Honeyfile
What is Honeyfile?
Honeyfile: A decoy document planted in storage to trigger an alert if an attacker or insider reads, copies, or exfiltrates it.
A honeyfile is a fake but believable document — for example a file named passwords.xlsx, contracts-2026.docx, or aws-keys.txt — placed in directories where curious attackers or rogue insiders are likely to browse. The file contains no real value but is instrumented so that any access generates an immediate, high-fidelity alert. Honeyfiles are cheap, generate very few false positives, and are effective for detecting lateral movement, ransomware reconnaissance, and data theft. They are typically deployed on file shares, endpoints, and cloud storage buckets alongside endpoint detection and data-loss prevention tools as part of a broader deception strategy.
● Examples
- 01 A fake passwords.xlsx on a shared drive that pages the SOC when opened.
- 02 A canary AWS credentials file that fires when used against the IAM API.
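How the alerting side of the shared-drive decoy can work, as an added example that is not part of the original entry: it filters file-access audit events for decoy paths, ignores allowlisted service accounts, and merges repeats into one alert per actor. The JSON event schema, share paths, account names and the high/critical severity split are assumptions made for illustration.

```python
import json

# Decoy names come from the page; the share paths are constructed.
HONEYFILES = [r"\\fs01\finance\passwords.xlsx",
              r"\\fs01\legal\contracts-2026.docx",
              r"\\fs01\devops\aws-keys.txt"]
ALLOWLIST = {"svc-backup", "svc-av"}         # hypothetical accounts that scan every file
DESTRUCTIVE = {"write", "rename", "delete"}  # decoy altered, not just opened

def normalize(path):
    """Fold case and separators so differently written paths compare equal."""
    return path.replace("/", "\\").lower()

DECOYS = {normalize(p) for p in HONEYFILES}

def detect(log_lines):
    """Return one alert per (user, host, decoy), merging repeated events."""
    alerts = {}
    for line in log_lines:
        try:
            ev = json.loads(line)
            path, user = normalize(ev["path"]), ev["user"].lower()
            host, op, ts = ev["host"], ev["op"], ev["ts"]
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # malformed record: skip it rather than stop processing
        if path not in DECOYS or user in ALLOWLIST:
            continue
        alert = alerts.setdefault((user, host, path), {
            "user": user, "host": host, "path": path,
            "first_seen": ts, "ops": [], "severity": "high"})
        if op not in alert["ops"]:
            alert["ops"].append(op)
        if op in DESTRUCTIVE:
            alert["severity"] = "critical"
    return list(alerts.values())

# Constructed events in a hypothetical JSON-lines file-audit schema.
SAMPLE_LOG = [
    r'{"ts":"2026-01-12T02:00:05Z","user":"svc-backup","host":"bkp01","op":"read","path":"\\\\fs01\\finance\\passwords.xlsx"}',
    r'{"ts":"2026-01-12T09:14:02Z","user":"jdoe","host":"ws-114","op":"read","path":"//FS01/Finance/Passwords.xlsx"}',
    r'{"ts":"2026-01-12T09:14:40Z","user":"JDOE","host":"ws-114","op":"read","path":"\\\\fs01\\finance\\passwords.xlsx"}',
    r'{"ts":"2026-01-12T09:15:11Z","user":"jdoe","host":"ws-114","op":"read","path":"\\\\fs01\\finance\\q4-report.xlsx"}',
    r'{"ts":"2026-01-12T11:30:00Z","user":"msmith","host":"ws-207","op":"read","path":"\\\\fs01\\legal\\contracts-2026.docx"}',
    r'{"ts":"2026-01-12T11:30:01Z","user":"msmith","host":"ws-207","op":"rename","path":"\\\\fs01\\legal\\contracts-2026.docx"}',
    'truncated {"ts":',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(json.dumps(a))
```

The allowlist is what keeps the false-positive rate low in practice: backup and antivirus jobs touch every file, so they are excluded by account rather than by weakening the decoy match.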
● Frequently asked questions
What is Honeyfile?
A decoy document planted in storage to trigger an alert if an attacker or insider reads, copies, or exfiltrates it. It belongs to the Defense & Operations category of cybersecurity.
How do you defend against Honeyfile?
Defences for Honeyfile typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Honeyfile?
Common alternative names include: Decoy file, Canary file.
● Related terms
- Deception Technology (defense-ops, № 293)
A defensive approach that deploys decoys, breadcrumbs, and fake assets across the environment to detect, mislead, and study attackers with high fidelity.
- Honeyuser (defense-ops, № 487)
A fake identity provisioned in directory services and HR systems so that any login attempt or enumeration immediately reveals an attacker.
- Honey Account (defense-ops, № 482)
A decoy credential or account — often without a full identity persona — designed to trigger alerts when attempted by an attacker.
- Honeytoken (network-security, № 486)
A piece of fake data — credential, file, record, or API key — that has no legitimate use and triggers an alert the moment it is accessed.
- Honeypot (network-security, № 485)
A decoy system or service deliberately exposed to attract attackers, observe their techniques, and divert them from production assets.
- Active Defense (defense-ops, № 012)
A defensive strategy that goes beyond passive monitoring to engage, mislead, and disrupt adversaries inside the defender's own network and assets.