Skip to main content

Portspoof Pro - Active Deception System for Network Security and Threat Detection

Go beyond passive honeypots

Detect attackers Break their OPSEC Strengthen compliance

What is Portspoof Pro?

Portspoof Pro is an active deception system: it fills the unused address space in your network with thousands of decoy hosts that look and behave like real systems, running quietly beside production. Anything that touches them is a confirmed threat: detection from the first probe, alerts that are signal, not noise.

While attackers waste days scanning services that do not exist, your SOC gets the full picture: source, tools, and techniques, streamed to your SIEM and mapped to MITRE ATT&CK. The same events support your compliance reporting for NIS2, DORA, and ISO 27001.

Portspoof Pro builds on the deception concept proven by the open-source Portspoof, rebuilt in Rust for enterprise production and regulated environments.

1st
Probe
Know Before They Attack

Detection starts on the first packet an attacker sends. Any decoy touch is a confirmed threat: near-zero false positives, safe for automated response.

0
Agents
Runs Beside Production

Deploys out-of-band via simple routing rules, with nothing on production hosts. No tuning, no baseline: events reach your SIEM from day one.

92x
Slowdown
Measured Against nmap

The heavier their scan, the more time they lose. Faster tools skip the tarpit but drown in fake hosts, and every probe burns their OPSEC.

65k+
Hosts
One Sensor, Entire Subnets

Each sensor turns whole subnets into decoys, with no per-host deployment. Add sensors to scale your coverage as the network grows.

One Sensor. Many Networks.

See how active deception detects lateral movement before attackers reach real assets

Without Portspoof Pro
10.0.0.0/16WebDBAuthFilesAPICOMPROMISEDPASS-THE-HASHRANSOMWARECompromisedReal
With Portspoof Pro
10.0.0.0/16 + DECEPTION GRIDWebDBAuthFilesAPICOMPROMISEDCompromisedDecoyReal

Benefits

Every probe costs them time and exposure, at almost no cost to you.

Empty Space Becomes Defense

Turn entire unused subnets, VPC ranges, and dark IP blocks into an active defense grid. A single sensor emulates thousands of IPs, transforming empty infrastructure into a detection layer that catches every probe. Deploys into existing infrastructure with no agents, no tuning, and minimal impact on production.

Attribution, Not Just Alerts

Detect threats before they've mapped your environment. Real-time behavioral profiling confirms malicious intent and identifies tool signatures, attack techniques, and sophistication levels. Stream rich JSON events directly to your SIEM/SOAR for instant triage.

Attacker Exhaustion

Shift the advantage back to the defender. While attackers burn resources, every probe is fingerprinted and attributed. Scanners drown in thousands of polymorphic service signatures while tarpitting holds connections open. Scans that take minutes now take days. AI reconnaissance agents exhaust their context windows on fabricated data, wasting compute and budget on decoys.

Isolated by Design

Built for strict isolation and compliance using Micro-Segmented Deception Sensors. The deception engine runs in an isolated network sandbox, fully separated from your production workload.

Technical Details

Emulate entire networks with unique, per-host service profiles

Protocol Coverage

  • Full TCP/UDP Stack
  • Protocol Service Emulation
  • ICMP Response Handling
  • Stateful, multi-step interactions

Scan Technique Detection

  • SYN Stealth Scans
  • Connect() Scans
  • FIN/NULL/XMAS/ACK Scans
  • UDP Port Scans

Tool Fingerprinting

  • Nmap (All scan types)
  • Masscan & ZMap
  • Hping3
  • Custom Scanner Profiling

Performance & Architecture

  • Built with Rust
  • High-Concurrency Async I/O
  • Stateless, Instant Recovery
  • Can emulate 65,535 Ports/IP

Deception Engine

  • Full Subnet Emulation (65k+ Hosts)
  • Per-IP Unique Host Profiles
  • Polymorphic Service Signatures
  • Anti-Fingerprinting Diversity

Active Countermeasures

  • Socket Tarpitting (Slow Drip)
  • Attacker Socket Pool Exhaustion
  • Dynamic Session Throttling
  • Random Stream Responses
demo@attacker: ~/nmap_results
demo@attacker:~$ nmap -sV --top-ports 100 --open -Pn 10.200.1.1-10

Starting Nmap 7.93 ( https://nmap.org )

Nmap scan report for 10.200.1.1
PORT     STATE  SERVICE       VERSION
21/tcp   open   ftp           CrushFTP (IP banned)
26/tcp   open   irc           Crackalaka ircd
111/tcp  open   shell         FreeBSD rshd
Service Info: Host: qpxyeyb.iqyswjf.org; OS: Unix

Nmap scan report for 10.200.1.2
PORT       STATE  SERVICE     VERSION
548/tcp    open   afp
554/tcp    open   rtsp
2717/tcp   open   speechd     Speech Dispatcher text-to-speech
49152/tcp  open   unknown

Nmap scan report for 10.200.1.3
PORT      STATE  SERVICE        VERSION
389/tcp   open   ldap
445/tcp   open   microsoft-ds
990/tcp   open   ftp-proxy     Zscaler ftp proxy
5060/tcp  open   sip

Nmap scan report for 10.200.1.4
PORT       STATE  SERVICE       VERSION
139/tcp    open   netbios-ssn
1723/tcp   open   pptp
49154/tcp  open   unknown

Nmap scan report for 10.200.1.5
PORT       STATE  SERVICE       VERSION
139/tcp    open   netbios-ssn
144/tcp    open   telnet        BusyBox telnetd 1.14.0
544/tcp    open   kerberos-sec  MIT Kerberos
1755/tcp   open   nbd           Network Block Device 2.9.17
49152/tcp  open   smux          Linux SNMP multiplexer
Service Info: OS: Linux

Nmap scan report for 10.200.1.6
PORT      STATE  SERVICE    VERSION
990/tcp   open   hylafax   HylaFAX 4.2.0
5000/tcp  open   upnp      Pelco Spectra Mini IP webcam
Service Info: Device: webcam; OS: Linux

Nmap scan report for 10.200.1.7
PORT       STATE  SERVICE     VERSION
22/tcp     open   ssh        Neteyes C Series load balancer sshd
389/tcp    open   ldap       Cisco LDAP server
1433/tcp   open   ms-sql-s
1723/tcp   open   uucp       Taylor uucpd
10000/tcp  open   ndmp       BlueArc ndmp (NDMPv4)
Service Info: Device: load balancer

Nmap scan report for 10.200.1.8
PORT      STATE  SERVICE        VERSION
1720/tcp  open   h323q931
5666/tcp  open   daytime       American Dynamics EDVR security camera
Service Info: Device: webcam

Nmap scan report for 10.200.1.9
PORT      STATE  SERVICE        VERSION
13/tcp    open   daytime       Tardis 2000 daytime
88/tcp    open   kerberos-sec
3128/tcp  open   squid-http
6000/tcp  open   X11

Nmap scan report for 10.200.1.10
PORT       STATE  SERVICE     VERSION
23/tcp     open   telnet     Avaya Call Manager telnetd
993/tcp    open   imap       eXtremail IMAP server
32768/tcp  open   thinprint  ThinPrint print server
Service Info: Devices: PBX, print server

Nmap done: 10 IP addresses (10 hosts up) scanned in 219.37 seconds

Real nmap scan: 10 hosts, each with unique polymorphic service signatures. See more demos

SIEM & Threat Intelligence Integrations

Detection events flowing to your existing security stack

Runs on AWS, Azure, and Google Cloud

Amazon Web ServicesMicrosoft AzureGoogle Cloud Platform

Also integrates with Splunk, QRadar, ArcSight, Syslog/CEF, and SOAR platforms

Compliance & Frameworks

Supports ISO 27001, NIST CSF, CIS Controls, NIS2, and DORA requirements

NIS2 Article 21

Requires network monitoring and detection capabilities with prompt detection of anomalous activities and continuous ICT risk monitoring.

Portspoof Pro provides continuous session-based reconnaissance detection with detailed incident timelines for threat analysis and incident documentation.

DORA Article 10

Requires detection of anomalous network activity and ICT-related incidents with mechanisms to promptly identify unusual patterns and potential threats.

Portspoof Pro delivers behavioral profiling that identifies stealth reconnaissance, mass scanning campaigns, and unknown device probing patterns.

ISO 27001 A.8.20

Requires defense against port scanning and reconnaissance attacks including network monitoring and logging to detect scanning activities.

Portspoof Pro detects SYN, FIN, NULL, XMAS, and ACK scan techniques and fingerprints common scanning tools.

NIST CSF DE.CM-01

Requires networks and network services be monitored to find potentially adverse events including reconnaissance activities and anomalous behavior.

Portspoof Pro provides MITRE ATT&CK technique mapping with behavioral threat intelligence for adverse event detection.

CIS Control 13

Requires deployment of network monitoring and defense capabilities to detect scanning or probing of systems accessible to networks.

Portspoof Pro provides out-of-band reconnaissance detection that runs separately from production traffic, eliminating the need for extensive baseline learning periods.

Logging Standards

ISO 27002 Section 8.15 and NIST SP 800-92 require security event logging with sufficient detail for incident analysis and compliance audits.

Portspoof Pro generates structured JSON security events with session forensics, MITRE ATT&CK mapping, and SIEM integration for compliant log management workflows.

Ready to Turn Empty Space Into Defense?

Detect attackers before they breach.

View Pricing