Towards Autonomous Cyber Deception: An AI Agent for Dynamic Honeynet Management

Honeypots are deception systems used to emulate vulnerable services and collect threat intelligence. In constrained environments, where network or computational resources limit the number of deployable honeypots, security experts typically decide which assets to expose statically or semi-automatically. Attackers’ tactics change quickly, and existing rule-based deception systems cannot cope with this dynamism, reducing their ability to capture valuable information about adversarial behavior. Dynamic deception architectures, if properly tuned, can autonomously collect high-value threat intelligence without constant human supervision. This thesis addresses the lack of adaptivity and autonomy in current honeypot systems, investigating whether an AI-driven agentic architecture can autonomously manage honeypot exposure to maximize information gain from attackers. At the core of the proposed architecture, an AI agent repeatedly processes Intrusion Detection System (IDS) alerts, network configuration state and previous analyses. It infers the evolving attack steps, identifies compromised hosts and exploited services, and predicts the attacker's likely targets. Based on the attacker's progress, the agent autonomously adjusts the environment, shaping the attack surface to sustain engagement and extract intelligence. To systematically measure the agent's ability to manage this environment, I developed a simulator that iteratively launches attacks against a network of vulnerable containers, followed by agent reasoning and deployment of defensive strategies. I reproduced attackers' behavior using Proofs of Concept (PoCs) exploiting known CVEs, creating traffic patterns that simulate real intrusion attempts. Results in a simulated environment show that the AI agent achieved up to 96% accuracy in attack graph inference and 100% Exposure Efficiency, a custom metric to quantify minimized exposure. The results demonstrate the agent's ability to efficiently guide exposure and exploitation dynamics while ensuring optimal management of resources. The architecture has been deployed in a real honeynet environment hosting 15 web services. Initial data collection is ongoing to quantify the benefits of the solution when compared to static systems.