Incidents and Threat Graph Enterprise
Incidents shows every alert from your Trapsters, breadcrumbs, and honeytokens in one place.
Incident table
The main view is a searchable, filterable table of incidents.
Tabs
| Tab | Shows |
|---|---|
| New | Unacknowledged incidents requiring attention |
| Acknowledged | Incidents you have reviewed |
| All | Every incident regardless of status |
Working with incidents
- Search to filter incidents by keyword
- Click a row to open the incident detail dialog
- Acknowledge incidents individually or in bulk when you have reviewed them
- Delete incidents you no longer need (requires the right permissions)
- Export selected incidents to CSV (includes severity, acknowledged status, source IP, and other fields)
Acknowledging incidents
Acknowledging an incident moves it from the New tab to the Acknowledged tab. It tells your team the incident has been reviewed. It does not:
- Stop email, webhook, or syslog alerts if the same incident receives new activity
- Block future incidents from the same source IP
- Hide the incident from exports or reporting
If an existing incident gets new events (for example, the attacker tries another login), Trapster marks it unacknowledged again so it reappears on the New tab.
Severity
Severity is assigned automatically by Trapster. You cannot change it manually in the dashboard.
Levels
| Level | Typical meaning |
|---|---|
| Info | Low-priority activity (for example, a Trapster exposed to the internet with notifications disabled) |
| Low | A connection was made but no meaningful interaction yet |
| Medium | Data was sent, a Trapster went offline, or an HTTP query was detected |
| High | A login attempt, port scan, honeytoken trigger, or service query |
| Critical | A breadcrumb credential was used, or sustained brute-force activity |
Severity can escalate as an incident grows. A connection that starts as Low may become High if the attacker later submits credentials, or Critical if a breadcrumb fires.
Incident details
Click an incident to open the detail dialog. It shows the timeline, severity, source IP, related events, and (where applicable) credential information.
Credentials tested
The Passwords tab appears only for incidents where someone submitted a username or password: login attempts on Trapster services and breadcrumb incidents (when the attacker used the fake credential from your breadcrumb).
When shown, the tab lists each username and password pair captured during the incident. You can copy values directly from the table. Individual events in the timeline also show username and password fields when present.
Breadcrumb and honeytoken incidents
For breadcrumb incidents, the detail includes the placement note you wrote when creating the breadcrumb. This helps you identify which machine was compromised.
For honeytoken incidents, the description indicates the honeytoken type (for example, "Honeytoken triggered (docx)").
Threat Graph
Switch to the Threat Graph tab on the Incidents page to see which attackers touched multiple Trapsters.
What the graph shows
The graph is a left-to-right layout:
- Attacker nodes (left): one per source IP, with reverse DNS if available and a count of related incidents
- Trapster nodes (right): one per honeypot the attacker interacted with
- Connections (edges): lines from an attacker to each Trapster they reached, color-coded by the highest severity seen on that path
Along each connection, numbered markers show the sequence of incidents in time (for example, SSH then SMB). Each marker is labeled with the service channel (SSH, HTTP, SMB, etc.).
Interacting with the graph
| Action | Result |
|---|---|
| Click an attacker or Trapster node | Filters the graph search to that IP or device name |
| Click a numbered marker on a connection | Opens the full incident detail dialog for that step |
| Hover a marker | Shows service, category, port, and event count |
| Search box | Filter by attacker IP, reverse DNS, or Trapster name |
| Time filter | Last 7, 30, or 90 days |
What to take away
The most useful insight from a connected path is lateral movement: the same source IP probing or authenticating against multiple Trapsters or services. That pattern suggests an attacker (or scanner) is exploring your network rather than hitting a single decoy by chance.
Use the numbered steps to open each incident and see what credentials or services were involved at each stage.
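The same lateral-movement check can be run offline over a CSV export from the incident table (see "Working with incidents" above). The script below is an added example, not part of Trapster's own tooling: it groups exported rows by source IP, records each Trapster reached in time order with the service used, tracks the highest severity seen using the ladder documented above, and flags any source IP that reached two or more distinct Trapsters. The column names (`timestamp`, `severity`, `acknowledged`, `source_ip`, `trapster`, `service`) and the sample rows are assumptions; the page only states that the export includes severity, acknowledged status and source IP, so adjust the names to match the header row of a real export.

```python
"""Flag source IPs that touched more than one Trapster in a CSV export.

Added example, not part of Trapster's own tooling. The column names
(timestamp, severity, acknowledged, source_ip, trapster, service) are
assumptions about the export format; adjust them to match the header
row of a real export.
"""
import csv
import io
from collections import defaultdict

# Severity ladder as documented: Info < Low < Medium < High < Critical.
SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample export (not real data); header names are assumed.
SAMPLE_CSV = """timestamp,severity,acknowledged,source_ip,trapster,service
2024-05-01T10:00:00Z,Low,false,203.0.113.7,fileserver-01,SMB
2024-05-01T10:02:13Z,High,false,203.0.113.7,fileserver-01,SSH
2024-05-01T10:05:40Z,Critical,false,203.0.113.7,dc-decoy,SMB
2024-05-01T11:30:00Z,Medium,true,198.51.100.22,web-decoy,HTTP
2024-05-01T12:00:00Z,High,false,192.0.2.9,web-decoy,HTTP
"""


def load_incidents(csv_text):
    """Parse the export into a list of dicts, one per incident row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def summarize_by_attacker(rows):
    """Group rows by source IP.

    Returns {source_ip: {"trapsters": [distinct names, first-seen order],
                         "max_severity": str,
                         "path": [(trapster, service), ...] in time order}}.
    """
    by_ip = defaultdict(
        lambda: {"trapsters": [], "max_severity": "Info", "path": []}
    )
    # Sort on the ISO-8601 timestamp so the path reflects the order of events.
    for row in sorted(rows, key=lambda r: r["timestamp"]):
        entry = by_ip[row["source_ip"]]
        if row["trapster"] not in entry["trapsters"]:
            entry["trapsters"].append(row["trapster"])
        entry["path"].append((row["trapster"], row["service"]))
        # Keep the highest severity seen on this attacker's path; unknown
        # labels rank below Info so they never raise the maximum.
        if SEVERITY_RANK.get(row["severity"], -1) > SEVERITY_RANK[entry["max_severity"]]:
            entry["max_severity"] = row["severity"]
    return dict(by_ip)


def lateral_movement_candidates(summary, min_trapsters=2):
    """Source IPs that reached at least `min_trapsters` distinct Trapsters."""
    return sorted(
        ip for ip, entry in summary.items() if len(entry["trapsters"]) >= min_trapsters
    )


if __name__ == "__main__":
    summary = summarize_by_attacker(load_incidents(SAMPLE_CSV))
    for ip in lateral_movement_candidates(summary):
        entry = summary[ip]
        steps = " -> ".join(f"{t}/{s}" for t, s in entry["path"])
        print(f"{ip}: {len(entry['trapsters'])} Trapsters, max {entry['max_severity']}: {steps}")
```

With the constructed sample, only 203.0.113.7 is flagged: it went from SMB on fileserver-01 to SSH on the same decoy and then to SMB on dc-decoy, escalating to Critical. As the section above notes, an internet-wide scanner produces the same multi-Trapster pattern, so treat the flagged IPs as a starting point for opening the individual incidents, not as a verdict.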
Notifications
Incidents can trigger outbound alerts through the integrations configured in Settings:
- Webhooks (Teams, Slack, and more)
- Syslog
- SIEM connectors (Splunk, Microsoft Sentinel, Wazuh, Sekoia)
Acknowledging an incident does not turn off these channels. Configure which event types generate notifications from Settings > Notifications.
Next steps
- Trapsters: Deploy honeypots that generate incidents
- Honeytokens: Create standalone decoys that appear as incidents
- Alerting: Configure notification channels
