Enterprise Plan

Execution Triggers

Planted shell commands and scripts that phone home when executed. Know instantly when an attacker runs code in your environment — proof of active compromise.

The Highest Severity Signal

Execution triggers prove active compromise — not just reconnaissance, not credential theft, but actual code running in your environment.

1. Reconnaissance (Low Severity)
Someone looked for a service. They know it exists.

2. Credential Theft (Medium Severity)
Someone stole and used credentials. They have access.

3. Code Execution (Critical Severity)
Someone ran code. They are actively operating inside your environment.

Trigger Types

Multiple formats to blend naturally into different environments.

Shell Commands

Bash, sh, zsh

One-liner curl or wget commands that blend into scripts. Silent, no output, instant alert.

# Add to any script (POSIX redirection, so it also stays silent under plain sh)
curl -s https://t.tripwires.io/abc123 >/dev/null 2>&1 &

Python Scripts

Python 2 & 3

Import-time or runtime triggers that report execution without affecting script behavior.

# Add near imports
try:
    import requests
    requests.get("https://t.tripwires.io/abc123", timeout=1)
except Exception:
    pass  # a missing module or failed request must not change script behavior

PowerShell

Windows environments

Silent web requests that work in Windows automation and admin scripts.

# Add to .ps1 scripts; try/catch keeps a failed request from surfacing an error
try { Invoke-WebRequest -Uri "https://t.tripwires.io/abc123" -UseBasicParsing -TimeoutSec 2 | Out-Null } catch {}

Container Entrypoints

Docker, Kubernetes

Add to entrypoint scripts to detect when containers are started by unauthorized parties.

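# In entrypoint.sh
# Bounded and quiet: an unreachable endpoint must not delay startup or write to container logs
curl -sf --max-time 2 -o /dev/null https://t.tripwires.io/abc123 || true
exec "$@"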

Where to Deploy

Admin & Operations Scripts

Scripts that attackers are likely to run when exploring a compromised system.

  • Database backup scripts
  • Deployment scripts
  • Secret rotation scripts
  • SSH key management

Decoy Files & Directories

Fake "interesting" files that attackers will naturally want to execute or read.

  • /opt/scripts/get-prod-secrets.sh
  • /home/admin/.aws-export.py
  • /var/www/admin-panel.php
  • /root/emergency-access.sh

Insider Threat Detection

Detect when employees access or run things they shouldn't.

  • HR data export scripts
  • Customer database tools
  • Financial reporting scripts
  • IP export utilities

Red Team / Purple Team

Test your detection capabilities during security exercises.

  • Measure time-to-detect
  • Validate SOC response
  • Test incident playbooks
  • Prove coverage gaps

What You'll See

When an execution trigger fires, you get full context on what happened.

CRITICAL: Execution Trigger Fired
Trigger: db-backup-script
Executed at: 2025-01-13 14:23:41 UTC
Source Host: prod-web-03 (10.0.1.42)
External IP: 203.0.113.xxx
User: www-data
Process: /bin/bash
Working Dir: /opt/scripts
Hostname: ip-10-0-1-42.ec2.internal
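
A trigger planted in a real admin script also fires on legitimate runs, so the alert context has to be compared with who is expected to run that script. The following is an added example, not product code: it parses the alert layout shown above (assumed to arrive as plain text) and checks it against a hypothetical baseline. The baseline host, user and hours are assumptions.

```python
from datetime import datetime

# Constructed sample in the alert layout shown above.
SAMPLE_ALERT = """\
CRITICAL: Execution Trigger Fired
Trigger: db-backup-script
Executed at: 2025-01-13 14:23:41 UTC
Source Host: prod-web-03 (10.0.1.42)
External IP: 203.0.113.xxx
User: www-data
Process: /bin/bash
Working Dir: /opt/scripts
Hostname: ip-10-0-1-42.ec2.internal
"""

# Hypothetical baseline: who is expected to run each instrumented script, and when.
# Triggers on decoy files get no entry, so any execution of them is unexpected.
EXPECTED = {
    "db-backup-script": {"hosts": {"prod-db-01"}, "users": {"backup"}, "hours_utc": range(1, 4)},
}

def parse_alert(text):
    """Split 'Key: value' lines into a dict; the first line is the headline."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    severity, _, title = lines[0].partition(":")
    alert = {"severity": severity.strip(), "title": title.strip()}
    for line in lines[1:]:
        key, sep, value = line.partition(":")  # first colon only, timestamps stay intact
        if sep:
            alert[key.strip()] = value.strip()
    return alert

def triage(alert, expected=EXPECTED):
    """Return the reasons this execution deviates from the baseline (empty if none)."""
    rule = expected.get(alert["Trigger"])
    if rule is None:
        return ["no legitimate executor is defined for this trigger"]
    host = alert["Source Host"].split(" (")[0]
    when = datetime.strptime(alert["Executed at"], "%Y-%m-%d %H:%M:%S UTC")
    reasons = []
    if host not in rule["hosts"]:
        reasons.append(f"unexpected host {host}")
    if alert["User"] not in rule["users"]:
        reasons.append(f"unexpected user {alert['User']}")
    if when.hour not in rule["hours_utc"]:
        reasons.append(f"outside expected window ({when:%H:%M} UTC)")
    return reasons
```

An empty list means the run matches the baseline; anything else is what the on-call analyst should see first.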

Detect Active Compromise

Execution triggers are available in the Enterprise plan at £499/month.