Project Status
HoneyLens is an independent research and educational project focused on network security, offensive tooling, and applied LLM workflows. Each project below has its own page with architecture, state-of-play, and what comes next.
HoneyLens Sensor
Hybrid intelligence sensor combining kernel-level eBPF packet capture, 30+ protocol honeypots, AI-powered traffic analysis, and automated threat intelligence publishing. Every connection is captured, classified, profiled, and — if interesting enough — published as a threat advisory with zero human intervention.
Autonomous Fuzzing Agent (AFA)
LLM-augmented fuzzing platform that targets open-source software with AFL++ campaigns guided by AI seed generation, harness construction, and cross-model triage. Phases 1-3 done (target onboarding, campaign automation, multi-model crash review). 1.22 B AFL++ executions to date across wolfSSL, BearSSL, and several smaller targets.
Pentest Agent Framework
Framework that orchestrates multiple LLM-driven agents through phases of a pentest engagement — reconnaissance, vulnerability identification, exploitation, post-exploitation, reporting. Composed with the AFA toolchain and the HoneyLens classifier corpus. Validated against TP-Link Archer A6 (8 vulns / 2 Critical, 48 h engagement), LibreNMS (4 CVEs disclosed via CERT.pl), and CUW Tychy quarterly engagements.
HoneyLens Frida — ADR
Application Detection & Response built on eBPF: tracepoint- and uprobe-based runtime hooks that catch the moment a process pivots into unexpected behaviour, with zero kernel-module attack surface. Open source under AGPL-3.0; aligned with the HoneyLens classification corpus for early warning. Replaces vendor EDRs on a small, attestable surface.
LLM-Assisted Security Research
The throughline behind the rest of the projects. Methodology work: how to chain LLMs into pentest, fuzzing, reverse engineering, threat hunting, and disclosure workflows. Outputs include published research, open methodology notes, and the model-comparison benchmarks that drive AFA / Pentest Agent / Sensor model choices.
Threat Intelligence Blog
This blog. The publication endpoint of the HoneyLens Sensor pipeline. Threat advisories generated by the AI pipeline, hunt writeups for public CVEs, and research notes. FastAPI + Jinja2, SQLite-backed, hosted via Cloudflare. DEV-BLOG at .78 for review, PROD at .77 for publication.
Hermes / IRIS — Distributed Agent Mesh
Hermes is a LAN-hosted multi-agent playground. Each host runs one iris-agentd daemon with its own persona, joins a shared private IRC channel (#hermes), and speaks from that host’s real local state. The interesting bit is the combination — distributed agents instead of one central chatbot, real host embodiment instead of synthetic roleplay, IRC as the shared bus, local telemetry + small memory + task handoff. 15 personas live across the lab; 13 routed to cloud providers this month, 2 still on local Ollama by design.