Glossary

Complete definitions of terms used throughout the WebDecoy documentation.

A

A Record

A DNS record type that maps a domain name directly to an IPv4 address. In WebDecoy, A records point to the static IP 3.130.2.51.

ACME

Automated Certificate Management Environment. The protocol used by Let’s Encrypt to issue and renew SSL/TLS certificates automatically.

API Key

A secret token used to authenticate programmatic access to the WebDecoy API. Format: sk_live_xxxxx.

Attack Signature

A pattern in request data that indicates a known attack type, such as SQL injection or XSS.

Auth0

The third-party authentication service WebDecoy uses for user login and identity management.

B

Bot

Any automated software that accesses websites or APIs. Can be legitimate (search engines) or malicious (scrapers, attackers).

Bot Scanner

A JavaScript-based detection system that runs in visitors’ browsers to identify automation and bots.

Bot Score

A 0-100 score indicating the likelihood that a visitor is automated rather than human.

C

Challenge

An interactive test (like CAPTCHA) presented to visitors suspected of being bots.

CNAME Record

A DNS record type that creates an alias from one domain name to another. Used as an alternative to A records for custom domains.

Confidence Level

How certain WebDecoy is about a detection or classification. Values: High, Medium, Low.

Crawler

A bot that systematically browses websites, typically to index content (like search engines).

Custom Domain

A domain you own and configure to serve WebDecoy decoy content, making honeypots appear as part of your infrastructure.

D

Dashboard

The main WebDecoy web interface where you view detections, manage resources, and configure settings.

Decoy

A honeypot resource (link, endpoint, or form field) designed to catch attackers and bots. Legitimate users never access decoys.

Decoy Link

A hidden URL that triggers a detection when accessed. Also called a honeypot link.

Detection

A recorded event when someone interacts with a decoy or triggers bot detection. Contains full request details and threat assessment.

DNS

Domain Name System. The internet’s system for translating domain names to IP addresses.

E

Endpoint Decoy

A fake API endpoint that captures detailed request information including POST bodies and attack patterns.

F

False Positive

When legitimate traffic is incorrectly flagged as malicious.

Fingerprinting

Collecting browser characteristics (canvas, WebGL, fonts) to create a unique identifier for tracking and anomaly detection.

G

GeoIP

The process of determining geographic location from an IP address.

Good Bot

A legitimate automated crawler like Googlebot or social media preview fetchers.

H

Headless Browser

A web browser running without a graphical interface, commonly used for automation and by attackers.

Honeypot

A security resource designed to detect, deflect, or study unauthorized access attempts. Decoys are a type of honeypot.

I

Ingest Service

The WebDecoy backend component that receives decoy interactions and processes detections in real-time.

Integration

A connection to a third-party service like Cloudflare, Slack, or Datadog for automated actions or notifications.

IP Reputation

A score indicating whether an IP address has been associated with malicious activity.

J

JA3/JA4

TLS fingerprinting methods that create a hash from the TLS handshake, useful for identifying automated tools.

L

Let’s Encrypt

A free, automated certificate authority that provides SSL/TLS certificates. WebDecoy uses Let’s Encrypt for custom domain HTTPS.

M

MITRE ATT&CK

A globally recognized framework of adversary tactics and techniques, used to classify detected behaviors.

Multi-tenancy

An architecture where a single instance serves multiple customers (organizations) with data isolation.

O

Organization

The top-level container in WebDecoy. All resources belong to an organization, which is also the billing unit.

P

Poison

A decoy action that returns fake or misleading data to waste attacker time.

Property

A logical grouping within an organization for organizing related resources (e.g., different websites or environments).

Proxy

A server that acts as an intermediary for requests. Detected as a risk indicator when used for anonymization.

R

Rate Limiting

Restricting the number of requests a client can make within a time period.

Reconnaissance

The first phase of an attack where adversaries gather information about the target. MITRE ATT&CK tactic TA0043.

S

Scanner

Automated tools that probe systems for vulnerabilities.

Scope

The permissions assigned to an API key, limiting what actions it can perform.

Scraper

A bot that extracts content from websites, often without permission.

Sensitivity

A configuration setting that determines how strictly the detection system scores visitors.

SNI

Server Name Indication. A TLS extension that allows multiple SSL certificates on a single IP address.

SSL/TLS

Protocols for encrypting communication between browsers and servers. “SSL” often refers to both SSL and its successor TLS.

Stripe

The payment processing service WebDecoy uses for subscription billing.

T

Threat Level

A classification based on threat score: MINIMAL, LOW, MEDIUM, HIGH, or CRITICAL.

Threat Score

A unified 0-100 score combining multiple signals into a single risk assessment.

TOR

The Onion Router. An anonymity network that can be used to hide the source of web traffic.

Trigger Action

What happens when a decoy is accessed: Log, Block, Poison, or Redirect.

U

Unified Score

See “Threat Score.”

User Agent

An HTTP header identifying the client software making a request.

V

VPN

Virtual Private Network. Can be detected as a risk indicator when used for anonymization.

W

WAF

Web Application Firewall. A security system that filters HTTP traffic to protect web applications.

Webhook

A mechanism for one system to notify another of events via HTTP requests.

WebDriver

A browser automation interface used by tools like Selenium. Detected as an automation indicator.