Thinkst Canary

@ThinkstCanary

Followers
12,610
Following
10,300
Media
593
Statuses
2,380

Most companies only realise they are breached when informed by a 3rd party. This is a stupid problem! Thinkst Canary. Know. When it Matters.

Loved on all 7 Continents
Joined May 2015
@ThinkstCanary
Thinkst Canary
3 years
You can use a point & click canarytoken from to help test for the #log4j / #Log4Shell issue. 1) visit ; 2) choose the Log4shell token; 3) enter the email address you wish to be notified at; 4) copy/use the returned string...
17
504
1K
@ThinkstCanary
Thinkst Canary
2 years
Jacob Torrey on stage at @shmoocon just released our new Credit Card Canarytoken. 1) Visit to create ur own legit credit-card; 2) Place it in a data-store of your choice; 3) Get an alert when an attacker runs that card! Read more:
13
254
628
@ThinkstCanary
Thinkst Canary
3 years
*shrug* I’m not completely convinced that storing AWS keys in Slack is a bad idea 🤷‍♂️
6
91
619
@ThinkstCanary
Thinkst Canary
2 years
Some commands are overwhelmingly run by attackers on compromised hosts (and seldom ever by regular users in regular usage). Our @subtee has just released a new (free) Canarytoken to make monitoring these commands trivial. Read more about it -
15
196
593
@ThinkstCanary
Thinkst Canary
8 years
1) Guy leaves token'd doc on WebServer (not in document root) 2) Token is hit from Russian IP Address Seriously use
5
227
367
@ThinkstCanary
Thinkst Canary
3 years
Keeping up with security research is near impossible. Vendor pitches & bombastic claims add to the noise. ThinkstScapes fixes this. Grab quarterly reviews¹ by sec researchers with decades in the field. (PDF or audio) __ ¹ Free. Not even reg. needed
11
139
338
@ThinkstCanary
Thinkst Canary
11 months
Easily drop fake AD credentials on your network and detect when they are used. (Our) Roberto took a pass at automating @ippsec 's awesome work¹ combining fake AD accounts and Canarytokens. Check out our blog post at : __ ¹
3
87
305
@ThinkstCanary
Thinkst Canary
3 years
Tired: Die Hard is a Christmas movie. Wired: Home Alone is a hacker/blue-team movie.
9
57
295
@ThinkstCanary
Thinkst Canary
3 years
Would you know if your mobile phone was hacked? Our new WireGuard token deploys in seconds to give you a VPN config on your device. An attacker who compromises the phone has to try accessing it, and you get that one alert. When it matters.
9
89
268
@ThinkstCanary
Thinkst Canary
4 years
Years ago, when we created , we needed icons for each token. We used the MS Word icon for Word tokens, and Amazon's logo for AWS tokens. For DNS tokens, we've always used a headshot of @dakami Always such an icon. R.I.P
0
41
238
@ThinkstCanary
Thinkst Canary
9 months
Our Cloned Website Canarytoken¹ has caught attackers all over the world. Jacob's new CSS Canarytoken² allows this to work when all u can control is ur site's CSS. (It also works a treat to detect AitM phishing on Azure login portals) __ ¹ Free ² Also Free
3
69
205
@ThinkstCanary
Thinkst Canary
2 years
Ok.. Sample run looks good. We have our new Customer Gift…
16
5
169
@ThinkstCanary
Thinkst Canary
7 years
We just had a customer deploy multiple Canaries to Antarctica. This officially means that we have Canaries on all 7 Continents! #BirdPower
7
29
157
@ThinkstCanary
Thinkst Canary
3 years
Canarytokens force attackers to doubt anything they find on ur servers. Today, thanks to @dev0x01 - we ask: What happens when an attacker finds a Kubeconfig file on ur server? A: They use it, and u get a reliable alert! Our new (free) Kubeconfig token:
1
48
154
@ThinkstCanary
Thinkst Canary
4 years
You’ve heard of elf on the shelf. But what about...
13
18
143
@ThinkstCanary
Thinkst Canary
4 years
0
33
140
@ThinkstCanary
Thinkst Canary
3 years
Whoop! Whoop! 🎉🎉🎉 To celebrate our 7k follower mark, for the next week, you can create Canarytokens free at ¹ __ ¹ Normal price on : $0.00
3
21
136
@ThinkstCanary
Thinkst Canary
3 years
Two weeks ago we scrambled to beef up the free server to handle the log4j load. Rushed config changes then & a reboot today killed the in-memory db powering that server. Tokens created on the free server in the past 2 weeks are gone & shld be recreated.
7
50
132
@ThinkstCanary
Thinkst Canary
5 years
Some users wanted a nicer way to store / stack small flocks of Canaries. (Hardware) Birds will now ship with "stackers"
5
15
124
@ThinkstCanary
Thinkst Canary
3 years
"In the first 24-ish hours – this Canary did its job". It's kinda crazy, but it's a rare week that goes by without us getting news of a Canary somewhere earning its keep. We absolutely 💚 the feedback.
2
8
119
@ThinkstCanary
Thinkst Canary
5 years
2
19
104
@ThinkstCanary
Thinkst Canary
4 months
- Drop ‘em; - Forget about ‘em; - Win. 💪💚
5
11
103
@ThinkstCanary
Thinkst Canary
2 years
HackerNews discovered Canarytokens (again). “Within 1 year I found a breach on a developers box and another on a frontend server” “A dozen canary tokens will probably get your security detection program alot further than your first $2M of splunk license”
1
18
100
@ThinkstCanary
Thinkst Canary
3 years
@cyb3rops Thanks! @marcoslaviero has just pushed it live:
@ThinkstCanary
Thinkst Canary
3 years
You can use a point & click canarytoken from to help test for the #log4j / #Log4Shell issue. 1) visit ; 2) choose the Log4shell token; 3) enter the email address you wish to be notified at; 4) copy/use the returned string...
17
504
1K
6
38
95
@ThinkstCanary
Thinkst Canary
2 years
We can’t decide: Thinkst Canary: Nothing is what it seems. Or Thinkst Canary: Making detection a piece of Cake!
13
12
98
@ThinkstCanary
Thinkst Canary
3 months
We’ve revamped A new interface, new functionality, and the results of our latest security assessment¹ You can read more at: __ ¹ Still completely free
2
29
99
@ThinkstCanary
Thinkst Canary
6 months
Using DFIR reports to examine where Canaries & Canarytokens cld be placed to help defenders win. This post covers the latest release by the folks at @TheDFIRReport ¹ - A Bird’s-eye view: IceID to Dagon Locker. __ ¹ We love their work!
1
27
98
@ThinkstCanary
Thinkst Canary
2 years
What would an attacker do if they found credentials to an arbitrary REST API on your network? (We think most would try them). Our @subTee wrote a quick blogpost on how to use existing Canaries (&& Canarytokens) to detect enterprising attackers like this.
5
37
98
@ThinkstCanary
Thinkst Canary
5 years
*David Attenborough Voice* Observe the lesser spotted Rack-Mounted Canaries in their natural habitat...
5
9
91
@ThinkstCanary
Thinkst Canary
5 years
Our @HeyJayza just built a Slack-API Canarytoken. - Drop one on a file-server; - Drop some on developer laptops; - Drop some in your code repos. Attackers think they are getting access to your Slack (they are just announcing their presence). Cost: $0.00 Result: Priceless!
2
24
96
@ThinkstCanary
Thinkst Canary
2 years
Before he joined us in Labs, Casey Smith ( @subtee ) was a customer who deployed Canaries && Canarytokens in his org. In a new blog series, discussing customer deployments, he talks us through how they used "Canaries as Network Motion Sensors".
0
26
93
@ThinkstCanary
Thinkst Canary
1 year
Seriously: It just works... "have caught the red team twice"
2
11
91
@ThinkstCanary
Thinkst Canary
5 years
For fun or for Profit. It just works...
2
35
91
@ThinkstCanary
Thinkst Canary
7 years
Stolen AWS API keys are a nightmare. U can now seed AWS keys as Canarytokens & receive notifications when they are used (Inspired by @dagrz )
0
49
85
@ThinkstCanary
Thinkst Canary
3 years
Last month @cyb3rops and @markus_neis chatted about a cool cmdkey technique to point attackers (running Mimikatz) to a Canary/Honeypot. Riaan and @nickrohrbs put out a quick blogpost on how you can use this to lead attackers to your birds.
2
21
86
@ThinkstCanary
Thinkst Canary
3 years
Thanks to @nickrohrbs (and initial work from @jas502n ) the Canarytoken will now also fetch the vulnerable server's hostname. (This has the ancillary benefit of the test being less prone to resolution false positives). Simply use as before.
1
22
85
@ThinkstCanary
Thinkst Canary
6 years
We are repeating last year's crazy Black Friday Offer: Create as many Canarytokens as you want, completely free¹ at . At this price, you’d be crazy not to sprinkle some around your network. __ ¹ Tokens only free till heat death of Universe;
0
61
79
@ThinkstCanary
Thinkst Canary
3 years
With all this talk on QR Codes, it’s worth noting that you can turn ‘em into detection tripwires too. Attackers follow QR codes too. Create free QR Code Canarytokens for physical objects at (as of last month paid allows you to bounce to another server)
0
20
81
@ThinkstCanary
Thinkst Canary
7 years
We had the smart folks at @NCCGroupInfosec do a security audit on Canary (to add to our customers peace of mind) “Overall, Thinkst have done a good job and shown that they are invested in producing not only a security product but also a secure product”
2
29
76
@ThinkstCanary
Thinkst Canary
1 year
🤷‍♂️
5
13
77
@ThinkstCanary
Thinkst Canary
2 years
Having a paying Canary customer in Antarctica allowed us to say that we had customers on all 7 continents. (We loved it & used to lord this over @duosec when fighting them for "most loved company in infosec"). We no longer have just one customer there... We now have two ✊💚🐧
1
11
78
@ThinkstCanary
Thinkst Canary
5 years
Feeling cute, might delete later¹ __ ¹ 14 Racks of birds just took flight for a US-based customer
5
9
76
@ThinkstCanary
Thinkst Canary
3 years
Q: What does an attacker do if she finds a mysql-dump file on one of ur servers? A: She loads it into a tmp-db to go through it Q: Can we get an alert if that happens? A: Absolutely! @JacobTorrey writes about building our new/free MySQL Canarytoken:
1
27
76
@ThinkstCanary
Thinkst Canary
1 month
We just added a new sticker¹ to IYKYK 💪💚 __ ¹ Yup. We will ship these to you completely on our own dime.
4
14
78
@ThinkstCanary
Thinkst Canary
4 years
“I wanted to let you know that during the demo we detected real attack on our client network!” (sic)
3
12
76
@ThinkstCanary
Thinkst Canary
3 years
A nostalgic @marcoslaviero dug out our old company credit-card-policy.txt Hasn't changed...
1
8
75
@ThinkstCanary
Thinkst Canary
3 years
The cool thing about Canaries and Canarytokens is that they flip the traditional script. Attackers just have to mess up once… Defenders can get lucky…
@JCyberSec_
Jake | JCyberSec_
3 years
Sent a couple of canary tokens to a threat actor phishing for Metamask account phrases 🦊🪙🪙 The actor used ProtonVPN out of the Netherlands 🇳🇱 Until they forgot... 🇳🇬197.211.52.13
12
42
272
1
17
73
@ThinkstCanary
Thinkst Canary
9 months
Two weeks ago, @ollieatnowhere mentioned¹ being able to generate DNS/HTTP requests when viewing QT & MP4 files. Our Gerrie Crafford took a swing at building it into a reliable Canarytoken & wrote about the process² __ ¹ ² currently not a Canarytoken
@ollieatnowhere
Ollie Whitehouse
10 months
A fun little canary for you all in cyber defence to help detect breaches/data theft. QT & MP4 files can reference external urls via 'rdrf' sections. These can be URLs and thus you can get a DNS resolution and/or HTTP request on open. Have an MP4 working example in VLC...
6
42
160
1
19
72
@ThinkstCanary
Thinkst Canary
3 years
"You made a pentester very VERY sad and we appreciate it very very much hahaha." Thinkst Canary - Making attackers sad on all 7 continents...
0
6
73
@ThinkstCanary
Thinkst Canary
2 years
How it started vs How it’s going… @ThinkstCanary has a posse! ✊️💚
1
6
72
@ThinkstCanary
Thinkst Canary
4 years
It turns out this “Canary cufflink” idea really has taken off. Drop us a DM if you’d like a set of Canary cufflinks¹ __ ¹ for people who don’t wear cufflinks, we totally believed they were pins/badges till our recent re-education
6
11
71
@ThinkstCanary
Thinkst Canary
2 years
A @ThinkstCanary in your @Tailscale tailnet ? Yup¹ __ ¹ Coming this Q...
2
9
70
@ThinkstCanary
Thinkst Canary
1 year
"Frankly it’s a reason enterprise software is often so terrible; tons of options you barely understand or know about, and are configured according to tutorials/examples rather than understanding." A quick post by our own PaulG, on the use of examples:
1
17
71
@ThinkstCanary
Thinkst Canary
2 years
Our (free) AWS Canarytokens have always been popular. Today, we released the Azure alternative on our server¹ Attackers who find ‘em have to use ‘em (and reveal their presence). Check out Pieter’s blog post at: __ ¹ also free
0
24
69
@ThinkstCanary
Thinkst Canary
4 years
Everybody wants to be your “single pane of glass”. Everybody wants to be a platform. We don’t. We want to be awesome at what we do & then want to get out of ur way. If u use @RumbleDiscovery u can now lookup IPs in Rumble from ur @ThinkstCanary console
3
17
68
@ThinkstCanary
Thinkst Canary
4 years
If you are running OpenCanary, you should upgrade to 0.6.1 @nvangijzen discovered two-bytes that let you distinguish our fake MySQL server from a real one. This allows you to tell if OpenCanary is running on a host (if it's running the MySQL module). pip upgrade for the fix
2
24
69
@ThinkstCanary
Thinkst Canary
3 years
@brownglock @haroonmeer @halvarflake Headcount is meaningless because it creates the perverse incentive of wanting to build big teams instead of wanting to build great products. It's also really discriminatory¹. __ ¹ If we employed hydras or Cerberus or other creatures with multiple heads do they count as 1 or 3?
5
8
69
@ThinkstCanary
Thinkst Canary
2 years
How it started.. How it's going...
3
3
68
@ThinkstCanary
Thinkst Canary
1 year
It's Defcon... Time to talk Burners & QR Codes... 🧵 1/86
2
11
68
@ThinkstCanary
Thinkst Canary
1 year
This month is 8 years since we shipped our first Canaries to customers. We 💚 that we've never had to raise our prices; We 💚 that most of our customers from year-1 are still on-board; We 💚 being able to do this. Here's to 8 more! ✊💚
2
10
68
@ThinkstCanary
Thinkst Canary
3 years
AWS Canarytokens are a low-effort, high-fidelity method to detect attackers. Enterprising attackers could have used gaps in CloudTrail logging to try to identify those “spiked” AWS creds. Our @HeyJayza & @marcoslaviero built “Safety Net” to fix this.
1
25
67
@ThinkstCanary
Thinkst Canary
4 years
“This is ⬛️⬛️⬛️⬛️⬛️⬛️¹ doing a pen test for us and as usual the Canary caught them on the first day³” __ ¹ Name of popular pen test house removed. ² “as usual Canary caught them on the first day” ³ Just an average day
1
9
66
@ThinkstCanary
Thinkst Canary
9 months
During December, Quinn snuck "breadcrumbs" into our Canary Consoles. Empirically, attackers find Canaries and trip over them without much help - but now you can trivially drop breadcrumbs to lead them there too.
2
18
65
@ThinkstCanary
Thinkst Canary
2 years
Tell me you grew up in the 80's without telling me you grew up in the 80's. (also: coming soon)
14
2
64
@ThinkstCanary
Thinkst Canary
3 years
We agree.
@cyb3rops
Florian Roth
3 years
I think that deception tech (traps, decoys, lures, canaries) is still highly underrated and will become much more important in the coming years I like it because it plays out its strength when your established protection measures and detection logic have already failed
8
65
275
1
3
63
@ThinkstCanary
Thinkst Canary
5 years
Whoop! Whoop! GCP Canaries are now ready to roll... Much like their hardware, AWS and VM brethren, they will install in minutes and require 0 on going admin overhead. Drop us a note and it will automagically show up on your console!
1
32
62
@ThinkstCanary
Thinkst Canary
4 years
A super cool post from @NCCGroupInfosec on using Windows Service Canaries to fight Ryuk.
0
13
63
@ThinkstCanary
Thinkst Canary
2 years
Simple is elite…
2
4
62
@ThinkstCanary
Thinkst Canary
3 years
We ship a bunch of Canary gifts around the world and wanted to cut down on the extra plastic. Thanks to our friends at the Sparrow Society () future canary-gifts will arrive in sustainable, ethically && locally made bags. ♻️✊💚
9
5
63
@ThinkstCanary
Thinkst Canary
2 years
Kermit was wrong. It’s pretty ok being green…
9
4
62
@ThinkstCanary
Thinkst Canary
3 years
A few months ago we released¹ our WireGuard Canarytoken. Thanks to @azhrdesai that token is now available on our free Canarytoken server (at ) $0.00 && Super Useful! __ ¹
0
18
61
@ThinkstCanary
Thinkst Canary
1 year
Pen-testers after getting caught by Canaries on day-1 of the assessment:
@elonmusk
Elon Musk
1 year
I knew birds weren’t real
33K
23K
327K
2
3
61
@ThinkstCanary
Thinkst Canary
3 years
If you want some light(ish) reading (that doesn't mention Log4J at all) @JacobTorrey has released our Q4-Research-Roundup at It's free, non-paywalled, covers over 300 confs and is a great read/listen. You can also (finally) subscribe to future releases.
0
24
59
@ThinkstCanary
Thinkst Canary
3 years
Ok.. Wordle is cool¹ 🟩🟩🟩🟩🟩🟩🟩🟩🟥🟥 🟩🟩🟩🟩🟩🟩🟩🟩🟥🟥 🟩🟩🟩🟩⬜️⬜️⬜️🟩🟩🟩 🟩🟩🟩🟩⬜️⬜️⬜️⬜️🟩🟩 🟩🟩🟩⬜️⬜️⬜️⬜️🟩🟩🟩 🟩🟩⬜️⬜️⬜️⬜️⬜️🟩🟩🟩 🟩⬜️⬜️⬜️⬜️⬜️⬜️🟩🟩🟩 ⬜️⬜️⬜️⬜️⬜️⬜️⬜️🟩🟩🟩 ⬜️⬜️⬜️⬜️⬜️⬜️🟩🟩🟩🟩 ⬜️⬜️⬜️⬜️⬜️🟩🟩🟩🟩🟩 __ ¹ not actual Wordle result…
0
3
59
@ThinkstCanary
Thinkst Canary
4 years
The recording of our webinar: "Enterprise Breach Detection in 15-minutes (from the comfort of your couch)" is now available. You get: - Bad Jokes/Accents; - To see us deploy hardware, .vmx, .ova & AWS Canaries (+ dozens of tokens) in under 10 minutes.
0
28
61
@ThinkstCanary
Thinkst Canary
1 year
We grew up as part of the hacker community. Being able to sponsor an institution like @SummerC0n is a genuine privilege. ✊️💚
1
2
60
@ThinkstCanary
Thinkst Canary
4 years
SolarWinds¹ "the perpetrators spent months inside the company’s software development labs honing their attack" This is common. Attackers land & spend months/years before the big hit. Take 30 mins today & deploy 20 Canaries. Know when it matters. __ ¹
2
26
58
@ThinkstCanary
Thinkst Canary
2 years
A what? A Canary¹ in your Tailnet²? Totally.. (Now in beta) __ ¹ @ThinkstCanary ² @Tailscale
1
14
59
@ThinkstCanary
Thinkst Canary
2 years
Know. When it matters. "having the canary on my network, was the single key signal that I needed" "I don't know how many of your customers go from, turning on a canary, to finding someone bad in their network but I only got mine going 11/25 & on 12/22 it save my company." (sic)
0
14
58
@ThinkstCanary
Thinkst Canary
2 years
Great marketing dilemmas: a) Thinkst Canary: Just do it! b) Thinkst Canary: Be Sneaky! Like for (a), RT for… nah.. j/k!
11
7
57
@ThinkstCanary
Thinkst Canary
2 years
The CreditCard Canarytoken is super popular && is getting hit really hard. We know lots of people are getting API-rate-limited. Sorry. This is an upstream limitation with our current credit card issuer && We are working to onboard other providers to overcome this.
2
8
57
@ThinkstCanary
Thinkst Canary
7 years
Today we took ownership of our first ThinkstCanary-HQ. The place needs more green before we move in, but we are stoked!
8
1
56
@ThinkstCanary
Thinkst Canary
3 years
It’s been too easy for too long. Make attackers work for it! ✊️💚
@_escctrl_
ESC CTRL
3 years
When you see domadmins-lastpass.xlsx and you’re convinced it’s @ThinkstCanary but that temptation is biting hard
0
1
14
2
11
56
@ThinkstCanary
Thinkst Canary
1 year
For the first time since we started, we might need to get in a corporate PR team... Our secret is out 😱
2
7
55
@ThinkstCanary
Thinkst Canary
3 months
Our @wleightond just pushed out a brand new Canarytoken. 1) Visit ; 2) Create a fake app¹; 3) Download it to your home-screen; 4) Get an alert when anyone else opens it! Read more about it at __ ¹ Still completely free
6
19
56
@ThinkstCanary
Thinkst Canary
3 years
We are going to be taking the public server down for a few moments to bump it up a bit. Will post the all clear here when it's back.
1
2
54
@ThinkstCanary
Thinkst Canary
4 months
We aren't sure if the backing track should be "New York, New York" or "Paint the town Green" 💚💪🗽
4
9
53
@ThinkstCanary
Thinkst Canary
2 years
Whoop! We just crossed 10k followers! Time to swap out Canarytokens for a token/ICO¹ But seriously: Thanks! 💚✊ __ ¹ No
1
3
53
@ThinkstCanary
Thinkst Canary
3 years
Crazy cool… ✊️💚
3
5
52
@ThinkstCanary
Thinkst Canary
11 months
Sure you've heard of Elf on the Shelf, but¹ what about.. __ ¹ If you are a fan of 90's movies
9
6
51
@ThinkstCanary
Thinkst Canary
5 years
Some birds help, and some birds just want to see the whole world burn...
8
8
50
@ThinkstCanary
Thinkst Canary
5 years
Birds of a Feather... We are super pleased to welcome @sawaba to Team-Canary. 💚 💚 💚 From next week, he will be making us smarter, and customers happier as he spreads the Tao of the Canary. We are stoked!
5
3
52
@ThinkstCanary
Thinkst Canary
1 year
A quick blog post by @subT3e on how our canarytokens are used to detect when your websites are cloned (and how this defense¹ holds up against new-style reverse-proxy attacks). __ ¹ This token is also available free at
0
24
49
@ThinkstCanary
Thinkst Canary
3 years
What’s it called when Canaries catch pen-testers ? Thursday¹ __ ¹ [Monday|Tuesday|Wednesday|Friday|Saturday|Sunday]
0
8
48
@ThinkstCanary
Thinkst Canary
3 years
We couldn't resist... ✊💚
4
9
50
@ThinkstCanary
Thinkst Canary
3 years
We use rigorous development practices deeply rooted in science and reason. Also us:
1
7
50