Frequently Asked Questions
General
What is Trapster? Trapster is an internal deception platform. It deploys honeypots on your network that emulate real services. Any interaction with them - a port scan, a login attempt, use of a credential planted as a breadcrumb - triggers an alert.
Is Trapster a SIEM? No. Trapster generates signals; your SIEM consumes them. Use Trapster's built-in integrations (Splunk, Sentinel, Wazuh, syslog, webhook) to forward events to your existing security stack.
Does Trapster require agents on endpoints? No agents are required. Breadcrumbs are deployed as files or registry keys - they are passive artifacts, not software.
Will Trapster affect legitimate network traffic? No. Trapster only listens - it never initiates connections. If a legitimate system connects to a Trapster port, that is a misconfiguration worth investigating. Use whitelist_ips to exclude known internal scanners and monitoring tools.
Community Edition
What is the difference between Community and Enterprise? See Community vs Enterprise for a full comparison.
Can I use Community Edition in production? Yes. Community Edition is production-ready. It lacks the dashboard, breadcrumbs and native SIEM integrations of Enterprise, but it runs reliably and captures credentials on all supported services.
How do I forward Community Edition events to my SIEM? Use the APILogger to POST events to any HTTP endpoint, or FileLogger to write JSON logs that a SIEM agent can tail. See API Events and Syslog & File Logging.
Detection
What gets captured on each service? At minimum: source IP, port, timestamp. For services with authentication: username and password. For HTTP: full request including path, headers and POST body. See each service's documentation for details.
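As an added example (not Trapster's own code, and not its documented event schema), the following consumer shows how the Community Edition JSON events described above can be triaged before they reach a SIEM: it tails FileLogger-style JSON lines, suppresses sources you would list in whitelist_ips, and ranks credential captures above bare connections. The field names (src_ip, service, username, ...) and the sample lines are constructed for the example.

```python
import json
import ipaddress

# Constructed FileLogger-style JSON lines. Field names are an assumption
# for this example, not Trapster's documented schema.
SAMPLE_LOG = """
{"timestamp":"2024-05-01T10:00:01Z","service":"ssh","src_ip":"10.0.0.5","dst_port":22}
{"timestamp":"2024-05-01T10:00:07Z","service":"ssh","src_ip":"10.0.8.42","dst_port":22,"username":"backup","password":"Summer2024!"}
{"timestamp":"2024-05-01T10:00:09Z","service":"http","src_ip":"10.0.8.42","dst_port":80,"method":"POST","path":"/admin","body":"user=admin&pass=admin"}
{"timestamp":"2024-05-01T10:01:00Z","service":"rdp","src_ip":"192.168.1.250","dst_port":3389}
not json at all
"""

# Known internal scanners and monitoring hosts, the kind of entries
# whitelist_ips exists for (constructed values).
WHITELIST_IPS = [
    ipaddress.ip_network("10.0.0.0/29"),
    ipaddress.ip_network("192.168.1.250/32"),
]


def is_whitelisted(ip: str) -> bool:
    """True if the source address falls inside any whitelisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITELIST_IPS)


def classify(event: dict) -> str:
    """Rank an event: a submitted credential is the strongest signal,
    then an HTTP POST (body captured), then any other connection/scan."""
    if "username" in event or "password" in event:
        return "credential"
    if event.get("service") == "http" and event.get("method") == "POST":
        return "http_post"
    return "scan"


def triage(log_text: str) -> dict:
    """Parse JSON lines, drop whitelisted sources, bucket the rest by rank.
    Malformed lines are counted rather than silently lost."""
    result = {"credential": [], "http_post": [], "scan": [],
              "whitelisted": 0, "malformed": 0}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            result["malformed"] += 1
            continue
        if is_whitelisted(event["src_ip"]):
            result["whitelisted"] += 1
            continue
        result[classify(event)].append(event)
    return result
```

Pointing triage() at the real FileLogger output gives a SIEM agent pre-ranked events instead of raw lines; a whitelisted host that keeps showing up in the suppressed count is the misconfiguration the General section mentions.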
Can attackers detect that Trapster is a honeypot? Trapster emulates services realistically enough to fool most automated tools. To make it harder to fingerprint: use version strings that match real servers in your environment, and consider enabling AI-powered HTTP responses.
What is the latency between an incident and a notification? For Enterprise, incidents appear on the Incidents page within seconds. Outbound notifications (email, webhooks, syslog) follow your Settings > Integrations configuration. For Community Edition, latency depends on your logger configuration. JSON stdout is immediate; API output adds the HTTP round-trip.
Breadcrumbs
How many breadcrumbs should I deploy? Start with one breadcrumb per endpoint type (one Windows, one Linux, one document drop). Too many identical breadcrumbs on the same machine reduce realism.
Can an attacker avoid triggering a breadcrumb incident? If an attacker reads the credential file but never uses the credential, no incident fires. This is why breadcrumbs work best when combined with real honeypot services: the attacker has to connect to a service to trigger the trap.
Honeytokens
What is a honeytoken? A honeytoken is a standalone decoy (URL, file, QR code, or JavaScript snippet) that raises an incident when someone accesses it. Unlike breadcrumbs, honeytokens do not require a Trapster on your network. See Honeytokens overview.
How do honeytokens differ from breadcrumbs? Honeytokens tell you someone accessed your decoy. Breadcrumbs tell you which real machine was compromised because they are tied to a specific Trapster. See the comparison table in Honeytokens overview.
Where do I create honeytokens? Open Honeytokens in the sidebar, or use the Create shortcut on the Incidents page. See Creation.
Do honeytoken triggers appear as incidents? Yes. When a honeytoken fires, an incident appears on the Incidents page with a description like "Honeytoken triggered (docx)". See Monitor honeytoken triggers.
Support
Where do I get help for Community Edition?
Where do I get help for Enterprise Edition? Contact support@trapster.cloud.
