Skip to content

Honeytokens Enterprise

Honeytokens are decoy assets you create in the Trapster dashboard. Each honeytoken is a unique URL, file, QR code, or JavaScript snippet. When someone opens or visits it, Trapster records the interaction and raises an incident in your dashboard.

Honeytokens are not created for a specific Trapster on your network. You create them in the dashboard, place them where you want, and monitor triggers from the Honeytokens page.

How honeytokens differ from breadcrumbs

Both honeytokens and breadcrumbs are deception tools, but they work differently:

HoneytokensBreadcrumbs
Requires a TrapsterNoYes - tied to a specific Trapster
What triggers itSomeone clicks, opens, or scans the decoyAn attacker uses the fake credential to attempt access
What it isStandalone decoy (URL, file, QR code, JS snippet)Fake credential or shortcut placed on a real machine
What you learnThat someone interacted with a decoy, and where it was placedThat a specific machine was compromised and is being used as a stepping stone
Where to createHoneytokens in the sidebarTrapsters → device → Services → Generate breadcrumb

Where to find honeytokens in the dashboard

  • Honeytokens in the main sidebar view, create, and manage all honeytokens
  • Create on the Incidents page - shortcut to open the honeytoken creation wizard
  • Triggered honeytokens also appear as incidents with the description "Honeytoken triggered"

Who can manage honeytokens

RolePermissions
AdministratorCreate, edit, delete, and view honeytokens
MemberCreate, edit, delete, and view honeytokens (within assigned namespaces)
AnalystView only
Read-onlyView only

See Roles and Permissions for full details.

Next steps