Honeytokens Enterprise
Honeytokens are decoy assets you create in the Trapster dashboard. Each honeytoken is a unique URL, file, QR code, or JavaScript snippet. When someone opens or visits it, Trapster records the interaction and raises an incident in your dashboard.
Honeytokens are not created for a specific Trapster on your network. You create them in the dashboard, place them where you want, and monitor triggers from the Honeytokens page.
How honeytokens differ from breadcrumbs
Both honeytokens and breadcrumbs are deception tools, but they work differently:
| | Honeytokens | Breadcrumbs |
|---|---|---|
| Requires a Trapster | No | Yes - tied to a specific Trapster |
| What triggers it | Someone clicks, opens, or scans the decoy | An attacker uses the fake credential to attempt access |
| What it is | Standalone decoy (URL, file, QR code, JS snippet) | Fake credential or shortcut placed on a real machine |
| What you learn | That someone interacted with a decoy, and where it was placed | That a specific machine was compromised and is being used as a stepping stone |
| Where to create | Honeytokens in the sidebar | Trapsters → device → Services → Generate breadcrumb |
Where to find honeytokens in the dashboard
- Honeytokens in the main sidebar - view, create, and manage all honeytokens
- Create on the Incidents page - shortcut to open the honeytoken creation wizard
- Triggered honeytokens also appear as incidents with the description "Honeytoken triggered"
Who can manage honeytokens
| Role | Permissions |
|---|---|
| Administrator | Create, edit, delete, and view honeytokens |
| Member | Create, edit, delete, and view honeytokens (within assigned namespaces) |
| Analyst | View only |
| Read-only | View only |
See Roles and Permissions for full details.
Next steps
- Creation - step-by-step wizard walkthrough
- Monitor triggers - track activity, view event logs, and analyze source IPs
