Deceive
Honeypot integrated in Guard daemon
packages/panguard-guard/src/bridges/trap-bridge.ts — 31 lines of integration glue, zero config for the user · Trap sessions automatically visible in Guard dashboard · Crystallized detections feed ATR auto-PR pipeline.
WHAT THIS LAYER DOES
L5 Deceive deploys decoy tools, decoy credentials, and decoy skills that appear legitimate to attackers. When an agent — compromised or not — reaches for them, we log the full session, extract the payload, and feed it back into the TC crystallization pipeline as new ATR rule candidates.
WHY YOU NEED IT
Passive defense is half the story. Honeypots convert the attacker's actions into your intelligence: tactics, tools, timing, infrastructure. You learn without leaking real data. The detections crystallize into rules that protect everyone on the TC network.
HOW IT WORKS
trap-bridge.ts in panguard-guard converts honeypot session events into SecurityEvent records via trapSessionToSecurityEvent(). No separate daemon — the honeypot is embedded inside the Guard event loop, which means zero additional footprint on the host and a single audit log. Detections flow into the crystallization pipeline (Threat Cloud → LLM reviewer → ATR auto-PR).
TRY IT NOW
Enabled by default in Guard when pga up runs. No separate setup.
pga up
ATTACKS THIS LAYER CATCHES
Concrete threats, concrete controls
Attacker recon
MEDIUM: Compromised agent enumerates available tools and credentials — honeypot logs every probe.
Credential theft attempts
HIGH: Decoy AWS keys, GitHub tokens, DB credentials — any attempted use is attacker confirmation.
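
As an added illustration (not code from Panguard or trap-bridge.ts), this TypeScript sketch shows how one trap session could be reduced to a single security event carrying the two severities listed above. The type shapes, field names, sessionToEvent, MAX_PAYLOAD and the sample sessions are all assumptions; the page does not show the real session or SecurityEvent definitions.

```typescript
// Added sketch; every type shape and name here is an assumption, not Panguard's API.
type ActionKind = "enumerate" | "use_credential";
interface TrapAction { kind: ActionKind; decoy: string; payload?: string }
interface TrapSession { sessionId: string; agentId: string; startedAt: string; actions: TrapAction[] }
interface DecoyEvent {
  source: "honeypot";
  sessionId: string;
  agentId: string;
  timestamp: string;
  category: "recon" | "credential_theft";
  severity: "MEDIUM" | "HIGH";
  decoysTouched: string[];
  payloads: string[];
}

const MAX_PAYLOAD = 256; // cap how much one session can write into the audit log

function sessionToEvent(s: TrapSession): DecoyEvent | null {
  if (s.actions.length === 0) return null; // no decoy touched, nothing to report
  const decoysTouched: string[] = [];
  const payloads: string[] = [];
  for (const a of s.actions) {
    if (decoysTouched.indexOf(a.decoy) === -1) decoysTouched.push(a.decoy);
    if (a.payload) payloads.push(a.payload.slice(0, MAX_PAYLOAD));
  }
  // Use of a decoy credential confirms an attacker (HIGH); enumeration alone is recon (MEDIUM).
  const usedCredential = s.actions.some((a) => a.kind === "use_credential");
  return {
    source: "honeypot",
    sessionId: s.sessionId,
    agentId: s.agentId,
    timestamp: s.startedAt,
    category: usedCredential ? "credential_theft" : "recon",
    severity: usedCredential ? "HIGH" : "MEDIUM",
    decoysTouched,
    payloads,
  };
}

// Constructed sample sessions: decoy names and payload text are made up.
const reconSession: TrapSession = {
  sessionId: "s-1", agentId: "agent-a", startedAt: "2025-01-01T00:00:00Z",
  actions: [{ kind: "enumerate", decoy: "decoy-tools" }, { kind: "enumerate", decoy: "decoy-tools" }],
};
const theftSession: TrapSession = {
  sessionId: "s-2", agentId: "agent-b", startedAt: "2025-01-01T00:05:00Z",
  actions: [{ kind: "enumerate", decoy: "decoy-credential-store" },
    { kind: "use_credential", decoy: "decoy-aws-key", payload: "constructed payload text" }],
};
```

Repeated probes of the same decoy collapse to one entry, so the event count tracks sessions, not probe volume.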