Portspoof Pro - Active Deception System for Network Security and Threat Detection
Detect attackers Break their OPSEC Strengthen compliance
What is Portspoof Pro?
Portspoof Pro is an active deception system: it fills the unused address space in your network with thousands of decoy hosts that look and behave like real systems, running quietly beside production. Anything that touches them is a confirmed threat: detection from the first probe, alerts that are signal, not noise.
While attackers waste days scanning services that do not exist, your SOC gets the full picture: source, tools, and techniques, streamed to your SIEM and mapped to MITRE ATT&CK. The same events support your compliance reporting for NIS2, DORA, and ISO 27001.
Portspoof Pro builds on the deception concept proven by the open-source Portspoof, rebuilt in Rust for enterprise production and regulated environments.
Probe
Detection starts on the first packet an attacker sends. Any decoy touch is a confirmed threat: near-zero false positives, safe for automated response.
Agents
Deploys out-of-band via simple routing rules, with nothing on production hosts. No tuning, no baseline: events reach your SIEM from day one.
Slowdown
The heavier their scan, the more time they lose. Faster tools skip the tarpit but drown in fake hosts, and every probe burns their OPSEC.
Hosts
Each sensor turns whole subnets into decoys, with no per-host deployment. Add sensors to scale your coverage as the network grows.
One Sensor. Many Networks.
See how active deception detects lateral movement before attackers reach real assets
Benefits
Every probe costs them time and exposure, at almost no cost to you.
Turn entire unused subnets, VPC ranges, and dark IP blocks into an active defense grid. A single sensor emulates thousands of IPs, transforming empty infrastructure into a detection layer that catches every probe. Deploys into existing infrastructure with no agents, no tuning, and minimal impact on production.
Detect threats before they've mapped your environment. Real-time behavioral profiling confirms malicious intent and identifies tool signatures, attack techniques, and sophistication levels. Stream rich JSON events directly to your SIEM/SOAR for instant triage.
Shift the advantage back to the defender. While attackers burn resources, every probe is fingerprinted and attributed. Scanners drown in thousands of polymorphic service signatures while tarpitting holds connections open. Scans that take minutes now take days. AI reconnaissance agents exhaust their context windows on fabricated data, wasting compute and budget on decoys.
Built for strict isolation and compliance using Micro-Segmented Deception Sensors. The deception engine runs in an isolated network sandbox, fully separated from your production workload.
Technical Details
Emulate entire networks with unique, per-host service profiles
Protocol Coverage
- ›Full TCP/UDP Stack
- ›Protocol Service Emulation
- ›ICMP Response Handling
- ›Stateful, multi-step interactions
Scan Technique Detection
- ›SYN Stealth Scans
- ›Connect() Scans
- ›FIN/NULL/XMAS/ACK Scans
- ›UDP Port Scans
Tool Fingerprinting
- ›Nmap (All scan types)
- ›Masscan & ZMap
- ›Hping3
- ›Custom Scanner Profiling
Performance & Architecture
- ›Built with Rust
- ›High-Concurrency Async I/O
- ›Stateless, Instant Recovery
- ›Can emulate 65,535 Ports/IP
Deception Engine
- ›Full Subnet Emulation (65k+ Hosts)
- ›Per-IP Unique Host Profiles
- ›Polymorphic Service Signatures
- ›Anti-Fingerprinting Diversity
Active Countermeasures
- ›Socket Tarpitting (Slow Drip)
- ›Attacker Socket Pool Exhaustion
- ›Dynamic Session Throttling
- ›Random Stream Responses
demo@attacker:~$ nmap -sV --top-ports 100 --open -Pn 10.200.1.1-10 Starting Nmap 7.93 ( https://nmap.org ) Nmap scan report for 10.200.1.1 PORT STATE SERVICE VERSION 21/tcp open ftp CrushFTP (IP banned) 26/tcp open irc Crackalaka ircd 111/tcp open shell FreeBSD rshd Service Info: Host: qpxyeyb.iqyswjf.org; OS: Unix Nmap scan report for 10.200.1.2 PORT STATE SERVICE VERSION 548/tcp open afp 554/tcp open rtsp 2717/tcp open speechd Speech Dispatcher text-to-speech 49152/tcp open unknown Nmap scan report for 10.200.1.3 PORT STATE SERVICE VERSION 389/tcp open ldap 445/tcp open microsoft-ds 990/tcp open ftp-proxy Zscaler ftp proxy 5060/tcp open sip Nmap scan report for 10.200.1.4 PORT STATE SERVICE VERSION 139/tcp open netbios-ssn 1723/tcp open pptp 49154/tcp open unknown Nmap scan report for 10.200.1.5 PORT STATE SERVICE VERSION 139/tcp open netbios-ssn 144/tcp open telnet BusyBox telnetd 1.14.0 544/tcp open kerberos-sec MIT Kerberos 1755/tcp open nbd Network Block Device 2.9.17 49152/tcp open smux Linux SNMP multiplexer Service Info: OS: Linux Nmap scan report for 10.200.1.6 PORT STATE SERVICE VERSION 990/tcp open hylafax HylaFAX 4.2.0 5000/tcp open upnp Pelco Spectra Mini IP webcam Service Info: Device: webcam; OS: Linux Nmap scan report for 10.200.1.7 PORT STATE SERVICE VERSION 22/tcp open ssh Neteyes C Series load balancer sshd 389/tcp open ldap Cisco LDAP server 1433/tcp open ms-sql-s 1723/tcp open uucp Taylor uucpd 10000/tcp open ndmp BlueArc ndmp (NDMPv4) Service Info: Device: load balancer Nmap scan report for 10.200.1.8 PORT STATE SERVICE VERSION 1720/tcp open h323q931 5666/tcp open daytime American Dynamics EDVR security camera Service Info: Device: webcam Nmap scan report for 10.200.1.9 PORT STATE SERVICE VERSION 13/tcp open daytime Tardis 2000 daytime 88/tcp open kerberos-sec 3128/tcp open squid-http 6000/tcp open X11 Nmap scan report for 10.200.1.10 PORT STATE SERVICE VERSION 23/tcp open telnet Avaya Call Manager telnetd 993/tcp open imap eXtremail IMAP server 32768/tcp open thinprint ThinPrint print server Service Info: Devices: PBX, print server Nmap done: 10 IP addresses (10 hosts up) scanned in 219.37 seconds
Real nmap scan: 10 hosts, each with unique polymorphic service signatures. See more demos
SIEM & Threat Intelligence Integrations
Detection events flowing to your existing security stack

Elastic SIEM
Real-time dashboards with MITRE ATT&CK mapping

OpenCTI
Threat intelligence enrichment and IOC tracking
Runs on AWS, Azure, and Google Cloud
Also integrates with Splunk, QRadar, ArcSight, Syslog/CEF, and SOAR platforms
Compliance & Frameworks
Supports ISO 27001, NIST CSF, CIS Controls, NIS2, and DORA requirements
NIS2 Article 21
Requires network monitoring and detection capabilities with prompt detection of anomalous activities and continuous ICT risk monitoring.
Portspoof Pro provides continuous session-based reconnaissance detection with detailed incident timelines for threat analysis and incident documentation.
DORA Article 10
Requires detection of anomalous network activity and ICT-related incidents with mechanisms to promptly identify unusual patterns and potential threats.
Portspoof Pro delivers behavioral profiling that identifies stealth reconnaissance, mass scanning campaigns, and unknown device probing patterns.
ISO 27001 A.8.20
Requires defense against port scanning and reconnaissance attacks including network monitoring and logging to detect scanning activities.
Portspoof Pro detects SYN, FIN, NULL, XMAS, and ACK scan techniques and fingerprints common scanning tools.
NIST CSF DE.CM-01
Requires networks and network services be monitored to find potentially adverse events including reconnaissance activities and anomalous behavior.
Portspoof Pro provides MITRE ATT&CK technique mapping with behavioral threat intelligence for adverse event detection.
CIS Control 13
Requires deployment of network monitoring and defense capabilities to detect scanning or probing of systems accessible to networks.
Portspoof Pro provides out-of-band reconnaissance detection that runs separately from production traffic, eliminating the need for extensive baseline learning periods.
Logging Standards
ISO 27002 Section 8.15 and NIST SP 800-92 require security event logging with sufficient detail for incident analysis and compliance audits.
Portspoof Pro generates structured JSON security events with session forensics, MITRE ATT&CK mapping, and SIEM integration for compliant log management workflows.