Introduction to Trapster
Trapster is an internal deception platform designed for your company's network. It acts as a decoy system with no real operational value: any interaction with it is suspicious by definition.
How Trapster works
The core principle is simple: nothing should ever communicate with a Trapster. Every connection attempt, whether it's a port scan, a login attempt, or a credential replay, is a signal worth investigating.
Trapster:
- Emulates real services across 15+ protocols (HTTP, SSH, FTP, RDP, LDAP, MSSQL, MySQL, and more)
- Captures credentials used in brute-force or credential-stuffing attacks
- Generates incidents in the dashboard, or alerts via email, webhook, syslog, or API
- Supports breadcrumbs: fake credentials planted on endpoints that lead attackers to your traps
- Supports honeytokens: standalone decoy URLs, files, and QR codes that alert when accessed
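The triage logic that follows from this principle, as an added example (not Trapster's own code): every decoy event is kept, grouped by source, and labelled with the strongest signal seen, and a planted breadcrumb username is mapped back to the endpoint it was left on. The event field names, the breadcrumb inventory, the scan threshold and all sample values are assumptions constructed for illustration, not Trapster's log schema.

```python
import json
from collections import defaultdict

# Constructed inventory: decoy username -> endpoint where the breadcrumb was planted.
BREADCRUMBS = {"svc_backup": "WKS-0142", "adm_legacy": "SRV-FILE-02"}

# Constructed decoy events, one JSON object per line; field names are assumptions.
SAMPLE_EVENTS = """\
{"src_ip": "10.0.4.23", "protocol": "ssh", "type": "connection"}
{"src_ip": "10.0.4.23", "protocol": "ftp", "type": "connection"}
{"src_ip": "10.0.4.23", "protocol": "mysql", "type": "connection"}
{"src_ip": "10.0.7.8", "protocol": "ssh", "type": "login", "username": "root"}
{"src_ip": "10.0.7.8", "protocol": "ssh", "type": "login", "username": "admin"}
{"src_ip": "10.0.9.50", "protocol": "ldap", "type": "login", "username": "svc_backup"}
{"src_ip": "10.0.1.5", "protocol": "rdp", "type": "connection"}
truncated line {"src_ip":
"""

SCAN_THRESHOLD = 3  # assumed: distinct decoy services touched before calling it a scan

def triage(lines, breadcrumbs=BREADCRUMBS):
    """Group decoy events by source IP and label the strongest signal per source."""
    seen = defaultdict(lambda: {"protocols": set(), "logins": 0, "endpoints": set()})
    for line in lines.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or damaged lines instead of aborting the run
        if not isinstance(ev, dict) or "src_ip" not in ev:
            continue
        src = seen[ev["src_ip"]]
        src["protocols"].add(ev.get("protocol", "unknown"))
        if ev.get("type") == "login":
            src["logins"] += 1
            # A planted username points back to the endpoint it was planted on.
            if ev.get("username") in breadcrumbs:
                src["endpoints"].add(breadcrumbs[ev["username"]])
    report = {}
    for ip, s in seen.items():
        verdict = ("breadcrumb_replay" if s["endpoints"] else
                   "login_attempt" if s["logins"] else
                   "port_scan" if len(s["protocols"]) >= SCAN_THRESHOLD else "contact")
        report[ip] = {"verdict": verdict, "logins": s["logins"], "protocols": sorted(s["protocols"]),
                      "compromised_endpoints": sorted(s["endpoints"])}
    return report

if __name__ == "__main__":
    for ip, entry in triage(SAMPLE_EVENTS).items():
        print(ip, entry)
```

Even the lowest verdict, `contact`, is reported rather than dropped, because a decoy has no legitimate traffic to filter out.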
Two editions
Trapster Community is a low-interaction honeypot for internal networks, configurable through trapster.conf, with logs to terminal, file, API, or Redis. Trapster Enterprise adds a managed dashboard, SIEM integrations, breadcrumbs, and honeytokens.
| Feature | Community | Enterprise |
|---|---|---|
| Deployment | Docker / Python / systemd | VM, Docker, Kubernetes, cloud |
| Services | 15+ protocols | 15+ protocols (including Kerberos, SMB, Modbus, etc.) |
| Management | Config file | Web dashboard |
| Alerting | File / API / Redis logger | Dashboard, email, webhook, SIEM |
| Breadcrumbs | - | Windows, Linux, macOS |
| Honeytokens | - | URLs, files, QR codes, JS Clone |
| Threat Graph | - | Visual attack path analysis |
| Namespaces & SSO | - | Multi-tenant organization support |
| Plugins | - | LLMNR, Portscan detection |
| API | - | REST API |
See Community vs Enterprise for a full comparison.
Enterprise dashboard
Dashboard: monitor incidents, manage Trapsters, create honeytokens, and configure settings. See Using the Dashboard for a guided tour.
Key use cases
Trapster helps you:
- Spot attackers moving laterally inside your network
- Catch stolen or guessed credentials before they hit production systems
- Get notified within seconds of suspicious contact with a decoy
- See which services and credentials attackers try first
- Learn which endpoint was compromised when a breadcrumb fires
- Detect access to planted files, links, or QR codes via honeytokens
