Occasionally we get questions about different terms that we use and the confusion of how everyone uses them. So here we will define some of those terms and add to them over time as needed or we get new questions.



  • high-interaction - This term is used in conjunction with other security related terms. It implies that the amount of activity that the system interacts with some target is of a high and dynamic amount. As an example, a high-interaction honeypot would be one that is a full and real running system that allows direct access inbound and usually limited outbound network traffic.
  • honeyclient - Either a low or high interaction system that accesses web sites to see if the client can be exploited to deliver a payload. Wikipedia reference
  • honeypot - Either a low or high interaction system that is or appears to be vulnerable to collect and harvest information about remote based attacks to capture exploit information as well as any delivered payloads. Wikipedia reference


  • low-interaction - Another term that is usually used with other security terms implying that the allowed remote or hostile interaction would be as minimal as possible. An example of this would be a low-interaction honeypot. These are normally emulated systems that simulate different vulnerabilities either through signatures or dynamic action. These systems will appear vulnerable long enough for an exploit to be used and a payload delivered. It would then terminate any connections.


  • sinkhole - Usually a passive system that malicious domain names or IP's are directed to to harvest the connection information. Usually are built to emulate different protocols and functionality.