A canary token is a planted digital artifact designed to trigger an alert when someone accesses, moves, or uses it unexpectedly. It matters because simple tripwires can reveal attacker activity that might otherwise stay quiet for too long.
What is a Canary Token?
Canary tokens may look like credentials, URLs, files, documents, API keys, DNS references, or other artifacts that should never be touched during normal operations. If they are accessed, defenders receive a signal that something suspicious may be happening.
What Canary Tokens Commonly Detect
Common detection cases include unauthorized browsing of shares, credential theft attempts, unexpected outbound lookups, lateral movement curiosity, and misuse of planted cloud or document artifacts.
Canary Token vs. Honeypot
A canary token is usually a lightweight alerting trap. A honeypot is a more substantial decoy environment or service designed to attract and study attacker behavior.
Frequently Asked Questions
Why are canary tokens useful?
Because they can produce high-signal alerts with relatively low complexity when placed thoughtfully.
Do canary tokens stop attackers?
No. They are a detection aid, not a standalone prevention control.
Related Cybersecurity Terms
