Why Concept Logging

SIGNAL VS NOISE

Generic firewalls log every packet. NovaHoney logs only attacker intent — recon, exploit, credential probe, RCE — already labelled.

PAYLOAD-FREE LOG

Records the concept that fired, not the raw exploit string. Logs are safe to forward, archive, and share between teams.

DEPLOYMENT FOOTPRINT

Ships as a single ultra-compact native binary. Drops onto routers, IoT, edge VMs, dev VPSs — anywhere you want a quiet ear on the open internet.

INTENT RESOLUTION

Each connection is fingerprinted by SHA-256 and tagged with every concept it tripped. One attacker, one fingerprint, multiple labelled intents.

FLEET COMPATIBILITY

A connection that fires the same concepts on a Pi in Berlin and a VPS in Sydney is the same campaign. Concept tags travel between deployments.

FORENSIC FINGERPRINT

Hash uniquely identifies the attacker payload across the fleet. Dedupe campaigns, cluster bots, attribute waves — without storing the payload itself.

CONCEPT-GRID HONEYPOT

NOVAHONEY

Decoy firmware that pretends to be a server, then logs the attacker’s intent on the same concept grid that powers the rest of our stack. Recon, exploit, credential probe, remote-code-execution — already labelled by the time it hits disk.

The Decoy

Looks Like a Server. Actually a Sensor.

NovaHoneybinds a port and answers like the kind of host attackers love to find — an exposed SSH banner, an open admin endpoint, a forgotten dev VPS. It accepts the connection, reads what the attacker sends, and records the encounter. It never holds a real session, never returns real data, never offers real shell. The whole point is to be exactly as interesting as the attacker hopes it will be, for exactly long enough to fingerprint them.

Port-bound decoy — SSH-style banner today; HTTP, telnet, and FTP-style listeners in development.
No real session — nothing on the device for an attacker to escalate into.
Single binary — no interpreter, no daemon, no auto-update channel.

Intent Classification

Concepts, Not Packets.

Generic firewalls and packet captures hand a security team raw bytes and ask them to figure out what happened. NovaHoney does the labelling at the source. Every connection is matched against the same concept gridthat drives the rest of our compiler stack — recon scans, credential probes, exploit attempts, remote code execution— and each match writes a small concept record. The log isn't a packet capture. It's a stream of attacker intent, already named.

Recon — HTTP scans, banner grabs, protocol probes.
Credential probe — admin/root/password noise on the wire.
Exploit attempt — path traversal, SQL injection, known CVE shapes.
Remote code execution — loader patterns and reverse-shell signatures.

// Sample concept record
{
  "ts": 1777416448,
  "concept": "ENABLE",
  "trigger": "wget",
  "hash": "8e96ff3b..."
}

Payload-Safe Logs

Fingerprint. Not Forensic Evidence.

The log records the SHA-256of the attacker's payload and the concepts it fired. The raw payload itself never lands on disk. That means a NovaHoney log is safe to forward across teams, archive in cheap storage, and ship between deployments without becoming an exfil risk in its own right. The hash still uniquely identifies the campaign — the same attacker hitting a Pi in Berlin and a VPS in Sydney shows up as the same fingerprint on both.

No payload storage — logs hold concept names and fingerprints, not exploit strings.
Cross-deployment dedupe — identical payloads collide on hash across the fleet.
Concept clustering — campaigns that fire the same concept profile cluster naturally.

Drop Anywhere

One File. No Runtime.

NovaHoney compiles from a single source file to an ultra-compact native binary. There's no interpreter, no virtual machine, and no auto-update channel sitting on the device for an attacker to abuse. Drop it on a Pi, a router, an edge VM, or a throwaway VPS, point a disused port at it, and walk away. The same binary runs on the same instruction set everywhere — no per-host configuration to drift.

Native compile — no interpreter on the host.
Zero runtime deps — libc and a network stack, that's it.
Quiet on the wire — no telemetryTelemetryAutomated data sent from software back to a vendor's servers — usage stats, crash reports, diagnostics. NovaHoney sends nothing. Every byte it generates stays on your network. calling home, no auto-update endpoint.

Where It Sits

NovaHoney vs. The Usual Stack.

Concern	NovaHoney	Generic firewall / packet log
Output	Labelled attacker intent	Raw packets / pcap
Payload storage	Hash only — safe to forward	Full payload — exfil risk in its own right
Triage cost	Concepts already named at capture time	Analyst rebuilds intent from byte streams
Footprint	Single ultra-compact native binary	Daemon, agent, ruleset, log forwarder
Cross-deployment correlation	Hash + concept profile, by design	Manual SIEM correlation

Concept set, deployment guide, and forwarder details available under NDA.

RUN A DECOY.

Want NovaHoney on your edge VMs, your developer fleet, or as a tripwire on disused ports? Send me an email and I'll work out a build and a forwarder shape that fits your environment.

EMAIL ZAC

robertpage@vertexpaceorganization.com

STATUS: ACTIVE R&D · CORE DECOY PROVEN IN INTERNAL BUILDS.
CONCEPT SET AND FORWARDER UNDER DEVELOPMENT · ARCHITECTURE UNDER NDA.
© 2026 VERTEXPACE · NOVAHONEY · ALL RIGHTS RESERVED · PROPRIETARY TECHNOLOGY
UNAUTHORIZED REPRODUCTION, REDISTRIBUTION, OR DERIVATIVE USE IS PROHIBITED