US Patent 11057428 Honeytoken tracker

Disclosed herein are methods, systems, and processes for tracking honeytokens. A malicious attack from an attacker is received at a honeypot and a determination is made that an attack event associated with the malicious attack has compromised deceptive credential information maintained by the honeypot. A unique credential pair that corresponds to the deceptive credential information sought by the attack event is generated and a honeytoken tracker state table is modified to include the unique credential pair and attack event metadata in association with the attack event. The unique credential pair is then transmitted to the attacker.