You scatter realistic looking decoys across your network. A document called Salaries 2025, a fake VPN shortcut, a tracking pixel inside an outgoing email. Nobody on your team has any reason to touch them. The moment one is opened, an alert lands with the IP, the location, and the device that did it.
Pick a document, a tracking pixel, a fake login page, a Windows shortcut, a QR code, or another lure type. Drop it on the file share, in an outgoing email, on the company wiki, or on a desktop. No agents to install.
The file opens normally and looks like an ordinary document. There is no popup, no warning, no visible indicator. A silent callback fires from the lure to Hacked the moment it is rendered.
Each alert carries the IP, the country and city, the ASN, the operating system, the device fingerprint, and a VPN or proxy flag. Delivery by email, Slack, Microsoft Teams, or a webhook to your SIEM.
The alert names the IP that opened the file, the operating system, and the version of Office in use. Whether the IP belongs to a former employee, a contractor, or an attacker who came in through a stolen credential, you now know within the minute.
The decoy was labelled for the build team. It was opened from a finance laptop running an Outlook session that started ten minutes before the alert. That combination is a signal worth a phone call, and the alert tells you which device to pick up first.
The alert tells you which file, which IP, which operating system, and the geolocation in one line. The combination of off hours timing and an unfamiliar device deserves a phone call before the morning.
The decoy lived on a shared drive and the bait copy is now on a laptop outside the company. The alert names the country, the ASN, and the device fingerprint, so you know where the file went and what to assume is gone with it. The lure does not stop the exfiltration, it tells you what was taken and where it surfaced.
OOXML template injection. Fires a silent callback the moment the file is opened in Word on any platform.
The same mechanism applied to spreadsheets. The file opens normally and looks like a real document.
A small PDF that fires when opened in Adobe Acrobat or Foxit Reader. Browser PDF viewers do not load the callback.
A .url Internet Shortcut. Double clicking it in Explorer opens the tracker, logs the visit, then redirects to a realistic decoy destination you pick.
A small SVG with an external image reference. Fires when rendered in a browser, embedded in an Office document, previewed by a wiki, or unfurled by a link bot.
A 1x1 transparent image plus an HTML snippet for an outgoing email. Fires when the message is read in a client that loads remote images.
A tracked image URL for SharePoint, Confluence, Notion, OneNote, Teams, or Slack. Fires on render, including by link unfurl bots.
A hosted fake login page on hacked.endolum.io. Fires on page load and again on credential submission. Useful for catching phishing prep against your brand.
A tracker link you paste into emails, chat messages, or documents. The click is logged and then 302 redirects to a destination URL you pick.
A printable PNG QR code that encodes a tracker URL. Use it on invoice footers, door posters, or paper documents. Scanning logs the event and can redirect to a landing page you pick.
All ten types are live in the dashboard today. The free tier accepts the standard preset filenames. The Business plan accepts any custom filename, your own uploaded templates, and your own redirect destinations.
No card and no commitment to start.
CHF 1,910 per workspace yearly. Save 20 percent and cancel at the next monthly cycle.
You place files and trackers on your own systems and you monitor access to them. The technique is standard practice for security teams worldwide and is fully legal under Swiss and EU law.
Each lure renders as the genuine thing. A document opens like a real document, a login page looks like the real login page, a QR code resolves to a plausible destination. The tracking fires silently in the background. No popup, no warning, no visible indicator.
You generate a lure in the dashboard, download it or copy the tracker URL, and place it where it belongs. There are no agents, no software to install, and no configuration to push to endpoints.
Use deployment zones to label sanctioned access. Every alert ships with the source IP, ASN, and device fingerprint, so triage takes seconds. The Business plan also flags VPN and proxy traffic separately.
VPN, proxy, and Tor exit detection are built into every Business alert. The dashboard shows the original IP and the ASN and labels traffic from known commercial VPN providers. False positives from legitimate remote work are cut down without losing real signals.
The platform runs in Frankfurt on encrypted volumes. Swiss jurisdiction applies. Free tier alert data retains for 30 days. Business plan alert data retains for one year.
Business plan ships with a REST API using `eh_` prefix keys, plus webhook delivery to Slack, Microsoft Teams, and any custom endpoint that accepts JSON. CSV and JSON export are available for offline analysis.