AI Attack Sensing Edge

Your AI attacker found the admin panel. It's a decoy.

Luremetry plants proxy-level breadcrumbs that normal users and normal AI ignore — but autonomous hacking agents follow them into an isolated decoy edge. Their reconnaissance becomes a high-confidence attack signal.

No application code changes. CNAME or Cloudflare Worker Fail-open · kill switch
0 / 42
Normal-AI assistant sessions that entered the decoy edge
32 / 63
Hacking-intent agents diverted away from production — across both attacker profiles
~78×
Selectivity — hacking-intent vs. normal-AI edge entry
Measured against Codex CLI · Claude Code · Gemini / Antigravity — 7 frontier models — plus Strix, an open-source red-team agent Controlled agentic-pentest benchmark. See the method →
The blind spot

Your WAF sees requests. It can't tell an AI hacking agent from ordinary automation.

Autonomous agents — Codex, Claude Code, open-source pentest bots — don't browse like people. They read the surfaces humans never see, and reason across them at machine speed.

They read machine surfaces

Source maps, build manifests, trace headers, .well-known catalogs, SDK artifacts, deprecated OpenAPI servers — parsed and chained into an attack path.

They probe at machine speed

A single agent fans out dozens of requests, reuses a leaked trace ID or token, and pivots to legacy, export and admin routes in seconds.

Your logs look like noise

In WAF and bot-management logs, that recon is indistinguishable from a scanner or a crawler. By the time it's obvious, it has already mapped your surface.

This isn't hypothetical — the tooling already ships
XBOW, an autonomous AI pentester, topped HackerOne's US leaderboard in 2025 — ranking above every human researcher.xbow.com · press coverage
Strix is a free, open-source "autonomous AI hacker" installable with a single curl command — recon, exploitation and OSINT built in.github.com/usestrix/strix
Coding agents like Codex CLI and Claude Code already read source maps and trace headers — pointed at a target, they probe like an attacker.our benchmark, see below

Autonomous pentesting is now a venture-funded product category — anyone can point an agent at your public surface tonight. Luremetry is the defensive counterpart: built to catch the moment one does.

How it works

Let the agent reveal its intent by choosing a path normal users never take.

Luremetry sits at your edge as a proxy. Normal traffic flows straight to your origin, untouched. Suspicious reconnaissance follows a breadcrumb into an isolated decoy — where every move is recorded.

Incoming request
User, crawler, or agent
Luremetry edge
CNAME / CF Worker
zero code changes
Pass-through
Your origin
0 / 42 normal-AI entered
Diverted · isolated
Luremetry edge
32 / 63 agents diverted
high-confidence signal Dashboard · Slack · webhook · SIEM
01 — PLANT

Plant breadcrumbs

The proxy adds machine-readable lures to responses — a trace ref in a 404, a source map, a build manifest — invisible in the UI and to SEO, meaningful only to an agent parsing for attack surface.

02 — DIVERT

Divert the agent

An agent that follows the lure is routed to a decoy edge on a customer-owned hostname — never your production origin. Normal requests are never affected.

03 — SIGNAL

Emit a signal

The full session — paths, trace/token reuse, TTPs — is replayed to your dashboard and pushed to Slack, webhook or SIEM as a high-confidence, low-noise attack signal.

One breadcrumb leads to the next — a fake attack path a human never sees, and an attacking agent can't resist
01trace_404Get a signal when an agent reuses a fake trace ID from a 404 no user would ever read.
02source_mapGet a signal when an agent parses a source map and chases the internal routes inside it.
03build_manifestGet a signal when an agent reads a build manifest to enumerate hidden endpoints.
04legacy_openapiGet a signal when an agent follows a deprecated OpenAPI server toward export & admin routes — the deeper it goes, the richer the signal.
The output

One alert. When it matters.

No new pane of glass to babysit. Luremetry stays silent until an AI agent takes the bait — then it hands your team a single, high-confidence signal with the full session attached: replay, TTPs and an agent fingerprint your SOC can act on.

SlackWebhookSplunkDatadogSentinel
Luremetry · #sec-alerts · now High confidence
AI recon session diverted from production — acme.com
agent0x7f3a · fingerprinted agentic tool · follows source maps triggertrace_ref reuse → source_map → edge diversion captured17 requests · 6 unique decoy paths · 0 reached origin TTPslegacy API probing · export intent · privilege paths source198.51.100.24 · ASN 20473 · watchlist +1
View session replay Push WAF rule Add to SIEM
Where it fits

A sensing layer that runs on top of your existing edge.

Luremetry doesn't replace your WAF or your CDN. It adds the one thing they don't have — the ability to tell an AI hacking agent apart from everything else, and to act on it. It's a sensor, not a shield: it won't block the attack, it tells you with high confidence that one is underway. This isn't deception tooling bolted onto your internal network — it's edge infrastructure for the era of autonomous attackers.

Capability Luremetry WAF / bot management Traditional honeypot / deception
Primary action Divert agentic recon at the public edge & identify intent Block or rate-limit traffic Decoy hosts & credentials, mostly internal network
Distinguishes AI agents from generic automation Yes — behavioral, sequence-level Limited — IP / UA reputation Not designed for it
Deployment CNAME or Cloudflare Worker · no app code Edge platform Agents, VM images, code & infra changes
Output Session replay + TTPs → SIEM, high confidence Block events, high noise Alert on decoy touch
Effect on production & SEO Pass-through for normal traffic · no SEO surface Inline with traffic Separate infrastructure

Already run Cloudflare AI Labyrinth or Block AI Bots? Luremetry complements them: they shape and block crawler traffic broadly; Luremetry turns a targeted hacking agent's own reasoning into an actionable, per-customer detection.

Evidence

Normal AI leaves it alone. Hacking-intent agents follow the lure.

In a controlled benchmark across seven frontier models and an open-source red-team agent, we measured how selectively the lures divert agents to the edge.

0 / 42
Normal-AI sessions that entered the decoy edge
76%
Hacking-intent agents diverted (contextual profile)
~78×
Selectivity — hacking-intent vs. normal-AI sessions
0%
Scripted normal / QA / SEO exposure
Normal AI assistants product & docs tasks
0%
Hacking-intent agents minimal profile
52%
Hacking-intent agents contextual profile
76%

Honest framing: these are results from a controlled agentic-pentest benchmark, not live customer traffic. We're now proving the same behavior on real staging domains with design partners — which is exactly what a pilot measures.

Deployment

Live in about 15 minutes. No SDK, no code, no rewrite.

Point a hostname at Luremetry, or drop in a Cloudflare Worker. Normal traffic passes straight through. If anything fails, it fails open.

Option A — CNAME a decoy subdomainDNS
# Point a spare hostname at the Luremetry edge
debug.acme.com   CNAME  edge.luremetry.com
legacy.acme.com  CNAME  edge.luremetry.com

# TLS, routing and session capture: handled for you
# Rollback: remove the CNAME — traffic returns to origin
Option B — Cloudflare WorkerEDGE
export default {
  async fetch(req, env) {
    // normal traffic → your origin, untouched
    // suspicious recon → Luremetry edge
    return luremetry.route(req, {
      profile: "minimal",
      mode: "hybrid",   // fail-open
    })
  }
}

Built for a security team's approval

  • Fail-open — an outage never blocks your users.
  • One-click kill switch and instant rollback.
  • Start on a staging or preview domain — no production required.

Safe by construction

  • No production credentials ever live in a decoy.
  • No request body, cookie or auth collection by default.
  • Contained observation only — no hack-back, no outbound to third parties.
Who it's for

Teams whose public surface is an obvious target for autonomous recon.

01

Security & DevTool SaaS

Public developer docs, API references and dashboards that attract automated exploration — with a security team that will act on a signal.

02

API-first B2B SaaS

OpenAPI schemas, SDKs and staging endpoints where token and credential abuse is a real, budgeted concern.

03

Cloud & observability infra

Broad public surface, existing SOC / SIEM, and detection engineers who want higher-fidelity, lower-noise input.

Best fit: US B2B SaaS, 20–500 people, already on Cloudflare, with public docs or a login portal and a security owner reachable directly.

Design-partner program

We're taking five US B2B SaaS design partners.

A focused, 30-day pilot on a staging or preview domain — set up by us, run against authorized AI security agents, with a report your team can act on.

Pilot engagement

AI Recon Exposure Assessment

No cost · 30-day design-partner pilot · limited to five slots

Connect one staging or preview hostname. We test it end-to-end against authorized AI security agents and hand back a session-level report of what an autonomous attacker would find — and what to do about it.

What you get
  • CNAME or Worker install, done with you in one call
  • Normal-traffic & SEO impact report
  • Authorized AI security-agent test
  • Diversion session replays & raw evidence
  • Recommended WAF / SIEM detection rules
  • 30-minute results review with your team
For the security buyer

The questions a CISO asks first.

What code do we put in our production edge?

None in your application. You either CNAME a spare hostname to our edge, or add a Cloudflare Worker on the routes you choose. Normal traffic is passed straight through to your origin; only requests that follow a lure are routed to the decoy.

What happens to our site if Luremetry has an outage?

It fails open. If the sensing layer is unavailable, requests continue to your origin as normal. There's also a one-click kill switch and instant rollback, so you're never dependent on us to serve your users.

Do you touch cookies, auth headers or customer data?

No request bodies, cookies or auth are collected by default. We record request metadata and the agent's behavior inside the decoy edge — not your users' data. Decoys never contain real credentials or grant access to production.

Could this hurt our SEO or real users?

The lures are machine-readable breadcrumbs, not visible links, and are kept out of sitemaps and canonical tags. In our tests, scripted normal browsing, QA link-checking and SEO crawlers had 0% exposure. Every pilot ships a normal-traffic and SEO impact report so you can verify it on your own domain.

How is this different from Cloudflare AI Labyrinth?

Labyrinth and Block AI Bots shape and block crawler traffic broadly across Cloudflare's network. Luremetry runs on top of your edge and does something narrower and higher-value: it distinguishes a targeted, hacking-intent agent from generic automation, diverts it, and hands your team a per-customer, high-confidence detection with a full session replay.

Is this entrapment or hack-back?

No. Everything happens inside an edge you or we control. We observe an agent that chose to follow a lure; we never attack back, never touch third-party systems, and never grant access to real assets. It's contained, passive observation — the accepted side of active defense.

What does it cost after the pilot?

Design-partner pilots are free. After the pilot, pricing is a flat annual subscription per protected domain — not per request, so machine-speed recon never inflates your bill. We're finalizing tiers with our first design partners, and partners lock in founding pricing before public launch.

Where is captured session data stored, and for how long?

Decoy session data — request metadata, decoy paths and TTPs; never bodies, cookies or auth — is stored encrypted in the US. Default retention is 90 days, configurable per customer, with deletion on request. Everything exports to your own SIEM, so you can treat our copy as disposable.

What's your compliance posture?

We're early-stage and say so plainly: SOC 2 Type I is on our roadmap alongside our first paying customers. Pilots are designed not to need it — they run on staging or preview domains, decoys never hold production credentials or customer PII, and we'll sign your security addendum and walk your team through the architecture before anything goes live.

Request a private pilot

See what an AI attacker finds on your domain — before one does.

Tell us a little about your environment. If it's a fit, we'll set up a private pilot on a staging or preview domain and walk your team through the results.

  • 15-minute install, staging domain is fine
  • No production code changes
  • Report your security team can act on

Pilots are set up and run directly by the founder — [email protected]. We reply within one business day.

We'll only use this to evaluate pilot fit and reach out. No newsletters.