Deploy fake credential files and private keys as honeytokens. Catch attackers the moment they touch your bait — with real-time alerts, process identification, and webhook delivery.
Honeytokens turn attackers' own techniques against them — the moment they touch the bait, you know.
Realistic-looking fake credentials — AWS keys, GitHub tokens, DB passwords — are placed where attackers expect to find real secrets.
Watchdog observes every filesystem event. Access, modification, deletion, or movement of a decoy file triggers an instant alert.
psutil captures the PID, process name, username, and full command line of the process that touched the honeytoken.
Structured JSON alerts are POSTed to any HTTP endpoint — Slack, PagerDuty, SIEM, or your own incident response platform.
Decoys are deployed in backup/, scripts/, and private/ subdirectories to maximize the probability that a scanning attacker encounters them.
Events are classified CRITICAL / HIGH / MEDIUM / LOW. Configure a minimum alert level to reduce noise while catching genuine threats.