Honeytoken
What is Honeytoken?
Honeytoken: A piece of fake data — credential, file, record, or API key — that has no legitimate use and triggers an alert the moment it is accessed.
A honeytoken is a deception artifact embedded inside real systems so that any use of it is, by design, malicious or anomalous. Examples include planted user accounts, fake database rows, decoy AWS access keys, watermarked documents, or DNS records that beacon back when resolved. Because honeytokens are inert and never used by legitimate processes, they generate near-zero false positives and provide high-fidelity, early signal of credential theft, data staging, or insider misuse. They complement traditional detection by extending visibility into places where logs are sparse, such as third-party SaaS, source-code repositories, and backups.
● Examples
- An AWS access key planted in a Git repository that alerts when used.
- A fake "executive_salaries.xlsx" file on a file share whose open is logged.
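The first example above, sketched as detection logic (an added example, not code from this page): it scans CloudTrail-style records for any use of a decoy access key ID and alerts even when the call was denied, since the key has no legitimate use. Assumptions: one JSON record per line, AWS's documented example key IDs as placeholders, and constructed sample records.

```python
import json

# Placeholder for the planted decoy: AWS's documented example key ID.
DECOY_KEY_IDS = {"AKIAIOSFODNN7EXAMPLE"}

# Constructed CloudTrail-style records, one per line; IPs are documentation ranges.
SAMPLE_LOG = """\
{"eventTime":"2024-05-01T10:00:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","sourceIPAddress":"192.0.2.10","userAgent":"aws-cli/2.15","userIdentity":{"accessKeyId":"AKIAI44QH8DHBEXAMPLE"}}
{"eventTime":"2024-05-01T10:04:11Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","sourceIPAddress":"198.51.100.23","userAgent":"python-requests","userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}
{"eventTime":"2024-05-01T10:04:15Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","sourceIPAddress":"198.51.100.23","userAgent":"python-requests","errorCode":"AccessDenied","userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}
{"eventTime":"2024-05-01T10:05:00Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","sourceIPAddress":"s3.amazonaws.com","userIdentity":{"type":"AWSService"}}
{"eventTime":"2024-05-01T10:06:00Z","eventSource": truncated
"""


def find_honeytoken_use(lines, decoy_ids=DECOY_KEY_IDS):
    """Return (alerts, unparsed_count) for records that used a decoy key."""
    alerts, unparsed = [], 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            unparsed += 1  # count it: silent gaps in telemetry hide real hits
            continue
        identity = rec.get("userIdentity") if isinstance(rec, dict) else None
        key_id = identity.get("accessKeyId") if isinstance(identity, dict) else None
        if key_id not in decoy_ids:
            continue
        # No allow-list and no success filter: a denied call still proves
        # that someone found the key and tried it.
        alerts.append({
            "time": rec.get("eventTime"),
            "key_id": key_id,
            "action": f'{rec.get("eventSource")}:{rec.get("eventName")}',
            "source_ip": rec.get("sourceIPAddress"),
            "user_agent": rec.get("userAgent"),
            "outcome": rec.get("errorCode", "Success"),
        })
    return alerts, unparsed


if __name__ == "__main__":
    hits, skipped = find_honeytoken_use(SAMPLE_LOG.splitlines())
    for hit in hits:
        print("HONEYTOKEN ALERT", json.dumps(hit))
    print(f"unparsed records: {skipped}")
```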
● Frequently asked questions
What is Honeytoken?
A piece of fake data — credential, file, record, or API key — that has no legitimate use and triggers an alert the moment it is accessed. It belongs to the Network Security category of cybersecurity.
How do you defend against Honeytoken?
Defences for Honeytoken typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Honeytoken?
Common alternative names include: Decoy credential, Lure data.