Review: Virtual Honeypots

A book review of the 2007 classic ‘Virtual Honeypots.’
deception
Author

Joe Lopes

Published

March 10, 2026

While working on a personal project involving honeypots, I decided to stop taking the foundational concepts for granted and dive into the literature. Surprisingly, there are only a handful of books dedicated to deception technologies, the most famous being Virtual Honeypots (Provos & Holz, 2007).

Despite it being nearly twenty years old with no subsequent editions or revisions, I decided to give it a try. After all, one of its authors is Niels Provos, the creator of Honeyd, one of the most famous honeypot frameworks ever written.

Here is my review of the book after reading it cover-to-cover in 2026.

The Book

Virtual Honeypots showcases the authors’ vast expertise in deception technologies. However, to truly appreciate its greatness, we must put ourselves in the shoes of a late-90s or early-2000s IT practitioner. At that time, VMware and hardware virtualization were just starting to gain traction, Linux systems were undergoing massive consolidation, and many of our common security tools and taxonomies had yet to be invented.

Provos and Thorsten Holz demonstrate remarkable technical depth throughout the pages, teaching network protocols, OS configuration (Linux and Windows), and even systems programming, including Python 🐍. Since they personally developed core tools presented in the text, like Honeyd, their authority on the subject is undeniable.

The language is accessible, and the text is packed with practical examples, ranging from raw command outputs to complete configuration files. In several instances, the authors hold your hand, explaining what a program does, how to compile and configure it, its execution flags, and its practical use cases.

Although the chapters are not explicitly grouped, I mentally divide the book into three sections: Part I covers theory and motivation (Chapters 1-3); Part II focuses on Honeyd and other honeypots (Chapters 4-8); and Part III delves into practical use cases (Chapters 9-12).

Impressions

I gained numerous insights from this book, primarily from Part I. The discussions on honeypot types and architectures for safe deployment are priceless. Furthermore, the taxonomy the authors employ to categorize honeypots is well-thought-out and highly effective at teaching readers how to design robust deception topologies. As expected, foundational theory has longevity, and Part I has absolutely stood the test of time.

Most of Part II is dedicated to Honeyd, and it is clear that Provos was proud of his creation. This is entirely justified, as Honeyd was a massively successful project in its day. However, since the tool has been deprecated for years, this section lacks engagement. Today, the only people likely to benefit from these chapters are developers actively writing honeypot software. Even for professionals seeking modern honeypot deployment advice, these chapters are a tough read.

Part III presents numerous use cases, covering everything from motivation and network topology to analysis and results. Unfortunately, the authors once again dedicated a large portion of these chapters to deep dives into tools that clearly haven’t aged well. Had they focused more strictly on architectural topologies and breach analysis, this section would have remained highly relevant.

This effectively summarizes my overall feeling about the book: a fantastic resource for its time, but one that is overly fixated on tooling that is now obsolete, like UML, DTK, LaBrea, Sebek, and Nepenthes. While I understand the authors’ desire to teach exactly how these tools worked and integrated under the hood, the lack of architectural abstraction makes the text less appealing to a modern audience.

Historically, a significant portion of deception software was linked to academic research, and even today, high-interaction deception technology isn’t a mainstream enterprise staple. In the two decades since this book’s release, entirely new paradigms like containerization and specialized honeypots have emerged, radically changing how we implement the scenarios the authors presented. Combining this evolution with the authors’ choice to tightly couple their lessons to specific, now-deprecated tools creates the perfect storm: a large portion of this book is, unfortunately, forgettable.

Last Words

Virtual Honeypots was undoubtedly a great book for its time, and I suspect it inspired many professionals to dive into deception engineering. Even today, the foundational first part remains excellent and proves the authors were true pioneers.

However, as explained, from Chapter 4 onward, the book starts feeling like a photo album showing scenes from a distant IT past. My recommendation depends heavily on your current goals:

  • If you are deploying honeypots: Read Chapters 1-3 carefully and skim the rest, paying slight attention to the topologies in Chapters 9-12.
  • If you are writing honeypot software: Chapters 1-3 remain required reading, but you should also pay close attention to Chapters 4-8 to extract architectural insights from the development of Honeyd.

For any other InfoSec practitioner simply curious about honeypots: read Chapters 1-3 and close the book. I want to emphasize that I deeply respect the quality of this work and the skill of its authors. It is genuinely impressive to recommend a 20-year-old technology book with no further revisions, but it is almost impossible to tie a book this closely to specific tooling and have it survive the ages. 🪴

Reuse

Citation

BibTeX citation:
@online{lopes2026,
  author = {Lopes, Joe},
  title = {Review: {Virtual} {Honeypots}},
  date = {2026-03-10},
  url = {https://lopes.id/log/review-virtual-honeypots/},
  langid = {en}
}
For attribution, please cite this work as:
Lopes, Joe. 2026. “Review: Virtual Honeypots.” March 10, 2026. https://lopes.id/log/review-virtual-honeypots/.