Greyline: Honeypot Builder

Defensive security tells you what to block. Counter-intelligence tells you who is attacking and how. This skill builds the second capability.

Greyline: Honeypot Builder deploys fake API endpoints on Cloudflare infrastructure you own. The endpoints look real. They respond like real services. They return realistic decoy data to keep probing clients engaged longer — so you collect more signal before they move on. Every request is logged in full: timestamp, IP, headers, body hash, CF Ray ID, user agent, and a behavioral classification drawn from six attacker categories.

Three honeypot templates ship with this skill: a Fake User API that surfaces scraping patterns and query manipulation attempts, a Fake Payment Endpoint that catches credential submission attempts and replay attacks, and a Fake Data API that detects bulk export attempts and path traversal probes. Each template is complete Cloudflare Worker code, ready to deploy with wrangler deploy.

This is the offensive complement to Greyline: Agent Security. Agent Security protects your agents from manipulation at runtime. Honeypot Builder exposes the actors attempting that manipulation — giving you documented, analyzable evidence of exactly what they tried to do and when. The same technique is used by enterprise threat intelligence teams. The infrastructure is yours, the logs are yours, and the data belongs to you.

The Greyline Threat Feed — cross-referencing actor IPs and behavioral patterns across a shared network of operators — is planned for v1.1. When it ships, threat reports from this skill will feed directly into it.

::Use Cases::

Surfacing attackers targeting your infrastructure. You suspect your production APIs are being probed. Deploy a honeypot at adjacent paths. Within 48 hours you have a log of probe patterns, IP ranges, and behavioral signatures you can use to tune your production WAF rules.

Threat intelligence collection: You want to understand who is attacking your class of service (payment APIs, user data APIs, admin endpoints). The honeypots collect structured, analyzable data that builds a picture of current attack tooling and techniques.

Pre-production attacker fingerprinting: Before a major launch, deploy honeypots at paths adjacent to your new endpoints. Any scanning activity in the pre-launch window is attacker reconnaissance. Log it, classify it, and have your WAF rules ready before real traffic arrives.

Incident response: After an attack on your production systems, deploy honeypots at the compromised path patterns to determine if the attacker returns. Returning activity confirms targeted behavior rather than opportunistic scanning.

Authorized penetration testing: If you run your own red team exercises, the honeypots serve as instrumented targets. The structured logs give you a detailed record of which techniques your testers used, in what order, and with what tooling.

::Who It's For::

Security-conscious operators who want visibility into attack patterns targeting their infrastructure, not just defensive blocking.

Developers running APIs in production who have seen unusual traffic patterns and want to understand what is probing them before it reaches their real endpoints.

Teams using Greyline: Agent Security. Honeypot Builder is the offensive complement. Agent Security stops attacks on your agents; Honeypot Builder exposes who is launching them.

Anyone running Cloudflare Workers already. The infrastructure fit is direct. You deploy Honeypot Builder Workers the same way you deploy any other Worker.

This skill requires a Cloudflare account and basic comfort with wrangler CLI. No security background required for deployment; the procedures are step-by-step. You do need to own the infrastructure you deploy on. See CORE RULES in SKILL.md.