Dhruv Chopra

I build traps for attackers
and study what they do inside them.

Associate – Deception Technology
C3iHub, IIT Kanpur

Kanpur, India

About

I study the question of how long you can keep a sophisticated attacker inside a deception environment before they recognize it as artificial. I work at C3iHub, IIT Kanpur, where I design, deploy, and operate live honeypot infrastructure against real attacker traffic, including industrial and ICS endpoints.

The problem that drives most of my thinking is credibility over time. Generic honeypots get identified within hours. But a high-fidelity environment that mirrors production infrastructure, with real services, real behavioral signatures, and induced vulnerabilities that match what an attacker expects, buys significantly more dwell time. I want to understand exactly what breaks that illusion, and how to build environments that survive active reconnaissance by sophisticated actors.

I'm currently applying to MS/PhD programs in Europe, primarily Germany, to work on this more rigorously. I'm interested in groups working on intrusion deception, adversarial simulation, or threat-informed defense.

Research

  • Honeypot detectability and environment longevity under active attacker reconnaissance
  • High-fidelity deception for IT/OT and industrial control systems
  • Attacker TTP profiling from live honeypot telemetry
  • APT behavioral patterns and adversarial simulation frameworks
  • Counter-honeypot techniques and detection evasion by advanced actors
  • Threat intelligence pipelines for operational deception environments

Work

Associate – Deception Technology, C3iHub IIT Kanpur

  • Engineered a high-fidelity HTTP honeypot mirroring SAIL BSP's production web infrastructure; induced targeted CVEs, deployed Cowrie & Dionaea across SSH/FTP/ICS endpoints; ~3× increase in attacker dwell time vs. generic deployments.
  • Orchestrated IT/OT honeypot infrastructure on Kubernetes: multi-node clusters, HPA, namespace isolation; 99.9% uptime across 6 concurrent deception endpoints.
  • Analyzed live attacker TTPs via HTTP fingerprinting and payload inspection; produced weekly threat intelligence reports.

Research Intern, C3iHub IIT Kanpur

  • Transitioned from DevOps into security research; embedded within active honeypot deployments for live industrial client engagements.
  • Studied networking fundamentals, OWASP, and MITRE ATT&CK in the context of real adversarial traffic, not classroom exercises.

Projects

ADAPT Honeynet Replication

In progress, writing up

Physical-hardware replication of the ADAPT framework (Putrevu et al., ACM 2024) at C3iHub. Covered all three APT attack paths and the full Kafka/Elasticsearch threat intelligence pipeline. The evaluation surfaced something worth documenting: the CVE assumptions underpinning ADAPT have aged noticeably against current APT tradecraft. Writing this up as a technical critique.

Honeypot Log Analyser

Python tool for parsing Cowrie and Dionaea logs at scale; extracts attacker TTPs and surfaces botnet activity patterns from live honeypot sessions. Built to handle the volume coming off C3iHub's active deployments. GitHub

Kubernetes IT/OT Sensor Cluster

Multi-node Kubernetes cluster managing 6 concurrent deception endpoints for industrial client deployments. Namespace isolation, HPA, 99.9% uptime. Designed around the constraint that honeypot infrastructure must be operationally invisible to the client's production network.

CV

Full curriculum vitae including work history, projects, and references.

Contact

dhruvc@iitk.ac.in

thisisdhruvchopra@gmail.com

Open to research conversations: deception technology, intrusion detection, MS/PhD advising, or collaborations in this space.