gitwtfhub

wtf is tpotce?

telekom-security/tpotce — explained in plain English

Analysis updated 2026-06-24

9,143CAudience · ops devopsComplexity · 4/5Setup · hard

TL;DR

All-in-one honeypot platform from Telekom Security that runs 20+ honeypots simultaneously in Docker containers and visualizes incoming attack traffic, SSH, web, industrial systems, on a live world map via Elastic Stack.

Mindmap

mindmap
  root((T-Pot))
    What it does
      Honeypot platform
      Attack visualization
    Components
      20 plus honeypots
      Elastic Stack
      Docker containers
    Honeypot types
      SSH servers
      Industrial systems
      Web applications
    Use cases
      Security research
      Threat intelligence
      Attack monitoring

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

Why would anyone build with this?

REASON 1

Deploy a multi-honeypot sensor on a Linux server to capture and analyze real-world attack traffic from the internet.

REASON 2

Use the Elastic Stack dashboard to browse logs and watch a live world map of incoming attacks on your honeypot.

REASON 3

Run T-Pot in distributed mode with multiple sensors across network locations feeding into one central dashboard.

REASON 4

Contribute attack data to the Sicherheitstacho community threat intelligence feed automatically.

What's in the stack?

CDockerElastic StackKibanaLinux

How it stacks up

telekom-security/tpotcemicrosoft/react-native-code-pushtorch/torch7
Stars9,1439,1369,120
LanguageCCC
Setup difficultyhardhardhard
Complexity4/53/54/5
Audienceops devopsdeveloperresearcher

Figures from each repo's GitHub metadata at analysis time.

How do you spin it up?

Difficulty · hard Time to first run · 1h+

Requires a Linux server with 8-16GB RAM and 128GB disk, a one-line install script handles setup, but resource requirements are significant.

Wtf does this do

A honeypot is a deliberately exposed computer system set up to attract attackers so that security researchers can observe what they do. T-Pot, created by Telekom Security, is a platform that runs more than 20 different honeypots at the same time on a single machine, packaging them together with visualization and analysis tools so you get a complete picture of incoming attacks without having to assemble the pieces yourself. Under the hood, T-Pot uses Docker to run all the honeypots as separate containers side by side. Each honeypot mimics a different type of service: some pretend to be SSH servers, others fake email servers, industrial control systems, printers, databases, or web applications. Attackers probing the internet stumble into these fakes, and T-Pot records everything they do. The attack data flows into Elastic Stack, which is a search and visualization tool that lets you browse logs, see charts, and watch a live map showing where attacks are coming from on a world map. Installing T-Pot requires a Linux server with at least 8 to 16 GB of RAM and 128 GB of free disk space. A one-line install script handles the setup. The platform supports both 64-bit Intel and ARM hardware, so it can run on a standard server or even a Raspberry Pi 4 with 8 GB of RAM. There is also a distributed mode for organizations that want to place multiple sensors in different network locations and feed all the data into a single central dashboard. Beyond the honeypots, T-Pot bundles several security tools including Cyberchef for data analysis, Spiderfoot for reconnaissance, and Elasticvue for browsing the underlying data store. Collected attack data is shared by default with a community threat intelligence feed called Sicherheitstacho, though this can be turned off in the configuration. The platform is open source and backed by a public community. The full README is longer than what was shown.

Yoink these prompts

Prompt 1
Walk me through installing T-Pot on an Ubuntu server with 16GB RAM so I can start capturing honeypot traffic.
Prompt 2
How do I access the Elastic Stack dashboard in T-Pot to see real-time charts and a live attack map?
Prompt 3
I want to run T-Pot on a Raspberry Pi 4 with 8GB RAM. What are the limitations and which honeypots will run on ARM?
Prompt 4
How do I set up T-Pot in distributed mode so multiple sensors feed attack data into one central Elastic Stack dashboard?
Prompt 5
Show me how to disable the Sicherheitstacho community data sharing in T-Pot's configuration.

Frequently asked questions

wtf is tpotce?

All-in-one honeypot platform from Telekom Security that runs 20+ honeypots simultaneously in Docker containers and visualizes incoming attack traffic, SSH, web, industrial systems, on a live world map via Elastic Stack.

What language is tpotce written in?

Mainly C. The stack also includes C, Docker, Elastic Stack.

How hard is tpotce to set up?

Setup difficulty is rated hard, with roughly 1h+ to a first successful run.

Who is tpotce for?

Mainly ops devops.

View the repo → Decode another repo

This repo across BitVibe Labs

Don't trust strangers blindly. Verify against the repo.