Track Focus
Cloud deception and telemetry
Isolated AWS honeypots, Beelzebub, SSH and web attack telemetry, LLM interaction realism, safety guardrails, and defender reporting.
This track is designed for industry collaboration across cloud security, managed detection, application security, and AI security.
Status
Pending confirmation
Potential expert partners include a cloud security company, MDR/SOC provider, AWS consultant, AppSec company, SaaS security team, nonprofit security team, AI security company, security research team, or university lab.
A four-student pod building shared cloud deception infrastructure and three focused research workstreams.
Students will create isolated AWS deception environments that emulate SSH servers, web applications, and fake cloud admin panels without exposing real systems or secrets.
The pod will experiment with LLM-generated interaction patterns, compare static and dynamic honeypot behavior, and evaluate attacker engagement across SSH, HTTP, and administrative web scenarios. Students will collect and analyze commands, payloads, indicators, scanner behavior, credential attempts, and session timelines.
The strongest structure is one shared pod with three coordinated project areas and a shared dataset.
Project 1
Cloud Deception Lab: LLM-Powered SSH Honeypots in AWS
Potential partners: cloud security company, MDR/SOC provider, or AWS consultant.
Deploy a safely isolated SSH honeypot in AWS, collect commands and credential attempts, and evaluate how LLM-assisted responses affect attacker engagement and telemetry quality.
Project 2
Fake Cloud Admin Panel: Web Honeypot for Attack Telemetry
Potential partners: AppSec company, SaaS security team, or nonprofit security team.
Build a fake administrative web surface that captures scanner behavior, payloads, URLs, authentication attempts, and session timelines without connecting to real cloud resources.
Project 3
Honeypot or Hallucination? Evaluating LLM Deception Safety and Realism
Potential partners: AI security company, security research team, or university lab.
Compare static and dynamic honeypot behavior, test prompt and response guardrails, and evaluate whether LLM-generated interactions are realistic, safe, and useful for defenders.
Shared infrastructure and practical outputs that translate honeypot observations into defensive value.
Hands-on experience across cloud security, deception engineering, telemetry, and AI safety evaluation.
AWS Security
Designing isolated cloud environments with logging, access controls, cost controls, and safe teardown practices.
Honeypot Engineering
Deploying deception services that capture useful telemetry while avoiding exposure of real systems.
Threat Telemetry
Collecting and analyzing commands, payloads, indicators, scanner behavior, credential attempts, and timelines.
LLM Safety
Evaluating generated interactions for realism, leakage risk, safe boundaries, and defender usefulness.
Defender Reporting
Turning raw attack sessions into concise reports and practical recommendations for small organizations.