DecoyOps
The attack chain has evolved

Your honeypot can't see the AI agent. Ours can.

When attackers find a credential today, they hand it to an AI agent — and it validates the access, maps what it can reach, and reports back in seconds. Old-school canaries just log "file accessed." DecoyOps catches the agent in the act: how it behaves, how deep it got, and what it was after.

Open the console See what you're missing
2,700+Incidents captured and threat-scored on a single deployment.
860+Unique attackers profiled and checked against global threat feeds.
ZeroAnalyst hours — it scores, explains, and blocks on its own.
decoyops telemetry console — live
Events2.7k
AI350
Attackers863
Blocked207

Engagement detail SCORE 100

targetfake credential vault verdictAI agent — beaconed back behavior5 machines · ~0.5s cadence reputationMALICIOUS · AbuseIPDB 100/100 responseauto-blocked
L1 — HUMANBait file accessed
L2 — AI AGENTAgent reads content
L3 — INTELAgent beacons back
200+ auto-blockedRepeat attackers firewalled automatically — nobody watching.
Checked on arrivalEvery visitor scored against global threat feeds, instantly.
Caught by behaviorMachine-speed clicks and bot handoffs no human produces.
Plain-English write-upsAn AI analyst summarizes every incident for you.
The new attack chain

Attackers stopped doing the work themselves.

Credential theft used to be the end of the attack chain. Today it's a handoff. Leaked keys go straight to an AI agent that validates access, maps permissions, identifies blast radius, and produces a prioritized target list — faster than your IR team gets paged.

01 — BEFORE

A credential leaks

Attacker finds an .env file, AWS config, or API key in a repo or exposed path. Downloads it manually. Validates by hand. Slow, noisy, detectable with basic monitoring.

02 — NOW

The agent takes over

An AI agent receives the credential. It calls validation endpoints, enumerates IAM roles, maps S3 buckets, and delivers a complete intelligence report — automatically, in seconds, with no human in the loop.

03 — THE GAP

Your honeypot logs: "file accessed"

Traditional canary tokens fire when the file is touched. They cannot tell you an AI agent read the content, what it was tasked with, which tools it was running, or whether it already acted on what it found.

Platform

Three detection layers. Because AI agents don't stop at the first file.

DecoyOps isn't a single tripwire — it's a progressive detection chain. Each layer captures more signal. Together, they tell you not just that someone found your bait, but whether an AI agent did the follow-up and exactly what it was trying to accomplish.

L1 — Human

Direct access detected

A browser, scanner, or human operator touched the bait file. A Canarytoken fires the instant the file is opened. You know someone found it. This is where every other platform stops.

L2 — AI Agent

Agent reads the content

An AI agent processes the bait file. Embedded prompt injection triggers a DNS canary — a distinct signal from the L1 access token. You now know a model read and acted on the content.

L3 — Intel Captured

Agent beacons back

Following bait instructions, the agent calls the DecoyOps intel endpoint and reveals its task, tools, model identity, and workspace. This is the evidence that closes cases — and that nothing else captures.

One engagement, pulled from thousands

This is what an AI attack looks like in your console.

Five machines — most already flagged malicious before they arrived — went after a fake "credential vault" we'd planted. The opening probes landed about half a second apart: machine speed, not human. DecoyOps recognized the automated pattern, scored it the maximum threat, and blocked every one of them — with nobody watching.

It's a single incident. The console ranks hundreds more like it by threat level, so the dangerous ones rise to the top on their own — and writes each one up for you in plain English.

Threat score 100 / 100 Caught by behavior, not guesswork Auto-blocked, no analyst
ENGAGEMENT — CRITICAL one example, live data
targetfake credential-vault trap
verdictAI agent — beaconed back
machines5 IPs · incl. overseas cluster
speed~0.5s between hits — machine pace
reputationGreyNoise: malicious
abuse score100 / 100
threat score100 — critical
responseblocked automatically
write-upAI analyst — plain-English summary
Beyond detection

It doesn't just catch them. It profiles, ranks, and explains.

Knowing an AI agent showed up is step one. DecoyOps turns each visit into an answer you can actually act on.

01

It reads behavior

Real people read, pause, then click. Bots fire in milliseconds with machine-like rhythm. DecoyOps clocks the timing, spots a script wearing a browser's disguise, and even catches the moment a person hands a stolen key off to their bot.

02

It scores the threat

Every incident gets a 0–100 score that blends reputation, behavior, and how far the attacker got. The dangerous ones rise to the top on their own — no scrolling through noise to find the one that matters.

03

It writes the report

An AI analyst turns the raw signals into a plain-English summary of each incident — who, what, how fast, how bad, and what to do next — plus a daily brief. The write-up that used to cost an analyst an hour.

How It Works

Plant bait. Watch agents announce themselves.

DecoyOps is built around a single loop: create believable bait, place it where attackers and AI agents already look, then let the three-layer detection chain do the rest — automatically.

01

Create a bait file

Pick a scenario — AWS credentials, agent instruction files, API configs, MCP manifests, pentest reports. DecoyOps generates a production-realistic file with all three detection layers already embedded.

02

Place it where attackers look

Host directly from DecoyOps, or download and plant the file in a repo root, exposed path, backup folder, or code-agent instruction file. It sits silently until someone — or something — finds it.

03

Separate human from AI signal

L1 fires on direct file access. L2 fires when an AI agent reads the content. L3 captures the agent's operational context when it follows the embedded instructions. Each layer is a distinct, durable signal.

04

Act on enriched evidence

Every alert includes GreyNoise and AbuseIPDB enrichment, a response playbook, and automatic firewall blocking for repeat actors. No manual triage. No alert fatigue. Only evidence that means something.

High-signal bait surfaces

Files that AI-assisted recon reads first:

  • 🔑 .env · AWS credentials · API keys
  • 🤖 AGENTS.md · .cursorrules · Copilot instructions
  • 🔌 .mcp.json · MCP server manifests
  • 🗃 docker-compose.yml · config.json · DB backups
  • 🗺 robots.txt · sitemap.xml · openapi.json
  • 🔒 WireGuard configs · SSH keys · cert bundles

Automated from day one

DecoyOps watches how each visitor behaves and automatically firewalls the ones that cross the line. Over 200 attackers blocked so far — with zero analyst involvement.

New: MCP Server Trap

Log every tool call from AI agents — with full arguments.

DecoyOps serves a fake Model Context Protocol server. Any AI agent that discovers the .mcp.json manifest and initializes the connection will have every JSON-RPC tool call logged in full — method, parameters, tool name, and all arguments. The agent never knows it was captured.

// Agent discovers .mcp.json, calls tools/call:
 
method "tools/call"
tool "get_credential"
args { "service": "aws", "env": "prod" }
session "run-a9f3c2"
 
// Plausible fake response returned.
// L3 alert fires. Agent continues unaware.
Why DecoyOps

Every other platform is L1-only. You need three layers.

Canary tokens are excellent for detecting the moment a credential is accessed. Enterprise deception platforms cover broad attack surfaces. Neither can tell you whether an AI agent did the follow-up, or what it was trying to accomplish.

That's the gap. That's DecoyOps.

Capability Canaries Deception Platforms DecoyOps
L1: Detect file accessKnow when bait is opened
L2: Detect AI agent reading contentSeparate signal when a model processes the bait
L3: Capture task, tools, and modelKnow what the agent was doing
Human vs. AI attributionBrowser, agent, or scanner — distinguished
±
MCP server trapFull JSON-RPC tool calls logged with arguments
Behavioral detectionTiming, machine cadence, human→bot handoff
0–100 threat scoringThe dangerous incidents surface first
±
AI-written incident summariesPlain-English analysis, no analyst time
Automatic firewall blockingRepeat attackers blocked without analyst input
±
Use Cases

Built for the teams who need to see what's coming next.

AI-assisted attacks aren't a future threat — they're happening now. DecoyOps gives security teams the visibility to detect that shift before it reaches real infrastructure.

Security teams

Get ahead of AI-assisted intrusion before it reaches real infrastructure. Detect credential harvesting, repo scraping, cloud key validation, and agent-driven recon — with full context on what was targeted and how the agent was operating.

AI red teams

Run controlled experiments against real prompt-injection canaries and MCP server traps. Measure detection rates against modern agent runtimes. Use actual tool-call logs to tune offensive playbooks and report on AI attack surface coverage.

Start detecting

Make the attacker's AI announce itself.

Traditional honeypots tell you a credential was touched. DecoyOps tells you an AI agent picked it up, how it moved, and how dangerous it is — before it reaches anything real.

Open the console Request a walkthrough