Top 12 OT Deception Tools (Honeypots) to Detect Intruders
Why OT deception matters
OT environments are difficult to secure with traditional IT controls alone because availability and safety come first. A good deception layer adds detection without sitting in the attacker’s path, and it works especially well where assets are old, fragile, or hard to instrument. It can also uncover attackers who are already inside the network and searching for PLCs, historians, engineering workstations, or remote-access paths.
How I selected these tools
This list focuses on tools that either emulate OT/ICS assets directly or help defenders build realistic deception layers around industrial networks. I favored tools with clear protocol support, believable decoys, useful logging, and enough current activity or documentation to be practical in 2026. I also included a few broader deception platforms because modern OT security programs often need coverage across IT, OT, and IoT together.
Top 12 OT Deception Tools (Honeypots)
1. FortiDeceptor
FortiDeceptor is one of the strongest commercial options for teams that want a full deception platform rather than a single honeypot. Fortinet positions it as a deception platform for early detection and isolation of sophisticated human and automated attacks, and its OT-focused materials explicitly highlight SCADA systems, IoT sensors, and IT/OT/IoT coverage. That makes it a strong fit for larger industrial environments that need decoys, breadcrumbs, and response integrations instead of a standalone trap.
2. Acalvio ShadowPlex
Acalvio ShadowPlex is a serious enterprise deception platform with a particularly strong OT story. Its OT security brief says it provides OT decoys, IT decoys, and endpoint deceptions, with native support for OT/ICS protocols including Modbus, BACnet, EtherNet/IP, and S7. It also mentions pre-built decoys for PLCs, HMIs, controllers, and OT-adjacent assets. For organizations with mixed IT/OT environments, that breadth is a real advantage.
3. Zscaler Deception
Zscaler Deception is broader than a classic honeypot, but it deserves a place on this list because modern OT attacks rarely stay inside one zone. Zscaler describes deception across endpoints, cloud, applications, Active Directory, and even IoT/OT devices, with decoys and breadcrumbs designed to expose pre-breach recon, identity compromise, privilege escalation, and lateral movement. It is especially relevant for converged environments where attackers may move from IT into OT through identity, remote access, or shared infrastructure.
4. Thinkst Canary and Canarytokens
Thinkst Canary is popular because it is fast to deploy and easy to operationalize. The official docs say Canarytokens need nothing to install and are designed to be dropped into an environment and forgotten until they trigger. Thinkst also offers canaries that can mimic many service personalities, and the commercial product is commonly used for breach detection, not just web or endpoint security. In OT programs, this makes it a practical choice for jump servers, file shares, shared folders, engineering workstations, and other places attackers might browse.
5. Conpot
Conpot is one of the best-known open-source ICS honeypots. Its repository describes it as an ICS honeypot built to collect intelligence about the motives and methods of adversaries targeting industrial control systems. Conpot is a strong pick when you want to emulate industrial services and observe scanning, probing, and protocol abuse without deploying a heavy enterprise platform. It is a foundational tool for labs, research, and smaller blue-team deployments that want visibility into OT-style recon.
6. HoneyPLC
HoneyPLC raises the bar by moving beyond low-interaction emulation. Its repository describes it as a high-interaction PLC honeypot that can simulate multiple PLC models from different vendors, log S7comm interactions, store Ladder Logic injected by an attacker, and record SNMP and HTTP login attempts. That makes it especially useful when defenders want to study how attackers interact with PLC-like assets, not just whether they scan them.
7. T-Pot
T-Pot is not an OT honeypot by itself, but it is one of the most useful platforms for building a honeynet around industrial environments. Telekom Security describes it as an all-in-one, optionally distributed, multiarch platform supporting 20+ honeypots with Elastic Stack visualizations and attack maps. In practice, T-Pot is valuable when you want to deploy several decoys together, centralize logs, and create a richer detection lab or perimeter deception zone near OT networks.
8. OpenCanary
OpenCanary is the open-source version of Thinkst’s canary approach. Its documentation says it is a multi-protocol network honeypot with very low resource requirements, and it can send alerts through Syslog, email, and a companion correlator. That makes it an excellent lightweight choice for plants, small utilities, and OT support networks where you want decoy services without adding much overhead.
9. GasPot
GasPot is a highly focused OT honeypot for fuel environments. Its repository says it emulates a Veeder-Root TLS-350/TLS-450 Automatic Tank Gauge controller commonly found at gas stations and logs all connection attempts and commands for threat intelligence collection. The 2026 update also adds better command coverage and structured logging. If your exposure includes fuel retail, depots, or ATG-related systems, GasPot is one of the most relevant deception tools available.
10. GridPot
GridPot is aimed at electric-grid deception. Its repository describes it as open-source tools for realistic-behaving electric grid honeynets. That makes it especially useful in power-sector labs, grid research, and utility-focused security testing where a generic honeypot is not convincing enough. Even if you do not deploy it in production, it is a strong reference point for building sector-specific deception around energy assets.
11. Cowrie
Cowrie is not OT-native, but it is still valuable in industrial environments because many attacks begin with weak SSH/Telnet exposure on jump boxes, edge Linux hosts, vendor support systems, or lightly managed DMZ assets. Cowrie is a medium to high interaction SSH and Telnet honeypot designed to log brute-force activity and shell interaction, which makes it useful for catching the first signs of intrusion before the attacker reaches a PLC network.
12. Py_PLC_Honey_Pot
Py_PLC_Honey_Pot is a newer PLC-honeypot project worth watching. Its repository says it is designed to emulate an OT SCADA network environment and support key protocols such as Modbus-TCP and Siemens S7Comm, while also integrating a PLC emulator, OT controller simulator, ladder-logic verifier, data logger, attack detector, and system monitor. For teams that want a research-friendly, Python-based OT decoy with protocol realism, this one is compelling.
What makes a good OT honeypot in 2026
A good OT deception tool is not just “fake equipment.” It needs believable protocol behavior, realistic naming, sensible network placement, and logs that help analysts understand the attacker’s intent. High-interaction tools are better when you want deeper attacker engagement, but they require more care. Low-interaction tools are easier to deploy and maintain, but sophisticated attackers may fingerprint them faster. The best programs mix both styles.
In real OT environments, the most effective deployments are usually staged near engineering zones, remote-access points, legacy segments, and IT/OT transition layers. That is where attackers often reconnoiter first, and where a decoy is most likely to catch credential misuse, scanning, or unsafe protocol access without touching production controllers. NIST’s OT guidance and modern deception platforms both point toward layered, segmented defense rather than a single silver-bullet control.
Final thoughts
If you are building an OT security strategy in 2026, deception deserves a real place in the stack. Start with one or two realistic decoys, place them where an intruder would naturally look, and make sure the alerts flow into your SIEM or SOC workflow. For many teams, the most practical path is a mix of one enterprise platform, one or two protocol-specific honeypots, and a lightweight canary layer for the surrounding IT and OT support systems.
The biggest advantage of OT deception is not just catching intruders. It is learning how they move, what they touch, and how far they are willing to go when they think they have found a real industrial asset. That kind of visibility is difficult to get any other way.
