This document discusses hybrid honeypots for network security. A hybrid honeypot combines low-interaction honeypots that act as lightweight proxies with high-interaction honeypots that can be fully compromised. The low-interaction honeypots filter traffic and only forward requests to open ports on the high-interaction honeypots. This reduces the load on the high-interaction honeypots while still allowing them to collect in-depth attack data. Signatures can be generated from the attack data to detect similar future attacks. The hybrid approach achieves benefits like maintaining a small number of high-interaction honeypots and containing infections.