
The problem

Traditional honeypots have a fatal flaw: they all look the same. Once an attacker (or AI agent) learns the signature of a particular honeypot, they can avoid every identical deployment worldwide.

The solution

On first run, Sundew generates a deployment persona, a coherent identity that shapes every aspect of the honeypot:
persona:
  company_name: "Northvane Analytics"
  industry: "fintech"
  api_style: "rest"
  framework_fingerprint: "express"
  auth_scheme: "bearer_jwt"
  data_theme: "financial"
  response_latency_ms: [80, 350]
  server_header: "nginx/1.24.0"
  endpoint_prefix: "/api/v2"
This persona determines:
  • Endpoint paths: /api/v2/transactions vs /v1/patients vs /graphql
  • Response bodies: financial data, healthcare records, SaaS metrics
  • HTTP headers: Server, X-Powered-By, error formats
  • Timing profiles: simulated latency matching real-world services
  • Auth schemes: bearer JWT, API keys, OAuth2, basic auth
  • MCP tool names: query_transactions vs get_patient_records
  • Error formats: RFC 7807, simple JSON, HTML, XML

Generation methods

Personas can be generated three ways:

Supported industries

Industry    | Data theme                       | Example endpoints
------------|----------------------------------|----------------------------------------
Fintech     | Payments, accounts, transactions | /api/v2/transactions, /api/v2/accounts
SaaS        | Users, teams, billing            | /api/v1/workspaces, /api/v1/billing
Healthcare  | Patients, records, appointments  | /fhir/Patient, /api/v1/appointments
E-commerce  | Products, orders, inventory      | /api/v1/products, /api/v1/orders
DevTools    | Repos, pipelines, deployments    | /api/v2/repos, /api/v2/pipelines
Logistics   | Shipments, tracking, warehouses  | /api/v1/shipments, /api/v1/tracking

Anti-detection

Sundew's test suite (test_anti_detection.py) deploys 5 instances with different personas and verifies that no two instances correlate on any of:
  • Response body structure and field names
  • HTTP header combinations
  • Error message formatting
  • Endpoint path patterns
  • Timing distributions
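The following is an added example illustrating both the persona-driven shaping described under "The solution" and the cross-instance correlation check described here. It is not Sundew's own code: the persona field names follow the YAML shown on this page, but the header and error templates, the "nested_json" error style (added so five instances can each use a distinct format), the latency-overlap threshold and the five sample personas are assumptions constructed for the example. The last check shows why a rebadged instance that only changes its Server header still correlates with the original on every other axis.

```python
"""Persona-driven response shaping plus a cross-instance correlation check.

Added example, not Sundew's code. Field names follow the page's persona YAML;
templates, thresholds and the sample fleet are constructed assumptions.
"""
import json
import random
from dataclasses import dataclass, replace
from itertools import combinations


@dataclass(frozen=True)
class Persona:
    company_name: str
    industry: str
    framework_fingerprint: str   # "express" | "django" | "rails" | "aspnet" | "spring"
    auth_scheme: str             # "bearer_jwt" | "api_key" | "basic" | "oauth2"
    error_format: str            # key of ERROR_TEMPLATES
    response_latency_ms: tuple   # (low, high)
    server_header: str
    endpoint_prefix: str
    resources: tuple             # collections exposed under endpoint_prefix
    body_fields: tuple           # field names a record of the data theme carries


# Assumed: headers a real deployment of each framework would leak.
FRAMEWORK_HEADERS = {
    "express": {"X-Powered-By": "Express"},
    "django": {"Vary": "Cookie"},
    "rails": {"X-Runtime": "0.021"},
    "aspnet": {"X-Powered-By": "ASP.NET", "X-AspNet-Version": "4.0.30319"},
    "spring": {"X-Content-Type-Options": "nosniff"},
}

# Assumed: (content type, renderer) per error style. "nested_json" is an extra
# style added here so that five instances can each use a different one.
ERROR_TEMPLATES = {
    "rfc7807": ("application/problem+json",
                lambda s, d: json.dumps({"type": "about:blank", "title": d, "status": s})),
    "simple_json": ("application/json", lambda s, d: json.dumps({"error": d, "code": s})),
    "nested_json": ("application/json",
                    lambda s, d: json.dumps({"error": {"message": d, "status": s}})),
    "xml": ("application/xml",
            lambda s, d: f"<error><code>{s}</code><message>{d}</message></error>"),
    "html": ("text/html", lambda s, d: f"<html><body><h1>{s} {d}</h1></body></html>"),
}

# Assumed: challenge header per auth scheme (only "basic" embeds the company).
WWW_AUTHENTICATE = {
    "bearer_jwt": 'Bearer realm="api"',
    "oauth2": 'Bearer realm="api", error="invalid_token"',
    "api_key": "ApiKey",
    "basic": 'Basic realm="{company}"',
}


def endpoint_paths(p: Persona) -> list:
    return [f"{p.endpoint_prefix}/{r}" for r in p.resources]


def response_headers(p: Persona) -> dict:
    h = {"Server": p.server_header}
    h.update(FRAMEWORK_HEADERS[p.framework_fingerprint])
    h["WWW-Authenticate"] = WWW_AUTHENTICATE[p.auth_scheme].format(company=p.company_name)
    return h


def error_body(p: Persona, status: int, detail: str) -> tuple:
    """(content type, body) for an error rendered in the persona's style."""
    ctype, render = ERROR_TEMPLATES[p.error_format]
    return ctype, render(status, detail)


def latency_ms(p: Persona, seed=None) -> int:
    """Sample a delay from the persona's latency window."""
    lo, hi = p.response_latency_ms
    return random.Random(seed).randint(lo, hi)


def fingerprint(p: Persona) -> dict:
    """What an unauthenticated scanner can observe about one instance."""
    ctype, body = error_body(p, 401, "Unauthorized")
    shape = (ctype, tuple(sorted(json.loads(body)))) if ctype.endswith("json") else (ctype,)
    return {
        "paths": frozenset(endpoint_paths(p)),
        "headers": frozenset(response_headers(p).items()),
        "error_shape": shape,
        "body_fields": frozenset(p.body_fields),
        "latency": p.response_latency_ms,
    }


def _window_overlap(a: tuple, b: tuple) -> float:
    """Fraction of the narrower latency window that the other one covers."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    if hi <= lo:
        return 0.0
    return (hi - lo) / min(a[1] - a[0], b[1] - b[0])


def correlated_axes(fa: dict, fb: dict) -> list:
    """Axes on which two fingerprints would let a scanner link the instances."""
    hits = []
    if fa["paths"] & fb["paths"]:
        hits.append("paths")
    if fa["headers"] == fb["headers"]:
        hits.append("headers")
    if fa["error_shape"] == fb["error_shape"]:
        hits.append("error_format")
    if fa["body_fields"] & fb["body_fields"]:
        hits.append("body_fields")
    if _window_overlap(fa["latency"], fb["latency"]) > 0.5:   # assumed threshold
        hits.append("timing")
    return hits


def fleet_correlations(personas: list) -> dict:
    """Map (i, j) -> correlated axes for every pair that shares any axis."""
    fps = [fingerprint(p) for p in personas]
    report = {}
    for (i, fa), (j, fb) in combinations(enumerate(fps), 2):
        axes = correlated_axes(fa, fb)
        if axes:
            report[(i, j)] = axes
    return report


# Constructed sample fleet of five personas (values are assumptions).
FLEET = [
    Persona("Northvane Analytics", "fintech", "express", "bearer_jwt", "rfc7807",
            (80, 350), "nginx/1.24.0", "/api/v2", ("transactions", "accounts"),
            ("transaction_id", "amount", "currency")),
    Persona("Meridian Care", "healthcare", "django", "api_key", "simple_json",
            (400, 900), "Apache/2.4.57 (Ubuntu)", "/fhir", ("Patient", "Appointment"),
            ("resourceType", "id", "birthDate")),
    Persona("Loopstack", "saas", "rails", "oauth2", "nested_json",
            (20, 70), "cloudflare", "/api/v1", ("workspaces", "billing"),
            ("workspace_id", "plan", "seats")),
    Persona("Cartwell", "ecommerce", "aspnet", "basic", "xml",
            (950, 1600), "Microsoft-IIS/10.0", "/api/v1", ("products", "orders"),
            ("sku", "price", "stock")),
    Persona("Pipeforge", "devtools", "spring", "bearer_jwt", "html",
            (1700, 2600), "Jetty(9.4.z-SNAPSHOT)", "/api/v2", ("repos", "pipelines"),
            ("repo_id", "default_branch", "last_run")),
]

# A "rebadged" copy of the first persona: new name and Server header only.
REBADGED = replace(FLEET[0], company_name="Northvane Ltd", server_header="Apache/2.4.57")

if __name__ == "__main__":
    print("distinct personas:", fleet_correlations(FLEET))            # {}
    print("rebadged clone:", fleet_correlations([FLEET[0], REBADGED]))
```

With five genuinely different personas the report is empty; the rebadged clone still shares paths, error format, body fields and timing with its original, which is exactly the kind of cross-instance signal a scanner would use to link deployments.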