Welcome to Thinkst Canary!

We are so glad to have you on board! We work really hard to make sure that setting up Canaries is quick and running them is painless. (If any of this isn't true, please let us know!)

Setting up your Canaries should be dead simple. Here's what you need to do.


Log into your Canary Console


You will notice a bird (or multiple birds) tagged as "in-flight"

Clicking on that tile will give you in-flight tracking details


Unbox your Canary and plug it in

That's it! Seriously... 😀

Your Canary LED will turn green, and the "in-flight" designation will change to let you know you have a new bird on your network.

(The bird is already useful and is acting like a Windows Server with RDP and a file share, but if you want to give it another personality, simply )

    More Information

  • Halp! My Canary's LED is RED!

    A Red status light indicates that the Canary can't reach the Console. Let's eliminate the possible causes one by one.

    Did the Red status show directly after saving your settings and rebooting your new Canary? If so, you might have forgotten to approve the registration in the Console. Log in to your Console and approve the outstanding registration.

    If the registration was approved in the Console, and the status light is still Red, this suggests a network issue. Your Canary needs a valid IP address and a valid DNS server that can make external DNS queries. Check that the Canary is plugged into the correct network and that the status LEDs around the network jack have lit up.

    If the status light showed Green previously but now only shows Red, this likely indicates a network issue.

    If you need further assistance, please contact us at support@canary.tools, and we will jump on it.

  • I want to reconfigure a Canary

    Your Canary can be reconfigured from your console, using the remote configuration editor or over Bluetooth. To configure your Canary over Bluetooth, the device needs to be in Bluetooth configuration mode. A brand new, pristine Canary boots automatically into config mode (which can be determined by the pretty blue LED). If the device has already been configured, it boots to live mode (where the LED will turn green or red).

    To re-enter config mode, disconnect the power supply and then reconnect it. While the device is booting, hold down the button (LED) on top of the device until the status LED lights up. After a short while, the LED will go blue, at which point the config interface on http://setup.canary.tools will be accessible again.

  • What configuration options are supported?

    Canary Settings

    Device Name

    A name for the device which can contain only alphanumeric characters. Use this to provide a unique identifier for your Canary.


    Remind yourself where the Canary is deployed (or use it as a more general descriptor field).

    Device personality

    A device personality combines an OS personality with services you'd expect to find on that OS. This will select services on your behalf.

    OS IP stack personality

    Tell the Canary's IP stack to imitate a different OS.

    Portscan detection

    Enable or disable portscan detection on this Canary.

    Network Settings


    Enable or disable DHCP networking on your Canary.

    Canary IP Address

    IP Address for deployed Canary.


    Netmask for deployed Canary.


    IP Address of the default gateway. Your Canary does not require direct Internet access, but without a default route it will only be accessible to attackers on the local network segment.

    DNS Server 1

    IP Address of a DNS server reachable from the deployed network address. The DNS server is required, and must be able to resolve external queries; otherwise your Canary will not be able to communicate with the console.

    DNS Server 2

    Provide a second DNS server for redundancy. If only one is available, enter the same IP address in this field.

    Windows File Share

    File Share enabled

    Check to enable the File Share module, uncheck to disable.


    Select between "Workgroup" for a standalone file share server, or "Domain member" to join an Active Directory domain.


    In "Workgroup" mode, provide a name for the Windows Workgroup (e.g. "OFFICE").

    Fully Qualified Active Directory Domain Name

    In "Domain Member" mode, provide the full Active Directory domain name (e.g. "corp.example.com").

    NetBIOS Name

    Configure the NetBIOS Name advertised to the network.

    Server String

    Set the comment shown next to servers in the server listing.

    Share Name

    Name the share exposed on the Canary.

    Share Comment

    Set the comment shown next to the share in the share listing.

    Files in the Share

    Add new files to the share by clicking the + button. Give the files a name, and choose their type.


    HTTP enabled

    Check to enable the HTTP module, uncheck to disable.


    The port number on which to listen for HTTP connections.

    HTTP Page Skin

    Select the Login page you want to serve to attackers.


    SSH enabled

    Check to enable the SSH module, uncheck to disable.


    Choose the port on which to run the SSH service.

    Version string

    Provide an SSH version string.


    FTP enabled

    Check to enable the FTP module, uncheck to disable.


    Choose the port on which to run the FTP service.


    Provide an FTP banner.

  • Bluetooth pairing on a Windows Machine

    Bluetooth connections are handled a bit differently on Windows platforms and the following steps seem to work best:

  • I can't surf to http://setup.canary.tools

    If you're successfully connected to the Bluetooth network, then this error means that your browser doesn't also have an Internet connection. This isn't a train smash, you can still browse to the configuration site over Bluetooth using

    If your Bluetooth network is not connected, ensure that your OS is set up to support Bluetooth network connections. For example, on Mac OS you might have to first add a "Bluetooth PAN" interface in your Network Preferences.

    In the event that you cannot connect to Bluetooth and your Ethernet network supports DHCP, your Canary will advertise its Ethernet IP in its Bluetooth name. You can browse to this IP from a machine on the same Ethernet network.

  • What are the detection modules?

    Your Canary ships with six types of detection modules:

    Host port scan

    Detects whether a Canary was subjected to a port scan from a single originator.

    Network port scan

    Detects when an attacker scans across your network for a particular port. This requires multiple Canaries on your network.

    HTTP brute-force

    Exposes a web-based login page, and reports when login attempts are made.

    Windows shared files

    Provides a fully functional Windows file share complete with actual files named by you. Alerts whenever someone tries to open the files. Includes the ability to join Active Directories.


    Provides an authentication-only SSH daemon. All login attempts are recorded.


    Provides an authentication-only FTP daemon. All login attempts are recorded.

  • I want to join a Windows Active Directory

    Good choice! Joining your Canary to AD means it is easier for snoopers to find since it'll show up in the AD tree, and you'll have authentication information.

    Before we start, you will need valid Active Directory credentials for a user who is allowed to join machines to the AD. This user is often a domain administrator but doesn't have to be (see Resolution→Method 2 on this Microsoft page).

    Secondly, if you want your Canary to be placed in a specific OU, then you'll need to pre-create the Computer account in the right OU, before joining the AD. (See Resolution→Method 1 on the same page). The Canary's NetBIOS name must match the AD's Computer account name.

    Lastly, the Canary must be on a network segment that can reach domain controllers. When the Canary enters config mode, in addition to the address it also tries to obtain a second address via DHCP. This address, if present, is used to join the domain. If no DHCP address was obtained, domain join will fail.


    • Under your Canary's Windows File Share configuration section, enable File Share and fill in the computer and share details.
    • Ensure "Mode" is set to "Domain member".
    • Ensure that the fully qualified name of the AD is entered correctly.
    • Click Save.
    • You are shown a preparation screen that describes what is about to happen.
    • Click Join Domain. The Canary will perform sanity checks, including looking up domain details. If any of these fail, you will be notified and the join process will halt. Resolve the failures before trying again.
    • If the tests pass, then you will be prompted for the credentials of a user who is allowed to join machines to the domain. Enter the credentials then click Join domain.
    • After successfully joining the domain, click Continue.
  • What are HTTP skins?

    The HTTP module reports login attempts on a website hosted by the Canary. To make the login appear legitimate, we let you pick from a range of fake websites that might be found on internal networks. The skin only holds the login page.

  • Offline registration

    In some cases, the Canary's automatic registration can fail. Typically this occurs when the user configuring the Canary is not also logged into their hosted console, perhaps because the user does not have external web access at that time.

    Canaries support an offline or manual registration flow too. This process requires you to copy data from the Canary's config interface to the hosted console, and vice versa. Here are the steps:

    • After trying the Canary's automatic registration, you see a failure message.
    • Copy the blob of data from the text field.
    • Log in to your Canary Console, and click + located in your Canaries section.
    • Click Add hardware Canary located in the Add New Canary pop up.
    • Paste the blob copied from the Canary into the text area and click Import. This will pair the Canary with your console.
    • Copy the data blob shown in your Canary Console.
    • Then switch back to your Canary's config screen and paste the Console blob into the text field and click Submit.
    • On your Canary Console, you can find your new Canary by looking for the New! annotation.
    • Your Canary is now paired; you can unplug it and move it to its production location.
  • I want to configure notifications

    Your hosted console supports two types of notifications, SMS and email, and you can configure one, both or neither. Browse the Setup link to configure your hosted console.

    To enable email notifications, click the On button, and in the text field that appears enter the email address that will receive alerts. To include multiple addresses, separate them with commas.

    To enable SMS notifications, click the On button, and in the text field that appears enter the phone numbers that will receive alerts. Numbers must start with "+" and, apart from the "+", only consist of digits. To include multiple numbers, separate them with commas.

  • I want to enable 2FA on my console

    Your hosted console supports Google Authenticator's time-based OTPs:

    • To enable 2FA, click the On button.
    • A configuration QR-code is shown. Open your Google Authenticator app, tap Settings then tap Scan a barcode.
    • Alternatively, if you don't want to scan the barcode then manually enter the key. Tap Enter provided key and input the key string shown under the QR-code along with an account name. Ensure that Time based is selected, then tap Add.
    • To use your 2FA, on the login select I use a second factor.
  • What do the LED colours mean?

    The status LED provides feedback about the Canary's current state, using colour and flashing.


    Canary software has not run, power is likely off.


    Booting into config mode.


    Config mode is running.


    Booting into live mode.


    Canary is running in live mode, in contact with the server.


    Canary is running in live mode, but cannot contact the server.

    Flashing Red

    Canary software has exited. Reboot your Canary.

  • What counts as an incident?

    Your console doesn't simply report on every trigger, it bundles events together to form incidents if they are related. For example, if an attacker launches a brute-force attempt against your FTP server, you want to receive a single alert about the attack, not one per username tried.

    Incidents are defined as duplicated events from the same source against the same target service within a time period.

    Of course, we still record every event and when you open up an incident, you will be provided with the data about each event that makes up the incident.
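
    The bundling rule described above, sketched as an added example (this is not Thinkst's code): events are grouped by source and target service, and every event is kept inside its incident. The 5-minute window, the choice to measure it from the incident's latest event, the field names and the sample events are all assumptions made for illustration.

```python
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "time source service detail")

# Assumed window: the page only says "within a time period".
WINDOW = timedelta(minutes=5)


def bundle_incidents(events, window=WINDOW):
    """Group events into incidents keyed by (source, target service).

    An event joins the open incident for its key when it arrives within
    `window` of that incident's latest event; otherwise it opens a new one.
    """
    incidents = []
    open_by_key = {}  # (source, service) -> most recent incident for that key
    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.source, ev.service)
        inc = open_by_key.get(key)
        if inc is None or ev.time - inc["last_seen"] > window:
            inc = {"source": ev.source, "service": ev.service,
                   "first_seen": ev.time, "last_seen": ev.time, "events": []}
            incidents.append(inc)
            open_by_key[key] = inc
        inc["events"].append(ev)      # every raw event is retained
        inc["last_seen"] = ev.time
    return incidents


def _t(clock):
    return datetime.strptime(clock, "%H:%M:%S")


# Constructed sample events (not real Canary output).
SAMPLE_EVENTS = [
    Event(_t("10:00:00"), "10.0.0.23", "ftp", "login admin"),
    Event(_t("10:00:02"), "10.0.0.23", "ftp", "login root"),
    Event(_t("10:00:05"), "10.0.0.23", "ftp", "login backup"),
    Event(_t("10:00:06"), "10.0.0.23", "ssh", "login root"),    # other service
    Event(_t("10:01:00"), "10.0.0.77", "ftp", "login admin"),   # other source
    Event(_t("10:30:00"), "10.0.0.23", "ftp", "login admin"),   # outside window
]

if __name__ == "__main__":
    for inc in bundle_incidents(SAMPLE_EVENTS):
        print(inc["source"], inc["service"], len(inc["events"]), "event(s)")
```

    The three FTP attempts from one source collapse into a single incident, while the SSH attempt, the second source and the late FTP attempt each open their own.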