HoneyBee – Misconfigured App Generator for Red Team Validation
HoneyBee is a tool that uses large language models to generate intentionally misconfigured application deployments. It supports the rapid creation of vulnerable instances (such as Jenkins, Jupyter Notebook and Grafana) and outputs Dockerfiles, Docker Compose files, Nuclei detection templates and README guidance, helping red and purple teams speed up lab environment setup and security exercises. 2025-10-19 21:0:12 Author: www.darknet.org.uk

HoneyBee accelerates red team lab creation by using large language models to generate intentionally misconfigured application deployments. The tool outputs Dockerfiles, Docker Compose manifests, Nuclei detection templates, and README guidance, enabling an operator to quickly stand up realistic vulnerable instances such as Jenkins, Jupyter Notebook, and Grafana. That makes it practical to rehearse exploitation chains, validate detection logic, and build repeatable playbooks without handcrafting each environment from scratch.


Why HoneyBee matters for red teams

Reproducing real-world misconfigurations takes time. HoneyBee compresses the setup phase into minutes so offensive teams can iterate on exploitation playbooks, train junior operators, and validate monitoring coverage. For purple team workflows, HoneyBee also produces Nuclei templates that defenders can ingest to test their rules and signatures. Use the tool to model chained misconfiguration attacks, where several minor configuration issues combine into an exploitable attack path.

Key features

  • Misconfiguration generator: produces Dockerfiles and Docker Compose manifests tailored to the chosen application and misconfiguration scenario.
  • Detection template generator: emits Nuclei templates that match the misconfiguration, for detection verification and automated scanning.
  • Streamlit UI with one-click deploy: select options in a browser interface and deploy the generated compose locally for immediate testing.
  • LLM-driven README and templates: uses configurable prompts to create human-readable instructions and comments inside generated artifacts.
  • Extensible: add or modify templates and misconfiguration definitions for organisation-specific exercises.

Installation

HoneyBee offers a quick install for operators and an editable developer install. These commands are reproduced from the project README.

# Quick install from PyPI
pip install pyhoneybee

# Developer clone and editable install
git clone https://github.com/yaaras/honeybee.git
cd honeybee
pip install -e .

Requirements: Python 3.10 or newer and an OpenAI API key for LLM generation. Optional integrations, such as Docker Compose and Jina, require their own installation and tokens, as documented in the project README.

Usage

Start the HoneyBee Streamlit server and open the provided localhost URL. The UI exposes a curated list of applications and misconfigurations, generation controls, and a deploy button.

# Start the honeybee server (after install)
honeybee

# Open the Streamlit URL reported in the console (commonly http://localhost:8501)

Note: the project README does not include a full CLI help dump. To view any CLI options available in your installed version, run honeybee --help locally after installation.

How HoneyBee works

Pick an application and a misconfiguration profile or craft a custom prompt. HoneyBee formats the selection into a structured prompt for the configured large language model. The model returns templated artifacts: Dockerfile, Docker-Compose YAML, and Nuclei templates. The Streamlit frontend displays those artifacts for review and provides a deploy action that uses Docker Compose locally to spin up the environment on your test host. Generated READMEs and detection templates are intended as reproducible artefacts for reporting and defender validation.

Attack scenario (authorized red team exercise only)

Context: reproduce an exposed Jenkins instance with anonymous access and a weak admin password.

  • Generate: Use HoneyBee to create a Jenkins Docker Compose with anonymous API endpoints and a default weak password.
  • Deploy: Launch the environment locally and confirm the admin console is reachable on the exposed port.
  • Enumerate: Use automated scanning and the generated Nuclei template to validate whether detection rules trigger and to locate API endpoints that accept unauthenticated requests.
  • Exploit: If anonymous endpoints permit job creation or script execution, stage a benign job that writes a file or makes a safe outbound request to demonstrate impact while remaining revertible.
  • Document: Capture the generated artifacts and remediation steps for the client report.

Purple team value and follow-up targets

HoneyBee is strongest when paired with prebuilt vulnerable environments and training targets to create multi-host, multi-service scenarios. For richer follow-up targets consider using prebuilt vulnerable Docker collections such as Vulhub, which provide many complex multi-container labs that complement HoneyBee’s single-app misconfigurations.

For simpler web app practice, Darknet maintains a long-standing collection of intentionally vulnerable web applications and guides that work well as post-deployment targets. Use the Darknet vulnerable web apps category to expand lab coverage and replay manual exploitation steps after HoneyBee deployment: Vulnerable web apps on Darknet.

Safety and operational guidance

  • Run HoneyBee only in isolated test networks, virtual machines, or lab hosts and never against production systems.
  • Sanitise generated artifacts before sharing. Large language models can suggest plausible but unsafe defaults. Remove any genuine keys or credentials that may appear in generated text.
  • Use container network isolation, snapshots, and ephemeral environments so tests are reversible and contained.

Examples

The README includes example outputs such as a PostgreSQL Docker Compose with an empty password field and a Grafana compose snippet demonstrating multiple misconfigurations. Use those samples as templates for building controlled exercises. Always manually review generated YAML before deployment.
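The review step above, and the sanitisation advice under Safety and operational guidance, can be partly automated. The following is an added example (not HoneyBee's own code) that audits a parsed Docker Compose mapping for the weak defaults the article describes (empty PostgreSQL password, Grafana anonymous access and default admin password) plus generic red flags such as privileged containers and ports published on every interface. It assumes the compose file has already been parsed into a dict (for example with yaml.safe_load); the sample manifest embedded below is constructed for illustration.

```python
"""Pre-deployment review of an LLM-generated Docker Compose manifest (added
example, not HoneyBee's code). Input is the parsed compose mapping, e.g. the
result of yaml.safe_load(); the sample at the bottom is constructed."""
from __future__ import annotations

SECRET_KEYS = {"POSTGRES_PASSWORD", "GF_SECURITY_ADMIN_PASSWORD"}
WEAK_VALUES = {"", "admin", "password", "postgres"}
# (key, value) pairs that switch authentication off entirely.
AUTH_OFF = {("POSTGRES_HOST_AUTH_METHOD", "trust"), ("GF_AUTH_ANONYMOUS_ENABLED", "true")}


def _env_items(env) -> list[tuple[str, str]]:
    """Normalise 'environment' (mapping or KEY=VAL list) to (key, value) pairs."""
    if isinstance(env, dict):
        return [(str(k), "" if v is None else str(v)) for k, v in env.items()]
    return [tuple(str(item).partition("=")[::2]) for item in env or []]


def audit_compose(compose: dict) -> list[str]:
    """Return one finding per weak setting across all services (empty list = clean)."""
    findings = []
    for name, svc in (compose.get("services") or {}).items():
        for key, val in _env_items(svc.get("environment")):
            val = val.strip()
            if key in SECRET_KEYS and val.lower() in WEAK_VALUES:
                findings.append(f"{name}: {key} is {'empty' if not val else 'a weak default'}")
            if (key, val.lower()) in AUTH_OFF:
                findings.append(f"{name}: {key}={val} disables authentication")
        if svc.get("privileged") is True:
            findings.append(f"{name}: runs privileged")
        for port in svc.get("ports") or []:
            # "5432:5432" publishes on every host interface; "127.0.0.1:5432:5432" does not.
            if str(port).count(":") == 1:
                findings.append(f"{name}: port {port} bound to all interfaces")
    return findings


# Constructed sample mirroring the README's described outputs (not a real artifact).
SAMPLE_COMPOSE = {"services": {
    "db": {"image": "postgres:16", "environment": {"POSTGRES_PASSWORD": ""},
           "ports": ["5432:5432"]},
    "grafana": {"image": "grafana/grafana", "privileged": True,
                "environment": ["GF_AUTH_ANONYMOUS_ENABLED=true",
                                "GF_SECURITY_ADMIN_PASSWORD=admin"],
                "ports": ["127.0.0.1:3000:3000"]},
}}

if __name__ == "__main__":
    for finding in audit_compose(SAMPLE_COMPOSE):
        print("REVIEW:", finding)
```

Every finding is expected in a deliberately weak lab target; the point of the pass is to confirm each weakness is intended and that nothing else (a real credential, an unintended host-wide port binding) slipped into the artifact before it is deployed or shared.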

Conclusion

HoneyBee is a practical accelerator for red teams and purple teams that need repeatable misconfiguration lab targets. It reduces setup time, creates documented artefacts for reporting, and produces detection templates to close the loop with defenders. Use HoneyBee in authorised testbeds to validate exploitation playbooks and to ensure monitoring and alerting catch realistic misconfiguration abuse patterns.

You can read more or download HoneyBee here: https://github.com/yaaras/honeybee

Article source: https://www.darknet.org.uk/2025/10/honeybee-misconfigured-app-generator-for-red-team-validation/