Email Alerts Enterprise

Enterprise email alerting has two layers:

| Layer | Location | Who receives mail |
|---|---|---|
| User notifications | Settings > Notifications | Your Trapster account |
| Distribution emails | Settings > Integrations > Emails | Shared addresses (for example soc@company.com) |

User notifications

Each user chooses how much email they want:

| Level | What you receive |
|---|---|
| All notifications | Every incident in your accessible namespaces |
| Only login attempts | Credential submissions, breadcrumb triggers, and honeytoken hits |
| No notifications | Nothing |

Administrators can set a default level when inviting someone. Users can change their own preference afterward.

Distribution emails

Add org-wide recipients that are not tied to a Trapster user account:

  1. Go to Settings > Integrations > Emails
  2. Enter an email address and choose namespace scope (all namespaces or selected namespaces)
  3. Click Add

Distribution addresses receive all incidents in scope. There is no per-type filter on this page.

Alert content

Incident emails include event type, source IP, target service, credentials when applicable, breadcrumb placement notes, timestamp, and a link to the incident in the dashboard.

Frequency

Trapster sends one email per incident for honeypot activity, not one per event. Rapid follow-up activity on the same incident is folded into that single message where possible.

Honeytoken incidents are emailed immediately.

Severity escalation and email

Incidents can escalate over time: a connection that starts as Low may become High when credentials are submitted, or Critical when a breadcrumb fires.

Email behaves differently from webhooks and syslog:

| Channel | On escalation (same incident gets a more severe event) |
|---|---|
| Webhooks / syslog | Sent again when severity increases |
| Email | Not sent again for the same incident |

The email reflects the incident's severity at send time. If several events arrive in quick succession before the email goes out, the message uses the highest severity reached.

Practical guidance

For alerts on every severity change, configure webhooks or syslog under Settings > Integrations and route them to your SIEM or ticketing system. Those channels notify again when an incident escalates.
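
On the receiving side, a small tracker can turn the repeated webhook deliveries into explicit "escalated" signals for ticketing. The sketch below is an added example, not Trapster code: the payload field names `incident_id` and `severity` are assumptions (the webhook schema is not shown on this page), and the sample deliveries are constructed.

```python
"""Receiver-side escalation tracking for honeypot webhook deliveries."""

# Ordering Low < High < Critical follows the escalation example on this page.
# Any other level is treated as unknown instead of being guessed at.
SEVERITY_RANK = {"low": 1, "high": 2, "critical": 3}


class EscalationTracker:
    """Remembers the highest severity seen for each incident."""

    def __init__(self):
        self.highest = {}  # incident id -> highest rank seen so far

    def handle(self, payload):
        """Classify one delivery as new, escalated, no_change or invalid."""
        incident = payload.get("incident_id")  # assumed field name
        severity = str(payload.get("severity", "")).lower()  # assumed field name
        rank = SEVERITY_RANK.get(severity)
        if not incident or rank is None:
            # Surface malformed or unknown input for review, never drop it silently.
            return "invalid"
        previous = self.highest.get(incident)
        if previous is not None and rank <= previous:
            return "no_change"  # retry or repeat at the same or lower severity
        self.highest[incident] = rank
        return "new" if previous is None else "escalated"


def replay(deliveries):
    """Run deliveries through a fresh tracker; return (incident, action) pairs."""
    tracker = EscalationTracker()
    return [(d.get("incident_id"), tracker.handle(d)) for d in deliveries]


# Constructed sample deliveries (not real Trapster output).
SAMPLE = [
    {"incident_id": "inc-1001", "severity": "Low"},       # first connection
    {"incident_id": "inc-1001", "severity": "High"},      # credentials submitted
    {"incident_id": "inc-1002", "severity": "Critical"},  # separate incident
    {"incident_id": "inc-1001", "severity": "High"},      # repeated delivery
    {"incident_id": "inc-1001", "severity": "Critical"},  # breadcrumb fired
    {"incident_id": "inc-1003", "severity": "unlisted"},  # unknown level
]

if __name__ == "__main__":
    for incident, action in replay(SAMPLE):
        print(incident, action)
```

Only the `escalated` results correspond to changes that the single per-incident email would not report again.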