HFish

What is HFish?

HFish is a free, open-source honeypot platform built by ThreatBook — deception technology that plants convincing fake services across your network so that the moment an attacker (or a compromised internal host) touches one, you get a high-signal alert with almost zero false positives. Written in Golang and built for the enterprise, it is deployed by 4,000+ companies and ships 40+ honeypot environments out of the box.

The core idea of deception: a honeypot has no legitimate business purpose, so any interaction with it is suspicious by definition. That makes honeypot alerts some of the highest-fidelity signals in all of security — the polar opposite of a noisy IDS.

What it's for

ThreatBook positions HFish around three use cases:

• Intranet compromise detection — catch lateral movement early. An attacker who has breached one machine will scan and probe internally; HFish honeypots sitting on that internal network light up the instant they're touched.
• External threat perception — internet-facing honeypots reveal who is scanning and attacking your perimeter, and how.
• Threat-intelligence production — every interaction is captured attacker behaviour, feeding back into intelligence.

40+ honeypot environments

HFish goes well beyond a simple fake web page. It can stand up believable services across protocols, including:

The "honeybait" is highly customisable — you tailor the traps so they blend into your environment rather than looking like an obvious decoy.

Architecture: management end + node end

HFish uses a B/S (browser/server) architecture with two roles:

• Management end — the brain. Generates and manages node ends, and receives, analyses, and displays all the data the nodes return. This is the web dashboard your team works from.
• Node end — the traps. Controlled by the management end, each node is responsible for actually running the honeypot services and capturing interactions.

This split is what lets HFish scale: deploy lightweight nodes anywhere — across physical machines, virtual machines, cloud environments, and IoT — all reporting back to one management console. It is cross-platform and multi-architecture, with one-click deployment.

Source traceability + threat intelligence

Two features lift HFish above a generic open-source honeypot:

Built-in source-traceability module. Enabled on demand, it helps trace and attribute the source of an attack — counter-attribution and active-defence capabilities that most free honeypots simply don't have.

Native ThreatBook intelligence. HFish offers free access to the HFish.net honeypot intelligence base, and natively integrates with ThreatBook's Threat Intelligence Platform (TIP). So when a honeypot is hit, the attacking IP can be enriched against ThreatBook's intelligence automatically — turning "something touched the trap" into "a known scanner / known-bad actor touched the trap." Cloud real-time detection features are pushed to deployments and can be flexibly customised.

How an HFish detection flows

1. Deploy nodes across your intranet and perimeter via one-click install.
2. Attacker or compromised host probes the network and hits a honeypot service.
3. Node captures the interaction — source IP, payloads, behaviour — and reports to the management end.
4. Management end enriches + alerts — the source is checked against ThreatBook intelligence, and a high-confidence alert is raised.
5. Trace + respond — the source-traceability module helps attribute the attacker; the event becomes intelligence.

Why it's a strong free option

The honeypot space has excellent open-source projects, but HFish stands out for an enterprise audience: it's genuinely free (the community edition recently lifted its node limit), it's broad (40+ environments vs single-protocol tools), it has a real management console rather than raw logs, and — uniquely — it ships with first-party threat-intelligence enrichment from a serious CTI vendor. For an APAC enterprise already evaluating ThreatBook's intelligence, HFish is the no-cost on-ramp that feeds the same ecosystem.

Why APAC teams should care

HFish is built by an APAC-headquartered vendor (ThreatBook — Singapore, Hong Kong, China, UAE), and its native TIP integration means honeypot hits are enriched against intelligence with strong regional collection. For internal-threat detection programmes under MAS TRM (Singapore), HKMA cyber-resilience (Hong Kong), and PDPA frameworks across ASEAN, a free, self-hosted, on-prem-capable honeypot grid that produces audit-friendly high-fidelity alerts is an easy addition to a defence-in-depth story.

Pricing

• Free + open source — community edition, node limit lifted. Self-host on physical, virtual, cloud, or IoT.
• Free HFish.net intelligence base access for enrichment.
• Native, optional integration with the paid ThreatBook TIP for teams that want deeper intelligence.

Download and deploy from hfish.net — one-click install, cross-platform, free.