HoneySat: Unveiling the First High-Interaction Satellite Honeypot at NDSS 2026

At the Network and Distributed System Security Symposium (NDSS) 2026, researchers introduced a groundbreaking advance in space cybersecurity: HoneySat, the first high-interaction satellite honeypot framework that convincingly emulates real satellites to attract and study real adversaries. The work addresses a critical shortfall in our understanding of how threat actors target space systems.

Satellites underpin countless essential services, from global navigation and communications to Earth observation and scientific research. For many years, the cybersecurity of space systems was often seen as a niche concern, partly due to proprietary technologies and the perceived isolation of satellite links. But with the rise of small satellites, accessible ground station technology, and standardized communications protocols, that perception no longer holds. These shifts have broadened the potential attack surface and made it easier for both benign researchers and malicious actors to interact with space assets.

A major challenge in securing satellites has been the lack of real-world empirical data on attacks.

Without authentic datasets, security researchers must rely on theoretical models and simulations that may miss critical details about adversarial behavior. To bridge that gap, the authors of the HoneySat paper, including a multidisciplinary team from institutions such as CISPA Helmholtz Center for Information Security, New Mexico State University, Universidad de Santiago de Chile, Texas A&M University–Corpus Christi, and collaborators from industry and academia, proposed an innovative solution: a high-interaction honeypot tailored specifically for satellites.

What sets HoneySat apart is its depth of simulation.

Unlike low-interaction honeypots that offer limited scripted responses, HoneySat simulates both the network services and the deeper operational behavior of a satellite. It provides realistic command interfaces, believable telemetry, and mission-like interactions, presenting attackers with an environment that closely mimics an actual spacecraft’s systems. This realism helps lure adversaries into revealing their tactics, techniques, and procedures in a controlled research environment.

To evaluate the effectiveness and fidelity of HoneySat, the research team deployed the system on the public Internet. They also surveyed experienced small satellite operators about the realism of the emulation. The results were compelling: 90% of operators rated HoneySat as realistic, and the online honeypot captured four distinct adversarial interaction sessions, collecting 22 specific flight software commands sent to the satellites. These interactions provide rare and valuable insight into how real-world attackers behave when engaging with what they perceive as satellite targets.

In addition to Internet-based deployment, the authors carried out a hardware-in-the-loop experiment with an operational small satellite in orbit. HoneySat successfully communicated with the real spacecraft, validating the fidelity and extensibility of the framework in a real-world context.

Crucially, HoneySat brings incredible ease and flexibility, empowering players both big and small to adapt the tool to their specific missions and infrastructure. Utilizing a highly modular design featuring customizable “Satellite Personalities” and “Ground Configurations”, organizations can effortlessly mimic their unique assets. Because of this streamlined architecture, changing simulated satellites and communication protocols to fit a specific mission takes as little as a couple of days of development.

The development of HoneySat marks a significant step forward for satellite cybersecurity. By generating authentic adversarial interaction data, the research community can now analyze real attack behavior rather than relying solely on speculative models. This knowledge can feed into more robust threat modeling, enhanced defensive designs, and improved operational practices for satellite systems.

Gabriele Marra, one of the main contributors to the HoneySat framework and now Security Engineer at CYSEC, a company known for its focus on space cybersecurity solutions, commented that frameworks like HoneySat represent a much-needed evolution in how the industry approaches threat intelligence. According to Gabriele Marra, “Realistic attack data is key to building resilient space systems; tools like HoneySat enable defenders to understand not just that attacks happen, but how and why they unfold the way they do.”

Indeed, as satellite deployments grow in number and importance, so does the necessity of understanding how adversaries engage with these systems. HoneySat’s open-source framework and demonstrated efficacy establish a new benchmark for research into space threats, empowering defenders with data that was previously inaccessible.

As space continues to become an increasingly contested domain, empirical frameworks like HoneySat will be instrumental in evolving both the theory and practice of satellite defense. By capturing real adversarial behavior in realistic interactions, this work not only advances academic research but also offers tangible tools and insights for operators, policymakers, and engineers striving to protect the critical infrastructure orbiting above us.

To continue the discussion, join the sixth edition of CYSAT Paris, planned for May 20-21, 2026 at Station F in Paris!