Know. When it Matters!

Most companies discover they've been breached way too late. Thinkst Canary fixes this: just 3 minutes of setup; no ongoing overhead; nearly 0 false positives, and you can detect attackers long before they dig in. Check out why our Hardware, VM and Cloud-based Canaries are deployed and loved on all 7 continents...

Generate a quote online Schedule a Canary Demo

What people say about Thinkst Canary

It’s pretty rare to find a security product that people can tolerate. It’s near impossible to find one that customers love. You can find a selection of unsolicited tweets and emails on our Thinkst Canary here.

Complete list of enterprise security products I recommend (evergreen edition):

1) @ThinkstCanary

2) @duosec

3) @Yubico

ryan "huber"
@ryanhuber

Their on-prem canary is one of the only things that caught me right away in post-exploitation without my knowing I was burned. Solid concept and product.

Vlad Ionescu
@ucsenoi

I have to give a shout out to @ThinkstCanary for being awesome. They not only have a great product but also great people behind it. 🦅

Joe Parker
@joesparker

Don’t think, just get them ;). I was a former customer (changed roles). What will you get from them? The best support, easy interface, great price and the most accurate alert in your environment. #canarylove

Mickey P
@MickeyPerre

If you have networks, and you care about protecting them, go give @haroonmeer some coins for a bag of @ThinkstCanary. They’re ace.

Bea Hughes
@beajammingh

+1. We ❤️ our Canaries.

Jonathan Levine
@JonMLevine

Why Thinkst Canary?

Because thousands of ignored alerts help nobody!

Tons of security products would be useful, if only you changed everything you did and made them the centre of your universe. This never happens, so they sit half deployed forever. Thinkst Canary doesn’t try to monopolise your time or dominate your thinking. Deploy your birds and forget about them. We will remain silent until you need us most…

One alert. When it matters!

How it works

Your Thinkst Canaries

Order, configure and deploy your Canaries throughout your network. (These can be hardware, virtual or cloud-based birds!) Make one a Windows file server, another a router, throw in a few Linux webservers while you're at it. Each one hosts realistic services and looks and acts like its namesake.

Then you wait. Your Thinkst Canaries run in the background, waiting for intruders.

Attackers prowling a target network look for juicy content. They browse Active Directory for file servers and explore file shares looking for documents, try default passwords against network devices and web services, and scan for open services across the network.

When they encounter a Thinkst Canary, the services on offer are designed to solicit further investigation, at which point they’ve betrayed themselves, and your Canary notifies you of the incident.

Your Console

Each customer gets their own hosted management console which allows you to configure settings, manage your Thinkst Canaries and handle events.

Your Thinkst Canaries constantly report in, and provide an up-to-the-minute report on their status (but this isn’t another pane of glass that you need to constantly monitor). Even customers with hundreds of Canaries receive just a handful of events per year. When an incident occurs, we alert you via email, text message, slack notification, webhook or old-fashioned syslog.

CanaryTokens

Last month an attacker compromised one of your users, and has been reading the company chat. Since then, she’s been searching for keywords and embarrassing data. Would you know?

Your lead developer was targeted and compromised at the local Starbucks. Would you notice?

You could, with Canarytokens. Drop our fake AWS-API keys on every enterprise laptop. Attackers compromising your users _have_ to use them, and when they do, they tip their hand…

Canarytokens are tiny tripwires that you can drop into hundreds of places. They follow our Thinkst Canary philosophy: trivial to deploy, with a ridiculously high quality of signal.

The concept and use of canary tokens has made me very hesitant to use credentials gained during an engagement, versus finding alternative means to an end goal. If the aim is to increase the time taken for attackers, canary tokens work well.

shubs
@infosec_au

Pricing

@ThinkstCanary Great products that work, easy and quick to install and provide real value.

Michael Freeman
@Exploitwriter

Canary pricing allows you to start immediately, with tiny upfront costs. An annual subscription of $7,500, gets you 5 Canaries, your dedicated hosted Console, your own Canarytokens server, as well as all our support, maintenance and upgrades. Transparent and simple pricing for a solution that just works.

Play around with the numbers and generate a no-commitment quote online.

Generate a quote online

FAQ

Isn't this just a honeypot?

Yes and No.

Honeypots are a great idea. Everyone knows this, so why is almost nobody running them on internal networks? Simple: because with all the network problems we have, nobody needs one more machine to administer and worry about. We know the benefits that honeypots can bring but the cost and effort of deployment always drops honeypots to the bottom of the list of things to do.

Canary changes this. Canaries can be deployed in minutes (even on complex networks), giving you all of the benefits without the admin downsides.
How easily can they be deployed?

It usually takes less than 5 minutes from unboxing your Canary, to have it ready for action on your network. With just a few clicks, you'll have a high interaction honeypot, and be able to track who’s browsing shares for PDF documents, trying to log into a NAS, or port scanning your network.
How do they communicate with the console?

Canaries are deployed inside your network and communicate with the hosted console through DNS. This means the only network access your Canary needs is to a DNS server that's capable of external queries, which is much less work than configuring border firewall rules for each device.
Ok. You have 2 minutes, how does this work?

Simply choose a profile for the Canary device (such as a Windows box, brand name router, or Linux server). If you want, you can further tweak the services your Canary runs. Perhaps you need a specific IIS server version or OpenSSH, or a Windows file share with real files constructed according to your own naming scheme (say, 2016-tenders.xls). Lastly, register your Canary with our hosted console for monitoring and notifications.

Then you wait. Attackers who have breached your network, malicious insiders and other adversaries make themselves known by accessing your Canary. There's little room for doubt. If someone browses a file share and opened a sensitive-looking document on your Canary (\\fin_srv_02\Planning\2016_forecasts.xls) you'll immediately be alerted to the problem.

You possibly already do have a problem, you might just not know it. Canary changes that.
So Canaries are sensors. Do you use them to do machine learning for anomaly detection?

No. Canary doesn't do anomaly detection (with machine learning or otherwise) by learning to detect malicious behaviour in day-to-day activity. The Canary triggers are incontrovertibly simple: if someone is accessing your lure-files, or brute-forcing your fake internal ssh server, then you have a problem. Canary uses deceptively simple, but high-quality markers of trouble on your network.
Can't I do this myself using Honeyd, Kippo, ?

You could certainly setup honeypots but, the truth is, most haven't. Why? Two reasons as far as we can tell: most projects have limited protocol support meaning you have to run multiple honeypots to cover a range of common protocols, and monitoring and notifications across multiple honeypots quickly becomes tricky especially if you want to have many honeypots scattered around your network.

Canary makes this easy; we have multiple protocols supported out-of-the-box, and our hosted console gives you effortless monitoring and notifications.
Does the console have pretty Web 2.0 coolness?

We have a console, and we think it's pretty, but we really don't want you to spend much time on it. After you setup your Canaries you forget about the whole thing completely. When one of your Canaries chirp, only then do you attend to the problem.
What if an attacker DoS'es the device or compromises it?

If your Canary can get off just one alert (and it really should) then your console far away is going to log and alert on this. Whatever happens to the Canary after that won't matter since it stores nothing of value.
What if an attacker identifies the device as a Canary? Won't they simply avoid it?

Identification will require active interrogation of the devices, and we detect common methods for fingerprinting then alert. After that, even if the attacker correctly identifies a Canary, you know they're looking and can investigate further.
Do you disclose security vulnerabilities related to your products?

Yes. We publish security advisories to disclose security issues in both the Canaries and Canary Consoles.