Legitimate users never touch tripwire files. When an insider accesses a decoy document — salary data, credentials, customer lists — you get an instant alert with their IP and user agent. Zero false positives.
[ALERT] salary-review-2026.xlsx opened!
IP: 10.0.14.203 (Internal)
User Agent: Chrome/120 (Windows 11)
Time: 2026-03-22 09:41:17 UTC
[ALERT] admin-passwords.docx accessed!
IP: 10.0.8.55 (Internal)
User Agent: Firefox/121 (macOS)
Time: 2026-03-22 11:03:52 UTC
Monitoring decoy documents...
Nobody has a legitimate reason to open a fake salary spreadsheet or credentials file. Every alert is real.
System admins, database admins, C-suite — deception catches anyone who snoops where they shouldn't.
No software to install on endpoints. Just plant the document and wait. Works across any platform.
Whether it's idle curiosity or deliberate theft, the tripwire fires the same. Intent doesn't matter — access does.
salary-review-2026.xlsx, bonus-structure.xlsx — files nobody can resist opening.
admin-passwords.docx, api-keys.txt — irresistible to anyone with malicious intent.
client-list.csv, customer-export.xlsx — detect data theft before it leaves.
production.env, database.yml — planted in repos and shared drives.
stripe-keys.json, aws-credentials.csv — catch credential harvesting.
board-minutes-2026.docx, restructuring-plan.pdf — detect executive-level snooping.
Where to plant for maximum coverage.
The most common place insiders browse. Plant salary and credentials files in department shares.
Documentation sites and wikis are prime targets. Embed tripwire links in sensitive-looking pages.
Drop .env files, config templates, or credential files into repos that insiders might clone or browse.
S3 buckets, GCS, Azure Blob — plant decoy files alongside real data for maximum believability.
Backup directories are gold mines for insiders. Plant tripwire SQL dumps and export files.
Restricted folders that only authorised personnel should access. Perfect for catching privilege abuse.
What happens when a tripwire is triggered.
Email, Slack, or webhook — your choice. Get alerted the moment a tripwire fires.
IP address, user agent, referrer URL, exact timing — everything you need to investigate.
See all trips in one place with filtering and search. Track patterns across time.
Feed alerts into your existing IR process via webhooks, email, or Slack integration.
Choose from templates or upload custom files. Name them something irresistible — salary data, admin passwords, client lists.
Place tripwire documents on shared drives, in repos, on internal sites — anywhere an insider might browse.
Know who accessed what, when, and from where. Full forensic details delivered to your inbox or Slack.
Document tripwires are free on all plans. Start planting decoy files in minutes.