[FEATURE] Add honeypot detection to nuclei

[Ice3man543]

Describe your feature request

Many hosts on shodan have all the matchers from nuclei in order to fool scanner (show each vuln as matching). we should have some sort of detection to match such scenarios and ignore their matches (at least inform user)

Describe the use case of the feature

Reduce noise while scanning

Describe alternatives you've considered

No response

Additional context

<!--
--
<Username Level="40/40" Dispatch="account">admin</Username><User1><Password Level="40/40" Dispatch="account">admin</Password></User1>
/var/pinglog
<TITLE>Login</TITLE>
<a href="jpg.html">LIVE JPEG</a><br>
<a href="liveie.html">Internet Monitor (Microsoft Internet Explorer 8, 9, 10, 11) </a><br>
<a href="DVRRemoteAP.exe">Download 32 bits DVR Client (Windows 7, Windows 8, Windows 10)</a><br>
<a href="DVRRemoteAP_X64.exe">Download 64 bits DVR Client (Windows 7, Windows 8, Windows 10)</a><br>
<a href="DVFPlayer.zip">Download 32/64 bits File Player (Windows 7, Windows 8, Windows 10)</a><br>
<\?xml version="1.0" encoding="utf-8"?><base64Binary xmlns="http://micros-hosting.com/EGateway/">
Location: /admin
<meta name="generator" content="vBulletin 5.5.4" />
Location: http://120.26.237.211:80/relogin.htm?_t=3541144909
Location: http://120.26.237.211:80/syscmd.htm"
Location: /ui/login
/cgi-bin/webctrl.cgi?action=index_page
PDR-M800
function btnPing()
<HTML><HEAD><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>.The document has moved<A HREF="http://120.26.237.211:80/relogin.htm?_t=179439949">here</A></BODY></HTML>
<link type="image/x-icon" rel="shortcut icon" href="/themes/img/icon/cisco_shortcut.png">
<link type="image/x-icon" rel="shortcut icon" href="/themes/img/icon/cisco_logo.png">
<td class="Copyright" colspan="2" style="text-align:justify" height="20" valign="bottom">© 2017 Cisco Systems, Inc. All Rights Reserved.
<br>Cisco, Cisco Systems, and the Cisco Systems logo are registered
trademarks or trademarks of Cisco Systems, Inc. and/or it's affiliates
in the United States and certain other countries.
</td>
:
#
>
$
SSH key is good
is not a valid ref and may not be archived
pcPassword2
'&sessionKey=790148060;'
name="sessionKey" value="790148060"
Set-Cookie: loginName=admin
var fgt_lang = /dev/cmdb/sslvpn_websession
php 8.1.0-dev exit
springframework
Tomcat
DEVICE.ACCOUNT=admin
AUTHORIZED_GROUP=1
<uid></uid>
<name>Admin</name>
<usrid></usrid>
<password>admin</password>
<group></group>
cpto /tmp/"root"
Model=AC1450
Firmware=V1.0.0.36_10.0.17
"exceptionMessageValue":"javax.servlet.ServletException: No valid forensics analysis solrDocIds parameter found."
BIG-IP release 15.0.0
user:root
12345admin123'
Failed to process image
 
Location: http://192.168.0.1:52869/picsdesc.xml
You don't have permission to access /vpns/ on this server.
[global]
workgroup = intranet
encrypt passwords = Yes
update encrypted = Yes
 
funcionando
system_sofia
name resolve order
InfoOS:Linux node01 uid=0(root) gid=0(root) groups=0(root)OSInfo
<b>File Uploaded !!!</b><br>
ant=951d11e51392117311602d0c25435d7f
38ee63071a04dc5e04ed22624c38e648
6f3249aa304055d63828af3bfab778f6
<h1> a8748198bf4c454b078f069b109f91af </h1>
[local]
tid = OGRjYjc0YTY0ZGM5ODRmYjlhYmUzZTdjMjAxZjgxMGQ5ZWM5MGVkOGU0Y2E3M2M2M2ZiNDliZTFmYmMyM2IwZDIxPT0=
addr = 120.26.237.211
"Powered by vBulletin Version 5.5.4"
789551
Linear eMerge
SuperSign
ubiq
Yacht
Zeroshell
FastWeb
AuthInfo:
loadingIndicator_bk
Zyxel
skyrouter
WAP54
org.apache.spark.ui
 
CVE-2024-50379-CONFIRMED HTTP/1.1
Host: 120.26.237.211:12577
Sec-Ch-Ua-Mobile:
RESULT=0
 

<br class="Apple-interchange-newline">

[smallseacreature]

I’m working on this and plan to submit a PR.

approach:

• Add a small, optional post-processing detector that tracks match density per URL/host.
• Flag cases where an unusually high number of distinct template IDs match the same response
• Default behavior would be warn-only; optionally allow tagging or suppression via a flag.
• Logic would live in a new package and hook into the output/reporting stage
• Include unit tests for the detection logic.

Happy to adjust based on feedback.

[dogancanbakir]

/bounty $250

[algora-pbc]

💎 $250 bounty • ProjectDiscovery Bounty Available

How to Participate:

• Claim attempt: Comment /attempt #6403 on this issue. Multiple participants can attempt, but only the first to submit a complete, mergeable solution will receive the reward.
• Work on the issue: Follow the Contribution Guidelines and ensure your solution fully addresses the issue requirements.
• Submit your PR: Open a pull request to projectdiscovery/nuclei and include /claim #6403 in the PR body.
• Receive payment: Upon successful merge, you will receive 100% of the bounty through Algora within 2-5 days.

Thank you for contributing to projectdiscovery/nuclei and helping us democratize security!

---

PR Requirements

Your PR must include the following. PRs that don't meet these requirements may not be reviewed and could be closed.

Proposed Changes

Describe the overall picture of your modifications to help maintainers understand the pull request.

Proof

Demonstrate your changes work. Include before/after examples, screenshots, or terminal output showing the fix/feature in action.

Checklist

• PR created against the correct branch (usually dev)
• All checks passed (lint, unit/integration/regression tests)
• Tests added that prove the fix is effective or feature works
• Documentation added (if appropriate)

---

Add a bounty • Share on socials

Attempt	Started (UTC)	Solution	Actions
🟢 @natinew77-creator	Feb 02, 2026, 03:31:47 PM	#6798	Reward
🟢 @erdogan98	Feb 02, 2026, 05:46:27 PM	#6801	Reward
🟢 @rajim59	Feb 03, 2026, 11:51:32 AM	WIP
🟢 @Hardik-Taneja	Feb 03, 2026, 01:02:29 PM	#6815	Reward
🟢 @nenadilic84	Feb 12, 2026, 12:15:14 PM	#6883	Reward
🟢 @alibader-alt	Feb 14, 2026, 06:19:52 PM	WIP
🟢 @Marwin5411-Winner	Feb 17, 2026, 03:28:28 AM	WIP
🟢 @St34lthcole	Feb 17, 2026, 08:50:14 AM	#6923	Reward
🟢 @285729101	Feb 17, 2026, 03:14:55 PM	#6931	Reward
🟢 @	Feb 20, 2026, 12:35:44 PM	WIP
🟢 @wh0amibjm	Feb 20, 2026, 10:24:39 PM	#6984	Reward
🟢 @shukwei899	Feb 20, 2026, 10:08:48 PM	#6983	Reward
🟢 @sonumishrAA	Feb 25, 2026, 07:48:43 PM	WIP
🟢 @Kevin737866	Feb 26, 2026, 10:32:45 AM	#7048	Reward
🟢 @FuZoe	Feb 27, 2026, 02:07:49 AM	#7056	Reward
🟢 @a638011	Feb 27, 2026, 07:07:10 AM	#7061	Reward
🟢 @astraxghost	Feb 27, 2026, 03:12:06 PM	#7068	Reward
🟢 @teredasites	Feb 27, 2026, 08:01:55 PM	#7071	Reward

[natinew77-creator]

/attempt #6403

I’m working on this and plan to submit a PR as soon as i'm done.

[dogancanbakir]

Hey contributors! Please make sure your PR follows the PR template and includes proof that your changes work (before/after examples, screenshots, or terminal output). Reviewer time is limited! Incomplete PRs may be closed without review. Thanks!

[dogancanbakir]

Hey @natinew77-creator — just a heads up, you've got multiple bounty issues claimed. We ask contributors to work on one at a time. Pick the one you'd like to focus on and we'll go from there.

[rajim59]

/attempt #6403

[Simplereally]

I'd like to work on this!

Proposed approach:

1. Track match counts per host during scanning
2. If a host matches an unusually high percentage of templates (configurable threshold, e.g., >80%), flag it as a potential honeypot
3. Add CLI flag --honeypot-threshold to control sensitivity
4. Output warning like "[HONEYPOT?] host.example.com matched 95% of templates (likely honeypot, results may be unreliable)"

Alternative approaches:

• Statistical analysis comparing match rate to baseline
• Known honeypot signature detection
• Entropy analysis of response patterns

Would love feedback on the preferred approach before I dive in.

/attempt