address based on DigitalOcean/Hetzner VMs.

Upload firmware image

Use any firmware image and honware will check if it can be run. Get in touch if you need help processing your image.

Quickly analyze network traffic and signs of compromise

Honware uses Moloch to store and index network traffic in standard PCAP format and to provide fast, indexed access with lots of search capabilities.

  • View raw network traffic to find signs of compromises.
  • Inspect device communication.
  • Monitor network services such as web, ssh and telnet servers.
Honware Moloch PCAP
Quickly create and manage honeypot instances

The honeypot framework allows you to select from more than 1,200 firmware images across 11 vendors, but also to upload your own firmware images.

  • Provides an easy-to-use graphical interface to view network traffic.
  • Reboot your honeypot instances if services or applications have crashed and need to be restarted.
  • Wipe the honeypot instance and replace it with the default factory image.
Honware create instance
Analyse firmware images and their applications

Lock down your honeypot so that only you can interact with it to find vulnerabilities or to verify system properties.

  • Send payloads to listening ports and capture system responses.
  • Verify payloads of your own (custom) honeypots by probing "real" devices.
  • Verify proof of concept (PoC) exploits.
Router Web Interface

Are you ready to create your own honeypot instance?

Contact me
Variety of devices

ADSL Modems, Routers, Access Points, Webcams, DVRs - we got them all.

Individual IPv4 address

Each honeypot has its own IPv4 address based on DigitalOcean droplets.


Honware runs Linux-based devices for ARM and MIPS architectures.

Emulating applications

We run all applications (e.g. web/telnet/upnp) as shipped by the firmware - run the real "thing" and not just any thing.

Fully virtualized

Honware uses QEMU and customised kernels to decouple the execution of the firmware from the underlying hardware.

Research foundation

Honware was presented at APWG eCrime 2019. The paper can be found here and the presentation here.

Contact me

If you want access to honware, you will need to contact me.
In the first instance you should briefly describe your (research) project, a bit about yourself/affiliation and how honware can help out. Keep it brief, but write enough so that we can confirm you're going to be using honware non-maliciously.