Nexus Canary — Honeytokens & Deception
A canary is a decoy with no legitimate reason to be touched. Plant it where an intruder will find it; the moment it is accessed, you have a near-zero-false-positive signal that something is wrong. Detection is deterministic — no AI, no guesswork.
- Best-of: Canary tokens · Honeypots (deception)
- Fidelity: Deterministic — 100%, no AI
- Alert: NEXUS-CANARY-001 · level 14
- Edition: All tiers
What it does
You mint a token, deploy it somewhere an attacker would stumble across it, and wait. Because the token serves no real purpose, any interaction with it is almost certainly hostile — making it one of the cleanest breach signals you can get.
- credential — a fake username/password pair.
- aws_key — a decoy AWS access key.
- url — a tripwire link / web-bug.
- dns — a canary hostname.
- file — a bait document.
- env — a planted environment variable.
How to use it
nexus-cli canary-mint --type aws_key --label "ci-key"
nexus-cli canary-list
nexus-cli canary-stats
nexus-cli canary-del --id <id>
How detection works
Detection is deterministic — 100% fidelity, with no AI involved. There are two paths:
- Telemetry scan — the manager scans real ingested telemetry for the token's marker. If the decoy credential, key or hostname shows up in your logs, it fires.
- URL endpoint — a public GET /c/<marker> endpoint. Deploy that URL anywhere as a link or web-bug; any access triggers it.
GET /c/<marker> # accessing this trips the canary
How it feeds the pipeline
A trigger creates a level-14 CRITICAL alert (rule NEXUS-CANARY-001) that flows straight into the existing chain: alert → XDR → SOAR → notification. So a tripped canary can correlate into an incident, fire a playbook, and reach your team — automatically.
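As an added illustration of the two detection paths above and the level-14 CRITICAL alert they hand to the pipeline (example code written here, not part of Nexus or this page), assuming Python; the labels, markers, log lines and Alert shape are constructed for the demo:

```python
import re
from dataclasses import dataclass
# Constructed decoys (hypothetical labels/markers, not real keys): "marker" is the literal string both paths look for.
CANARIES = {
    "ci-key":   {"type": "aws_key",    "marker": "AKIACANARY0000EXAMPLE"},
    "svc-pass": {"type": "credential", "marker": "svc_backup_canary"},
    "web-bug":  {"type": "url",        "marker": "7f3a9bcanary"},
}
RULE_ID, LEVEL, SEVERITY = "NEXUS-CANARY-001", 14, "CRITICAL"

@dataclass(frozen=True)
class Alert:
    rule_id: str
    level: int
    severity: str
    label: str       # the --label given at mint time, so the responder knows which decoy fired
    token_type: str
    path: str        # "telemetry" or "url": which detection path tripped
    evidence: str    # the matching log line, or the client address that hit the endpoint

def scan_telemetry(lines):
    """Path 1: literal substring match over ingested telemetry; a line fires iff it contains a planted marker."""
    alerts = []
    for line in lines:
        for label, tok in CANARIES.items():
            if tok["marker"] in line:
                alerts.append(Alert(RULE_ID, LEVEL, SEVERITY, label, tok["type"], "telemetry", line))
    return alerts

def canary_endpoint(method, request_path, client_addr):
    """Path 2: handler for the public GET /c/<marker> endpoint; any hit on a known marker is an alert."""
    m = re.fullmatch(r"/c/([A-Za-z0-9_-]+)", request_path)
    if method != "GET" or m is None:
        return None
    for label, tok in CANARIES.items():
        if tok["marker"] == m.group(1):
            return Alert(RULE_ID, LEVEL, SEVERITY, label, tok["type"], "url", client_addr)
    return None  # unknown marker: not a canary, nothing fires

# Constructed sample telemetry: benign SSH login, CloudTrail call with the decoy key, proxy hit on the web-bug, benign app login.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z sshd[412]: Accepted publickey for deploy from 10.0.0.5",
    "2024-05-01T10:02:17Z cloudtrail: GetCallerIdentity accessKeyId=AKIACANARY0000EXAMPLE srcIP=203.0.113.9",
    '2024-05-01T10:03:40Z nginx: 198.51.100.7 "GET /c/7f3a9bcanary HTTP/1.1" 200',
    "2024-05-01T10:04:02Z app: login ok for alice",
]
if __name__ == "__main__":
    for a in scan_telemetry(SAMPLE_LOGS) + [canary_endpoint("GET", "/c/7f3a9bcanary", "198.51.100.7")]:
        print(f"[{a.rule_id} level {a.level} {a.severity}] {a.token_type} '{a.label}' via {a.path}: {a.evidence}")
```

Both paths produce the same alert record, which is what lets a tripped decoy enter the alert → XDR → SOAR → notification chain unchanged.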
Tips
- Place tokens where legitimate users never go — there is no reason for a real workflow to touch them.
- Use the url type as a web-bug in documents and pages to catch exfiltration.
- Give each token a clear --label so a trigger immediately tells you which decoy fired.