Skip to main content
Thumper is the first open product from Jesta Security - the AI-native active layer of defense built for the machine-speed era. Just like the swarm of automated attackers it’s built to catch, Thumper is designed to fire the instant it’s touched.

Part of the Jesta platform

Jesta is building the AI-native active layer of defense for the machine-speed era. Thumper is the first piece you can run today; the rest of the platform is on its way.

The active layer

The AI-native active defense layer that fights back at the speed its attackers move. Coming soon.

Thumper

Honeytoken tripwires that detect endpoint compromise the moment bait is read. Available now - you’re reading its docs.

The Arena

A leaderboard where AI attackers prove who is best against production-grade systems we simulate. Coming soon.

What is Thumper?

Thumper is a self-hosted honeytoken platform. You plant fake-but-realistic credentials exactly where attackers - and self-replicating worms like Shai-Hulud - scan first. The tokens authenticate to nothing. A read is the signal. When a process reads the bait, the on-box agent fires an HMAC-signed, enriched callback (process, user, path) and the endpoint lights up as compromised in your dashboard - and in your SIEM - before any real secret leaves the box.
Why “Thumper”? In Dune, a thumper is a device you plant in the sand to attract Shai-Hulud, the great worm. Same idea here: plant the bait, and the worm comes to you.

How it works in three steps

1

Create a tripwire

Pick a credential type, a source, and a recommended path. A tripwire is just a definition - it lives on no machine yet.
2

Distribute the install command

Push it through your own MDM, SSH, or Ansible. Each machine self-enrolls and pulls its own unique honeytoken - unique content and a unique HMAC secret.
3

A read fires the agent

The on-box bash agent POSTs an HMAC-signed, enriched callback to the server, which records an alert and fans it out to your SIEM, EDR, or webhook.

Explore the docs

Quickstart

Get the whole stack running in one docker compose up and fire your first trigger end-to-end.

How it works

The full flow from tripwire definition to a fired alert.

Honeytokens we plant

The bait types and the exact paths attackers scan first.

Security model

Per-endpoint secrets, signed callbacks, and the gated installer.

Deploy & alert integrations

MDM, SSH, Splunk, Loki, webhooks - and how to write your own.

Architecture

One Docker image, three parts, two plugin seams.