City of Hats - Exposure Intelligence Platform

Canary Intelligence API

Real-Time Early-Stage Attack Telemetry

The Canary Intelligence API delivers live attacker telemetry sourced from our distributed honeypot network — giving your security teams visibility into credential validation, account probing, and fraud testing activity before attacks escalate.

Instead of:

Detecting compromise after damage occurs

You're alerted:

At the first sign of hostile intent

City of Hats isn't watching breaches happen — we're watching attackers while they attack.

Traditional honeypots sit and wait. Our canaries are designed to be discovered — and send real-time intelligence when attackers engage.

Example Signals:
✔ Credential reuse attempts
✔ Privileged access testing
✔ Canary asset discovery

What This API Provides

The API streams anonymized attack event signals from the City of Hats Honeypot Network and partner deception infrastructure.

Attack Signals Detected

  • 🔐 Credential test attempts
  • 🤖 Automation fingerprinting
  • 🌐 Attacker infrastructure clues
  • 📱 SIM-swap reconnaissance
  • 🔁 Replay & credential stuffing prep
  • Account validation probes
  • 💳 Fake checkout & fraud testing signals

🛡️ Privacy-First Telemetry

  • No PII
  • No personal user activity
  • Just attacker behavior

Why This Matters

Most systems only see attack activity when it reaches them.

City of Hats sees: the attacker practicing — before the real attempt.

This enables:

🛡️ Proactive fraud defense
🔐 Intelligence-driven MFA policies
⚠️ Early credential risk escalation
📊 SOC readiness & enrichment
🆔 Identity risk confirmation

Example Canary Signal

Canary Event LIVE SIGNAL
{
  "event_type": "credential_testing",
  "timestamp": "2026-01-03T04:12:11Z",
  "source_country": "RU",
  "infrastructure": "residential-proxy",
  "attack_confidence": "high",
  "related_domain": "example-company.com",
  "threat_stage": "TESTING",
  "recommended_action": "monitor_or_step_up_auth"
}

Signal Breakdown

event_type         Type of attack behavior detected
infrastructure     Attacker's proxy/network type
attack_confidence  How certain this is malicious
threat_stage       Position in attack funnel

Relationship to Risk Scoring

Canary telemetry is a high-value input to the Risk Engine, especially when:

🧪 Credentials were previously exposed
⚠️ Account testing trends increase
🔁 Automation fingerprints match
🕵️ Funnel activity advances

Together, they answer:

"Is this identity being prepared for attack?"

Example Use Cases

🏦 Fraud & FinCrime

Detect synthetic identity test runs before loan or account abuse attempts.

🏬 E-Commerce Trust

Detect credential-stuffing prep before bots reach checkout.

🏢 Workforce Security

Identify hostile reconnaissance before corporate account compromise.

📱 Telecom & Carrier Defense

Detect SIM-swap reconnaissance activity before takeover events.

API Reference

GET /v1/canary/signals
cURL
curl -X GET "https://api.cityofhats.com/v1/canary/signals?limit=50&threat_only=true&since_hours=24" \
  -H "Authorization: Bearer YOUR_API_KEY"
Response 200 OK
{
  "signals": [
    {
      "id": "sig_82933",
      "event_type": "credential_testing",
      "confidence": "high",
      "source_region": "EU",
      "proxy_type": "residential",
      "threat_stage": "TESTING",
      "related_domain": "example.com",
      "timestamp": "2026-01-03T04:12:11Z",
      "recommended_action": "monitor_or_step_up"
    }
  ],
  "total_count": 142,
  "time_range": "24h"
}
GET /v1/canary/threat-feed

High-confidence threat signals only

GET /v1/canary/campaigns

Grouped attack campaigns

GET /v1/canary/stats

Network statistics & trends

Response Field Reference

Field               Type    Description
event_type          string  credential_testing | account_probe | sim_recon | fraud_test
confidence          string  low | medium | high (signal confidence)
source_region       string  Geographic origin of attack (ISO region)
proxy_type          string  datacenter | residential | mobile | tor
threat_stage        string  TESTING | ATTACK (position in funnel)
related_domain      string  Target brand/domain being tested
recommended_action  string  monitor | step_up | block | alert_soc

Threat Funnel Alignment

Canary signals typically appear at these critical stages:

TEST stage: canary detects
  • Credential rehearsal
  • Account validation
  • Bot testing runs

ATTACK stage: canary detects
  • Live credential abuse
  • Session hijacking
  • SIM takeover

Which means: Customers detect threats before monetization ever begins.

Example Automation Triggers

IF:

  • Canary confidence = high
  • AND Credential exposure = true
THEN →

ACTIONS:

  • 🔐 Enforce step-up auth
  • 📊 Monitor transaction behavior
  • 🚨 Alert SOC

No human approval needed. Intelligence-driven automation at machine speed.
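
An added example (not City of Hats code) of the trigger above, run over a constructed response in the shape of the GET /v1/canary/signals output. It validates each record against the documented enumerations before acting, since the page's own sample value "monitor_or_step_up" does not appear in the field reference; the exposure lookup keyed on related_domain and the action labels are assumptions of this example.

```python
import json

# Enumerations copied from the page's Response Field Reference.
ALLOWED = {
    "event_type": {"credential_testing", "account_probe", "sim_recon", "fraud_test"},
    "confidence": {"low", "medium", "high"},
    "proxy_type": {"datacenter", "residential", "mobile", "tor"},
    "threat_stage": {"TESTING", "ATTACK"},
    "recommended_action": {"monitor", "step_up", "block", "alert_soc"},
}
# Hypothetical labels for the three actions the page lists under ACTIONS.
TRIGGER_ACTIONS = ["enforce_step_up_auth", "monitor_transactions", "alert_soc"]

# Constructed sample data; ids and domains are made up for this example.
SAMPLE_RESPONSE = json.dumps({"signals": [
    {"id": "sig_0001", "event_type": "credential_testing", "confidence": "high",
     "proxy_type": "residential", "threat_stage": "TESTING",
     "related_domain": "shop.example", "recommended_action": "step_up"},
    {"id": "sig_0002", "event_type": "account_probe", "confidence": "high",
     "proxy_type": "tor", "threat_stage": "TESTING",
     "related_domain": "mail.example", "recommended_action": "monitor"},
    {"id": "sig_0003", "event_type": "credential_testing", "confidence": "high",
     "proxy_type": "residential", "threat_stage": "TESTING",
     "related_domain": "shop.example", "recommended_action": "monitor_or_step_up"},
    {"id": "sig_0004", "event_type": "sim_recon", "confidence": "medium",
     "proxy_type": "mobile", "threat_stage": "ATTACK",
     "related_domain": "shop.example", "recommended_action": "alert_soc"},
]})

def invalid_fields(signal):
    """Return the documented enum fields whose value is missing or undocumented."""
    return sorted(f for f, ok in ALLOWED.items()
                  if not isinstance(signal.get(f), str) or signal[f] not in ok)

def triage(response_text, exposed_domains):
    """Apply the page's rule: confidence = high AND credential exposure = true."""
    decisions = {}
    for sig in json.loads(response_text).get("signals", []):
        bad = invalid_fields(sig)
        if bad:
            # Never auto-act on a record that fails validation; route to review.
            decisions[sig.get("id")] = ("review", bad)
        elif sig["confidence"] == "high" and sig.get("related_domain") in exposed_domains:
            decisions[sig.get("id")] = ("act", TRIGGER_ACTIONS)
        else:
            decisions[sig.get("id")] = ("log_only", [])
    return decisions

if __name__ == "__main__":
    # exposed_domains stands in for a local credential-exposure lookup (assumed).
    for sig_id, decision in triage(SAMPLE_RESPONSE, {"shop.example"}).items():
        print(sig_id, decision)
```
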

Where It Plugs In

Canary signals flow seamlessly into your existing security and fraud infrastructure.

📊 SIEM

Real-time event ingestion for Splunk, Sentinel, Chronicle

⚙️ SOAR

Automated playbooks and response orchestration

🎯 Threat Intel

Enrichment feeds for TIP platforms

🛡️ Fraud Engines

Risk signals for decisioning systems

Also integrates with:

🛂 Risk-based authentication
🔐 IAM policies
🔔 Security alerting
📈 Data science models

🔐 Privacy & Controls

Adversary intelligence — not surveillance.

  • No user monitoring
  • No behavioral fingerprinting
  • No data resale
  • Fully anonymized telemetry
  • Enterprise governance controls
  • SOC 2 Type II compliant

⚡ Performance & Delivery

Built for real-time security operations.

  • Real-time streaming or polling
  • Global honeypot coverage
  • Built for SIEM / SOAR ingestion
  • Low-latency enrichment
  • 99.9% uptime SLA
  • Enterprise throughput

🏆 Why Enterprises Choose Canary Intelligence

Threat feeds tell you what already happened. Canary tells you what attackers are planning.

First-party
Signal-dense
Deception-driven
Attacker-centric

The Canary Intelligence API gives your organization a strategic early-warning system — detecting attacker behavior before credentials are weaponized and accounts are compromised.

Start Using Canary Intelligence API

Detect attackers while they practice. Get early-warning telemetry before credentials are weaponized.

First-Party Intel · Real-Time · Privacy-Safe · Enterprise SLA