Spin up a high-interaction Modbus/DNP3 ICS honeypot that logs attacker register reads/writes as structured JSON.
IoT / OT / Embedded — firmware, buses, and device security.
```shell
pip install cognis-modpot
modpot scan .   # → prioritized findings in seconds
```

modpot is a standard-library Modbus TCP honeypot that decodes and classifies attacker register reads/writes as JSON threat events. Console script: `modpot`.
- Install:

  ```shell
  pipx install modpot   # or: pip install modpot
  ```

- Analyze a captured hex log of Modbus frames and print a classified threat table (the `--format` flag is global, before the subcommand):

  ```shell
  modpot analyze capture.hexlog
  cat capture.hexlog | modpot analyze -   # read frames from stdin
  ```

  Exit code `1` = at least one high-severity event (write/control/recon), `0` = none.

- Filter to serious events and emit JSON for a SIEM:

  ```shell
  modpot --format json analyze capture.hexlog --min-severity high | jq '.[].reasons'
  ```

- Run a live honeypot listener (no root needed on a high port); every request is logged as a JSON event on stdout:

  ```shell
  modpot serve --host 0.0.0.0 --port 5020
  ```

- Use it as a CI / alerting gate over a capture — fail when control-plane writes appear:

  ```shell
  modpot analyze capture.hexlog --min-severity high || echo "high-severity Modbus activity — alerting"
  ```
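As an added illustration of the decode-and-classify step the quick start describes (example code, not modpot's own): a minimal Modbus TCP frame parser and classifier over a hex log, with the same write/control/recon = high rule driving the exit code. The function-code groupings, event field names and sample frames are assumptions constructed for this example.

```python
import struct

# Assumed classification for this example; modpot's own rule set may differ.
READ_FCS = {1, 2, 3, 4}        # read coils / discrete inputs / holding / input registers
WRITE_FCS = {5, 6, 15, 16}     # write single/multiple coils and registers: alters process state
RECON_FCS = {8, 17, 43}        # diagnostics / report server ID / read device identification

def parse_frame(raw: bytes) -> dict:
    """Decode a Modbus TCP ADU: 7-byte MBAP header (tid, pid, len, unit) then the PDU."""
    if len(raw) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", raw[:7])
    if pid != 0 or length != len(raw) - 6:  # pid is always 0; len counts unit id + PDU
        raise ValueError("bad MBAP header (protocol id or length field)")
    pdu = raw[7:]
    frame = {"tid": tid, "unit": unit, "fc": pdu[0], "data": pdu[1:].hex()}
    if frame["fc"] in READ_FCS | {5, 6} and len(pdu) >= 5:   # address + count/value
        frame["address"], frame["value_or_count"] = struct.unpack(">HH", pdu[1:5])
    return frame

def classify_event(frame: dict) -> dict:
    fc = frame["fc"]
    if fc in WRITE_FCS:
        sev, why = "high", f"write function code {fc} alters process state"
    elif fc in RECON_FCS:
        sev, why = "high", f"function code {fc} enumerates device identity/diagnostics"
    elif fc in READ_FCS:
        sev, why = "low", f"read function code {fc}"
    else:
        sev, why = "medium", f"unexpected function code {fc}"
    return {**frame, "severity": sev, "reasons": [why]}

def analyze_hexlog(text: str) -> list[dict]:
    events = []  # one frame per hex line; malformed lines become medium events, not crashes
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        try:
            events.append(classify_event(parse_frame(bytes.fromhex(line))))
        except ValueError as exc:
            events.append({"raw": line, "severity": "medium", "reasons": [f"malformed frame: {exc}"]})
    return events

def exit_code(events: list[dict]) -> int:  # 1 = at least one high-severity event, 0 = none
    return 1 if any(e["severity"] == "high" for e in events) else 0

SAMPLE_HEXLOG = "\n".join([      # constructed sample capture, not real traffic
    "000100000006010300000002",  # FC 3: read 2 holding registers at address 0
    "00020000000601050001ff00",  # FC 5: write single coil 1 ON (0xFF00)
    "000300000005012b0e0100",    # FC 43/14: read device identification (recon)
    "00040000000301",            # truncated frame, exercises the malformed path
])
```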
OT threat-intel content engine — drop it on a VPS, share the 'someone tried to open my fake water-treatment valve' logs. ICS honeypot captures get major infosec-Twitter traction.
modpot is single-purpose, scriptable, and self-hostable: point it at a target, get prioritized results in the format your workflow already speaks (table · JSON · SARIF), gate CI on it, and let agents drive it over MCP.
- ✅ Parse Frame
- ✅ Build Response
- ✅ Classify Event
- ✅ Frame To Event
- ✅ Iter Frames From Hexlog
- ✅ Analyze Capture
- ✅ Runs on Linux/macOS/Windows · Docker · devcontainer
- ✅ Ports in Python, JavaScript, Go, and Rust (`ports/`)
```shell
pip install cognis-modpot
modpot --version
modpot scan .                    # scan current project
modpot scan . --format json      # machine-readable
modpot scan . --fail-on high     # CI gate (non-zero exit)
```

```
$ modpot scan .
[HIGH  ] MOD-001 example finding (./src/app.py)
[MEDIUM] MOD-002 another signal (./config.yaml)
2 findings · risk score 5 · 38ms
```
```mermaid
flowchart LR
    IN[attacker traffic] --> P[modpot<br/>capture]
    P --> OUT[alerts + indicators]
```
modpot is interoperable with every popular way of using AI:

- MCP server — `modpot mcp` (Claude Desktop, Cursor, Cognis.Studio, uncensored-fleet)
- OpenAI-compatible / JSON — pipe `modpot scan . --format json` into any agent or LLM
- LangChain · CrewAI · AutoGen · LlamaIndex — wrap the CLI/JSON as a tool in one line
- CI / scripts — exit codes + SARIF for non-AI pipelines
| | Cognis modpot | conpot |
|---|---|---|
| Self-hostable, no account | ✅ | varies |
| Single command, zero config | ✅ | |
| JSON + SARIF for CI | ✅ | varies |
| MCP-native (AI agents) | ✅ | ❌ |
| Polyglot ports (JS/Go/Rust) | ✅ | ❌ |
| Open license | ✅ COCL | varies |
Built in the spirit of conpot, re-framed the Cognis way. Missing a credit? Open a PR.
Pipes into your stack: SARIF for code-scanning, JSON for anything, an MCP server (modpot mcp) for AI agents, and a webhook forwarder for SIEM/Slack/Jira. See docs/INTEGRATIONS.md.
```shell
pip install "git+https://github.com/cognis-digital/modpot.git"        # pip (works today)
pipx install "git+https://github.com/cognis-digital/modpot.git"       # isolated CLI
uv tool install "git+https://github.com/cognis-digital/modpot.git"    # uv
pip install cognis-modpot                                             # PyPI (when published)
docker run --rm ghcr.io/cognis-digital/modpot:latest --help           # Docker
brew install cognis-digital/tap/modpot                                # Homebrew tap
curl -fsSL https://raw.githubusercontent.com/cognis-digital/modpot/main/install.sh | sh
```

| Linux | macOS | Windows | Docker | Cloud |
|---|---|---|---|---|
| `scripts/setup-linux.sh` | `scripts/setup-macos.sh` | `scripts/setup-windows.ps1` | `docker run ghcr.io/cognis-digital/modpot` | `DEPLOY.md` (AWS/Azure/GCP/k8s) |
- fwxray — Diff two firmware images and surface exactly what changed: new binaries, flipped config flags, added certs, and shifted entropy regions.
- canzap — Replay, fuzz, and assert on CAN bus traffic from a .pcap or SocketCAN interface with a tiny YAML DSL.
- sbomb — Generate a CycloneDX SBOM directly from an unpacked firmware root filesystem and flag components with known CVEs and EOL kernels.
- mqttspy — Passively map an MQTT broker: enumerate topics, detect unauthenticated writes, spot PII/secrets in payloads, and emit a risk report.
- uefiscan — Audit UEFI firmware dumps for missing Secure Boot keys, unsigned modules, S3 boot-script vulns, and known SMM threats.
- keyhunt — Scan firmware blobs and filesystem dumps for hardcoded private keys, API tokens, default creds, and weak RSA/ECC material.
Explore the suite → 🗂️ all 170+ tools · ⭐ awesome-cognis · 🔗 cognis-sources · 🤖 uncensored-fleet · 🧠 engram
PRs, new rules, and demo scenarios are welcome under the collaboration-pull model — see CONTRIBUTING.md and SECURITY.md.
modpot composes with the 300+ tool Cognis suite — JSON in/out and a shared OpenAI-compatible /v1 backbone. See INTEROP.md for the suite map, composition patterns, and reference stacks.
Source-available under the Cognis Open Collaboration License (COCL) v1.0 — free for personal, internal-evaluation, research, and educational use; commercial / production use requires a license (licensing@cognis.digital). See LICENSE.