Beelzebub
Beelzebub deploys adaptive, LLM-driven decoy services across SSH, HTTP, TCP, TELNET, and MCP. It actively engages attackers, collects TTPs, and detects AI prompt injections. Low-code YAML config, plugin system, full observability, and production-ready.
An LLM-powered deception framework that engages attackers with realistic decoys and extracts high-fidelity threat intel.
Core Features
- Adaptive deception engine with LLM (OpenAI/Ollama) generating context-aware responses in real time
- Low-code service definition via YAML and regex matching—no code needed for new decoys
- Multi-protocol support: SSH, HTTP, TCP, TELNET, MCP covering both infrastructure and AI agent attack surfaces
- Extensible plugin system: implement CommandPlugin or HTTPPlugin interface, register via init()
- Full observability: Prometheus metrics + RabbitMQ event streaming for SIEM integration
What It Can't Do
- LLM API keys (OpenAI or Ollama) are required; without them the LLM mode falls back to static responses, reducing effectiveness.
- Plugin system requires Go knowledge; YAML regex commands require familiarity with regex syntax.
- Default memory limit is 100 MiB; adjust if deploying multiple high-interaction services.
Use Cases
- Deploy on enterprise network perimeters to actively lure lateral movement attackers
- AI agent security: capture prompt injection attacks targeting AI assistants
- Red/blue team exercises: rapidly stand up realistic decoys for defensive training
Detailed Introduction
Beelzebub is an open-source deception runtime framework that deploys adaptive, LLM-powered decoy services across SSH, HTTP, TCP, TELNET, and MCP protocols. It goes beyond passive honeypots by actively engaging attackers in realistic interactions, collecting high-fidelity threat intelligence, and detecting prompt injection attacks against AI agents. With low-code YAML configuration and a plugin system, operators can quickly deploy custom decoys without writing core code. It includes full observability via Prometheus metrics and RabbitMQ event streaming, and is production-ready with Docker and Helm support.
Troubleshooting & FAQ (2)
Troubleshooting: How to fix intermittent DATA RACE errors in Go unit tests using httpmock with background goroutines?
The data race occurs when httpmock.DeactivateAndReset() is called while an HTTP request is still in progress in a background goroutine. To fix: 1) Extract the background loop logic into a testable synchronous function. 2) Add a stop mechanism via a channel (e.g., chan struct{}). 3) Ensure the goroutine terminates before teardown (send stop signal, then httpmock.DeactivateAndReset()). 4) Remove shared mutable state from tests or use sync/atomic for counters. These changes are demonstrated in the fix from issue #300 and allow tests to pass with the -race flag.
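The four steps above as a standard-library sketch. This is an added example, not the project's code or the fix from issue #300: `Poller`, `PollOnce` and `FetchesAfterTeardown` are hypothetical names, and an atomic flag marks the point where `httpmock.DeactivateAndReset()` would be called.

```go
package main

import (
	"fmt"
	"sync/atomic"
	"time"
)

// Poller is a hypothetical worker; fetch stands in for the mocked HTTP request.
type Poller struct {
	calls      int64 // step 4: only touched through sync/atomic
	fetch      func()
	stop, done chan struct{}
}

// PollOnce is the loop body as a synchronous, directly testable function (step 1).
func (p *Poller) PollOnce() { atomic.AddInt64(&p.calls, 1); p.fetch() }

// Start runs the loop until the stop channel is closed (step 2).
func (p *Poller) Start(every time.Duration) {
	go func() {
		defer close(p.done)
		for {
			select {
			case <-p.stop:
				return
			case <-time.After(every):
				p.PollOnce()
			}
		}
	}()
}

// Stop signals the goroutine and blocks until it has exited (step 3).
func (p *Poller) Stop() { close(p.stop); <-p.done }

// FetchesAfterTeardown counts fetches that run after teardown; stopping first gives 0.
func FetchesAfterTeardown() int64 {
	var tornDown, late int64
	p := &Poller{stop: make(chan struct{}), done: make(chan struct{})}
	p.fetch = func() { atomic.AddInt64(&late, atomic.LoadInt64(&tornDown)) }
	p.Start(time.Millisecond)
	time.Sleep(20 * time.Millisecond)
	p.Stop()
	atomic.StoreInt64(&tornDown, 1) // httpmock.DeactivateAndReset() would run here
	time.Sleep(5 * time.Millisecond)
	return atomic.LoadInt64(&late)
}

func main() { fmt.Println("fetches after teardown:", FetchesAfterTeardown()) }
```

Because `Stop` waits on `done`, no request can still be in flight when the teardown line runs, which is the ordering the `-race` detector needs.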
Configuration: How to configure Anthropic (Claude) as the LLM provider in GoPot?
Set llmProvider to anthropic and provide the model name and API key. For direct Anthropic access, use:
```yaml
plugin:
  llmProvider: "anthropic"
  llmModel: "claude-haiku-4-5-20251001"
  anthropicSecretKey: "sk-ant-..."
```
For Databricks AI Gateway (Anthropic-compatible), override the host:
```yaml
plugin:
  llmProvider: "anthropic"
  llmModel: "databricks-claude-sonnet-4-6"
  host: "https://adb-<workspace-id>.azuredatabricks.net/serving-endpoints/anthropic/v1"
  anthropicSecretKey: "<databricks-pat-or-oauth-token>"
```
The key can also be set via environment variable.
Getting Started
- Clone the repo and enter the project directory
- Run `docker compose up -d` to start all decoy services
- Attackers connecting to exposed ports (e.g., SSH 22, HTTP 80) receive LLM-generated realistic responses
Checksum not available
This project has not published a SHA-256 checksum on its GitHub Release page
Download directly from GitHub Releases and verify file integrity yourself
Uninstall Info
Run `docker compose down` to stop containers. Delete the project folder for complete removal.
No Extra Dependencies
Ready to use after download. No additional runtime required.