🍯 Honeypots & deception
Canarytokens
Tripwire-style deception tokens that fire when an attacker touches them.
Why use it
Canarytokens are decoy resources — fake AWS keys, Word documents, DNS names, URL beacons — that alert you the moment anyone interacts with them. Place them in plausible locations and you have an early-warning system for breaches.
What you get
- 15+ token types: DNS, web bug, AWS keys, Office docs, SQL trip, more
- Email/webhook alerts on trigger
- Hosted free at canarytokens.org or self-host the OSS version
- Geolocation and user agent on alert
System requirements
| Requirement | Value |
|---|---|
| CPU | Minimal |
| RAM | 1 GB (self-hosted) |
| Disk | 5 GB (self-hosted) |
| OS | Linux for self-host |
| Docker | Yes |
Installation
Easiest: use the hosted version at canarytokens.org — generate tokens, place them, wait. Self-host: git clone https://github.com/thinkst/canarytokens-docker && cd canarytokens-docker && docker compose up -d. Configure SMTP and a public DNS for full coverage.
Suggested configuration
Place a fake AWS key in ~/.aws/credentials on every dev box. Drop a tripwired Word doc named "passwords.docx" in obvious locations. Add a DNS canary in your internal zones — silence is good news. Set up a Slack/Discord webhook for instant pings.
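For the first suggestion above, a helper that adds the decoy key as an extra profile without touching a developer's real profiles, plus an audit check that the decoy is still in place. This is an added example, not code from the Canarytokens project; the function names are hypothetical, and the key id and secret are whatever canarytokens.org (or your self-hosted instance) generated for you.

```bash
#!/usr/bin/env bash
# Added example: deploy a Canarytokens AWS-key decoy as a named profile.
# Function names are hypothetical; pass in the token values you generated.

# install_canary_profile FILE PROFILE KEY_ID SECRET
# Returns 0 if the profile was added, 2 if a profile with that name already
# exists (file left untouched), 1 on missing arguments or I/O failure.
install_canary_profile() {
    local file=$1 profile=$2 key_id=$3 secret=$4
    [ -n "$file" ] && [ -n "$profile" ] && [ -n "$key_id" ] && [ -n "$secret" ] || return 1
    mkdir -p "$(dirname "$file")" || return 1
    # Never clobber an existing profile: bail out if the name is taken.
    if [ -f "$file" ] && grep -qxF "[$profile]" "$file"; then
        return 2
    fi
    # If the file does not end with a newline, add one before appending.
    if [ -s "$file" ] && [ -n "$(tail -c1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    {
        printf '[%s]\n' "$profile"
        printf 'aws_access_key_id = %s\n' "$key_id"
        printf 'aws_secret_access_key = %s\n' "$secret"
    } >> "$file" || return 1
    # Match the permissions a real credentials file would have.
    chmod 600 "$file"
}

# canary_present FILE PROFILE KEY_ID
# Audit check for fleet tooling: succeeds only if the profile header is
# immediately followed by the expected decoy key id.
canary_present() {
    local file=$1 profile=$2 key_id=$3
    [ -f "$file" ] || return 1
    awk -v hdr="[$profile]" -v want="aws_access_key_id = $key_id" '
        $0 == hdr { getline; if ($0 == want) found = 1 }
        END { exit !found }' "$file"
}
```

Call it as `install_canary_profile ~/.aws/credentials <profile> <key-id> <secret>` with a plausible-looking profile name, and generate a separate token per machine with the hostname in the token memo so an alert tells you which box was read.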
Integration ideas
- Push alerts to TheHive as cases
- Forward to Slack/Discord for real-time visibility
- Combine with deception layers in Wazuh's active response
Alternatives
- Thinkst Canary (commercial) — Hardware/virtual deception devices; same vendor.
Cyentrix verdict
Astonishingly high signal-to-noise. Five minutes of setup gives you a real intrusion-detection capability with zero false positives.