The next generation of canary tokens — more types, richer alerts, protocol honeypots, cloud credentials, and a modern dashboard. Everything you love about canary tokens, supercharged.
[ALERT] Document accessed: board-minutes-2025.docx
Source: 203.0.113.42 | London, UK
[ALERT] SSH honeypot connection
Source: 198.51.100.7 | SSH brute force attempt
[ALERT] AWS credential token used!
Action: sts:GetCallerIdentity | us-east-1
3 alerts in 4.2 seconds
Monitoring 18+ token types...
Digital tripwires planted where attackers look. When touched, they alert you instantly. No agents, no network changes, no maintenance. The simplest and most reliable way to detect unauthorized access.
Plant tokens where attackers look — documents, config files, credential stores, network services. When touched, they fire. Every alert is a confirmed intrusion.
No agents to install, no network changes required, no software to update. Create a token, plant it, and forget about it until it fires. Truly set-and-forget security.
Sub-second notification with full context on every trigger — source IP, geolocation, user agent, request details. Delivered to Slack, email, or any webhook endpoint.
See how Tripwires stack up against traditional canary token services and having no detection at all.
| Feature | Tripwires | Traditional Canary Tokens | No Detection |
|---|---|---|---|
| Token Types | 18+ | ~10 | 0 |
| Protocol Honeypots | |||
| Cloud Credentials | Limited | ||
| Dashboard | Modern UI | Basic | N/A |
| Alerting | Multi-channel | Email only | N/A |
| Free Tier | N/A |
18+ token types covering every attack vector — from document access to network scanning to credential theft.
Hidden URL tracking pixels
Unique hostname lookups
Tripwired .docx files
Tripwired spreadsheets
Tracked PDF files
Execution-triggered alerts
Browser-triggered tokens
Honeytoken IAM keys
Service account keys
App registration secrets
Physical security tripwires
SSH, PostgreSQL, MySQL, Redis
Cloned website alerts
Full VM with session recording
Tracked configuration files
Tripwired database dumps
Monitored key pair usage
Integrate with any system
Every alert comes packed with context so you can understand the threat and respond immediately. No guesswork.
Know exactly where the attacker is connecting from, with city-level accuracy.
Identify the tool, browser, or script used to trigger the token.
Headers, parameters, timing — everything you need for incident response.
Tag tokens with custom labels to track which assets or locations are being targeted.
See all triggers in chronological order to understand attack patterns.
Slack, email, and webhooks — route alerts wherever your team works.
Modern canary tokens in three simple steps. Start detecting threats in minutes.
18+ types available for every scenario — documents, credentials, honeypots, scripts, QR codes, and more.
Drop tokens in file shares, config files, code repos, network segments, credential stores — anywhere valuable.
IP, user agent, geolocation, timing — every detail you need, delivered instantly to Slack, email, or webhook.
Start with the free plan and experience next-generation deception security. More types, richer alerts, better dashboard.