AI Attack Sensing Edge

Your AI attacker found the admin panel. It's a decoy.

Luremetry plants proxy-level breadcrumbs that normal users and normal AI ignore — but autonomous hacking agents follow them into a controlled decoy edge. Their reconnaissance becomes a high-confidence attack signal.

No application code changes. CNAME or Cloudflare Worker Fail-open · kill switch
0 / 42
Normal-AI assistant sessions that entered the decoy edge
32 / 63
Hacking-intent agents diverted away from production
~78×
More selective than any traffic heuristic — attackers vs. normal AI
Measured against Codex CLI · Claude Code · Gemini / Antigravity — 7 frontier models — plus Strix, an open-source red-team agent Controlled agentic-pentest benchmark. See the method →
The blind spot

Your WAF sees requests. It can't tell an AI hacking agent from ordinary automation.

Autonomous agents — Codex, Claude Code, open-source pentest bots — don't browse like people. They read the surfaces humans never see, and reason across them at machine speed.

They read machine surfaces

Source maps, build manifests, trace headers, .well-known catalogs, SDK artifacts, deprecated OpenAPI servers — parsed and chained into an attack path.

They probe at machine speed

A single agent fans out dozens of requests, reuses a leaked trace ID or token, and pivots to legacy, export and admin routes in seconds.

Your logs look like noise

In WAF and bot-management logs, that recon is indistinguishable from a scanner or a crawler. By the time it's obvious, it has already mapped your surface.

This isn't hypothetical — the tooling already ships
XBOW, an autonomous AI pentester, topped HackerOne's US leaderboard in 2025 — ranking above every human researcher.xbow.com · press coverage
Strix is a free, open-source "autonomous AI hacker" installable with a single curl command — recon, exploitation and OSINT built in.github.com/usestrix/strix
Coding agents like Codex CLI and Claude Code already read source maps and trace headers — pointed at a target, they probe like an attacker.our benchmark, see below

Anyone can run an autonomous hacking agent against your public surface tonight. Luremetry is built to catch the moment one does.

How it works

Let the agent reveal its intent by choosing a path normal users never take.

Luremetry sits at your edge as a proxy. Normal traffic flows straight to your origin, untouched. Suspicious reconnaissance follows a breadcrumb into an isolated decoy — where every move is recorded.

Incoming request
User, crawler, or agent
Luremetry edge
CNAME / CF Worker
zero code changes
Pass-through
Your origin
0 / 42 normal-AI entered
Diverted · isolated
Luremetry edge
32 / 63 agents diverted
high-confidence signal Dashboard · Slack · webhook · SIEM
01 — PLANT

Plant breadcrumbs

The proxy adds machine-readable lures to responses — a trace ref in a 404, a source map, a build manifest — invisible in the UI and to SEO, meaningful only to an agent parsing for attack surface.

02 — DIVERT

Divert the agent

An agent that follows the lure is routed to a decoy edge on a customer-owned hostname — never your production origin. Normal requests are never affected.

03 — SIGNAL

Emit a signal

The full session — paths, trace/token reuse, TTPs — is replayed to your dashboard and pushed to Slack, webhook or SIEM as a high-confidence, low-noise attack signal.

Breadcrumbs a human never sees — and an attacking agent can't resist
trace_404Get a signal when an agent reuses a fake trace ID from a 404 no user would ever read.
source_mapGet a signal when an agent parses a source map and chases the internal routes inside it.
build_manifestGet a signal when an agent reads a build manifest to enumerate hidden endpoints.
legacy_openapiGet a signal when an agent follows a deprecated OpenAPI server toward export & admin routes.
The output

One alert. When it matters.

No new pane of glass to babysit. Luremetry stays silent until an AI agent takes the bait — then it hands your team a single, high-confidence signal with the full session attached.

SlackWebhookSplunkDatadogSentinel
Luremetry · #sec-alerts · now High confidence
AI recon session diverted from production — acme.com
agent0x7f3a · agentic tool · follows source maps triggertrace_ref reuse → source_map → edge diversion captured17 requests · 6 unique decoy paths · 0 reached origin TTPslegacy API probing · export intent · privilege paths source198.51.100.24 · ASN 20473 · watchlist +1
View session replay Push WAF rule Add to SIEM
Where it fits

A sensing layer that runs on top of your existing edge.

Luremetry doesn't replace your WAF or your CDN. It adds the one thing they don't have — the ability to tell an AI hacking agent apart from everything else, and to act on it. It's a sensor, not a shield: it won't block the attack, it tells you with high confidence that one is underway.

Capability WAF / bot management Traditional honeypot / deception Luremetry
Primary action Block or rate-limit traffic Decoy hosts & credentials, mostly internal network Divert agentic recon at the public edge & identify intent
Distinguishes AI agents from generic automation Limited — IP / UA reputation Not designed for it Yes — behavioral, sequence-level
Deployment Edge platform Agents, VM images, code & infra changes CNAME or Cloudflare Worker · no app code
Output Block events, high noise Alert on decoy touch Session replay + TTPs → SIEM, high confidence
Effect on production & SEO Inline with traffic Separate infrastructure Pass-through for normal traffic · no SEO surface

Already run Cloudflare AI Labyrinth or Block AI Bots? Luremetry complements them: they shape and block crawler traffic broadly; Luremetry turns a targeted hacking agent's own reasoning into an actionable, per-customer detection.

Evidence

Normal AI leaves it alone. Hacking-intent agents follow the lure.

In a controlled benchmark across seven frontier models and an open-source red-team agent, we measured how selectively the lures divert agents to the edge.

0 / 42
Normal-AI sessions that entered the decoy edge
76%
Hacking-intent agents diverted (contextual profile)
~78×
Selectivity — hacking vs. normal traffic
0%
Scripted normal / QA / SEO exposure
Normal AI assistants product & docs tasks
0%
Hacking-intent agents minimal profile
52%
Hacking-intent agents contextual profile
76%

Honest framing: these are results from a controlled agentic-pentest benchmark, not live customer traffic. We're now proving the same behavior on real staging domains with design partners — which is exactly what a pilot measures.

Deployment

Live in about 15 minutes. No SDK, no code, no rewrite.

Point a hostname at Luremetry, or drop in a Cloudflare Worker. Normal traffic passes straight through. If anything fails, it fails open.

Option A — CNAME a decoy subdomainDNS
# Point a spare hostname at the Luremetry edge
debug.acme.com     CNAME  edge.luremetry.com
legacy.acme.com    CNAME  edge.luremetry.com

# TLS, routing and session capture: handled for you
Option B — Cloudflare WorkerEDGE
export default {
  async fetch(req, env) {
    // normal traffic → your origin, untouched
    // suspicious recon → Luremetry edge
    return luremetry.route(req, {
      profile: "minimal",
      mode: "hybrid",   // fail-open
    })
  }
}

Built for a security team's approval

  • Fail-open — an outage never blocks your users.
  • One-click kill switch and instant rollback.
  • Start on a staging or preview domain — no production required.

Safe by construction

  • No production credentials ever live in a decoy.
  • No request body, cookie or auth collection by default.
  • Contained observation only — no hack-back, no outbound to third parties.
Who it's for

Teams whose public surface is an obvious target for autonomous recon.

01

Security & DevTool SaaS

Public developer docs, API references and dashboards that attract automated exploration — with a security team that will act on a signal.

02

API-first B2B SaaS

OpenAPI schemas, SDKs and staging endpoints where token and credential abuse is a real, budgeted concern.

03

Cloud & observability infra

Broad public surface, existing SOC / SIEM, and detection engineers who want higher-fidelity, lower-noise input.

Best fit: US B2B SaaS, 20–500 people, already on Cloudflare, with public docs or a login portal and a security owner reachable directly.

Design-partner program

We're taking five US B2B SaaS design partners.

A focused, 30-day pilot on a staging or preview domain — set up by us, run against authorized AI security agents, with a report your team can act on.

Pilot engagement

AI Recon Exposure Assessment

$1,000 · 30 days · or a no-cost design-partner slot

Connect one staging or preview hostname. We test it end-to-end against authorized AI security agents and hand back a session-level report of what an autonomous attacker would find — and what to do about it.

What you get
  • CNAME or Worker install, done with you in one call
  • Normal-traffic & SEO impact report
  • Authorized AI security-agent test
  • Diversion session replays & raw evidence
  • Recommended WAF / SIEM detection rules
  • 30-minute results review with your team
For the security buyer

The questions a CISO asks first.

What code do we put in our production edge?

None in your application. You either CNAME a spare hostname to our edge, or add a Cloudflare Worker on the routes you choose. Normal traffic is passed straight through to your origin; only requests that follow a lure are routed to the decoy.

What happens to our site if Luremetry has an outage?

It fails open. If the sensing layer is unavailable, requests continue to your origin as normal. There's also a one-click kill switch and instant rollback, so you're never dependent on us to serve your users.

Do you touch cookies, auth headers or customer data?

No request bodies, cookies or auth are collected by default. We record request metadata and the agent's behavior inside the decoy edge — not your users' data. Decoys never contain real credentials or grant access to production.

Could this hurt our SEO or real users?

The lures are machine-readable breadcrumbs, not visible links, and are kept out of sitemaps and canonical tags. In our tests, scripted normal browsing, QA link-checking and SEO crawlers had 0% exposure. Every pilot ships a normal-traffic and SEO impact report so you can verify it on your own domain.

How is this different from Cloudflare AI Labyrinth?

Labyrinth and Block AI Bots shape and block crawler traffic broadly across Cloudflare's network. Luremetry runs on top of your edge and does something narrower and higher-value: it distinguishes a targeted, hacking-intent agent from generic automation, diverts it, and hands your team a per-customer, high-confidence detection with a full session replay.

Is this entrapment or hack-back?

No. Everything happens inside an edge you or we control. We observe an agent that chose to follow a lure; we never attack back, never touch third-party systems, and never grant access to real assets. It's contained, passive observation — the accepted side of active defense.

Request a private pilot

See what an AI attacker finds on your domain — before one does.

Tell us a little about your environment. If it's a fit, we'll set up a private pilot on a staging or preview domain and walk your team through the results.

  • 15-minute install, staging domain is fine
  • No production code changes
  • Report your security team can act on

We'll only use this to evaluate pilot fit and reach out. No newsletters.