Abstract

Modern networks are typically breached before an organization realizes an intrusion has occurred, leaving critical visibility gaps that attackers can exploit. Our project is Tripwyre, a deception-based intrusion detection suite designed to provide early warning of unauthorized activity in networks. The system integrated multiple honeypot and honeytoken technologies, including Cowrie and DCEPT, within a standardized Ubuntu Linux environment using containerized services. Tripwyre deployed decoy services, credentials, and documents to attract malicious actors and generate high-fidelity alerts when suspicious behavior occurred. Collected data was processed through a custom logging and forwarding pipeline using FastAPI and Fluent Bit to ensure compatibility with industry-standard SIEM platforms. The project demonstrates how lightweight, modular deception tools can enhance visibility into attacker behavior and reduce detection gaps left by traditional security controls.

Poster

Members

Andrew Lauck

Anthony Than

Chris Engelhardt

Michael Perrin

Vincent Del Rosario

Advisor: Samuel Bricking
