Honeypots and canary files are two of the most underused tools in cybersecurity — and in this episode, Dr. Mike Saylor and I break down exactly how they work and why you should be using them. The short version: they're tripwires. They tell you a bad guy is poking around your network before anything gets encrypted.

Mike walks through his layered security analogy, explains the three different ways organizations use honeypots — learning attacker tactics, distraction, and testing — and then we get into canary files: what makes them different from a honeypot, how they beacon home when stolen, and why clock synchronization matters more than most people think if you ever want that evidence to hold up.

We also cover how to stand one up without a big budget, what tools are available, and why something is absolutely better than nothing. Plus, Mike and I have news about our new O'Reilly book, Learning Ransomware Response and Recovery.

0:00 - Intro and book news

1:09 - Meet the crew

3:45 - Security is all about layers

9:22 - What are honeypots and canary files?

11:00 - Three ways honeypots work for you

13:17 - Real-world examples: bait cars and glitter bombs

15:20 - Making your honeypot convincing

19:11 - Honeypot tools and options

21:13 - Something is better than nothing

24:10 - Monitoring and notifications

25:05 - Canary files explained

27:03 - How canary files beacon and track attackers

28:03 - Don't forget to sync your clocks

29:05 - Final thoughts