top of page
  • markderijk

What is a canary in the field of cyber security

What is a Canary?

Other than obviously being a bird, back in the day, a canary would be a prized possession for miners around the world.

In a mine, the level of methane and carbon monoxide could lead to the death of miners.

Humans don't have as much sensitivity to methane and carbon monoxide as canaries. The canaries can lose consciousness when certain levels of gases are present.

That's why miners would take a canary with them into the mine as a guardian to alert them regarding the possible presence of these gases in the air.

What's a modern-day version of a Canary?

A Canary in Cyber security

That same concept applied to modern IT is to place so-called canaries inside files and/or networks to alert their owners of something being up. That can be through incorporating a canary inside a file or through dedicated devices implemented in an organisation's network.

A Canary in software development

For software development purposes canaries are used to test new features by sending a subset of users to a new version of the software or service thereby facilitating a test of that feature. If something goes wrong it can be pointed back at the specific feature/canary token.

How does a Canary help me?

A modern-day canary token can help alert you to early indicators of an attack taking place on your network when it comes to cybersecurity.

Strategically placed canaries can reduce the likelihood of a breach taking place with insurers recognising this by offering more competitive premiums for organisations that have deployed these.

With attackers looking for interesting content a canary can prove to be enticing for an attacker to touch therefore leading to it signalling you through a different means of communication so the attacker is made none the wiser.

Due to its nature, the chance of false positives occurring is actually small as you would hand-pick which files or mechanisms to modify.

How a Canary Trap can look like

A canary token can be a physical device such as being sold by vendors like ThinkSt Canary or Red Canary which both can be found at or respectively.

It can also come in the form of a "soft" canary token such as:

- URL Token (to signal you when a specific URL is visited)

- DNS Token (When a specific DNS hostname is requested)

- Unique email address (When a specific email address is emailed)

- Image token (When a specific image is viewed)

- Word document (When a word document is opened)

- PDF document (When a PDF document is opened)

- Windows Folder ( When a particular Windows folder is viewed)

You can set up your own FREE token at:

Uses for a Canary token

-Intellectual property

The canaries might be placed inside files that are mock files pretending to hold sensitive data.

- Personal Identifiable Information

You can place canary tokens in databases so you can be notified when someone is trying to extract the database contents.

You can even place a canary token inside DNS r other mechanisms.


Research is still ongoing with both companies and universities looking for better ways to build a Canary Trap.

One such study explores the use of auto-generated "fake" documents.

You can find out more at: Dartmouth

The cyber security team at Banco Santander publishes their own excellent guidance as well.

That can be found at Banco Santander


To summarize

Canary tokens or traps can be an excellent security ally to help you defend your organisation against cyber threats and various types of attacks. With complex networks being the norm even in smaller organisations it is no surprise that network services can be better protected by the means of a canary device to improve your threat detection capabilities. So ask your neighbourhood security experts how it can help you and if not you know where you can find us to help you reduce your attack surface.

981 views0 comments

Recent Posts

See All


bottom of page