Maritime VSAT networks face escalating cyber threats, yet existing intrusion detection and defense mechanisms lack proactive, domain-specific capabilities for maritime environments. Method: This paper designs and deploys a purpose-built honeynet system for maritime scenarios, pioneering the application of active deception techniques in shipboard cybersecurity. The system employs high-fidelity emulation of real VSAT terminal environments and pre-injects representative vulnerabilities to deepen attacker engagement and enhance lure effectiveness. Its modular architecture integrates a web-based dashboard and CLI interface for real-time monitoring and response. Contribution/Results: During a 30-day public Internet exposure experiment, the system captured extensive scanning traffic and successfully lured a skilled adversary to complete initial penetration—demonstrating its reachability, operational authenticity, and threat-sensing capability. This work establishes a reusable technical paradigm and empirical foundation for proactive defense of maritime critical infrastructure.

Cyber threats against the maritime industry have increased notably in recent years, highlighting the need for innovative cybersecurity approaches. Ships, as critical assets, possess highly specialized and interconnected network infrastructures, where their legacy systems and operational constraints further exacerbate their vulnerability to cyberattacks. To better understand this evolving threat landscape, we propose the use of cyber-deception techniques and in particular honeynets, as a means to gather valuable insights into ongoing attack campaigns targeting the maritime sector. In this paper we present Salty Seagull, a honeynet conceived to simulate a VSAT system for ships. This environment mimics the operations of a functional VSAT system onboard and, at the same time, enables a user to interact with it through a Web dashboard and a CLI environment. Furthermore, based on existing vulnerabilities, we purposefully integrate them into our system to increase attacker engagement. We exposed our honeynet for 30 days to the Internet to assess its capability and measured the received interaction. Results show that while numerous generic attacks have been attempted, only one curious attacker with knowledge of the nature of the system and its vulnerabilities managed to access it, without however exploring its full potential.