The Security Canary Maturity Model

Rami McCarthy
September 7, 2024
January 18, 2025
5 min read

Honeypots have been around a long time [1]. Nowadays, canaries are a standard component of a mature security program. This was highlighted recently by the NCSC guidance around mitigating SVR threat actors.

We’ve previously shared our thoughts on Honeypots for Intrusion Detection and our vision for Canary Infrastructure. We wanted to build on this vision, and have asked our friend Rami McCarthy to develop the industry’s first Maturity Model for Security Canaries.

The Why and How of a Maturity Model

What is the point of a maturity model?

I’m a big fan of maturity models. Security is a relatively immature industry, built on top of rapid technological change. As an industry, we are prolific in distributing information publicly, but often informally. In the forty-year history of honeypots, there have been books and blog posts, write-ups in newsgroups and email distros, conference talks and research papers.

A maturity model is a way of systematizing existing knowledge, and creating a centralized source to operationalize a program in this category.

How can I use this maturity model?

From an education perspective, this maturity model offers you a map of the landscape around canaries. Read through it, search everything you don’t know, and a hundred browser tabs later you’ll have a good baseline understanding of what a canary deployment looks like across various levels of sophistication.

On the corporate side, there are a few ways to apply a maturity model to your security program.

  1. Removing unknown-unknowns: The maturity model offers a cheat sheet across the universe of canary capabilities. At a minimum, it allows you to survey the landscape and ensure you’re aware of your options for reducing risk, whether or not you choose to align to the model overall.
  2. Benchmarking/Diagnostics: If you choose to align to the model, you can use it to assess your current maturity. This is an opportunity to consider whether your current use of canaries matches your desired level of security maturity.
  3. Roadmapping: When navigating the planning process, this model offers a view on “what could we do next,” in an iterative and compounding structure.

Overall, I’d encourage you to view this maturity model as a spider chart, not a checklist. You don’t need to be doing everything listed to crest into a maturity level, nor should you limit your investments to meeting all “Managed” criteria if it better suits you to spike into “Optimized” across certain categories.

The Security Canary Maturity Model

In developing this model, I crystallized on four categories (Coverage, Management, Impact, and Program) that form a MECE (mutually exclusive, collectively exhaustive) set of relevant capabilities, controls, and practices. Maturity is then measured across these categories, rolling up into three maturity levels: Defined, Managed, and Optimized.

Coverage

Coverage considers the idea of detection coverage as applied to canaries. In our case, Coverage is a matter of Diversity and Distribution. Diverse canaries provide more opportunities for detecting a variety of attacks, avoiding honeypot identification by attackers, and introducing sludge.

Defined:
  • A few static honeytokens (a.k.a. canary credentials) are present

Managed:
  • Many unique honeytokens are distributed, with meaningful correlation of their locations with attack paths
  • Initial non-honeytoken canary infrastructure is in place
  • Canaries cover a majority of the CDM Technologies (Devices, Applications, Networks, Data, Users) in production
  • Canaries have realistic metadata (e.g., believable names, tags, resource types)

Optimized:
  • Broad and diverse canary infrastructure is deployed
  • Environmental architecture and nudges lead attackers towards interacting with canary infrastructure
  • Canary data is introduced to new resources by default
  • Canaries are present not only in production, but across other high leverage areas like Source Code, CI/CD, and Staging
  • Canaries have environment-specific, camouflaging metadata

Impact

Maturing your canary deployments means increasing their impact, both of the deployment overall and of each individual canary asset. Generally, there are two vectors for canary impact. First, you generate signal on attackers, which may be a simple alert in the base case. Second, you can impose additional cost on attackers. Your ceiling for impact is coupled to the interactivity of your canaries: the higher the interaction, the more data attackers generate from which you can discern useful signals.

Defined:
  • Low interactivity
  • A basic log of interaction (such as an alert) is generated

Managed:
  • Medium interactivity
  • A rich audit log of interaction is generated, including not only an IP address but also session, user, role, user agent and more
  • Canary alerting has varied severity, with higher signal the more manual the discovery technique

Optimized:
  • High interactivity, designed to generate additional useful intelligence on attackers
  • Canaries designed to waste attacker time, such as through tarpitting [2]
  • Canaries leverage backstopping for detection, such as the use of the IAM Credential Report
  • An automated process is in place to reduce false positives caused by security and other internal scanning tools

Management

Low maturity canary programs often fail due to a lack of ongoing management of the infrastructure. A honeytoken that has been in place for two years is challenging to investigate once leaked, because the exposure window is so long. The same is true of a piece of canary infrastructure that has multiple attack paths that could compromise it. Management covers both the deployment of canaries and their ongoing maintenance.

Defined:
  • Manual deployment
  • No rotation

Managed:
  • Automated deployment
  • Periodic manual rotation

Optimized:
  • Short lived and/or frequently rotated canaries
  • Simulated traffic and burn-in to ensure canaries remain indistinguishable from authentic infrastructure
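The Impact table lists the IAM Credential Report as a detection backstop, and the Management table asks for rotation of honeytokens; one way to implement both checks over a credential report, as an added example that is not the article's or Tracebit's code. It assumes the CSV column names returned by `aws iam get-credential-report` (trimmed to those used); the canary user names, the 90-day rotation window and the sample rows are constructed.

```python
"""Backstop check of honeytoken IAM users against an IAM credential report.
Added example, not the article's or Tracebit's code. Assumes the CSV column
names of `aws iam get-credential-report`; canary names, window and rows are constructed."""
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import Optional

CANARY_USERS = {"svc-backup-legacy", "terraform-ci-old"}  # constructed inventory
MAX_KEY_AGE = timedelta(days=90)  # assumed rotation window
UNUSED = {"N/A", "no_information", ""}  # report values meaning "never"


def parse_ts(ts: str) -> Optional[datetime]:
    """Report timestamps are ISO 8601; unused fields carry N/A."""
    return None if ts in UNUSED else datetime.fromisoformat(ts)


def check_report(report_csv: str, now: datetime) -> dict:
    """Per canary user: any key use (detection backstop) and stale keys (rotation)."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user not in CANARY_USERS:
            continue
        notes = []
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            used = parse_ts(row[f"access_key_{n}_last_used_date"])
            if used is not None:  # honeytoken keys have no legitimate use: alert
                notes.append(f"key{n} USED {used.isoformat()} "
                             f"via {row[f'access_key_{n}_last_used_service']}")
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and now - rotated > MAX_KEY_AGE:
                notes.append(f"key{n} STALE age={(now - rotated).days}d")
        if notes:
            findings[user] = notes
    return findings


# Constructed sample report: one real user, one used canary, one stale canary.
SAMPLE_REPORT = """\
user,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_service
alice,true,2024-08-20T09:00:00+00:00,2024-09-01T10:00:00+00:00,s3,false,N/A,N/A,N/A
svc-backup-legacy,true,2024-08-10T00:00:00+00:00,2024-09-03T14:22:10+00:00,sts,false,N/A,N/A,N/A
terraform-ci-old,true,2024-01-02T00:00:00+00:00,N/A,N/A,false,N/A,N/A,N/A
"""
NOW = datetime(2024, 9, 7, tzinfo=timezone.utc)  # constructed report time

if __name__ == "__main__":
    print(check_report(SAMPLE_REPORT, NOW))
```

A used honeytoken key is an alert regardless of what CloudTrail delivered, which is what makes the report a backstop; the stale finding flags the long exposure window the Management section warns about.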

Program

The final category of our security canary maturity model looks at the program and policies that surround the technical implementation. This involves elements of Discoverability, Publicity, and Response Planning. Discoverability is related to improving the odds attackers stumble on canaries in their normal process. Publicity dissects the approach you use in communicating your program internally and externally. Response planning ensures you’re prepared when a canary does go off.

Defined:
  • Security team aware of canaries
  • Basic response playbook in place

Managed:
  • Internal awareness of canaries and procedure
  • Canaries are periodically tested
  • Response playbook has been tested, and supporting tooling is established

Optimized:
  • External awareness of use of canaries
  • Canaries are tested automatically on an ongoing basis
  • Tabletop response is conducted periodically, under a variety of scenarios
  • Response process includes attempts to out tools and attackers, imposing cost by burning infrastructure

Adding Canaries to your Security Program

No matter the maturity level of your overall program, there is room for canaries.


If you’re just starting out, a Defined program can be an early, easy win, offering trip wires for high impact compromise before you have a broader threat detection program in place. Once your program is established and scaling, maturing to a Managed state can paper over gaps in your other detection infrastructure at an affordable cost. Already at scale? At the Optimized level, your canaries can be customized to offer threat intelligence, defense in depth, and higher signal than other controls.

Footnotes

[1] Cliff Stoll is credited with creating the first honeypot back in 1986, as described in The Cuckoo's Egg. In the late nineties, products like The Deception Toolkit started to build a market around honeypots.

[2] Recent research has started to explore the potential to leverage LLMs to construct generative tarpits.
