Every attack starts with reconnaissance. Before exploiting a vulnerability, attackers enumerate your application — probing for admin panels, testing for hidden endpoints, scanning for backup files, and mapping the application structure. This reconnaissance phase is an opportunity for defenders. If you can detect the probing, you can respond before any vulnerability is exploited. Honeypot canaries turn this opportunity into actionable intelligence.
How Honeypot Canaries Work
A honeypot canary is a decoy resource that has no legitimate purpose. No user, no application, no automated process should ever access it. When something does access it, you know with certainty that someone is probing your application — because there is no legitimate reason for the request to exist.
ShieldReport deploys a fake admin URL on your domain (e.g., /shield-admin). This endpoint:
- Looks like a real admin login page to the requester
- Is never linked from any page on your site
- Is never accessed by legitimate users, and is disallowed in robots.txt so that well-behaved crawlers skip it (a Disallow line also tells anyone who reads robots.txt that the path exists, so a request for that path after fetching robots.txt is itself a probe)
- Is never referenced in your application code
Someone finds this URL only by actively probing your application: testing common admin paths by hand, running a directory brute-forcing tool over a wordlist of typical administrative endpoints, or reading the Disallow entries in robots.txt and requesting them.
What Triggers an Alert
When any IP address requests the honeypot URL, ShieldReport captures:
- Source IP and geolocation: Where the request originated
- User agent: Browser, bot, or scanning tool identification
- Timestamp: Exact time of the probe
- Request details: Headers, query parameters, and POST data if any
- Referrer: Where the requester came from (if provided)
Alerts are delivered instantly via SMS, email, or webhook — your choice of notification channel ensures you learn about reconnaissance within seconds of it happening.
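As an added example (not ShieldReport's code), here is a minimal WSGI implementation of the pattern described above: a canary endpoint that serves a fake login page and records the fields listed in the alert section, then delivers the record to a webhook. The path /shield-admin is the one the page uses; the webhook URL, the trust-proxy setting and the make_environ/run_request helpers for local testing are assumptions, and geolocation is omitted because it needs an external IP database.

```python
"""Minimal honeypot canary endpoint (WSGI). Added example, not ShieldReport's code."""
import io
import json
import time
import urllib.request
from urllib.parse import parse_qs

CANARY_PATH = "/shield-admin"   # path from the page; never link or reference it anywhere
WEBHOOK_URL = None              # assumed: set to your alert webhook, None disables delivery
TRUST_PROXY = False             # assumed: only honour X-Forwarded-For behind a trusted proxy
MAX_BODY = 64 * 1024            # cap on captured POST data

FAKE_LOGIN_PAGE = b"""<!doctype html><title>Admin Login</title>
<form method="post"><input name="username"><input name="password" type="password">
<button>Sign in</button></form>"""

ALERTS = []  # in-memory record of captured probes; use a queue or database in production


def client_ip(environ):
    # X-Forwarded-For is client-controlled, so use it only behind a proxy you trust.
    xff = environ.get("HTTP_X_FORWARDED_FOR")
    if TRUST_PROXY and xff:
        return xff.split(",")[0].strip()
    return environ.get("REMOTE_ADDR", "unknown")


def capture(environ):
    """Build the alert record: source IP, user agent, timestamp, headers, query, POST data, referrer."""
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    body = environ["wsgi.input"].read(min(length, MAX_BODY)) if length > 0 else b""
    headers = {k[5:].replace("_", "-").title(): v
               for k, v in environ.items() if k.startswith("HTTP_")}
    return {
        "timestamp": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "source_ip": client_ip(environ),   # geolocation would be looked up from this
        "user_agent": environ.get("HTTP_USER_AGENT", ""),
        "referrer": environ.get("HTTP_REFERER", ""),
        "method": environ.get("REQUEST_METHOD", ""),
        "path": environ.get("PATH_INFO", ""),
        "query": parse_qs(environ.get("QUERY_STRING", "")),
        "headers": headers,
        "post_data": parse_qs(body.decode("utf-8", "replace")),
    }


def send_alert(record):
    """Store the record and, if configured, POST it as JSON to the webhook."""
    ALERTS.append(record)
    if WEBHOOK_URL:
        req = urllib.request.Request(WEBHOOK_URL, data=json.dumps(record).encode(),
                                     headers={"Content-Type": "application/json"})
        urllib.request.urlopen(req, timeout=5)


def app(environ, start_response):
    """WSGI app: the canary path alerts and serves a decoy; everything else is 404 here.
    In a real deployment you would mount only the canary route into your existing app."""
    if environ.get("PATH_INFO") == CANARY_PATH:
        send_alert(capture(environ))
        start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
        return [FAKE_LOGIN_PAGE]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"Not Found"]


def make_environ(method, path, query, ip, user_agent, body=b"", referer=""):
    """Assumed helper: build a WSGI environ for a constructed request (local testing only)."""
    env = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
           "REMOTE_ADDR": ip, "HTTP_USER_AGENT": user_agent,
           "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    if referer:
        env["HTTP_REFERER"] = referer
    return env


def run_request(environ):
    """Assumed helper: call the app and return (status, body) without a real server."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, app).serve_forever()
```

Run it and request http://127.0.0.1:8080/shield-admin with a directory brute-forcing tool or curl; the record lands in ALERTS (and at the webhook, if set) while the prober sees an ordinary login form.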
Why Honeypots Beat Log Analysis
Traditional approaches to detecting reconnaissance involve analysing web server logs for suspicious patterns — unusual request rates, 404 spikes, sequential path enumeration. The problem is noise. Legitimate crawlers, broken links, and normal user behaviour generate the same patterns. Tuning log-based detection to avoid false positives often means setting thresholds so high that real attacks slip through.
Honeypots have effectively zero false positives. No legitimate traffic requests a URL that is never linked or referenced, so every alert is a genuine probe. The expected exceptions are your own vulnerability scans and authorised penetration tests, which hit the canary exactly as an attacker would: allowlist those source addresses, or treat their alerts as a check that the alerting pipeline works. This signal clarity makes honeypots one of the highest-value, lowest-maintenance detection mechanisms available.
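To make the false-positive argument concrete, the following added example (not from the page or from ShieldReport) runs a simple 404-threshold detector and a canary-path matcher over a handful of constructed combined-format log lines: a well-behaved crawler that hits five stale URLs, a scanner that tries common admin paths and then the canary, and a normal user following one broken link. The canary path and every address in the log are assumptions.

```python
"""Threshold-based 404 detection versus canary matching over constructed log lines.
Added example; the log lines are constructed, not a real capture."""
import re
from collections import Counter

CANARY_PATH = "/shield-admin"  # assumed canary path

# Constructed combined-format access log (crawler, scanner, ordinary user).
SAMPLE_LOG = """\
198.51.100.10 - - [12/May/2024:10:00:01 +0000] "GET /old-page-1 HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
198.51.100.10 - - [12/May/2024:10:00:02 +0000] "GET /old-page-2 HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
198.51.100.10 - - [12/May/2024:10:00:03 +0000] "GET /old-page-3 HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
198.51.100.10 - - [12/May/2024:10:00:04 +0000] "GET /old-page-4 HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
198.51.100.10 - - [12/May/2024:10:00:05 +0000] "GET /old-page-5 HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
203.0.113.7 - - [12/May/2024:10:05:00 +0000] "GET /admin HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2024:10:05:00 +0000] "GET /administrator HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2024:10:05:01 +0000] "GET /backup.zip HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2024:10:05:01 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2024:10:05:02 +0000] "GET /shield-admin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.55 - - [12/May/2024:10:09:30 +0000] "GET /blog/ HTTP/1.1" 200 8841 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"
192.0.2.55 - - [12/May/2024:10:09:41 +0000] "GET /blog/missing-link HTTP/1.1" 404 153 "https://example.com/blog/" "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def parse_log(lines):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def flag_404_spikes(entries, threshold):
    """Log-analysis approach: any source with at least `threshold` 404s is suspicious."""
    counts = Counter(e["ip"] for e in entries if e["status"] == "404")
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def flag_canary_hits(entries):
    """Honeypot approach: any request for the canary path is a probe, whatever the status."""
    return [(e["ip"], e["ua"]) for e in entries if e["path"] == CANARY_PATH]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG.splitlines())
    for threshold in (4, 5):
        print(f"404 threshold {threshold}: {flag_404_spikes(entries, threshold)}")
    print(f"canary hits: {flag_canary_hits(entries)}")
```

With the threshold at 4 the crawler is flagged alongside the scanner; raising it to 5 to silence the crawler drops the scanner as well, while the canary match names only the scanner at either setting.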
Defence in Depth
Honeypots do not replace other defences; they complement them. While your WAF blocks known attack patterns and your scanner finds vulnerabilities, your honeypot detects the attacker's presence before they reach the exploit phase. The first four stages of the Cyber Kill Chain are reconnaissance, weaponization, delivery and exploitation; honeypots catch attackers at the first of these, giving you the maximum possible response time.
ShieldReport deploys honeypot canary URLs on your domain with instant alerting via SMS, email, or webhook — catching attackers during the reconnaissance phase, before they find real vulnerabilities to exploit.