
Incidents and Threat Graph (Enterprise)

Incidents shows every alert from your Trapsters, breadcrumbs, and honeytokens in one place.

Incident table

The main view is a searchable, filterable table of incidents.

Tabs

| Tab | Shows |
| --- | --- |
| New | Unacknowledged incidents requiring attention |
| Acknowledged | Incidents you have reviewed |
| All | Every incident regardless of status |

Working with incidents

  • Search to filter incidents by keyword
  • Click a row to open the incident detail dialog
  • Acknowledge incidents individually or in bulk when you have reviewed them
  • Delete incidents you no longer need (requires the right permissions)
  • Export selected incidents to CSV (includes severity, acknowledged status, source IP, and other fields)

Acknowledging incidents

Acknowledging an incident moves it from the New tab to the Acknowledged tab. It tells your team the incident has been reviewed. It does not:

  • Stop email, webhook, or syslog alerts if the same incident receives new activity
  • Block future incidents from the same source IP
  • Hide the incident from exports or reporting

If an existing incident gets new events (for example, the attacker tries another login), Trapster marks it unacknowledged again so it reappears on the New tab.

Severity

Severity is assigned automatically by Trapster. You cannot change it manually in the dashboard.

Levels

| Level | Typical meaning |
| --- | --- |
| Info | Low-priority activity (for example, a Trapster exposed to the internet with notifications disabled) |
| Low | A connection was made but no meaningful interaction yet |
| Medium | Data was sent, a Trapster went offline, or an HTTP query was detected |
| High | A login attempt, port scan, honeytoken trigger, or service query |
| Critical | A breadcrumb credential was used, or sustained brute-force activity |

Severity can escalate as an incident grows. A connection that starts as Low may become High if the attacker later submits credentials, or Critical if a breadcrumb fires.

Incident details

Click an incident to open the detail dialog. It shows the timeline, severity, source IP, related events, and (where applicable) credential information.

Credentials tested

The Passwords tab appears only for incidents where someone submitted a username or password: login attempts on Trapster services and breadcrumb incidents (when the attacker used the fake credential from your breadcrumb).

When shown, the tab lists each username and password pair captured during the incident. You can copy values directly from the table. Individual events in the timeline also show username and password fields when present.

For breadcrumb incidents, the detail includes the placement note you wrote when creating the breadcrumb. This helps you identify which machine was compromised.

For honeytoken incidents, the description indicates the honeytoken type (for example, "Honeytoken triggered (docx)").

Threat Graph

Switch to the Threat Graph tab on the Incidents page to see which attackers touched multiple Trapsters.

What the graph shows

The graph is a left-to-right layout:

  • Attacker nodes (left): one per source IP, with reverse DNS if available and a count of related incidents
  • Trapster nodes (right): one per honeypot the attacker interacted with
  • Connections (edges): lines from an attacker to each Trapster they reached, color-coded by the highest severity seen on that path

Along each connection, numbered markers show the sequence of incidents in time (for example, SSH then SMB). Each marker is labeled with the service channel (SSH, HTTP, SMB, etc.).

Interacting with the graph

| Action | Result |
| --- | --- |
| Click an attacker or Trapster node | Filters the graph search to that IP or device name |
| Click a numbered marker on a connection | Opens the full incident detail dialog for that step |
| Hover a marker | Shows service, category, port, and event count |
| Search box | Filter by attacker IP, reverse DNS, or Trapster name |
| Time filter | Last 7, 30, or 90 days |

What to take away

The most useful insight from a connected path is lateral movement: the same source IP probing or authenticating against multiple Trapsters or services. That pattern suggests an attacker (or scanner) is exploring your network rather than hitting a single decoy by chance.

Use the numbered steps to open each incident and see what credentials or services were involved at each stage.
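The same lateral-movement check can be run offline over a CSV export of incidents. The following is an added example, not part of the Trapster documentation or product code: it assumes the export has `timestamp`, `source_ip`, `trapster`, `service`, `severity` and `acknowledged` columns (the real header may differ), rebuilds the Threat Graph structure described above (one attacker per source IP, one edge per Trapster colored by the highest severity seen, numbered steps in time order), and flags source IPs that reached more than one Trapster.

```python
import csv
import io

# Severity levels from the Levels table, ordered lowest to highest.
SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample in the shape of a CSV export. Column names are an
# assumption; adjust them to match the header of a real export.
SAMPLE_CSV = """timestamp,source_ip,trapster,service,severity,acknowledged
2024-05-01T10:00:00Z,203.0.113.7,db-decoy,SSH,Low,false
2024-05-01T10:04:00Z,203.0.113.7,db-decoy,SSH,High,false
2024-05-01T10:09:00Z,203.0.113.7,file-decoy,SMB,Critical,false
2024-05-01T11:30:00Z,198.51.100.3,web-decoy,HTTP,Medium,true
"""


def build_threat_graph(csv_text):
    """Return {source_ip: {"edges": {trapster: highest_severity},
                           "steps": [(n, trapster, service, severity), ...]}}.
    Edges mirror the attacker-to-Trapster connections; steps are the numbered
    markers along the attacker's path, ordered by timestamp."""
    # ISO 8601 timestamps in one format sort correctly as strings.
    rows = sorted(csv.DictReader(io.StringIO(csv_text)),
                  key=lambda r: r["timestamp"])
    graph = {}
    for row in rows:
        attacker = graph.setdefault(row["source_ip"], {"edges": {}, "steps": []})
        current = attacker["edges"].get(row["trapster"], "Info")
        # Edge keeps the highest severity seen on that attacker -> Trapster path.
        if SEVERITY_RANK[row["severity"]] > SEVERITY_RANK[current]:
            attacker["edges"][row["trapster"]] = row["severity"]
        else:
            attacker["edges"].setdefault(row["trapster"], current)
        attacker["steps"].append((len(attacker["steps"]) + 1, row["trapster"],
                                  row["service"], row["severity"]))
    return graph


def lateral_movement(graph):
    """Source IPs that touched two or more Trapsters: the pattern the
    Threat Graph is meant to surface."""
    return sorted(ip for ip, a in graph.items() if len(a["edges"]) >= 2)


def describe_path(graph, source_ip):
    """Human-readable step list for one attacker, e.g. '1. db-decoy SSH (Low)'."""
    return [f"{n}. {trapster} {service} ({sev})"
            for n, trapster, service, sev in graph[source_ip]["steps"]]
```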

Notifications

Incidents can trigger outbound alerts through the integrations configured in Settings:

Acknowledging an incident does not turn off these channels. Configure which event types generate notifications from Settings > Notifications.

Next steps

  • Trapsters: Deploy honeypots that generate incidents
  • Honeytokens: Create standalone decoys that appear as incidents
  • Alerting: Configure notification channels