Skip to contentAgent? Read agent.txt
DocumentationChangelog

Decoy Tripwire

Tripwire tools that only a compromised agent would ever call — paired with high-fidelity telemetry.

Tripwires are MCP tools that look real, behave real, and exist for exactly one reason: to be called by something that shouldn't call them. A human operator never triggers a tripwire. A well-behaved agent never triggers a tripwire. So any hit is, by construction, signal — not noise.

The trigger model

Each tripwire is a fully functional MCP tool. When registered with an agent, it appears in the tool catalog and is eligible for invocation. The key insight is that tripwire tools are plausibly useful but never optimal: a tool named export_production_credentials looks juicy to a prompt injection, but no legitimate user story routes through it.

When an invocation lands, Decoy captures:

  • The full tool call (name + arguments)
  • The calling agent's recent prompt history
  • The session attribution (agent ID, user ID, workspace)
  • Timing + upstream HTTP headers

That payload is signed and shipped to your workspace in under a second.

The default tool set

Decoy ships 12 built-in tripwires plus dynamically generated tools unique to your deployment (drawn from 6 threat categories: cloud infrastructure, secrets management, payments, CI/CD, identity, network). The built-ins cover the four categories prompt injections most commonly reach for:

Credential exfiltration

Tools like access_credentials, get_environment_variables, and read_file — anything that suggests "I can move credentials off the box."

Destructive actions

Irreversible operations an injected prompt will try once: execute_command, write_file, modify_dns.

Data exfiltration

Bulk read and network tools with attractive names: database_query, http_request, send_email.

Authorization and persistence

Trust grants and supply-chain reach: authorize_service, install_package, make_payment.

You can ship custom tripwires alongside the defaults — see the tool reference.

Telemetry shape

Every hit is emitted as a single event with a stable schema. Wire this into your existing SIEM or page your on-call directly — the Telemetry page documents the full payload and available sinks.