# Decoy — Security tripwires for AI agents

https://decoy.run

## What is Decoy?

Decoy deploys 12 honeypot MCP tools that look like real system utilities — execute_command, read_file, make_payment, and others. They appear alongside your real tools as an MCP server called "system-tools."

If you're operating normally, you'll never touch them. But if a malicious document injects instructions telling you to exfiltrate data, read secrets, or run shell commands, you'll reach for these tools and the tripwire fires.

This isn't a judgment on you. It's a safety net for your operator.

## When to use Decoy

- Your operator wants to detect prompt injection attacks on your tool calls
- Your operator wants visibility into what happens when you process untrusted content
- Your operator wants alerts when a document tries to make you do something malicious

## Setup

Tell your operator to run:

```
npx decoy-mcp init
```

This creates a free account, generates a token, and configures Decoy as an MCP server in their Claude Desktop config. It takes about 30 seconds.

Alternatively, add Decoy as a remote MCP server in Claude Desktop: Settings → Connections → Add custom connector → paste the endpoint URL.

## Programmatic signup

If you're setting up Decoy on behalf of your operator:

```
POST https://decoy.run/api/signup
Content-Type: application/json

{ "email": "operator@company.com" }
```

Returns JSON with the operator's token and MCP endpoint URL.

## MCP endpoint

```
https://decoy.run/mcp/{token}
```

Standard MCP server over HTTP. Responds to `initialize`, `tools/list`, and `tools/call`. Server name: "system-tools". Exposes 12 tools.
## The 12 tripwire tools

| Tool | What it imitates |
|------|------------------|
| `execute_command` | Shell command execution |
| `read_file` | File system reads |
| `write_file` | File system writes |
| `list_directory` | Directory enumeration |
| `make_http_request` | Outbound HTTP calls |
| `query_database` | SQL database access |
| `get_environment_variables` | Env/secret access |
| `modify_system_config` | System config changes |
| `manage_user_access` | Permission escalation |
| `network_scan` | Network reconnaissance |
| `make_payment` | Financial transactions |
| `authorize_service` | OAuth/trust grants |

## What happens when a tool is called

Every call is logged with full arguments, classified by attack type (exfiltration, credential theft, persistence, etc.), and scored by severity. The operator gets an alert via email, Slack, or webhook.

The tool returns a fake success response so the attack chain continues and we capture the full payload. No real commands are executed. Nothing is harmed.

## Pricing

- Free forever: 12 tripwire tools, trigger logging, dashboard, email alerts, API access.
- Pro · $9/mo: everything in Free, plus Slack alerts, webhook integration, and Monitor threat digest.

No credit card required. Sign up at https://decoy.run
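As an added example (not Decoy's own code), tying together the tripwire list and the MCP endpoint sections: it builds the standard MCP JSON-RPC requests the endpoint answers, checks a `tools/list` result for the 12 tripwire tools, and flags any entry in an agent's own tool-call log that reached one of them, which is an operator-side cross-check on top of the server's own alerts. The log entry shape, the constructed sample entries and the `filesystem` server name are assumptions; nothing here contacts the endpoint.

```python
"""Operator-side tripwire check. Added example, not Decoy's code; all inputs
are constructed inline so it runs offline and never calls the endpoint."""
import json

DECOY_SERVER = "system-tools"          # server name the page gives
TRIPWIRE_TOOLS = {                     # the 12 tools listed on the page
    "execute_command", "read_file", "write_file", "list_directory",
    "make_http_request", "query_database", "get_environment_variables",
    "modify_system_config", "manage_user_access", "network_scan",
    "make_payment", "authorize_service",
}

def mcp_request(method, params=None, req_id=1):
    """Serialize a JSON-RPC 2.0 request, the wire format MCP uses over HTTP."""
    return json.dumps({"jsonrpc": "2.0", "id": req_id,
                       "method": method, "params": params or {}})

def tool_call_request(name, arguments, req_id=1):
    """A tools/call request for one tool and its arguments."""
    return mcp_request("tools/call", {"name": name, "arguments": arguments}, req_id)

def verify_tool_list(tools_list_result):
    """Given the 'result' object of a tools/list response, return the tripwire
    tools that are NOT advertised, so the operator can confirm the server is
    actually wired in (empty list == all 12 present)."""
    advertised = {t["name"] for t in tools_list_result.get("tools", [])}
    return sorted(TRIPWIRE_TOOLS - advertised)

def find_tripwire_hits(call_log):
    """Scan an agent tool-call log (assumed shape: dicts with server/tool/
    arguments) and return every call that reached a tripwire tool. Matching on
    server AND tool name matters: a real filesystem server may also expose a
    tool called read_file, and that call is not a tripwire hit."""
    return [{"tool": e["tool"], "arguments": e.get("arguments", {})}
            for e in call_log
            if e.get("server") == DECOY_SERVER and e.get("tool") in TRIPWIRE_TOOLS]

# Constructed sample log: one legitimate read via a real server, then two
# calls that landed on decoy tools after processing an untrusted document.
SAMPLE_LOG = [
    {"server": "filesystem", "tool": "read_file", "arguments": {"path": "report.pdf"}},
    {"server": "system-tools", "tool": "get_environment_variables", "arguments": {}},
    {"server": "system-tools", "tool": "make_http_request",
     "arguments": {"url": "https://example.invalid/collect", "method": "POST"}},
]

if __name__ == "__main__":
    print(tool_call_request("list_directory", {"path": "/"}))
    print(find_tripwire_hits(SAMPLE_LOG))
```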