Honeypots are no longer a research curiosity; they’re an audit talking point!
Mark Ledman, IT Audit Manager at Duke University (CPA, CISA), has a new piece out, "Honeypots: An Advanced Solution in IT Threat Detection," making the case that honeypot management systems belong in every higher-ed CISO’s defense-in-depth strategy, not just in the lab. His audit-perspective framing is worth a read:
- Education is now the most-attacked industry globally, averaging 4,388 cyberattacks per week in 2025.
- A newly deployed honeypot typically attracts attacker activity in under two minutes.
- STINGAR, the honeypot management platform originally developed at Duke and now used by 100+ higher-ed institutions, runs as a federated blocklist: one institution blocks a malicious IP or ASN and every member gets the intel within seconds.
- Networks running honeypots to collect attack data and block on that data see inbound malicious traffic fall by 10x to 100x, with larger reductions during DDoS events.
Ledman closes with the questions internal auditors should be asking their CIO/CISO about alert fatigue, false-positive overhead, and how the security team is adapting to AI-powered attackers.
"Honeypots: An Advanced Solution in IT Threat Detection" was published in College & University Auditors Journal last month, addressing concerns over the increase in AI-generated cyberattacks and the inadequate responses currently available to prevent more attacks.