Architecture
Core concept
Trapster emulates real network services, waits for connections, logs every interaction, and sends alerts. It never initiates connections and has no legitimate use on your network, so any traffic it receives is suspicious.
Service emulation
Each configured service listens on a network port and emulates a real protocol just far enough to:
- Accept connections
- Challenge for credentials (triggering login attempts)
- Record the username, password, and source IP
- Close the session without granting access
The goal is a convincing facade, not a fully functional service.
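As an added illustration of the emulation pattern above (example code, not Trapster's own), the facade below speaks just enough FTP to accept a connection, challenge for USER/PASS, record each attempt together with the source IP, reject it, and close after repeated failures; the JSON line mirrors the Community "JSON file / stdout" alert channel. Port 2121 and the three-attempt limit are assumptions.

```python
import asyncio
import json
import time

class FtpFacade:
    """Per-connection FTP login facade: accepts a connection, challenges for
    credentials, records each attempt, and never grants access."""
    BANNER = "220 FTP server ready"

    def __init__(self, src_ip):
        self.src_ip = src_ip
        self.pending_user = None   # USER seen, waiting for PASS
        self.attempts = []         # recorded (username, password) pairs
        self.closed = False

    def handle_line(self, line):
        """Return the reply for one client command line."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.pending_user = arg
            return "331 Password required"
        if verb == "PASS":
            self.attempts.append((self.pending_user or "", arg))
            self.pending_user = None
            if len(self.attempts) >= 3:   # assumed limit: drop brute-forcers after 3 tries
                self.closed = True
                return "421 Too many failed logins, closing connection"
            return "530 Login incorrect"
        if verb == "QUIT":
            self.closed = True
            return "221 Goodbye"
        return "530 Please login with USER and PASS"

def alert_json(src_ip, username, password):
    """One alert as a JSON line, as a 'JSON file / stdout' channel would emit."""
    return json.dumps({"service": "ftp", "event": "login_attempt", "src_ip": src_ip,
                       "username": username, "password": password, "ts": int(time.time())})

async def handle_client(reader, writer):
    facade = FtpFacade(writer.get_extra_info("peername")[0])
    writer.write((facade.BANNER + "\r\n").encode())
    while not facade.closed and (data := await reader.readline()):
        seen = len(facade.attempts)
        writer.write((facade.handle_line(data.decode(errors="replace")) + "\r\n").encode())
        for user, pw in facade.attempts[seen:]:   # emit one alert per new attempt
            print(alert_json(facade.src_ip, user, pw))
        await writer.drain()
    writer.close()

if __name__ == "__main__":   # assumed unprivileged port for local testing
    async def main():
        server = await asyncio.start_server(handle_client, "0.0.0.0", 2121)
        async with server:
            await server.serve_forever()
    asyncio.run(main())
```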
How alerts reach you
When someone interacts with a Trapster, the interaction is logged and forwarded to your chosen alert channel:
| Edition | Alert channels |
|---|---|
| Enterprise | Dashboard incidents, email, webhooks, syslog, SIEM connectors |
| Community | JSON file, stdout, API endpoint, Redis queue, syslog |
In Enterprise, Trapsters connect to your dashboard over HTTPS. Incidents appear on the Incidents page in real time. You can also configure outbound notifications from Settings > Integrations.
Enterprise Edition

```
Dashboard (yourorg.trapster.cloud)
├── Incident management & Threat Graph
├── Trapster provisioning & config sync
├── Honeytoken & breadcrumb management
└── Alert routing (email, webhook, SIEM)

Trapster (your network)
├── Protocol services (same as Community)
└── Plugins (LLMNR, Portscan)
```

Trapsters are managed from the dashboard. Deploy a VM or container, accept its registration, and configure services from the Trapsters page. See Using the Dashboard for details.
Community Edition

```
trapster.conf
│
▼
Trapster daemon
├── HTTP/HTTPS, SSH, FTP, RDP, LDAP, ...
└── Logger (file / API / Redis / syslog)
```

Configuration is file-based. See Detection Modules for the full reference.
Detection coverage
| Signal | How Trapster detects it |
|---|---|
| Port scan | Port scan plugin (Enterprise) or connection log |
| Credential brute force | Login attempt capture on any service |
| Credential stuffing | Breadcrumb alerts when stolen credentials are used against traps |
| LLMNR poisoning | LLMNR plugin (Enterprise) |
| Lateral movement | Any service connection from internal hosts |
| Decoy access | Honeytoken triggers (Enterprise) |
Deception assets
Enterprise provides three layers of deception:
- Trapsters: honeypot devices that emulate services on your network
- Breadcrumbs: fake credentials placed on real machines, tied to a specific Trapster
- Honeytokens: standalone decoy URLs, files, and QR codes that alert when accessed
See Breadcrumbs and Honeytokens for details.
