detection · deception · zero daemons

Know the moment your AI agent is compromised

Snare plants convincing fake credentials in your agent's environment. If a hijacked agent tries to use them, you get an instant alert — before it does anything else.

$ curl -fsSL https://snare.sh/install | sh
🔑 AWS canary fired — agent-01
Token: agent-01-9193baef...
Time: 2026-03-11 06:07:33 UTC
IP: 34.121.8.92
Location: Council Bluffs, US
UA: Boto3/1.34.46 md/Botocore#1.34.46 ua/2.0 os/linux#6.8.0
⚠️ Likely AI agent — request from Amazon Technologies Inc (cloud infrastructure)

The credential itself phones home

Snare doesn't watch files. It embeds the callback URL as the service endpoint inside the credential — so any SDK call with that credential goes to snare.sh instead of AWS.

01 / PLANT

Fake credentials, real locations

snare plant --all places convincing fake AWS keys, GCP service accounts, and API keys exactly where real credentials live. The callback URL is embedded as endpoint_url, token_uri, or OPENAI_BASE_URL — not a comment.

02 / TRIGGER

Fires on use, not on read

A hijacked agent that finds and tries to use those credentials will redirect its SDK calls to snare.sh. You get the request's IP, ASN, and exact user agent string — Boto3/1.34.46 os/linux tells you it's an automated agent, not a human.

03 / ALERT

Instant webhook alert

Alerts arrive in Discord, Slack, or Telegram within a second of the canary firing. No polling. No lag. The Boto3 user agent, cloud ASN, and exact timestamp give you everything you need to respond.

04 / CLEAN

Surgical teardown

snare teardown finds the exact bytes it wrote — content-matched, not pattern-matched — and removes only those. Your real credentials are never touched.

Six credential types, one command

High-reliability canaries redirect SDK calls directly. Medium-reliability canaries fire under more specific conditions but provide valuable coverage.

Type | Reliability | Planted at | Mechanism
🔑 AWS | high | ~/.aws/credentials | endpoint_url SDK redirect
☁️ GCP | high | ~/.config/gcloud/sa-prod-backup.json | token_uri OAuth redirect
🤖 OpenAI | high | ~/.env.local | OPENAI_BASE_URL SDK redirect
🟠 Anthropic | high | ~/.env.local | ANTHROPIC_BASE_URL redirect
⬛ GitHub | medium | ~/.config/gh/hosts.yml | api_endpoint gh CLI redirect
💳 Stripe | medium | ~/.config/stripe/config.toml | verify URL + CLI config

Up and running in 3 minutes

Install the binary, run the guided setup, plant your canaries.

$ curl -fsSL https://snare.sh/install | sh
✓ Installed to /usr/local/bin/snare
$ snare init
Welcome to Snare — compromise detection for AI agents.
Where would you like to receive alerts?
1. Discord
2. Slack
3. Telegram
4. Custom
Choice [1]: 1
Paste your Discord webhook URL: https://discord.com/...
✓ snare is ready.
$ snare plant --all
✓ planted at ~/.aws/credentials
✓ planted at ~/.config/gcloud/sa-prod-backup.json
✓ planted at ~/.env.local (openai)
✓ planted at ~/.env.local (anthropic)
$ snare status
Active canaries (4) — all high reliability

How Snare differs

Snare Canarytokens inotify / audit
Fires on credential use (not just read) ✓ (AWS only)
No daemon required
Sub-second alerts ✗ (CloudTrail lag)
SDK user agent in alert
Multiple credential types AWS, GCP, OpenAI, Anthropic, GitHub, Stripe AWS only (for use-based)
No external infrastructure ✓ (self-host the worker) Thinkst-hosted

Rampart blocks. Snare catches.

Snare pairs naturally with Rampart, an OS-level policy engine for AI agents. Rampart enforces what agents are allowed to do. Snare detects when something slips through. Neither requires the other — both are stronger together.