AI Agent Compromise Detection

Know before the first API call.

Snare plants believable fake credentials where coding agents, CLIs, and SDKs already look. Healthy workflows leave them quiet. Compromised agents try to use them — triggering an alert before they reach the real API.

18 canary types 3 precision defaults Redacted proof reports Apache 2.0
Install and arm Snare No daemon. No traffic proxy. No policy changes.
install
$ curl -fsSL https://snare.sh/install | sh
$ snare arm --webhook https://...
✓ 3 canaries armed. (awsproc, ssh, k8s)
! awsproc fired — agent-01 — before API call live
Profile prod-admin (credential_process)
Token agent-01-9193baef7f3b0d2c
IP 34.145.201.71
ASN Google Cloud
User-Agent Boto3/1.34.46 md/Botocore#1.34.46 ua/2.0 os/linux#6.8.0
Signal during credential resolution, before API call
Use is the signal Snare does not need to watch every file read. It waits for high-confidence credential-use paths: SDK resolution, SSH connection, kubeconfig traffic, MCP probes, and other tool behaviors that should never touch bait.
01 arm

Plant reversible precision canaries with one command.

02 prove

Run a safe trigger and save a redacted proof report.

03 observe

Receive Discord, Slack, or generic webhook evidence when bait is used.

Fires at credential resolution. CloudTrail doesn't.

The alert arrives before the agent knows the credentials don't work.

An agent runs: aws s3 ls --profile prod-admin
T+0.00s
aws s3 ls --profile prod-admin
T+0.01s
AWS SDK begins credential resolution
T+0.01s
credential_process executes - alert in your webhook
T+0.02s
SDK receives fake JSON credentials
T+0.03s
SDK attempts ListBuckets() - fails
T+0.03s
Agent: "credentials may be invalid"
# ~/.aws/config
[profile prod-admin]
role_arn       = arn:aws:iam::123456789012:role/OrganizationAccountAccessRole
source_profile = prod-admin-source

[profile prod-admin-source]
credential_process = sh -c 'curl -sf https://snare.sh/c/agent-01-9193baef... >/dev/null 2>&1; echo "{\"Version\":1,\"AccessKeyId\":\"AKIAW2U59X...\",\"SecretAccessKey\":\"...\"}"'

CloudTrail never sees this. You do.

18 canaries. Three precision defaults.

Snare starts with the canaries least likely to make noise: AWS credential process, SSH config, and kubeconfig. They use existing SDK and OS plumbing, so a quiet canary is healthy until something tries to use it.

18 total types 3 precision defaults 15 additional with --all

awsproc

Fires inside AWS SDK credential resolution, before CloudTrail or a real API call can see anything.

ssh

Uses a believable host entry and ProxyCommand so connection attempts produce high-signal evidence.

k8s

Plants kubeconfig bait that phones home if kubectl, an SDK, or an agent follows the fake cluster.

Type Tier Path Trigger
awsproc precision ~/.aws/config credential_process fires before any AWS API call.
ssh precision ~/.ssh/config Fake host entry uses ProxyCommand to phone home on connection attempt.
k8s precision ~/.kube/snare-prod.yaml Kubeconfig server URL redirects kubectl or SDK traffic.
aws high ~/.aws/credentials AWS credential bait with endpoint_url redirect inside the profile.
gcp high ~/.config/gcloud/sa-prod-backup.json Service account JSON redirects the OAuth token exchange via fake token_uri.
npm high ~/.npmrc Scoped registry callback catches installs against the fake registry.
git high ~/.gitconfig credential.helper callback fires during credential lookup for a fake host.
pypi high ~/.config/pip/pip.conf extra-index-url catches pip or uv package resolution.
openai medium ~/.env Fake OpenAI credentials plus OPENAI_BASE_URL redirect.
anthropic medium ~/.env.local Anthropic bait with ANTHROPIC_BASE_URL for SDK-backed use.
azure medium ~/.azure/service-principal-credentials.json Azure SDK token fetch redirects through the fake tokenEndpoint.
mcp medium ~/.config/mcp-servers*.json Fake MCP server definitions fire on connection attempt.
github medium ~/.config/gh/hosts.yml GitHub CLI bait redirects API endpoint use without file-read telemetry.
stripe medium ~/.config/stripe/config.toml Stripe CLI config bait fires when a fake endpoint is used.
huggingface medium ~/.env.hf HF Hub SDK calls redirect through HF_ENDPOINT.
docker medium ~/.docker/config.json Registry bait fires on docker pull or login attempts.
terraform medium ~/.terraformrc terraform init follows a provider namespace to the fake registry.
generic medium ~/.env.production Generic API bait for tools that honor base URL environment variables.

Install. Arm. Prove it works.

The first ten minutes should end with confidence: canaries armed, webhook tested, proof report saved, and cleanup obvious. Use snare prove --pack all when you want one redacted artifact that covers every active proof pack.

Webhook URLs are secrets; keep them out of repos, screenshots, and shared logs. Running in a sensitive environment? Point canaries at your own callback server or controlled webhook/SIEM intake. Self-hosting docs → Alert fields →

quickstart
$ curl -fsSL https://snare.sh/install | sh
$ snare arm --webhook https://discord.com/api/webhooks/...

  Precision mode: planting highest-signal canaries only (awsproc, ssh, k8s)
    ✓ awsproc      ~/.aws/config
    ✓ ssh          ~/.ssh/config
    ✓ k8s          ~/.kube/staging-deploy.yaml
    ✓ webhook test delivered

$ snare prove --pack all --run --report --redact --output snare-proof.json
  redacted proof report written. New callback observed in events.

  Quiet is healthy. Use `snare events` to review callback evidence and `snare disarm` to clean up.

Rampart blocks.
Snare catches.

Prevention and detection are different jobs. Rampart enforces what agents are allowed to do; Snare gives you evidence when something still reaches for credentials. Each works alone, and together they tell a stronger story. rampart.sh

Prevention

Rampart

OS-level policy engine for AI agents. Blocks exfiltration, command execution, and unauthorized network access in real time.

Detection

Snare

Deception-based compromise detection. Plants credential canaries that fire the instant an agent tries to use stolen credentials.