Honeypots are deception systems that emulate vulnerable services to collect threat intelligence. While deploying many honeypots increases the opportunity to observe attacker behaviour, in practise network and computational resources limit the number of honeypots that can be exposed. Hence, practitioners must select the assets to deploy, a decision that is typically made statically despite attackers' tactics evolving over time. This work investigates an AI-driven agentic architecture that autonomously manages honeypot exposure in response to ongoing attacks. The proposed agent analyses Intrusion Detection System (IDS) alerts and network state to infer the progression of the attack, identify compromised assets, and predict likely attacker targets. Based on this assessment, the agent dynamically reconfigures the system to maintain attacker engagement while minimizing unnecessary exposure. The approach is evaluated in a simulated environment where attackers execute Proof-of-Concept exploits for known CVEs. Preliminary results indicate that the agent can effectively infer the intent of the attacker and improve the efficiency of exposure under resource constraints

翻译：蜜罐是模拟易受攻击服务以收集威胁情报的欺骗系统。尽管部署大量蜜罐能增加观测攻击者行为的机会，但在实践中，网络和计算资源限制了可暴露蜜罐的数量。因此，运维人员必须选择待部署的资产，这一决策通常是静态制定的，尽管攻击者的策略会随时间演变。本研究探讨了一种基于人工智能的自主架构，该架构能够根据持续攻击动态管理蜜罐暴露。所提出的智能体通过分析入侵检测系统警报和网络状态，推断攻击进程、识别已失陷资产并预测潜在攻击目标。基于此评估，智能体动态重构系统以维持攻击者参与度，同时最小化不必要的暴露。该方法在模拟环境中进行评估，攻击者在其中执行已知CVE的概念验证漏洞利用。初步结果表明，该智能体能有效推断攻击者意图，并在资源约束下提升暴露效率。