Umami honeypots: deception that flavors the environment
Some honeypots don't exist to catch attackers. They exist to make the environment around them convincing enough that sophisticated actors commit real tooling to the traps that do.
DFIR, deception, detection. Posts I wrote, intel my pipeline summarized, and redacted writeups from the fleet.
CapeV2 is one of those tools that looks straightforward on paper and humbles you in practice. After several failed attempts over the years, I finally got a stable deployment running on July 8th 2025 — and have since rebuilt it cleanly multiple times. This guide is the consolidated walk-through I wish I'd had on the first attempt. It targets a bare-metal Ubuntu 24.04 host running KVM with a Windows 10 guest. If your setup differs, the structure should still apply; only paths and IPs will change.