Vulnerability scanners, for example. Nessus, nmap, xspider/maxpatrol, IBM Rational appscan, Acunetics and so on.
I would do this: organize several "victims" intentionally with vulnerabilities (honeypot, for example, a vulnerable web application, a vulnerable desktop / server, a vulnerable DBMS, etc.), scan all these targets with a couple of scanners, first without IPS, to remove " cast", then put ipesks in turn, comparing the result from the scanners. Which of the IPs will show the best result (there will be fewer vulnerabilities during scanning), which one is more efficient.
The most difficult thing is to organize this very honeypot correctly.

For example, here is the metasploit manual, in particular the chapter on choosing the victim of experiments.

need obviously leaky things? maybe there is here