/claim #6403

[PrinceNicco]

Summary

This PR introduces a lightweight honeypot detection heuristic to reduce false positives during scans.

Some internet-exposed hosts intentionally respond in a way that matches a large number of unrelated templates, flooding scan output and making results unreliable. The feature tracks match density per host and warns when behavior strongly suggests a honeypot.

What it does

• Tracks number of unique templates matched per host
• Warns when matches exceed a configurable threshold
• Disabled by default (no behavior change)
• Warn-only (never hides results unless user explicitly chooses to)

Why this matters

When scanning large ranges, certain hosts are designed to appear vulnerable to everything.
This wastes analyst time and hides real vulnerabilities in noise.

This change provides visibility without breaking existing workflows.

Usage

nuclei -u target -hpt 30

If threshold is exceeded:

[WARN] target likely honeypot — abnormal template match density detected

Performance impact

None when disabled.

Documentation included

• technical analysis
• reproduction steps
• suggested mitigation

Compatibility

Fully backward compatible.
No default behavior changes.

[PrinceNicco]

Implementation completed and PR submitted.
The feature is warn-only and does not change default behavior.
Happy to adjust threshold logic if maintainers prefer a different heuristic.