Lure Center

Lure Center

Deploy and manage deception lures—types, DNS, SSL, branding, SSO, and isolation.

Last updated May 2026

What lures are

A lure is a deliberately exposed decoy service. H1VE ships dozens of product-faithful images—VPN portals, web stacks, SCADA/PLC interfaces, Grafana, GitHub mimics, and research surfaces such as Next.js CVE lures for zero-day workflows.

H1VE Lure Center with deployed deception assets
Lure Center grid showing deployed decoys with status, domains, request/threat counts, and actions to view logs or start and stop lures.

Supported lure categories

  • VPN / edge — Fortinet, Cisco AnyConnect, Palo Alto GlobalProtect, Citrix, Check Point, Ivanti, F5 BIG-IP, generic gateway
  • Web / app — Apache, Nginx, IIS, Tomcat, WordPress, router admin, Website Clone
  • Network services — SSH, FTP
  • OT / ICS — RapidSCADA, OpenSCADA, Node-RED, Modbus/S7/OpenPLC, MQTT, CoAP
  • Data & dev — InfluxDB, Grafana, TimescaleDB, GitHub

Deploying a lure

  1. Open Lure Center → Create Lure
  2. Choose a realistic name and lure type
  3. Configure DNS (recommended for production-like reachability)
  4. Optional: Public Services & Ports for multi-service personas
  5. Create, then Start if not auto-started
H1VE Create New Lure wizard
Create Lure modal with lure type categories (VPN, SCADA, data systems, web assets), DNS configuration, and optional public services.

DNS, SSL, and branding

DNS integrates via Technitium (API token or user/pass + zone) or Azure DNS (service principal + subscription + zone). Subdomains must be lowercase alphanumeric with hyphens. SSL certificates generate through the platform's ACME integration when enabled.

Branding customization adjusts login pages, logos, and copy for VPN/web personas. Website Clone accepts a seed URL—the mimic crawler reproduces assets for higher fidelity.

Sandbox isolation

Each lure runs in an isolated container with constrained capabilities. Privileged images (e.g., OpenPLC) are documented in Lure Center with build-time warnings. Never co-locate lure workloads with production data planes on the same kernel without cgroup/namespace isolation.

DNS prerequisite

If DNS fields are disabled, configure Integrations → DNS first. Port-only lab access will not reproduce internet scanner behavior.