Skip to main content

A carnivorous honeypot for AI agents

Sundew deploys realistic-looking services that attract autonomous AI agents, then fingerprints and classifies their behavior. Each deployment is unique — powered by a persona engine that generates coherent identities, making every instance indistinguishable from a real service. Named after the sundew plant — a carnivorous plant with sticky tentacles that glisten like dewdrops. Insects are attracted, land, and cannot escape.

Quickstart

Deploy your first honeypot in 5 minutes

How it works

Understand the architecture

Persona engine

Every deployment is unique

Configuration

Customize traps, LLM, and storage

Why Sundew?

Autonomous AI agents are the next frontier in offensive security. They browse the web, call APIs, connect to MCP servers, and execute multi-step attack chains — all without human guidance. Thirty years of honeypot research has focused on human attackers. Almost nothing exists for AI agents. Sundew fills that gap. It exposes the surfaces AI agents actually interact with — MCP servers, OpenAPI specs, AI plugin manifests — and uses behavioral fingerprinting to classify whether visitors are human, automated scanners, AI-assisted tools, or fully autonomous agents. The core innovation is the persona engine. When an AI agent learns what one honeypot looks like, it can avoid all identical deployments. Sundew solves this by generating a unique identity for every instance — different company names, API structures, response formats, timing profiles, and data themes.

What you’ll see

When an AI agent discovers your Sundew deployment, the logs tell the story: 
$ sundew serve
INFO   Sundew v0.1.0 starting...
INFO   Persona loaded: Northvane Analytics (fintech)
INFO   Endpoints: /api/v2/transactions, /api/v2/accounts, /api/v2/customers
INFO   MCP server active: query_transactions, get_customer_profile, read_config
INFO   Listening on 0.0.0.0:8080

12:04:31 GET  /.well-known/ai-plugin.json     src=83.21.4.17   signal=ai_discovery
12:04:31 GET  /openapi.json                    src=83.21.4.17   signal=api_enum
12:04:32 GET  /api/v2/transactions?limit=100   src=83.21.4.17   signal=data_access
12:04:33 MCP  initialize                       src=83.21.4.17   signal=mcp_connect
12:04:34 MCP  tools/call: read_config          src=83.21.4.17   signal=sensitive_access

SESSION CLASSIFIED: ai_agent (confidence: 0.91)
  Timing:      0.85 (consistent 200-800ms intervals)
  Enumeration: 0.92 (systematic path discovery)
  Headers:     0.78 (missing Referer, bot-like UA)
  MCP:         1.00 (connected via MCP protocol)
  Prompt leak: 0.88 ("As an AI assistant" in POST body)