Server Features — a guided tour
Everything your self-hosted Tripwires deployment can do, shown the way an administrator sees it — no terminal required. Each feature points to exactly where it lives in the admin console, with a short video you can play.
Creating & managing tripwires
Plant decoys (database logins, documents, API keys, cloud credentials and more), then watch the whole estate from one console. Search, filter and drill into any decoy and its detections.
Create a tripwire
Pick a technology — PostgreSQL, a Word document, an AWS key, a kubeconfig — name it, tag it, choose a namespace, and the server mints the decoy and its artifact for you.
Dashboard → New Tripwire
Search, filter & organise
Server-side search, category and status filters, tag filters and pagination keep a large estate manageable.
Dashboard
Tripwire detail & history
Open any decoy to see its configuration, the artifact to plant, and the full timeline of trips against it.
Dashboard → any tripwire
Identity & single sign-on
Let staff sign in with your existing identity provider instead of local passwords. The server is an OIDC client, a SAML 2.0 service provider, and an LDAP/Active Directory client — pick whichever your organisation already runs.
OpenID Connect (OIDC) SSO
Federate with Keycloak, Okta, Entra ID or any OIDC provider. Users click “Continue with SSO” and land in the right role.
Admin → System Setup → Single Sign-On
SAML 2.0 SSO
For IdPs that speak SAML — ADFS, Entra ID, Okta. The server publishes SP metadata, verifies the signed assertion and issues the session.
Admin → System Setup → SAML
Active Directory / LDAP
Bind directly against your directory so existing AD accounts log in with no extra provisioning, with a group mapping to the admin role.
Admin → System Setup → LDAP
Account security
Each user manages their own password and session security from their account screen.
User menu → Account Security
Access control
Decide exactly who can see and change which decoys. Roles set the level of power; Vault-style hierarchical namespaces scope visibility down a tree; scoped API keys give machines least-privilege access; and SCIM keeps it all in sync with your directory.
Roles & organisations (RBAC)
Share an estate as an organisation with owner / admin / member / viewer roles, so people get exactly the power they need — no more.
Admin → Users · org switcher
Hierarchical namespaces
Path-based scoping like Vault: a grant on eu/db sees eu/db and everything beneath it, but never its parent or siblings. Map namespaces to teams, regions or business units.
Create tripwire → Namespace
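The scoping rule above, sketched as an added example (not the product's own code): a grant is compared on whole path segments, so eu/db covers eu/db/prod but not the sibling eu/dbx that a plain string-prefix test would let through. The function names and the sample namespaces are assumptions constructed for illustration.

```python
# Added illustration of path-based namespace scoping; not taken from the product.

def _segments(path):
    """Split a namespace path into segments, rejecting empty, '.' and '..' parts."""
    parts = path.strip("/").split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise ValueError(f"invalid namespace path: {path!r}")
    return parts


def grant_covers(grant, namespace):
    """True if `namespace` is the granted path itself or lies beneath it.

    Comparison is per segment, never per character: 'eu/db' must not
    match 'eu/dbx', and a grant never reaches its parent or its siblings.
    """
    g, n = _segments(grant), _segments(namespace)
    return n[:len(g)] == g


def visible(grants, namespaces):
    """Return the namespaces a principal holding `grants` is allowed to see."""
    return [ns for ns in namespaces if any(grant_covers(g, ns) for g in grants)]


# Constructed sample estate (hypothetical namespace names).
ESTATE = ["eu", "eu/db", "eu/db/prod", "eu/db/prod/pg", "eu/dbx", "eu/web", "us/db"]

if __name__ == "__main__":
    for grants in (["eu/db"], ["eu"], ["eu/web", "us/db"]):
        print(grants, "->", visible(grants, ESTATE))
```
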
User management
Create, disable, search and re-role users; see status, subscription and last-login at a glance.
Admin → Users
Scoped API keys
Long-lived keys for CI and automation, restricted to specific actions (e.g. create-only) so a key baked into an image can’t read the dashboard or touch billing.
Settings → API Keys
SCIM 2.0 provisioning
Your identity provider pushes user and group lifecycle automatically — joiners, movers and leavers — and AD groups map straight to Tripwire roles. Protected accounts can’t be locked out.
Configured by your IdP → /scim/v2
Integrations
Every detection can flow straight into the tools your team already watches — your SIEM/SOC pipeline and your chat and email channels.
SIEM / SOC forwarding
Forward every detection to your collector as a generic JSON webhook and/or ArcSight CEF over syslog — Splunk, Sentinel, QRadar, Elastic.
Admin → System Setup (env-configured)
Notifications (Slack & email)
Per-user Slack and email alerts the moment a decoy is touched, so the right people know in seconds.
Settings → Notifications
Operations & monitoring
Everything an operator needs to run the deployment day to day: a live detections feed, a cross-user inventory, a tamper-aware audit trail, system health, offline licensing and built-in support.
Detections feed
Real connections to decoys surface as trips within seconds, with the captured credentials, source and context.
Admin → Detections
System health
A live health view in the console, plus /healthz, /readyz and a Prometheus /metrics endpoint your platform team can scrape directly.
Admin → System Health
Audit log
Every privileged action — including IdP-driven SCIM changes — is recorded with actor, target and time for compliance.
Admin → Audit log
Tripwire inventory
A cross-user inventory of every decoy in the deployment, who owns it and its state.
Admin → Tripwires
Support tickets
An in-product support channel for your users, handled by your admins.
Admin → Support
Security & privacy
The self-hosted build is designed for air-gapped and regulated environments: it never phones home, and it ships the operational hooks your security and platform teams expect.
Zero-egress / air-gapped
The admin UI in the server image makes no third-party requests: analytics, the cookie banner, web fonts, Stripe and the CAPTCHA loader are stripped and assets are vendored locally. Safe behind an air gap.
Built in — no configuration
Health probes & metrics
Native liveness and readiness probes (the readiness check verifies the database) wired as the container HEALTHCHECK, plus a Prometheus exposition with request, detection and notification counters.
GET /healthz · /readyz · /metrics