I’ve been working on a small defensive security tool and wanted to share it here.
It’s called Cloud Sync Decoy Monitor. The basic idea is pretty simple: it places decoy files inside cloud-synced folders like OneDrive or Google Drive, and if one of those files gets opened, it logs the event and can send an alert.
The phrase I kept using in my head while building it was “a GPS tracker for accounts.” That’s not literal, obviously. I just mean I wanted something that gives an early signal when activity gets close to the data itself, instead of only watching login history and auth events.
A lot of security tooling is really good at telling you when someone signed in. I was more interested in the next layer down: what happens when files inside a synced account start getting touched unexpectedly?
Right now the project includes:
a Windows desktop GUI
decoy deployment into detected OneDrive / Google Drive folders
a local receiver for callbacks
SQLite logging and JSON evidence output
optional signed beacons
rate limiting, dedupe, and retention cleanup
It’s still early and definitely rough around the edges. It’s Windows-first, Python-based, and more “useful prototype / open-source defensive tool” than polished product. But it works, and I thought the idea might be interesting to people here.
I’d really appreciate feedback, especially on:
whether this threat model is useful
where this would break down in the real world
false positive / false negative concerns
packaging and distribution
integrations I should prioritize
Repo: https://github.com/HSkribe/CSDM
If people find it interesting, I’m happy to keep improving it.
HSkribe•1h ago
It’s called Cloud Sync Decoy Monitor. The basic idea is pretty simple: it places decoy files inside cloud-synced folders like OneDrive or Google Drive, and if one of those files gets opened, it logs the event and can send an alert.
The phrase I kept using in my head while building it was “a GPS tracker for accounts.” That’s not literal, obviously. I just mean I wanted something that gives an early signal when activity gets close to the data itself, instead of only watching login history and auth events.
A lot of security tooling is really good at telling you when someone signed in. I was more interested in the next layer down: what happens when files inside a synced account start getting touched unexpectedly?
Right now the project includes:
a Windows desktop GUI decoy deployment into detected OneDrive / Google Drive folders a local receiver for callbacks SQLite logging and JSON evidence output optional signed beacons rate limiting, dedupe, and retention cleanup It’s still early and definitely rough around the edges. It’s Windows-first, Python-based, and more “useful prototype / open-source defensive tool” than polished product. But it works, and I thought the idea might be interesting to people here.
I’d really appreciate feedback, especially on:
whether this threat model is useful where this would break down in the real world false positive / false negative concerns packaging and distribution integrations I should prioritize Repo: https://github.com/HSkribe/CSDM
If people find it interesting, I’m happy to keep improving it.