Alerting

When a trap is triggered or a honeypot tool is called, Deadfall sends alerts through multiple channels.

Alert Channels

1. Console Logging

Structured logs are written to the terminal when running deadfall serve:
ERROR Security Alert severity=critical title="Trap Triggered" file=.cursorrules trap_type=cursor-rules token=abc123...

2. File Logging

All alerts are written to deadfall_alerts.log:
2026-01-05T14:32:15-05:00 [critical] [Trap Triggered]: AI agent read trapped file and followed instruction | file=.cursorrules | trap_type=cursor-rules | token=abc123...
Log rotation: When the log exceeds 10MB, it’s rotated to deadfall_alerts.log.bak.

3. Desktop Notifications

Cross-platform desktop notifications via system tray:
🚨 Deadfall: Trap Triggered
AI agent read trapped file and followed instruction
Supported platforms:
  • macOS (native notifications)
  • Linux (libnotify)
  • Windows (toast notifications)

4. Webhook Delivery

Send alerts to external services (Slack, Discord, custom endpoints):
// Configure programmatically
alerter.SetWebhookURL("https://hooks.slack.com/services/XXX")
Webhook payload:
{
  "event": "deadfall_alert",
  "timestamp": "2026-01-05T14:32:15Z",
  "severity": "critical",
  "title": "Trap Triggered",
  "message": "AI agent read trapped file and followed instruction",
  "hostname": "developer-macbook",
  "context": {
    "token": "abc123def456...",
    "file": ".cursorrules",
    "trap_type": "cursor-rules",
    "created_at": "2026-01-05T10:00:00Z"
  }
}
Retry logic: Failed webhook deliveries are retried 3 times with exponential backoff (1s, 2s, 4s).
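A receiver for this payload, as an added example in Go that is not part of Deadfall's own code: it decodes the documented fields and rejects any post whose event name, severity or trap token does not match the format above, so nothing downstream acts on an arbitrary request to the webhook endpoint. The sample body is constructed from the payload shown above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Alert mirrors the webhook payload Deadfall posts to the configured URL.
type Alert struct {
	Event     string    `json:"event"`
	Timestamp time.Time `json:"timestamp"`
	Severity  string    `json:"severity"`
	Title     string    `json:"title"`
	Message   string    `json:"message"`
	Hostname  string    `json:"hostname"`
	Context   struct {
		Token     string    `json:"token"`
		File      string    `json:"file"`
		TrapType  string    `json:"trap_type"`
		CreatedAt time.Time `json:"created_at"`
	} `json:"context"`
}

// SamplePayload is a constructed body following the documented payload shape.
const SamplePayload = `{"event":"deadfall_alert","timestamp":"2026-01-05T14:32:15Z",
"severity":"critical","title":"Trap Triggered","message":"AI agent read trapped file and followed instruction",
"hostname":"developer-macbook","context":{"token":"abc123def456...","file":".cursorrules",
"trap_type":"cursor-rules","created_at":"2026-01-05T10:00:00Z"}}`

// ParseAlert decodes a webhook body and rejects anything that is not a well-formed
// Deadfall alert, so a receiver never acts on an arbitrary POST to its endpoint.
func ParseAlert(body []byte) (*Alert, error) {
	var a Alert
	if err := json.Unmarshal(body, &a); err != nil {
		return nil, fmt.Errorf("decode: %w", err)
	}
	if a.Event != "deadfall_alert" {
		return nil, fmt.Errorf("unexpected event %q", a.Event)
	}
	if a.Severity != "critical" && a.Severity != "warning" && a.Severity != "info" {
		return nil, fmt.Errorf("unknown severity %q", a.Severity)
	}
	if a.Title == "Trap Triggered" && a.Context.Token == "" {
		return nil, fmt.Errorf("trap alert without token")
	}
	return &a, nil
}

func main() { fmt.Println(ParseAlert([]byte(SamplePayload))) }
```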

Severity Levels

Severity | Description                          | Example
critical | High-confidence compromise detection | Trap triggered, secret access attempt
warning  | Suspicious activity                  | Unknown token, private file access
info     | Informational                        | Normal system events

Rate Limiting

To prevent alert spam, Deadfall enforces a minimum interval between alerts (100ms). During rapid-fire triggers, some alerts may be suppressed.

Alert Context

Trap-triggered alerts include rich context for investigation:
Field      | Description
token      | Unique trap identifier
file       | Path to the file that was read
trap_type  | Type of trap (cursor-rules, claude-context, etc.)
created_at | When the trap was deployed

Viewing Alert History

Check the log file for alert history:
cat deadfall_alerts.log

# Or tail for real-time monitoring
tail -f deadfall_alerts.log