
Overview

Sundew is a passive honeypot: it serves fabricated data, logs every inbound request, and never executes attacker-supplied code. The system has four layers:
  1. Trap surfaces receive incoming requests (MCP, REST API, AI discovery endpoints)
  2. Fingerprinter scores each request on five behavioral signals
  3. Classifier maps the composite score to an attack category
  4. Storage persists events to SQLite and a streaming JSONL log
The persona engine shapes everything above it: endpoint paths, response bodies, headers, timing, error formats, tool names, and data themes. Every deployment is therefore unique.

Request flow

                     Incoming Request
                           |
                +----------+-----------+
                |                      |
          MCP Protocol           HTTP Request
                |                      |
        +-------+-------+    +---------+---------+
        | MCP Trap      |    | REST API Trap     |
        | Fake tools    |    | Fake endpoints    |
        | per persona   |    | per persona       |
        +-------+-------+    +---------+---------+
                |                      |
                +----------+-----------+
                           |
                 +---------+---------+
                 | Fingerprinter     |
                 | 5 signal scores   |
                 | 0.0-1.0 each      |
                 +---------+---------+
                           |
                  +---------+---------+
                  | Classifier        |
                  | human             |
                  | automated         |
                  | ai_assisted       |
                  | ai_agent          |
                  +---------+---------+
                           |
                 +---------+---------+
                 | Storage           |
                 | SQLite + JSONL    |
                 +-------------------+

Classification

The fingerprinter produces a composite score from 0.0 to 1.0. The classifier maps it to one of four categories:

  Score range   Classification   Description
  < 0.3         human            Normal browser traffic
  0.3 – 0.6     automated        Scripted scanners, bots
  0.6 – 0.8     ai_assisted      Human using AI tools
  > 0.8         ai_agent         Fully autonomous AI agent
Sessions are grouped by source IP and temporal proximity; a session's classification is recomputed as further requests arrive and its composite score stabilizes. Grouping on source IP alone has a known consequence: requests from several actors behind one NAT or proxy merge into a single session, while one actor that rotates egress IPs appears as several.
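The classification stage as an added example, not Sundew's own code: it combines five signal scores into a composite, maps the composite to the four categories above, and groups requests into sessions that are re-labelled as each request arrives. Several details are assumptions the page does not state: the five signals are combined by an unweighted mean; the boundary values are resolved as human < 0.3 <= automated < 0.6 <= ai_assisted <= 0.8 < ai_agent; two requests from one IP more than 300 seconds apart start a new session; and requests arrive in timestamp order. The sample traffic is constructed, not captured.

```python
# Added example (not Sundew's own code): the classification stage described
# above, with sessions grouped by source IP and temporal proximity.
# Assumptions not stated on the page: the five signal scores are combined by an
# unweighted mean; boundaries are resolved as human < 0.3 <= automated
# < 0.6 <= ai_assisted <= 0.8 < ai_agent; requests from one IP more than
# 300 s apart start a new session; requests arrive in timestamp order.
from dataclasses import dataclass, field
from statistics import mean

SESSION_GAP_SECONDS = 300.0  # assumed "temporal proximity" window
SIGNAL_COUNT = 5             # the fingerprinter emits five signals, 0.0-1.0 each


def composite_score(signals):
    """Collapse one request's signal scores into a single composite score."""
    if len(signals) != SIGNAL_COUNT:
        raise ValueError(f"expected {SIGNAL_COUNT} signals, got {len(signals)}")
    if any(not 0.0 <= s <= 1.0 for s in signals):
        raise ValueError(f"signal out of range: {signals}")
    return mean(signals)  # assumption: unweighted mean


def classify(score):
    """Map a composite score to one of the four attack categories."""
    if not 0.0 <= score <= 1.0:
        raise ValueError(f"composite score out of range: {score}")
    if score < 0.3:
        return "human"
    if score < 0.6:
        return "automated"
    if score <= 0.8:
        return "ai_assisted"
    return "ai_agent"


@dataclass
class Session:
    source_ip: str
    first_seen: float
    last_seen: float
    scores: list = field(default_factory=list)

    @property
    def composite(self):
        # Session-level composite: mean over every request seen so far, so the
        # label settles as more requests arrive.
        return mean(self.scores)

    @property
    def classification(self):
        return classify(self.composite)


class SessionTracker:
    """Groups requests into sessions keyed on source IP and inter-request gap."""

    def __init__(self, gap_seconds=SESSION_GAP_SECONDS):
        self.gap_seconds = gap_seconds
        self.sessions = []   # every session, in creation order
        self._open = {}      # source_ip -> most recent session for that IP

    def observe(self, source_ip, timestamp, signals):
        """Attach one request to its session and return the updated label."""
        score = composite_score(signals)
        session = self._open.get(source_ip)
        if session is None or timestamp - session.last_seen > self.gap_seconds:
            session = Session(source_ip, timestamp, timestamp)
            self.sessions.append(session)
            self._open[source_ip] = session
        session.last_seen = timestamp
        session.scores.append(score)
        return session.classification


# Constructed sample traffic (not captured data): a browsing human, a burst
# from a second IP whose label climbs as its scores arrive, then the first IP
# returning after the gap, which opens a fresh session.
SAMPLE_REQUESTS = [
    ("203.0.113.7",  0.0,   (0.1, 0.2, 0.1, 0.0, 0.1)),
    ("203.0.113.7",  4.0,   (0.2, 0.3, 0.1, 0.2, 0.2)),
    ("198.51.100.9", 10.0,  (0.5, 0.6, 0.4, 0.5, 0.5)),
    ("198.51.100.9", 10.2,  (0.9, 1.0, 0.8, 0.9, 0.9)),
    ("198.51.100.9", 10.4,  (0.9, 0.9, 1.0, 0.8, 0.9)),
    ("203.0.113.7",  900.0, (0.4, 0.5, 0.3, 0.4, 0.4)),
]


def run_sample(requests=SAMPLE_REQUESTS):
    """Return (per-session summary, per-request label trajectory)."""
    tracker = SessionTracker()
    trajectory = [tracker.observe(ip, ts, sig) for ip, ts, sig in requests]
    summary = [(s.source_ip, round(s.composite, 3), s.classification)
               for s in tracker.sessions]
    return summary, trajectory


if __name__ == "__main__":
    summary, trajectory = run_sample()
    for ip, score, label in summary:
        print(f"{ip:<14} composite={score:.3f} -> {label}")
    print("per-request labels:", trajectory)
```

The second IP illustrates the "updated as more requests arrive" behaviour: its first request alone scores 0.5 (automated), and the session is re-labelled ai_assisted once the two high-scoring requests follow. The first IP's return after the 300-second gap is a separate session, so its earlier human label is not diluted by the later scan-like request.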

Data storage

Events are persisted in two formats:
  • SQLite (./data/sundew.db): structured storage for queries, sessions, and aggregated fingerprints
  • JSONL (./data/events.jsonl): append-only streaming log for real-time processing and export
Both are queryable via the CLI (sundew query) or the MCP server (sundew mcp-client).
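The dual persistence described above as an added example, not Sundew's own code: each event is appended to a JSONL log and inserted into a SQLite table, then both stores are read back. The event fields, the table schema and the use of a temporary directory in place of ./data are assumptions; Sundew's actual schema is not shown on this page. The point the example makes is that the request path is attacker-controlled: it goes through a parameterized INSERT rather than string formatting, and json.dumps escapes an embedded newline, so an attempt to smuggle a fake record into the JSONL file still lands as one line. The sample events are constructed, not captured.

```python
# Added example (not Sundew's own code): the dual persistence described above,
# writing each event to a SQLite table and to an append-only JSONL log, then
# querying both. The event fields, table schema and file names inside a
# temporary directory are assumptions; Sundew's real schema is not shown here.
# The request path is attacker-controlled, so it goes through parameterized
# SQL and json.dumps, which escapes embedded newlines and keeps the
# one-record-per-line invariant that streaming JSONL consumers rely on.
import json
import os
import sqlite3
import tempfile

SCHEMA = """
CREATE TABLE IF NOT EXISTS events (
    id        INTEGER PRIMARY KEY,
    ts        REAL NOT NULL,
    source_ip TEXT NOT NULL,
    surface   TEXT NOT NULL,   -- mcp | rest | discovery (assumed values)
    path      TEXT NOT NULL,   -- attacker-supplied, stored verbatim
    score     REAL NOT NULL,
    label     TEXT NOT NULL
);
CREATE INDEX IF NOT EXISTS events_ip_ts ON events (source_ip, ts);
"""


class EventStore:
    def __init__(self, db_path, jsonl_path):
        self.db = sqlite3.connect(db_path)
        self.db.executescript(SCHEMA)
        self.jsonl_path = jsonl_path

    def record(self, event):
        # JSONL first: one compact object per line, appended and closed so a
        # tailing consumer sees the record as soon as it is written.
        with open(self.jsonl_path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(event, separators=(",", ":")) + "\n")
        # SQLite second, parameterized: no string formatting of request data.
        with self.db:
            self.db.execute(
                "INSERT INTO events (ts, source_ip, surface, path, score, label) "
                "VALUES (?, ?, ?, ?, ?, ?)",
                (event["ts"], event["source_ip"], event["surface"],
                 event["path"], event["score"], event["label"]),
            )

    def counts_by_label(self):
        rows = self.db.execute(
            "SELECT label, COUNT(*) FROM events GROUP BY label ORDER BY label"
        ).fetchall()
        return dict(rows)

    def requests_for_ip(self, source_ip):
        return self.db.execute(
            "SELECT ts, surface, path FROM events WHERE source_ip = ? ORDER BY ts",
            (source_ip,),
        ).fetchall()

    def replay_jsonl(self):
        """Read the log back the way a streaming consumer would: line by line."""
        with open(self.jsonl_path, encoding="utf-8") as fh:
            return [json.loads(line) for line in fh if line.strip()]

    def close(self):
        self.db.close()


# Constructed sample events (not captured data). The last path carries a
# newline and a fake record: a log-injection attempt against the JSONL file.
SAMPLE_EVENTS = [
    {"ts": 1.0, "source_ip": "203.0.113.7", "surface": "rest",
     "path": "/api/v1/users", "score": 0.1, "label": "human"},
    {"ts": 2.0, "source_ip": "198.51.100.9", "surface": "discovery",
     "path": "/.well-known/ai-discovery", "score": 0.9, "label": "ai_agent"},
    {"ts": 2.5, "source_ip": "198.51.100.9", "surface": "mcp",
     "path": "tools/list", "score": 0.85, "label": "ai_agent"},
    {"ts": 3.0, "source_ip": "192.0.2.44", "surface": "rest",
     "path": '/admin\n{"label":"human"}', "score": 0.5, "label": "automated"},
]


def run_demo(events=SAMPLE_EVENTS):
    """Persist the sample, then report what each store gives back."""
    with tempfile.TemporaryDirectory() as tmp:
        store = EventStore(os.path.join(tmp, "sundew.db"),
                           os.path.join(tmp, "events.jsonl"))
        for event in events:
            store.record(event)
        replayed = store.replay_jsonl()
        with open(store.jsonl_path, encoding="utf-8") as fh:
            physical_lines = sum(1 for _ in fh)
        result = {
            "by_label": store.counts_by_label(),
            "agent_requests": store.requests_for_ip("198.51.100.9"),
            "physical_lines": physical_lines,   # 4 events -> 4 lines
            "replay_intact": replayed == list(events),
        }
        store.close()
        return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Writing the JSONL record before the SQLite row keeps the streaming log complete even if the database insert fails; a reader that replays the log can rebuild the table, while the reverse is not true for an export that was never written.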