Honeytoken
Definition
A synthetic credential, document, or data record placed in a monitored location. Any attempt to use or access the honeytoken is an unambiguous signal of unauthorised activity, because legitimate users have no reason to touch it.
Related terms
- Baseline comparison: Comparison of a recovered system's current state, including running processes, network connections, scheduled tasks, and file hashes, against a known-good reference state...
- Extended monitoring window: A defined period of heightened detection sensitivity following recovery, during which security operations maintain increased logging, alert thresholds, and analyst attention. Ends...
- Recovery validation: The verification process that confirms a restored system is clean, correctly configured, and free from residual attacker access. Distinct from eradication, which...
- Recurrence: Re-establishment of attacker access or re-execution of the same attack vector after the prior incident has been eradicated. Recurrence triggers the incident...
- Tripwire: A deliberately placed artefact or detection rule designed to fire only if an attacker returns or residual malware reactivates. Examples include canary...
Explained in
- Validating Recovery and Monitoring for Recurrence