Architecture

Core concept

Trapster emulates real network services, waits for connections, logs every interaction, and sends alerts. It never initiates connections and has no legitimate use on your network, so any traffic it receives is suspicious.

Service emulation

Each configured service listens on a network port and emulates a real protocol just far enough to:

  • Accept connections
  • Challenge for credentials (triggering login attempts)
  • Record the username, password, and source IP
  • Close the session without granting access

The goal is a convincing facade, not a fully functional service.
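As an added illustration (not Trapster's own code), a minimal asyncio FTP facade showing the emulate-just-far-enough pattern: greet, collect USER and PASS, write one JSON record with the source IP, deny, and close. The listening port `2121`, the record fields and the in-memory `sink` list are assumptions.

```python
import asyncio
import json
import time

class FtpFacade:
    """Emulates only the FTP login handshake; no command past PASS ever succeeds."""
    user = None  # username offered by the client, pending its PASS

    def handle(self, line):
        """Return (reply, captured_event_or_None, close_session) for one client line."""
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            self.user = arg
            return "331 Password required\r\n", None, False
        if cmd == "PASS":
            event = {"username": self.user, "password": arg}
            self.user = None
            return "530 Login incorrect\r\n", event, True  # record, then deny and hang up
        return "530 Please login with USER and PASS\r\n", None, False

def log_event(event, src_ip, port, sink):
    """Append one JSON record to sink (a list standing in for the file/API/Redis logger)."""
    record = {"ts": time.time(), "service": "ftp", "port": port, "src_ip": src_ip, **event}
    sink.append(json.dumps(record))
    return record

async def serve_one(reader, writer, port, sink):
    src_ip = writer.get_extra_info("peername")[0]
    facade = FtpFacade()
    writer.write(b"220 FTP server ready\r\n")
    try:
        while True:
            line = await reader.readline()
            if not line:
                break  # client hung up
            reply, event, close = facade.handle(line.decode(errors="replace"))
            if event:
                log_event(event, src_ip, port, sink)
            writer.write(reply.encode())
            await writer.drain()
            if close:
                break
    finally:
        writer.close()

async def run(host="0.0.0.0", port=2121):
    sink = []  # assumption: in-memory sink; Trapster's logger would persist instead
    server = await asyncio.start_server(lambda r, w: serve_one(r, w, port, sink), host, port)
    await server.serve_forever()
```

Run it with `asyncio.run(run())`; every USER/PASS pair received on the port ends up as one JSON line in `sink`, and no client is ever granted access.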

How alerts reach you

When someone interacts with a Trapster, the interaction is logged and forwarded to your chosen alert channel:

Edition      Alert channels
Enterprise   Dashboard incidents, email, webhooks, syslog, SIEM connectors
Community    JSON file, stdout, API endpoint, Redis queue, syslog

In Enterprise, Trapsters connect to your dashboard over HTTPS. Incidents appear on the Incidents page in real time. You can also configure outbound notifications from Settings > Integrations.

Enterprise Edition

Dashboard (yourorg.trapster.cloud)
 ├── Incident management & Threat Graph
 ├── Trapster provisioning & config sync
 ├── Honeytoken & breadcrumb management
 └── Alert routing (email, webhook, SIEM)

Trapster (your network)
 ├── Protocol services (same as Community)
 └── Plugins (LLMNR, Portscan)

Trapsters are managed from the dashboard. Deploy a VM or container, accept its registration, and configure services from the Trapsters page. See Using the Dashboard for details.

Community Edition

trapster.conf
 │
 ▼
Trapster daemon
 ├── HTTP/HTTPS, SSH, FTP, RDP, LDAP, ...
 └── Logger (file / API / Redis / syslog)

Configuration is file-based. See Detection Modules for the full reference.

Detection coverage

Signal                   How Trapster detects it
Port scan                Port scan plugin (Enterprise) or connection log
Credential brute force   Login attempt capture on any service
Credential stuffing      Breadcrumb alerts (stolen credentials used against traps)
LLMNR poisoning          LLMNR plugin (Enterprise)
Lateral movement         Any service connection from internal hosts
Decoy access             Honeytoken triggers (Enterprise)

Deception assets

Enterprise provides three layers of deception:

  1. Trapsters: honeypot devices that emulate services on your network
  2. Breadcrumbs: fake credentials placed on real machines, tied to a specific Trapster
  3. Honeytokens: standalone decoy URLs, files, and QR codes that alert when accessed

See Breadcrumbs and Honeytokens for details.