Each Canary can take on the personality of real systems that you have deployed on your network (and maybe some that you don't). The profiles are based on OS and service attributes and are called "personalities". Currently, a Canary can emulate any one of the following personas at a time:

  • Windows 2000
  • Windows 2003
  • Windows 2008
  • Windows 2012
  • Windows XP Desktop
  • Windows 7 Desktop
  • Windows 8 Desktop
  • Windows 10 Desktop
  • Windows SharePoint 2010
  • IIS 7
  • Standard Linux Server
  • Linux Database Server
  • Linux Proxy Server
  • macOS (Fileshare)
  • Dell Switch
  • Cisco Router
  • Diskstation NAS
  • VMware ESXi server
  • HP iLO Server
  • Joomla Server
  • CUPS Server
  • JBOSS Server
  • Rockwell Automation PLC
  • Siemens Simatic PLC
  • IBM z/OS Mainframe

Note: Canaries are configured to emulate the above personalities, which means no licenses (e.g. a Microsoft license) or OS images are required when configuring your Canary.

The personality emulation goes beyond just an operating system fingerprint and some port listeners, though. We do a bunch of stuff behind the scenes to make sure your Canaries also talk the right protocol for each of their services. So if your Canary has been set up as a SCADA device, it will talk proper Modbus protocol too!
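To show what "talking proper Modbus" means on the wire, here is an added example (not Canary's own code) of a decoy handler that answers a Modbus/TCP Read Holding Registers request with a well-formed response or exception and records every touch as an alert. The register values, the source address and all function names are assumptions made for illustration.

```python
import struct

# Constructed register map for a decoy PLC (hypothetical values).
REGISTERS = {0: 0x00FA, 1: 0x0010, 2: 0x0000, 3: 0x1234}
ALERTS = []  # every frame that reaches the service is recorded here

def exception(tid, unit, func, code):
    """Modbus exception response: function code with the high bit set, then the code."""
    pdu = struct.pack(">BB", func | 0x80, code)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def handle_request(frame, src="198.51.100.7"):
    """Handle one Modbus/TCP frame; return response bytes, or None if it is not Modbus."""
    alert = {"src": src, "function": None}   # src is a constructed documentation address
    ALERTS.append(alert)                     # any touch raises an alert, valid or not
    if len(frame) < 8:
        return None
    # MBAP header: transaction id, protocol id, length, unit id (all big-endian).
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    # Protocol id must be 0 and the length field must cover unit id + PDU.
    if proto != 0 or length != len(frame) - 6:
        return None
    func, body = frame[7], frame[8:]
    alert["function"] = func
    if func != 0x03:                         # only Read Holding Registers is emulated
        return exception(tid, unit, func, 0x01)   # illegal function
    if len(body) != 4:
        return exception(tid, unit, func, 0x03)   # illegal data value
    start, qty = struct.unpack(">HH", body)
    if not 1 <= qty <= 125:                  # protocol limit for one read
        return exception(tid, unit, func, 0x03)
    if any(a not in REGISTERS for a in range(start, start + qty)):
        return exception(tid, unit, func, 0x02)   # illegal data address
    values = [REGISTERS[a] for a in range(start, start + qty)]
    pdu = struct.pack(">BB", func, 2 * qty) + struct.pack(f">{qty}H", *values)
    # The response echoes the transaction and unit ids from the request.
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def read_request(tid, unit, start, qty):
    """Build a Read Holding Registers request (constructed sample input)."""
    return struct.pack(">HHHBBHH", tid, 0, 6, unit, 0x03, start, qty)

if __name__ == "__main__":
    print(handle_request(read_request(1, 1, 0, 2)).hex())
    print(handle_request(read_request(3, 1, 10, 1)).hex())
    print(ALERTS)
```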

The figure below shows a port and OS scan performed on a Canary, which has been configured as a Cisco router.

As can be seen, we “spoof” the MAC address (so it looks legit) and the actual OS identifies as a version of IOS running on Cisco kit. To get this result, we take things like TTL response times, TCP sequencing, OS fingerprint, etc. into account, so all that an attacker sees is a Cisco device, and you get an alert when any of the services are touched.