# Level D: Honeypot Endpoints
Fake API endpoints that return 501 "Coming Soon" responses. If a competitor clones the API, these endpoints will exist on their server with distinctive response signatures.
## Endpoints

| Endpoint | Router | Cover Story |
|---|---|---|
| `GET /api/v1/engagements/{name}/compliance-matrix` | `engagements.py` | Compliance framework mapping (Enterprise) |
| `GET /api/v1/engagements/{name}/report/export/sarif` | `reports.py` | SARIF export for IDE integration (Professional) |
| `POST /api/v1/auth/sso/saml` | `auth_routes.py` | SAML 2.0 SSO (Enterprise) |
## Response Signature

Each endpoint returns:

- Status: `501 Not Implemented`
- Body: JSON with `detail`, `feature`, `status`, `expected` fields
- Header: `X-Request-Id` with `bd-{installation_hash}` prefix
## Example Response

```json
{
  "detail": "Compliance matrix mapping is coming soon",
  "feature": "compliance-matrix",
  "status": "planned",
  "expected": "Q3 2026",
  "frameworks": ["PCI-DSS", "SOC2", "ISO27001", "NIST-CSF", "OWASP-ASVS"]
}
```
## Detection

Monthly scanning of competitor domains:

The combination of:

1. Exact endpoint paths
2. 501 status code
3. Specific JSON structure
4. "Coming soon" messaging
5. `X-Request-Id` prefix

...makes accidental collision extremely unlikely.
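The following is an added, stdlib-only Python example (not code from the project's routers or from `scripts/scan-honeypots.py`) that builds the response signature described under Response Signature for each of the three endpoints and then checks a probed response against the five detection indicators listed above. It treats the `{name}` path segment as a wildcard so that a probe with a concrete name still matches. The `sarif-export` and `saml-sso` feature tags, the cover-story text for the SARIF and SAML endpoints, and the random suffix appended after the `bd-{installation_hash}` prefix are assumptions; only the compliance-matrix wording and the three paths come from the page.

```python
"""Honeypot response signature: builder and detector (added example, stdlib only)."""
import json
import secrets
from typing import Dict, List, Optional, Tuple

# Honeypot catalogue keyed by (method, path template). Paths and the
# compliance-matrix wording come from the page; the feature tags and
# cover-story text for the SARIF and SAML entries are assumed.
HONEYPOTS: Dict[Tuple[str, str], Dict[str, str]] = {
    ("GET", "/api/v1/engagements/{name}/compliance-matrix"): {
        "feature": "compliance-matrix",
        "detail": "Compliance matrix mapping is coming soon",
    },
    ("GET", "/api/v1/engagements/{name}/report/export/sarif"): {
        "feature": "sarif-export",
        "detail": "SARIF export is coming soon",
    },
    ("POST", "/api/v1/auth/sso/saml"): {
        "feature": "saml-sso",
        "detail": "SAML 2.0 SSO is coming soon",
    },
}
EXPECTED = "Q3 2026"
REQUIRED_FIELDS = ("detail", "feature", "status", "expected")
INDICATORS = ("endpoint-path", "status-501", "json-structure",
              "coming-soon", "request-id-prefix")


def path_matches(template: str, actual: str) -> bool:
    """Match a concrete request path against a template; a `{name}` segment
    accepts any single non-empty path segment. Query strings are ignored."""
    t_parts = template.strip("/").split("/")
    a_parts = actual.split("?", 1)[0].strip("/").split("/")
    if len(t_parts) != len(a_parts):
        return False
    return all(
        t == a or (t.startswith("{") and t.endswith("}") and a != "")
        for t, a in zip(t_parts, a_parts)
    )


def find_honeypot(method: str, path: str) -> Optional[Tuple[str, str]]:
    """Return the catalogue key a request hits, or None."""
    for key in HONEYPOTS:
        if key[0] == method.upper() and path_matches(key[1], path):
            return key
    return None


def honeypot_response(method: str, path: str, installation_hash: str):
    """Build the (status, headers, body) triple a honeypot route returns.
    The page fixes only the `bd-{installation_hash}` prefix of X-Request-Id;
    the random suffix after it is an assumption."""
    key = find_honeypot(method, path)
    if key is None:
        raise KeyError(f"not a honeypot: {method} {path}")
    spec = HONEYPOTS[key]
    body = {
        "detail": spec["detail"],
        "feature": spec["feature"],
        "status": "planned",
        "expected": EXPECTED,
    }
    headers = {
        "Content-Type": "application/json",
        "X-Request-Id": f"bd-{installation_hash}-{secrets.token_hex(4)}",
    }
    return 501, headers, body


def signature_indicators(method, path, status, headers, body,
                         installation_hash=None) -> List[str]:
    """List which of the five Detection indicators a probed response matches.
    `body` may be a dict or the raw JSON text a scanner received."""
    hits = []
    if find_honeypot(method, path) is not None:
        hits.append("endpoint-path")
    if status == 501:
        hits.append("status-501")
    if isinstance(body, str):
        try:
            body = json.loads(body)
        except ValueError:
            body = None
    if isinstance(body, dict) and all(k in body for k in REQUIRED_FIELDS):
        hits.append("json-structure")
    if isinstance(body, dict) and "coming soon" in str(body.get("detail", "")).lower():
        hits.append("coming-soon")
    # Header names are case-insensitive on the wire.
    rid = next((v for k, v in headers.items() if k.lower() == "x-request-id"), "")
    prefix = "bd-" if installation_hash is None else f"bd-{installation_hash}"
    if rid.startswith(prefix):
        hits.append("request-id-prefix")
    return hits


def is_clone(hits: List[str]) -> bool:
    """Only the full set of indicators is treated as a clone signal."""
    return set(hits) == set(INDICATORS)


if __name__ == "__main__":
    st, hd, bd = honeypot_response("GET", "/api/v1/engagements/acme/compliance-matrix", "deadbeef")
    print(st, hd, json.dumps(bd))
    print(signature_indicators("GET", "/api/v1/engagements/acme/compliance-matrix", st, hd, bd, "deadbeef"))
```

Passing the installation hash to `signature_indicators` makes the request-id check strict (the probed server must carry your own prefix); leaving it out accepts any `bd-` prefix, which is the looser check a scanner would use when it does not know which installation was cloned. A plain 501 from an unrelated API yields only the `status-501` indicator, so `is_clone` stays false.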
## Files

| File | Purpose |
|---|---|
| `dashboard/backend/app/routers/engagements.py` | Compliance matrix honeypot |
| `dashboard/backend/app/routers/reports.py` | SARIF export honeypot |
| `dashboard/backend/app/routers/auth_routes.py` | SAML SSO honeypot |
| `scripts/scan-honeypots.py` | Monthly competitor scanner |