Open-source MCP honeypot with fake tools, canary credentials, session replay, and alerting.
wasphole impersonates a believable MCP server so you can observe how AI agents behave when they discover tools, read resources, probe files, retry errors, or exfiltrate planted credentials.
- Prompt-injection labs — watch an injected agent enumerate tools, read resources, and hunt for secrets.
- Agent security evaluation — compare how different models or agent frameworks behave against the same MCP surface.
- MCP deception — expose believable fake tools, files, databases, processes, logs, registry keys, and business workflows.
- Canary monitoring — plant fake credentials only where secrets naturally belong and alert when they are used.
- Red-team telemetry — record complete MCP sessions as JSONL for replay, research, and detection tuning.
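The kind of analysis a recorded session supports, as an added Go example that is not wasphole's own code. It assumes the input is raw MCP JSON-RPC requests, one per line; this is not wasphole's JSONL schema, which this page does not document, and the tool name, URI and canary value are constructed.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample session: raw MCP JSON-RPC requests, one per line.
// NOT wasphole's record format; tool name, URI and canary value are made up.
const sampleSession = `{"jsonrpc":"2.0","id":1,"method":"initialize","params":{}}
{"jsonrpc":"2.0","id":2,"method":"tools/list"}
{"jsonrpc":"2.0","id":3,"method":"resources/read","params":{"uri":"file:///app/.env"}}
{"jsonrpc":"2.0","id":4,"method":"tools/call","params":{"name":"http_request","arguments":{"headers":{"Authorization":"Bearer CANARY-EXAMPLE-0001"}}}}
not-json`

// Summary describes what one agent session did against the MCP surface.
type Summary struct {
	Methods    map[string]int // requests seen per MCP method
	Malformed  int            // lines that were not valid JSON-RPC requests
	CanaryHits []int          // 1-based line numbers whose params carry the canary
}

type request struct {
	Method string          `json:"method"`
	Params json.RawMessage `json:"params"`
}

// Summarize counts requests per MCP method and flags any request whose
// parameters contain the planted canary value (plain substring match).
func Summarize(session, canary string) Summary {
	s := Summary{Methods: map[string]int{}}
	sc := bufio.NewScanner(strings.NewReader(session))
	for line := 1; sc.Scan(); line++ {
		var r request
		if err := json.Unmarshal(sc.Bytes(), &r); err != nil || r.Method == "" {
			s.Malformed++ // count and skip lines that do not parse
			continue
		}
		s.Methods[r.Method]++
		if strings.Contains(string(r.Params), canary) {
			s.CanaryHits = append(s.CanaryHits, line)
		}
	}
	return s
}

func main() { fmt.Printf("%+v\n", Summarize(sampleSession, "CANARY-EXAMPLE-0001")) }
```
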
```
go install github.com/riza/wasphole/cmd/wasphole@latest
wasphole setup
wasphole server
```

The MCP server starts on port 8080. Point your agent or MCP client at http://localhost:8080.
| Topic | Description |
|---|---|
| Configuration | Full YAML reference for all config sections |
| Transports | stdio, HTTP, TLS with custom cert or Let's Encrypt |
| Detection | Alert patterns, levels, and sink configuration |
| Canary tokens | How canaries are planted, attributed, and delivered |
| Deployment | Production checklist, TLS, reverse proxy setup |
| Development | Build, test, project layout, extending wasphole |
- X: @rizasabuncu
- Support: buy me a coffee
Apache-2.0