Know. When it matters.

Most companies discover they've been breached way too late. Thinkst Canary changes this: just 2 minutes of setup; nearly 0 false positives, no ongoing overhead, and you can detect attackers long before they dig in.

What people say about Thinkst Canary

It’s pretty rare to find a security product that people can tolerate. It’s near impossible to find one that customers love.

Thinkst Canaries are

loved

all over the world

Bloomberg
Arstechnica
Wired

Why Thinkst Canary?

Thousands of ignored alerts help nobody!

Tons of security products would be useful, if only you changed everything you did and made them the centre of your universe. This never happens, so they sit half deployed forever.

Thinkst Canary doesn't try to monopolise your time or dominate your thinking. Deploy your birds and forget about them. We will remain silent until you need us most...

One alert. When it matters!

How Thinkst Canary works

Order, configure and deploy your Canaries (hardware, virtual or cloud-based) throughout your network.

Make one a Windows file server, another a router, throw in a few Linux web servers while you're at it. Each one hosts realistic services and looks and acts like its namesake.

Then you wait. Your Thinkst Canaries run in the background, waiting for intruders.

Attackers prowling a target network look for juicy content. They browse Active Directory for file servers and explore file shares looking for documents, try default passwords against network devices and web services, and scan for open services across the network.

When they encounter a Thinkst Canary, the services on offer are designed to solicit further investigation, at which point they’ve betrayed themselves, and your Canary notifies you of the incident.

Your Thinkst Canaries

Thinkst Canaries are designed to deploy quickly and "just work".

Hardware Canaries, Virtual Canaries, Cloud and Container Canaries are up and running (and useful) in under 2 minutes.

Boot them up and forget about them. They'll be silent, until it matters.

Hardware Canary
Hardware Canary

Canary Console

Each customer gets their own hosted management console which allows you to configure settings, manage your Thinkst Canaries and handle events.

Your Thinkst Canaries constantly report in, and provide an up-to-the-minute report on their status (but this isn’t another pane of glass that you need to constantly monitor).

Even customers with hundreds of Canaries receive just a handful of events per year. When an incident occurs, we alert you via email, text message, Slack notification, webhook or old-fashioned Syslog.

sql_serverclonedsitesigned_exeadobe_pdfwindows_dircssclonedsitekubeconfigwebdns
sql_serverclonedsitesigned_exeadobe_pdfwindows_dircssclonedsitekubeconfigwebdns
log4shellqr_codemy_sqlweb_imageaws_keyswireguardazure_id_configccpwa
log4shellqr_codemy_sqlweb_imageaws_keyswireguardazure_id_configccpwa
log4shellfast_redirectms_excelcmdazure_idms_wordsvnsmtpslow_redirect
log4shellfast_redirectms_excelcmdazure_idms_wordsvnsmtpslow_redirect

Canarytokens

Canarytokens are deceptively simple yet powerful tripwires you can deploy across your network, from fake AWS-API keys to misleading Word docs.

Just like our Thinkst Canaries, they blend seamlessly into your environment, waiting quietly until triggered by an intruder. Once interacted with, your Canarytoken instantly alerts you through your preferred channels, giving you immediate visibility into suspicious activity.

Canarytokens are quick to deploy, easy to manage, and stay true to the Thinkst philosophy: effective security without the noise.

Pricing

Play around with the numbers and generate a no-commitment quote online.
$7500 /USD per year

5 Beautiful Thinkst Canaries

Hardware appliances, Hyper-V, Docker, VMWare, AWS, Azure or GCP

Unlimited Canarytokens

Mint as many tokens as you like on your private Canarytoken Server

Get your very own AWS Hosted Canary Console

Receive Support, Maintenance & Updates for a Full year

Frequently Asked Questions

Yes and No.

Honeypots are a great idea. Everyone knows this, so why is almost nobody running them on internal networks? Simple: because with all the network problems we have, nobody needs one more machine to administer and worry about. We know the benefits that honeypots can bring but the cost and effort of deployment always drops honeypots to the bottom of the list of things to do.

Canary changes this. Canaries can be deployed in minutes (even on complex networks), giving you all of the benefits without the admin downsides.

It usually takes less than 2 minutes from unboxing your Canary, to have it ready for action on your network. With just a few clicks, you'll have a high interaction honeypot, and be able to track who’s browsing shares for PDF documents, trying to log into a NAS, or port scanning your network.

Canaries are deployed inside your network and communicate with the hosted console through DNS. This means the only network access your Canary needs is to a DNS server that's capable of external queries, which is much less work than configuring border firewall rules for each device.

Simply choose a profile for the Canary device (such as a Windows box, brand name router, or Linux server). If you want, you can further tweak the services your Canary runs. Perhaps you need a specific IIS server version or OpenSSH, or a Windows file share with real files constructed according to your own naming scheme (say, 2016-tenders.xls). Lastly, register your Canary with our hosted console for monitoring and notifications.

Then you wait. Attackers who have breached your network, malicious insiders and other adversaries make themselves known by accessing your Canary. There's little room for doubt. If someone browses a file share and opened a sensitive-looking document on your Canary (\\fin_srv_02\Planning\2016_forecasts.xls) you'll immediately be alerted to the problem.

You possibly already do have a problem, you might just not know it. Canary changes that.

No. Canary doesn't do anomaly detection (with machine learning or otherwise) by learning to detect malicious behaviour in day-to-day activity. The Canary triggers are incontrovertibly simple: if someone is accessing your lure-files, or brute-forcing your fake internal ssh server, then you have a problem. Canary uses deceptively simple, but high-quality markers of trouble on your network.

You could certainly setup honeypots but, the truth is, most haven't. Why? Two reasons as far as we can tell: most projects have limited protocol support meaning you have to run multiple honeypots to cover a range of common protocols, and monitoring and notifications across multiple honeypots quickly becomes tricky especially if you want to have many honeypots scattered around your network.

Canary makes this easy; we have multiple protocols supported out-of-the-box, and our hosted console gives you effortless monitoring and notifications.

We have a console, and we think it's pretty, but we really don't want you to spend much time on it. After you setup your Canaries you forget about the whole thing completely. When one of your Canaries chirp, only then do you attend to the problem.

If your Canary can get off just one alert (and it really should) then your console far away is going to log and alert on this. Whatever happens to the Canary after that won't matter since it stores nothing of value.

Identification will require active interrogation of the devices, and we detect common methods for fingerprinting and then alert. After that, even if the attacker correctly identifies a Canary, you know they're looking and can investigate further.

Yes. We publish security advisories to disclose security issues in both the Canaries and Canary Consoles.