TomeSpell
Canary & Honeypot Solution

Track Documents.
Trap Intruders.

Deploy invisible tracking in documents and executables. Monitor your infrastructure with honeypots and agents. Know when your files are accessed, from where, and by whom.

  • 100% Self-Hosted
  • 10+ Honeypot Types
  • Realtime Alerts
The Problem

Security Blind Spots Are Everywhere

Without proper visibility, threats go unnoticed until it's too late.

Data Leaks Go Unnoticed
Sensitive documents leave your organization daily. You have no visibility into who opened them or where.
Intruders Stay Hidden
Attackers probe your network for months before detection. By then, the damage is done.
Compliance Gaps
Audit requirements demand file access tracking. Manual logs are incomplete and unreliable.
Slow Incident Response
When a breach occurs, tracing the source takes days or weeks of forensic work.
The Solution

TS/Entrap gives you
eyes everywhere.

A complete tracking and monitoring infrastructure that deploys in minutes and alerts you instantly when something happens.

Trackable Documents
Filesystem Agents
Honeypot Services
Port Scan Detection
Real-time Alerts
Features

Comprehensive Security Monitoring

Five powerful capabilities working together to give you complete visibility.

Document Tracking

Trackable Documents

Generate PDFs with embedded tracking that silently reports back when opened. Know exactly who accessed your documents, when, and from where.

  • Invisible tracking embedded in PDFs
  • Captures IP address, geolocation, and user agent
  • Works with most PDF readers including Adobe
  • Multiple tracking methods for reliability
JavaScript + Link tracking for Adobe Reader compatibility
confidential-report.pdf
Generated with tracking
14:32:17 Document opened
IP: 185.234.xx.xx
Location: Moscow, Russia
Reader: Adobe Acrobat
File Monitoring

Filesystem Monitoring Agents

Deploy lightweight Go agents on any system to monitor file access, modification, and deletion events in real-time.

  • Lightweight binary with minimal footprint
  • Monitor specific files or entire directories
  • Real-time event reporting to controller
  • Works online and offline with event buffering
inotify/fanotify on Linux, cross-platform support
prod-server-01
Linux x86_64
Online
Monitored Paths
/etc/passwd
/var/log/auth.log
/home/admin/.ssh/
File Access Detected
/etc/passwd read by uid 0
2 seconds ago
Intrusion Detection

Honeypot Services

Run fake SSH, HTTP, and TCP services that look real to attackers. Every connection attempt is logged and triggers instant alerts.

  • SSH honeypot captures credentials and commands
  • HTTP honeypot logs all requests and payloads
  • TCP honeypot monitors arbitrary port connections
  • Configurable responses and banners
SSH, HTTP, TCP protocols
SSH :2222
HTTP :8888
TCP :9999
SSH Honeypot Alert
Source: 45.33.xx.xx
Username: root
Password: admin123
Attempts Today: 47
Unique IPs: 12
Active Traps: 3
Network Security

Port Scan Detection

Detect reconnaissance attempts before attackers find your real services. Configure trap ports and get alerted to scanning activity.

  • Configure trap ports that should never receive traffic
  • Threshold-based detection to reduce false positives
  • Detailed logging of scan patterns and sources
  • Instant alerts when scans are detected
libpcap-based detection
Port Scan Detected
Source: 92.118.xx.xx
Ports Hit: 12 in 3 seconds
Pattern: Sequential
Trap Ports
:21 :23 :25 :445 :1433 :3389 :5432 :6379
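
The threshold idea described above, as an added Go example (not TomeSpell's own code): a source is flagged only once it touches several distinct trap ports inside a short window, so a single stray connection does not raise an alert. The `Detector` type, its method names, and the threshold of 3 ports in 3 seconds are assumptions; the trap ports are the ones listed above and the source address is a constructed sample.

```go
package main

import (
	"fmt"
	"time"
)

// Detector alerts when one source touches at least threshold distinct trap
// ports inside window. Type and field names are hypothetical.
type Detector struct {
	trap      map[int]bool
	threshold int
	window    time.Duration
	seen      map[string]map[int]time.Time // source -> trap port -> last hit
}

func NewDetector(ports []int, threshold int, window time.Duration) *Detector {
	d := &Detector{trap: map[int]bool{}, threshold: threshold, window: window,
		seen: map[string]map[int]time.Time{}}
	for _, p := range ports {
		d.trap[p] = true
	}
	return d
}

// Observe records one trap-port hit and reports whether src crosses the threshold.
func (d *Detector) Observe(src string, port int, at time.Time) bool {
	if !d.trap[port] {
		return false // traffic to real services is not counted
	}
	if d.seen[src] == nil {
		d.seen[src] = map[int]time.Time{}
	}
	d.seen[src][port] = at
	for p, last := range d.seen[src] {
		if at.Sub(last) > d.window {
			delete(d.seen[src], p) // hit aged out of the window
		}
	}
	return len(d.seen[src]) >= d.threshold
}

func main() {
	d := NewDetector([]int{21, 23, 25, 445, 1433, 3389, 5432, 6379}, 3, 3*time.Second)
	t0 := time.Unix(1700000000, 0) // constructed sample timeline
	for i, p := range []int{21, 23, 25} {
		at := t0.Add(time.Duration(i) * time.Second)
		fmt.Println("192.0.2.10", p, d.Observe("192.0.2.10", p, at))
	}
}
```

Raising the threshold or shortening the window trades fewer false positives for slower detection of slow, spread-out scans.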
Physical Security

Hardware Security Devices

Deploy physical devices in your office environment. Network scanners detect internal reconnaissance while USB and SD card traps catch unauthorized access attempts.

  • Network scanners for internal honeypot deployment
  • USB flash drives with autorun traps and decoy files
  • SD cards with honeypot documents for physical access detection
  • Centralized monitoring of all hardware sensors
USB autorun
Intrusion Detection Scenario
1. Insider Threat: Plugs in USB
2. Trap Triggered: File accessed
3. Alert Sent: Instant notify
4. Threat Logged: Full forensics
Detection Time: <1s
Data Captured: 12 fields
Alert Channels: 3 active
How It Works

From Setup to Detection in Minutes

A simple workflow that gets you monitoring quickly.

Step 1

Deploy

Install the controller on your server and set up the dashboard.

Step 2

Generate

Create trackable PDFs or generate enrollment tokens for agents.

Step 3

Distribute

Share documents with targets or deploy agents to systems.

Step 4

Detect

Receive instant notifications when files are accessed or intruders probe.

Step 5

Respond

Review detailed logs with IP, location, and timing data.

Use Cases

Built for Security Professionals

Whether you're defending your organization or testing its defenses, TomeSpell has you covered.

Security Teams

Detect data exfiltration and insider threats before they become breaches.

  • Track sensitive documents across the organization
  • Set up canary files to detect unauthorized access
  • Monitor critical system files for tampering

Red Teams

Enhance your penetration testing and phishing assessments with tracking.

  • Embed tracking in phishing assessment documents
  • Monitor C2 decoy file access
  • Track lateral movement with honeypots

Compliance Officers

Maintain audit trails and demonstrate due diligence for regulations.

  • Log all access to sensitive documents
  • Generate compliance reports automatically
  • Prove chain of custody for legal holds

Incident Response

Deploy rapid detection during active investigations.

  • Set up honeypots to track attacker movement
  • Monitor compromised systems for further access
  • Collect evidence of unauthorized activity
FAQ

Frequently Asked Questions

Everything you need to know about TomeSpell.

Currently, TomeSpell supports PDF tracking with embedded JavaScript and link-based callbacks. Both methods work together to maximize detection across different PDF readers. DOCX support with pixel tracking and macros is planned for future releases.
Agents communicate via HTTPS to the controller API. They send heartbeats every 30 seconds and report events in real-time. When offline, agents buffer events in memory and flush them when connectivity is restored. All communication is authenticated using agent-specific tokens.
The tracking mechanisms in documents are passive and use standard PDF features, making them difficult to detect. Agents are compiled Go binaries without malicious payloads, so they typically don't trigger antivirus. However, some EDR solutions may flag the file monitoring behavior.
Yes! Agents are written in Go and compile to native binaries for all major platforms. Linux agents use inotify/fanotify for file monitoring, while Windows and macOS use their respective native APIs. Port scan detection requires libpcap on Linux.
TomeSpell supports multiple notification channels including email (SMTP), Slack webhooks, and generic HTTP webhooks. You can configure different channels for different event types and set up notification rules based on severity or event source.
TomeSpell is deployed on your own infrastructure, giving you full control over your data. There are no external dependencies or telemetry. You own your data completely.
Agents are designed to be resilient. When the controller is unreachable, agents buffer events in memory (configurable size limit) and continue monitoring. Once connectivity is restored, all buffered events are sent to the controller with their original timestamps.

Ready to track your infrastructure
and catch intruders early?

Deploy TomeSpell today and gain complete visibility into your documents and infrastructure.
