Introduction to Trapster

Trapster is an internal deception platform designed for your company's network. It acts as a decoy system with no real operational value: any interaction with it is suspicious by definition.

How Trapster works

The core principle is simple: nothing should ever communicate with a Trapster. Every connection attempt, whether it's a port scan, a login attempt, or a credential replay, is a signal worth investigating.

Trapster:

  • Emulates real services across 15+ protocols (HTTP, SSH, FTP, RDP, LDAP, MSSQL, MySQL, and more)
  • Captures credentials used in brute-force or credential-stuffing attacks
  • Generates incidents in the dashboard, or alerts via email, webhook, syslog, or API
  • Supports breadcrumbs: fake credentials planted on endpoints that lead attackers to your traps
  • Supports honeytokens: standalone decoy URLs, files, and QR codes that alert when accessed

Two editions

Trapster Community is a low-interaction honeypot for internal networks, configurable through trapster.conf, with logs to terminal, file, API, or Redis. Trapster Enterprise adds a managed dashboard, SIEM integrations, breadcrumbs, and honeytokens.

| Feature | Community | Enterprise |
|---|---|---|
| Deployment | Docker / Python / systemd | VM, Docker, Kubernetes, cloud |
| Services | 15+ protocols | 15+ protocols (including Kerberos, SMB, Modbus, etc.) |
| Management | Config file | Web dashboard |
| Alerting | File / API / Redis logger | Dashboard, email, webhook, SIEM |
| Breadcrumbs | - | Windows, Linux, macOS |
| Honeytokens | - | URLs, files, QR codes, JS Clone |
| Threat Graph | - | Visual attack path analysis |
| Namespaces & SSO | - | Multi-tenant organization support |
| Plugins | - | LLMNR, Portscan detection |
| API | - | REST API |

See Community vs Enterprise for a full comparison.

Enterprise dashboard

Dashboard: monitor incidents, manage Trapsters, create honeytokens, and configure settings. See Using the Dashboard for a guided tour.

Key use cases

Trapster helps you:

  • Spot attackers moving laterally inside your network
  • Catch stolen or guessed credentials before they hit production systems
  • Get notified within seconds of suspicious contact with a decoy
  • See which services and credentials attackers try first
  • Learn which endpoint was compromised when a breadcrumb fires
  • Detect access to planted files, links, or QR codes via honeytokens

Resources