Canarytokens: Zero-Cost Tripwires That All Blue Teams Should Be Using

What if I told you about a free tool that was immediately available to use, took minutes to set up, and could alert you to a possible attacker in your environment via email, Slack, SMS, or almost any other form of communication you use with your Blue Team? Yeah, you’d either say “sign me up” or “how am I only hearing about this tripwire now?”

Well, I have some good news for you because I’m going to let you in on a best-kept secret that’s been frustrating red teamers, penetration testers, and attackers alike since about 2015 — Canarytokens.  

Canarytokens, as described by its creator, Thinkst Canary, is “a free-to-use honeypot solution” that is quick to set up and can provide early detection for a variety of scenarios including DNS scanning, binary execution, folder or file access, Windows event code logging, and many more. Simply stated, canarytokens are tripwires a Blue Team can scatter throughout their network, regardless of their existing IDS/IPS capabilities, and feel confident that there’s a baseline, early-warning trigger that is capable of detecting even the stealthiest of attackers. Your imagination is the only limit on the number of ways you could create and deploy canarytokens within your organization.
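The tripwire idea behind a DNS-style token, as an added example (not code from this post or from Thinkst): each planted token is a unique hostname that nothing legitimate should ever resolve, so any lookup of it is an alert. The zone `tokens.example`, the token labels, the memos and the log format are all constructed assumptions.

```python
import re
from typing import NamedTuple

TOKEN_DOMAIN = "tokens.example"  # assumption: a zone whose query log we can read
# Hypothetical registry: token label -> memo recording where it was planted.
TOKENS = {
    "k3x9q7wz1m": "fake AWS key in build-server ~/.aws/credentials",
    "p0a8d2lr5t": "passwords.docx on finance file share",
}

# Constructed resolver log: "<time> <client ip> <qtype> <qname>"
SAMPLE_LOG = """\
2022-12-08T09:14:02Z 10.20.4.17 A www.example.org.
2022-12-08T09:14:05Z 10.20.4.17 A K3X9Q7WZ1M.tokens.example.
2022-12-08T09:15:40Z 10.20.9.33 TXT host7.p0a8d2lr5t.tokens.example
2022-12-08T09:16:11Z 10.20.9.33 A zzzzzzzzzz.tokens.example.
2022-12-08T09:16:12Z garbage line
"""

class Alert(NamedTuple):
    when: str
    source: str
    token: str
    memo: str
    extra: str  # any labels the client put in front of the token

LINE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)$")

def find_trips(log_text):
    """Return one Alert per query that resolves a registered token hostname."""
    alerts = []
    suffix = "." + TOKEN_DOMAIN
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than crash the monitor
        when, source, _qtype, qname = m.groups()
        name = qname.rstrip(".").lower()  # DNS names are case-insensitive
        if not name.endswith(suffix):
            continue
        labels = name[: -len(suffix)].split(".")
        token = labels[-1]  # the label directly left of the zone
        if token in TOKENS:
            extra = ".".join(labels[:-1])
            alerts.append(Alert(when, source, token, TOKENS[token], extra))
    return alerts

if __name__ == "__main__":
    for a in find_trips(SAMPLE_LOG):
        print(f"[TRIPPED] {a.when} {a.source} -> {a.memo} (extra={a.extra!r})")
```

The memo is what makes an alert actionable: it tells the responder which planted file or credential was touched, which is why descriptive naming at deployment time matters.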

As an ethical hacker, I can personally attest to the efficacy of canarytokens. NetWorks Group’s clients often have some of the most mature and fine-tuned detection capabilities available; this makes it challenging for our red teamers to remain stealthy and undetected as we move carefully through our client’s network during an engagement.  Despite our exceptional talent to avoid detection from the most common and big-name SIEM and IDS/IPS providers, we trigger canarytokens as quickly as anyone else.  Canarytokens are just that difficult to recognize, even compared to routine honeypots, which often have a few tell-tale signs that tip us off to their presence. Canarytokens, when properly named and placed, are nearly impossible for us, as ethical hackers, to recognize during the course of an engagement; if we can’t find them, it’s just as unlikely a real attacker would either.

To find out more about canarytokens, check out or watch a recent YouTube video that @IppSec created demonstrating how to configure and deploy a canarytoken to trigger on a Windows event code.

If you’ve already deployed some canarytokens, and want to verify their configurations by letting us take a stroll through your network, please reach out!  Our goal is to leave your environment more secure than we found it and it would be our privilege to help you deploy such a great, free resource as canarytokens.


Published By: Chris Neuwirth, Senior Penetration Tester, NetWorks Group

Publish Date:  December 8, 2022
