beelzebub

Forensics & Incident Response

Open‑source deception runtime that deploys adaptive, LLM‑powered decoy services across SSH, HTTP, TCP, TELNET and MCP to engage attackers and collect high‑fidelity threat intelligence

Track releases GitHub Website

Go Latest v3.8.0 · 1d ago Security brief →

Features

Adaptive LLM‑driven responses (OpenAI, Ollama) for realistic attacker engagement
Low‑code YAML service definitions with regex command matching – no custom code needed
Multi‑protocol coverage: SSH, HTTP, TCP, TELNET and MCP deception services
Extensible plugin system via `CommandPlugin` and `HTTPPlugin` interfaces
Full observability: Prometheus metrics and RabbitMQ event streaming

Recent releases

View all 21 releases →

No immediate action

v3.8.0 New feature 1d

Preserve TCP raw bytes

Open

No immediate action

v3.7.3 New feature 6d

validate flag

Open

Review required

v3.7.2 Bug fix 16d

Dependencies

HistoryCleaner leak fix

Open

v3.7.1 New feature 1mo

Notable features

Add realClientAddr configuration option
Improve CLI functionality and increase code coverage

Full changelog

What's Changed

Feat: Add realClientAddr by @mariocandela in https://github.com/beelzebub-labs/beelzebub/pull/301
Feat: Improve cli and code coverage by @mariocandela in https://github.com/beelzebub-labs/beelzebub/pull/303

Full Changelog: https://github.com/beelzebub-labs/beelzebub/compare/v3.7.0...v3.7.1

View release on GitHub

v3.7.0 New feature 1mo

Notable features

Brand new plugin system
Redesigned plugin architecture

Full changelog

What's Changed

feat: implement brand new plugin system by @mariocandela in https://github.com/beelzebub-labs/beelzebub/pull/294
Build(deps): Bump golang.org/x/term from 0.40.0 to 0.42.0 by @dependabot[bot] in https://github.com/beelzebub-labs/beelzebub/pull/297
ci: run deploy only on tag by @airscripts in https://github.com/beelzebub-labs/beelzebub/pull/299