Snare is intentionally small: a CLI plants credential and tool-use tripwires, callbacks produce alert metadata, and the operator can prove and remove the tripwires. This guide is for security engineers who need to evaluate Snare safely before using it in a lab, developer fleet, CI environment, or AI-agent pilot.
Snare detects active use of planted fake credentials and tool configurations. It is not a prompt-injection firewall, EDR, DLP tool, or policy enforcement engine.
Snare is useful when you want to know whether an agent, scanner, script, or human attacker tried to use a sensitive-looking local capability such as an AWS profile, SSH host, kube context, package registry, or SDK endpoint override.
Start with the default precision canaries (awsproc, ssh, k8s). They are designed to stay quiet during normal work and fire only when the planted fake profile, host, or context is actively used.
# 1. Preview local file changes without writing canaries.
snare arm --dry-run
# 2. Arm precision-mode canaries and send alerts to an existing destination.
snare arm --webhook https://example.com/snare-webhook
# 3. Confirm local state and expected quiet state.
snare status
snare scan
snare doctor
# 4. Run an end-to-end test callback and verify event readability.
snare doctor --test
# 5. Safely trigger precision canaries and write a redacted proof artifact.
snare prove --run --report --redact --format json --output proof.json
# 6. Review recent callback evidence.
snare events
# 7. Remove canaries and local Snare config when the pilot is done.
snare disarm --purgeA fresh canary showing never fired can be healthy. Use snare scan, snare doctor, and snare prove to distinguish a healthy quiet canary from a registration or readability problem.
snare arm defaults to precision mode and only plants awsproc, ssh, and k8s canaries. snare arm --all expands to every canary type.
| Scope | Examples | Notes |
|---|---|---|
| Local Snare state | ~/.snare/config.json, ~/.snare/manifest.json |
Created with restrictive permissions. Manifest records exact bytes written for safe teardown. |
| Precision canaries | ~/.aws/config, ~/.ssh/config, ~/.kube/<name>.yaml |
Default mode. Designed to fire on active use, not passive reads. |
| Package/tool canaries | ~/.npmrc, ~/.config/pip/pip.conf, ~/.gitconfig, ~/.terraformrc, ~/.docker/config.json |
Use selectively. Some package-manager canaries may fire during normal developer workflows. |
| SDK/app canaries | dotenv files and vendor config files for OpenAI, Anthropic, GCP, Azure, GitHub, Stripe, Hugging Face, MCP, and generic endpoints | These depend on how the target agent or tool consumes local config. |
Teardown is content-matched: Snare removes the exact bytes it wrote and does not rewrite unrelated credentials in the same file. Use snare teardown --dry-run, snare disarm, or snare disarm --purge during evaluation cleanup.
- The CLI creates a local device secret and registers token metadata with
snare.sh. - A planted canary contains a callback URL such as
https://snare.sh/c/<token>. - If the fake credential/tool path is used, the SDK or tool requests the callback URL.
- The callback service stores metadata and optionally forwards an alert to your webhook destination.
- The CLI reads recent events with the local device secret.
| Flow | Data |
|---|---|
| Registration API | Token ID, device ID, canary type, label, webhook routing metadata. |
| Events API | Token ID in the URL and bearer device secret for authenticated reads. |
| Canary callback | Token ID, request path, method, IP, user agent, Cloudflare-derived geography/ASN/bot metadata when using the managed worker. |
| Webhook delivery | Alert payload containing event metadata. No request body is included. |
Callback handlers intentionally do not read, store, or forward request bodies. This matters because some SDK callbacks can include credential material in HTTP bodies. The application-level privacy guarantee does not mean Cloudflare or other network infrastructure never handles the encrypted network request; self-host if you need full network-layer control.
Use proof reports as the shareable evaluation artifact:
snare prove --run --report --redact --format json --output proof.jsonA useful proof artifact should show:
- which precision canaries were armed;
- which trigger commands were executed;
- whether callbacks were visible through the events API;
- observed callback timestamps and latency where available;
- cleanup commands;
- what the proof demonstrates;
- what the proof does not demonstrate.
Use --redact before sharing outside the evaluating machine. Redaction removes raw device IDs, token IDs, labels, cleanup-token values, and local absolute paths.
Snare can post alerts to Discord, Slack, Telegram, or generic JSON webhook endpoints. For SIEMs that require custom headers, signed requests, or vendor-specific envelope formats, put a small relay in front of the SIEM and have Snare post to the relay.
See:
Use managed snare.sh for a quick lab. Self-host when you need one or more of the following:
- all callback traffic to stay inside your network or cloud account;
- a custom callback domain;
- control over log retention, backup, and alert routing;
- custom webhook signing or relay behavior;
- evaluation in a restricted enterprise lab.
See Self-hosting.
For production-like pilots, verify the release before installing broadly:
cosign verify-blob --bundle checksums.txt.bundle checksums.txt
sha256sum -c checksums.txtThen smoke-test the binary in a temporary install directory before deploying to endpoints:
snare --version
snare arm --help
snare doctor --help
snare prove --help- Snare detects use of planted tripwires; it does not prevent compromise.
~/.snare/manifest.jsonrecords canary locations so Snare can safely remove them. A local attacker who reads it can identify bait.- Public callback domains can be fingerprinted. Use self-hosting or a custom callback domain when that matters.
- Some canary types are intentionally noisier than the precision defaults and should be selected deliberately.
- Managed mode depends on the availability and policy of the hosted callback service and its network provider.
- Webhook URLs are secrets and should be handled like credentials.
-
snare arm --dry-runoutput reviewed by a security engineer. - Default precision-mode canaries tested before
--all. -
snare doctor --testpasses in the target network. -
snare prove --run --report --redact --format json --output proof.jsonproduces a share-safe artifact. - Alert destination tested and owned by the evaluating team.
- Cleanup command verified with
snare disarm --purgeon a pilot host. - SIEM relay or direct integration documented, including secret handling.
- Self-hosting decision recorded for callback privacy and custom domain requirements.