Lantana is a honeypot-as-code platform that deploys and operates IPv4/IPv6 dual-stack honeypots aligned with MITRE Engage principles. It treats honeypots as operational infrastructure — continuously rotated, reshaped, and adapted to evolving narratives and intelligence goals.
The platform covers the full lifecycle: from controlled exposure to structured data ingestion, enrichment, analysis, and intelligence output (STIX bundles, Discord reports, Streamlit dashboard). It emphasizes disposability, policy-driven deployment, and strict blast-radius containment.
Tip
Lantana camara is a plant that attracts insects with its colorful flowers — much like a honeypot attracts attackers with its deliberately vulnerable services. It's invasive, resilient, and thrives in hostile environments.
git clone https://github.com/lopes/lantana.git
cd lantanaProvision a Debian 13 host (VM or bare metal). Terraform support for Proxmox is available under infra/terraform/environments/proxmox/.
cd config/ansible
cp -r inventories/op_single inventories/op_myopCustomize inventory.yml, main.yml, network.yml, narrative.yml, and reporting.yml under inventories/op_myop/group_vars/all/. See the new-operation runbook for an annotated walkthrough of each file. Create the encrypted vault:
ansible-vault create inventories/op_myop/group_vars/all/vault.ymlansible-playbook -i inventories/op_myop/inventory.yml playbooks/deploy_single.yml --ask-vault-pass
ansible-playbook -i inventories/op_myop/inventory.yml playbooks/deploy_honeypots.yml --ask-vault-passansible-playbook -i inventories/op_myop/inventory.yml tests/validate-single-node.yml -vvvlantana/
config/ansible/ # Ansible roles, playbooks, inventories, validation playbooks
infra/terraform/ # Terraform host provisioning (Proxmox)
pipeline/ # Python data pipeline (enrichment, OCSF, dashboard, reports, STIX)
scripts/ # Operational scripts (bootstrap, backup, probes, dashboard)
docs/ # Full documentation
| Document | Description |
|---|---|
| Architecture | Zoned model, deployment modes, network topology, tech stack |
| New Operation Runbook | End-to-end walkthrough: prepare server, clone an operation, vault, narrative, deploy, validate |
| Pipeline | Data pipeline: bronze/silver/gold datalake, OCSF normalization, enrichment, reports, STIX |
| Integrations | Third-party threat-intel providers: endpoints, auth, rate limits, field extraction, live-probe workflow |
| Validation | Day-by-day post-deployment checklist (infrastructure, telemetry, enrichment, reports, dashboard) |
| Rules of Engagement | Ethical and operational boundaries for honeypot use |
| Glossary | Terminology and definitions |
| Troubleshooting | Common issues and fixes |
Lantana intentionally avoids Kubernetes (honeypots are disposable, not HA), SIEM-first architectures (research honeypot data benefits from batch analytics over real-time alerting), and monolithic stacks like T-Pot (Lantana is composable — infrastructure, policy, sensors, and narratives evolve independently).
For the full rationale, see docs/architecture.md.
This project is licensed under the MIT License.