An open-source honeypot designed to detect and study autonomous AI agent attacks
Project description
Sundew
A carnivorous honeypot for AI agents
Sundew deploys realistic-looking services that attract autonomous AI agents, then fingerprints and classifies their behavior. Each deployment is unique -- powered by a persona engine that generates coherent identities, making every instance indistinguishable from a real service.
Named after the sundew plant -- a carnivorous plant with sticky tentacles that glisten like dewdrops. Insects are attracted, land, and cannot escape. Beautiful, patient, effective.
Every deployment looks different. Every agent gets caught.
Why Sundew?
Autonomous AI agents are the next frontier in offensive security. They browse the web, call APIs, connect to MCP servers, and execute multi-step attack chains -- all without human guidance. Thirty years of honeypot research has focused on human attackers. Almost nothing exists for AI agents.
Sundew fills that gap. It exposes the surfaces AI agents actually interact with -- MCP servers, OpenAPI specs, AI plugin manifests -- and uses behavioral fingerprinting to classify whether visitors are human, automated scanners, AI-assisted tools, or fully autonomous agents.
The core innovation is the persona engine. When an AI agent learns what one honeypot looks like, it can avoid all identical deployments. Sundew solves this by generating a unique identity for every instance -- different company names, API structures, response formats, timing profiles, and data themes. An agent that has seen one Sundew deployment gains zero advantage against any other.
Quick Start
Docker (recommended):
docker compose up
pip:
pip install sundew
sundew serve
From source:
git clone https://github.com/sundew-sh/sundew.git
cd sundew && make run
Sundew is now running on http://localhost:8080 with a randomly generated persona. Open another terminal and watch what happens.
What You'll See
When an AI agent discovers your Sundew deployment, the logs tell the story:
$ sundew serve
INFO Sundew v0.1.0 starting...
INFO Persona loaded: Northvane Analytics (fintech)
INFO Endpoints: /api/v2/transactions, /api/v2/accounts, /api/v2/customers
INFO MCP server active: query_transactions, get_customer_profile, read_config
INFO Listening on 0.0.0.0:8080
12:04:31 GET /.well-known/ai-plugin.json src=83.21.4.17 signal=ai_discovery
12:04:31 GET /openapi.json src=83.21.4.17 signal=api_enum
12:04:32 GET /api/v2/transactions?limit=100 src=83.21.4.17 signal=data_access
12:04:32 GET /api/v2/customers src=83.21.4.17 signal=data_access
12:04:33 POST /api/v2/auth/login src=83.21.4.17 signal=auth_attempt
12:04:33 MCP initialize src=83.21.4.17 signal=mcp_connect
12:04:34 MCP tools/call: read_config src=83.21.4.17 signal=sensitive_access
SESSION CLASSIFIED: ai_agent (confidence: 0.91)
Timing: 0.85 (consistent 200-800ms intervals)
Enumeration: 0.92 (systematic path discovery)
Headers: 0.78 (missing Referer, bot-like UA)
MCP: 1.00 (connected via MCP protocol)
Prompt leak: 0.88 ("As an AI assistant" in POST body)
Query captured sessions with the CLI:
sundew query --last-session
sundew query --type ai_agent --last 24h
sundew stats
Or use Sundew as an MCP server to query your honeypot data from Claude:
{
"mcpServers": {
"sundew": {
"command": "sundew",
"args": ["mcp-client"]
}
}
}
How It Works
Incoming Request
|
+----------+-----------+
| |
MCP Protocol HTTP Request
| |
+-------+-------+ +---------+---------+
| MCP Trap | | REST API Trap |
| Fake tools | | Fake endpoints |
| per persona | | per persona |
+-------+-------+ +---------+---------+
| |
+----------+-----------+
|
+---------+---------+
| Fingerprinter |
| 5 signal scores |
| 0.0-1.0 each |
+---------+---------+
|
+---------+---------+
| Classifier |
| human | automated |
| ai_assisted | |
| ai_agent |
+---------+---------+
|
+---------+---------+
| Storage |
| SQLite + JSONL |
| Structured logs |
+-------------------+
The Persona Engine shapes everything above:
endpoint paths, response bodies, headers,
timing, error formats, tool names, data themes.
Every deployment is unique.
The Persona Engine
On first run, Sundew generates a deployment persona -- a coherent identity that shapes every aspect of the honeypot:
# Auto-generated, stored in ./data/persona.yaml
persona:
company_name: "Northvane Analytics"
industry: "fintech"
api_style: "rest"
framework_fingerprint: "express"
auth_scheme: "bearer_jwt"
data_theme: "financial"
response_latency_ms: [80, 350]
server_header: "nginx/1.24.0"
endpoint_prefix: "/api/v2"
The persona is generated using an LLM (local via Ollama or cloud API) at deploy time. Responses are pre-generated, cached, and served deterministically at runtime -- zero LLM latency during operation.
No LLM? Sundew ships with pre-built persona packs for common industries.
Trap Surfaces
| Trap | What it does |
|---|---|
| MCP Server | Fully protocol-compliant MCP server with persona-appropriate tools |
| REST API | Adaptive endpoints with Swagger docs, auth, realistic responses |
| AI Discovery | /.well-known/ai-plugin.json, /.well-known/mcp.json, robots.txt, sitemap.xml |
Fingerprinting Signals
| Signal | What it measures | Weight |
|---|---|---|
| Timing consistency | Regular inter-request intervals | 0.0-1.0 |
| Path enumeration | Systematic vs random discovery | 0.0-1.0 |
| Header anomalies | Missing Referer, bot UA, unusual Accept | 0.0-1.0 |
| Prompt leakage | LLM artifacts in request bodies | 0.0-1.0 |
| MCP behavior | MCP protocol connection | 0.0-1.0 |
Composite score maps to classification: human (<0.3), automated (0.3-0.6), ai_assisted (0.6-0.8), ai_agent (>0.8).
Configuration
All configuration lives in sundew.yaml:
traps:
mcp_server: true
rest_api: true
ai_discovery: true
persona: auto # or path to custom persona.yaml
llm:
provider: ollama # ollama, anthropic, openai, none
model: llama3
server:
host: 0.0.0.0
port: 8080
storage:
database: ./data/sundew.db
log_file: ./data/events.jsonl
See the configuration guide for all options.
Roadmap
See ROADMAP.md for the full plan.
| Version | Codename | Focus |
|---|---|---|
| v0.1 | First Catch | Persona engine, MCP/REST/discovery traps, fingerprinting, CLI |
| v0.2 | Deeper Roots | RAG traps, canary tracking, PostgreSQL, plugin system |
| v0.3 | Wider Net | Terraform modules, STIX/TAXII export, dashboard, multi-instance |
| v1.0 | Research Platform | Public datasets, academic paper, community trap library |
Documentation
Full documentation is available at docs.sundew.sh:
- Quickstart -- 5 minutes to your first catch
- Concepts -- how Sundew works under the hood
- Guides -- build custom personas, deploy to production, analyze data
- Research -- what we've learned about AI agent behavior
Contributing
Sundew is open source under the Apache 2.0 license. We welcome contributions of all kinds.
See CONTRIBUTING.md for development setup, code style, and how to submit pull requests.
Key areas where we'd love help:
- Persona packs -- new industry themes (e-commerce, IoT, gaming, government)
- Trap types -- GraphQL, gRPC, WebSocket, SSH
- Fingerprinting signals -- new detection heuristics
- Research -- deploy Sundew and share anonymized findings
Acknowledgments
Sundew builds on decades of honeypot research while addressing the new reality of AI-powered offensive tools.
License
Apache License 2.0. See LICENSE for details.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file sundewsh-0.1.0.tar.gz.
File metadata
- Download URL: sundewsh-0.1.0.tar.gz
- Upload date:
- Size: 139.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
85a8f4b1c4c8ff5e15b530cc839ce3628eabac1563f240c40c4122391e5e5864
|
|
| MD5 |
7bc61a2b1f4d2ed8496f12b0c4322a6f
|
|
| BLAKE2b-256 |
f4710e16beca256a292c00e0bc6a58605942e47db53247d05c144a7251b224c3
|
File details
Details for the file sundewsh-0.1.0-py3-none-any.whl.
File metadata
- Download URL: sundewsh-0.1.0-py3-none-any.whl
- Upload date:
- Size: 59.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6f26760a19114329572c9489e6ea36441ba3b0e0dd3bff8a1ab82570cdf5366a
|
|
| MD5 |
dcc94de71d746b833613254e83aa70d7
|
|
| BLAKE2b-256 |
e643a01047481590353127c3c2677b125a3156a03d20b1b90cb802869a716213
|
