"This transcends 'advanced.' This is the sovereign fortress of decentralized active defense—the pinnacle of autonomous, self-healing cyber resilience." (AI)

Real-time defense with decentralized threat intelligence and instant kernel-level enforcement

Real Defense

Immediate kernel-level enforcement stops threats before damage occurs.

Early Detection

Honeymesh excels at early detection by deploying low-interaction traps that lure attackers during the reconnaissance phase—often the first stage of an attack cycle. As scanners or bots probe open ports, Honeymesh captures payloads, computes Shannon entropy for anomaly scoring, and autonomously identifies patterns like vertical scans (≥3 ports from one IP). Combined with kernel-level SYN tracking, it spots threats before exploitation attempts, enabling instant blocking and federated alerts across the mesh—turning passive observation into proactive prevention long before damage occurs.

Decentralized Mesh

Honeymesh's decentralized mesh architecture eliminates single points of failure by connecting nodes directly in a peer-to-peer gossip network (built on HashiCorp's memberlist library). Each node autonomously detects threats, enforces blocks via kernel eBPF, and reliably propagates intelligence to peers—while isolating clusters with encryption keys and applying per-peer rate limiting to prevent gossip storms. Manual unblocks broadcast globally, and configurable TTLs ensure temporary bans expire automatically. This resilient, serverless design thrives in partitioned or hostile environments, scaling seamlessly from small perimeters to global federations.

Instant Enforcement

Honeymesh delivers instant enforcement through eBPF/XDP running in the kernel's earliest packet processing hook—executing before the network stack even allocates resources. Once a threat is identified (via trap interaction, scan threshold, or mesh intelligence), the offending IP is added to a kernel map, causing all future packets from that source to be silently dropped at line rate with minimal overhead (~10-20 cycles). This zero-latency, stealthy blocking leaves no fingerprints for attackers while providing unbreakable protection, far surpassing userspace tools like iptables in speed and resilience.

FAQs

What is Honeymesh?

Honeymesh is a distributed autonomous active defense appliance — not just a honeypot, but a full federated threat-blocking fabric.

  • Low-interaction traps lure attackers and capture payloads.

  • Kernel-level eBPF/XDP provides line-rate packet drops.

  • Gossip-based mesh synchronizes intelligence across nodes without central servers.

  • Autonomous features include scan detection, entropy analysis, configurable ban TTLs, and global unblock propagation.

It turns passive deception into proactive, coordinated defense across edges, clouds, or segmented networks.

How does Honeymesh work?

Honeymesh is a decentralized active defense platform that combines kernel-level enforcement with mesh-based threat intelligence sharing. It functions as a distributed network of "traps" that identify, block, and share information about attackers in real time.

1. Detection via Deception (The Traps)

Honeymesh operates by deploying various "traps" or honeypots across a network. These traps mimic common services like SSH, HTTP, or FTP to lure attackers.

  • Service Emulation: Traps can be configured to respond with specific banners or behaviors to gather forensic data.

  • Entropy Analysis: The system performs entropy calculations on incoming payloads to identify potentially malicious shellcode or unusual data patterns.

  • Scan Detection: It monitors for vertical reconnaissance; if a single source IP probes a configurable number of distinct ports (e.g., 3 or more), it is flagged as a scanner and automatically blocked.
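The entropy scoring and vertical-scan rule described in the Early Detection section and in the detection list above, worked through in Go as an added example. This is not Honeymesh's code: the 6.5 bits-per-byte cut-off is an assumed value (the page gives no threshold for entropy), while the "3 or more distinct ports from one IP" rule is taken from the page. The sample traffic and payloads are constructed.

```go
package main

import (
	"fmt"
	"math"
)

// ShannonEntropy scores a captured payload in bits per byte: 0 for a single
// repeated byte value, 8 for a uniform spread over all 256 values. Packed or
// encrypted shellcode sits near the top of that range; plain protocol text
// sits much lower.
func ShannonEntropy(payload []byte) float64 {
	if len(payload) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range payload {
		counts[b]++
	}
	n := float64(len(payload))
	h := 0.0
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// EntropyThreshold is an assumed cut-off; the page does not state the value
// Honeymesh uses for anomaly scoring.
const EntropyThreshold = 6.5

// Anomalous reports whether a payload's entropy crosses the threshold.
func Anomalous(payload []byte) bool {
	return ShannonEntropy(payload) >= EntropyThreshold
}

// ScanTracker remembers the distinct destination ports each source has
// touched and flags a source once it reaches the vertical-scan threshold.
type ScanTracker struct {
	threshold int
	ports     map[string]map[uint16]struct{}
}

func NewScanTracker(threshold int) *ScanTracker {
	return &ScanTracker{threshold: threshold, ports: make(map[string]map[uint16]struct{})}
}

// Observe records one probe (srcIP hit dstPort) and returns true once srcIP
// has reached the threshold. Repeated hits on one port do not count: three
// connections to port 22 are a retry, not a scan.
func (t *ScanTracker) Observe(srcIP string, dstPort uint16) bool {
	seen, ok := t.ports[srcIP]
	if !ok {
		seen = make(map[uint16]struct{})
		t.ports[srcIP] = seen
	}
	seen[dstPort] = struct{}{}
	return len(seen) >= t.threshold
}

// DistinctPorts exposes the per-source count for operators and tests.
func (t *ScanTracker) DistinctPorts(srcIP string) int {
	return len(t.ports[srcIP])
}

func main() {
	// Constructed sample traffic: one host walking ports, one host retrying SSH.
	probes := []struct {
		ip   string
		port uint16
	}{
		{"198.51.100.9", 21}, {"198.51.100.9", 22}, {"203.0.113.4", 22},
		{"203.0.113.4", 22}, {"198.51.100.9", 80},
	}
	tr := NewScanTracker(3)
	for _, p := range probes {
		if tr.Observe(p.ip, p.port) {
			fmt.Printf("vertical scan: %s touched %d ports\n", p.ip, tr.DistinctPorts(p.ip))
		}
	}
	// Constructed payloads: readable banner text vs. bytes that visit all 256 values.
	text := []byte("GET / HTTP/1.1\r\nHost: example\r\n\r\n")
	blob := make([]byte, 256)
	for i := range blob {
		blob[i] = byte(i * 37) // 37 is coprime to 256, so every value appears once
	}
	fmt.Printf("text entropy %.2f anomalous=%v\n", ShannonEntropy(text), Anomalous(text))
	fmt.Printf("blob entropy %.2f anomalous=%v\n", ShannonEntropy(blob), Anomalous(blob))
}
```

Entropy alone is a weak signal (compressed images and TLS records score high too), which is why the page pairs it with trap interaction and the port-count rule before blocking.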

2. Kernel-Level Enforcement (eBPF and XDP)

Once a threat is detected, Honeymesh uses advanced Linux kernel technologies to enforce security without significant CPU overhead.

  • XDP (eXpress Data Path): The system attaches a BPF program directly to the network interface. This allows it to drop packets from blacklisted IPs at the earliest possible point in the network stack, before they reach the operating system's main processing layers.

  • Blacklist Bitmasking: Each blocked IP is stored in a kernel map together with a bitmask of reason codes (Trap, Scan, or Mesh). Because new reasons are OR-ed into the existing entry rather than overwriting it, security teams can see every reason an IP was blocked.

3. Mesh Intelligence (Gossip Protocol)

The "Mesh" in Honeymesh refers to its ability to synchronize threat data across multiple nodes using a decentralized gossip protocol.

  • Peer-to-Peer Sharing: When Node A detects and bans an attacker, it broadcasts a "BAN" message to its peers in the cluster.

  • Advisory Intel: Each node receives this intelligence and applies the ban locally. However, nodes maintain autonomy; if a ban expires on one node, it may still remain on another depending on their individual configurations.

  • Federated Clusters: Nodes can join different "clusters" (e.g., primary_mesh), ensuring that intelligence is only shared with trusted partners or specific network segments.
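The peer-to-peer BAN exchange in the list above, with both the sender's and the receiver's side, as an added Go example that is not Honeymesh's code. The JSON message layout, the HMAC keyed with the cluster key, the per-peer rate limit and the receiver applying its own TTL are all assumptions standing in for the real memberlist wire format, which the page does not describe; the `primary_mesh` cluster name and 24-hour default TTL come from the page.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/json"
	"time"
)

// BanMessage is a constructed stand-in for the "BAN" broadcast. The MAC is
// keyed with the cluster key, so a node outside the cluster can neither
// validate nor forge one; that is what keeps intelligence inside a cluster.
type BanMessage struct {
	Cluster string `json:"cluster"`
	Origin  string `json:"origin"` // node that detected the attacker
	IP      string `json:"ip"`
	Reason  string `json:"reason"` // "trap" or "scan" on the originating node
	MAC     []byte `json:"mac"`
}

func (m BanMessage) authInput() []byte {
	return []byte(m.Cluster + "\x00" + m.Origin + "\x00" + m.IP + "\x00" + m.Reason)
}

// EncodeBan is the sending side: sign with the cluster key, serialise for gossip.
func EncodeBan(m BanMessage, clusterKey []byte) ([]byte, error) {
	h := hmac.New(sha256.New, clusterKey)
	h.Write(m.authInput())
	m.MAC = h.Sum(nil)
	return json.Marshal(m)
}

// Node is the receiving side: it accepts bans only from its own cluster with a
// valid MAC, caps how many it takes from each peer per window, and installs
// them with its *own* TTL, so the same ban can expire at different times on
// different nodes.
type Node struct {
	Cluster    string
	Key        []byte
	TTL        time.Duration
	Window     time.Duration
	MaxPerPeer int
	bans       map[string]time.Time   // ip -> local expiry
	accepted   map[string][]time.Time // origin -> accept times inside Window
}

func NewNode(cluster string, key []byte, ttl, window time.Duration, maxPerPeer int) *Node {
	return &Node{Cluster: cluster, Key: key, TTL: ttl, Window: window, MaxPerPeer: maxPerPeer,
		bans: map[string]time.Time{}, accepted: map[string][]time.Time{}}
}

// Receive decodes one gossip payload and applies it. The string names the
// rejection reason; an accepted ban returns (true, "").
func (n *Node) Receive(raw []byte, now time.Time) (bool, string) {
	var m BanMessage
	if err := json.Unmarshal(raw, &m); err != nil {
		return false, "malformed"
	}
	if m.Cluster != n.Cluster {
		return false, "foreign cluster"
	}
	h := hmac.New(sha256.New, n.Key)
	h.Write(m.authInput())
	if !hmac.Equal(h.Sum(nil), m.MAC) {
		return false, "bad mac"
	}
	// Per-peer rate limit: keep only accepts still inside the window, then
	// refuse anything beyond MaxPerPeer so one chatty peer cannot flood us.
	recent := n.accepted[m.Origin][:0]
	for _, ts := range n.accepted[m.Origin] {
		if now.Sub(ts) < n.Window {
			recent = append(recent, ts)
		}
	}
	if len(recent) >= n.MaxPerPeer {
		n.accepted[m.Origin] = recent
		return false, "rate limited"
	}
	n.accepted[m.Origin] = append(recent, now)
	n.bans[m.IP] = now.Add(n.TTL) // receiver's TTL, not the sender's
	return true, ""
}

// Banned reports whether ip is still within its local TTL on this node.
func (n *Node) Banned(ip string, now time.Time) bool {
	exp, ok := n.bans[ip]
	return ok && now.Before(exp)
}
```

Two properties worth checking in any such design are visible here: a message for `primary_mesh` is rejected outright by a node in another cluster even before the MAC is examined, and a rate-limited message is dropped without installing the ban, so a compromised or misconfigured peer cannot push an unbounded block list into the rest of the mesh.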

4. Lifecycle and Management

  • Automated TTL (Time-To-Live): Bans are not necessarily permanent. A background "reaper" process cleans up the kernel blacklist based on a configured Time-To-Live (e.g., 24 hours), allowing the network to naturally decay stale threat data.

  • Hardened Security: The appliance is protected by Seccomp filters to restrict system calls and uses TLS with 256-bit AES encryption for all dashboard and mesh communications.

  • Forensic Export: Security operators can export captured attack data in JSON or CSV formats for further analysis in a SIEM (Security Information and Event Management) platform.
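The reason-code bitmask from the Kernel-Level Enforcement section and the TTL reaper from the lifecycle list above, modelled in userspace as an added Go example (not Honeymesh's code). The flag values, the IPv4-keyed map layout and the `Blacklist` type are assumptions; the three reasons (Trap, Scan, Mesh) and the 24-hour default TTL come from the page. The real map lives in the kernel and the XDP program only performs the lookup that `ShouldDrop` models.

```go
package main

import (
	"encoding/binary"
	"net"
	"strings"
	"time"
)

// Reason flags OR together in one map value, so an entry can record
// "trap AND scan AND mesh" instead of overwriting the earlier reason.
const (
	ReasonTrap uint8 = 1 << iota // source interacted with a trap
	ReasonScan                   // vertical-scan threshold reached
	ReasonMesh                   // ban learned from a peer over gossip
)

var reasonNames = [...]string{"trap", "scan", "mesh"} // index = bit position

type Entry struct {
	Reasons uint8
	Expiry  time.Time
}

// Blacklist is a userspace stand-in for the kernel map the XDP hook consults.
type Blacklist struct {
	ttl     time.Duration
	entries map[uint32]Entry
}

func NewBlacklist(ttl time.Duration) *Blacklist {
	return &Blacklist{ttl: ttl, entries: map[uint32]Entry{}}
}

// ipKey turns dotted IPv4 into the 32-bit key a BPF hash map would use;
// IPv6 or garbage is rejected rather than silently mis-keyed.
func ipKey(ip string) (uint32, bool) {
	p := net.ParseIP(ip).To4()
	if p == nil {
		return 0, false
	}
	return binary.BigEndian.Uint32(p), true
}

// Block inserts ip, or ORs a new reason into the existing entry, and
// refreshes the expiry to now+ttl. Returns false for a non-IPv4 input.
func (b *Blacklist) Block(ip string, reason uint8, now time.Time) bool {
	k, ok := ipKey(ip)
	if !ok {
		return false
	}
	e := b.entries[k]
	e.Reasons |= reason
	e.Expiry = now.Add(b.ttl)
	b.entries[k] = e
	return true
}

// ShouldDrop is the per-packet decision of the XDP hook: look the source up,
// drop if present. Expiry is deliberately not checked here (the kernel
// program does not either), so a stale entry keeps dropping until Reap runs.
func (b *Blacklist) ShouldDrop(srcIP string) bool {
	k, ok := ipKey(srcIP)
	_, present := b.entries[k]
	return ok && present
}

// Reasons returns the stacked flags for ip (0 when not blocked).
func (b *Blacklist) Reasons(ip string) uint8 {
	k, ok := ipKey(ip)
	if !ok {
		return 0
	}
	return b.entries[k].Reasons
}

// ReasonString decodes a bitmask for operators, e.g. 3 -> "trap|scan".
func ReasonString(r uint8) string {
	var parts []string
	for i, name := range reasonNames {
		if r&(1<<i) != 0 {
			parts = append(parts, name)
		}
	}
	if len(parts) == 0 {
		return "none"
	}
	return strings.Join(parts, "|")
}

// Reap is one pass of the background reaper: delete every entry whose TTL
// has passed and report how many were cleared.
func (b *Blacklist) Reap(now time.Time) int {
	n := 0
	for k, e := range b.entries {
		if !now.Before(e.Expiry) {
			delete(b.entries, k)
			n++
		}
	}
	return n
}
```

Note the consequence of keeping the fast path free of time checks: an address blocked for a trap hit and then flagged again by the scan rule has its expiry pushed forward on each new reason, and it stops being dropped only when the reaper's next pass removes the entry, not at the exact second the TTL elapses.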

Is Honeymesh a SIEM or log collector?

No. Honeymesh is an active defense and automated response system, not a passive log aggregator or SIEM.

  • It focuses on real-time prevention (kernel blocking) and deception-driven detection, not broad log ingestion or correlation.

  • It generates high-fidelity events (with payload + entropy scoring) and exports them via JSON/CSV for integration with existing SIEMs (e.g., Splunk, ELK).

  • Unlike SIEMs that analyze historical data, Honeymesh acts instantly — blocking threats in microseconds while sharing intelligence across a peer-to-peer mesh.

It's the "immune response" layer that feeds clean, actionable signals into your SIEM.

Why choose kernel-level enforcement?

Traditional tools (iptables, firewalls, userspace proxies) introduce latency, overhead, and bypass risks. Honeymesh uses eBPF/XDP for enforcement directly in the kernel's early packet path.

Key Advantages:

  • Line-rate performance: Drops packets at ~10-20 cycles — no context switches or queuing delays.

  • Stealth & resilience: Attackers see nothing (no SYN-ACKs, no RSTs) — pure silent drops.

  • Bypass-resistant: Operates before the network stack processes packets.

  • Low overhead: Minimal CPU/memory impact, even under high traffic.

In 2025, with rising scan volumes and AI-driven attacks, kernel enforcement is essential for scalable, undetectable blocking.

Can Honeymesh handle distributed attacks?

Yes — it's designed for them.

Honeymesh excels against distributed threats (botnets, coordinated scans, DDoS reconnaissance) through its decentralized mesh architecture:

  • Federated intelligence: Nodes share bans via encrypted gossip (memberlist), with cluster isolation and per-peer rate limiting.

  • Global coordination: Manual unblocks propagate instantly across all clusters.

  • TTL-based trust: Remote bans expire automatically (default 24h), preventing permanent poisoning from compromised nodes.

  • Autonomous per-node response: Each node independently enforces via kernel maps — no single point of failure.

Unlike centralized systems (e.g., commercial honeypots like Thinkst Canary or T-Pot clusters), Honeymesh has no master server — it survives partitions, outages, and targeted compromises.

Get in Touch

Reach out to discuss real-time threat defense solutions.
