
Webhook Setup

Configure Slack webhooks and custom notifications for real-time AI agent detection alerts.

Get real-time notifications when AI agents are detected by configuring Slack incoming webhooks.

Configure Slack Notifications

Create a Slack App

Go to api.slack.com/apps and create a new app (or use an existing one).

Enable Incoming Webhooks

Navigate to Incoming Webhooks in your Slack app settings and toggle it on.

Add Webhook to Workspace

Click Add New Webhook to Workspace and select the channel where you want LobsterHoney alerts to appear.

Copy the Webhook URL

Copy the webhook URL -- it looks like https://hooks.slack.com/services/T00/B00/xxx.

Configure in LobsterHoney

In the LobsterHoney dashboard, go to your organization settings and paste the Slack webhook URL. You can also set it via the onboarding flow when you first create your account.

The webhook URL is stored securely and is only used to send notifications from LobsterHoney to your Slack workspace.

Notification Payload

When an AI agent is detected, LobsterHoney sends a Slack message with the following information:

{
  "text": "AI Agent Detected by LobsterHoney",
  "blocks": [
    {
      "type": "section",
      "text": {
        "type": "mrkdwn",
        "text": "*AI Agent Detected*\n*Classification:* AI_AGENT_MALICIOUS\n*Score:* 78\n*Confidence:* 92%\n*Severity:* Critical"
      }
    },
    {
      "type": "section",
      "fields": [
        { "type": "mrkdwn", "text": "*Source IP:*\n203.0.113.42" },
        { "type": "mrkdwn", "text": "*Trap:*\n/robots.txt" },
        { "type": "mrkdwn", "text": "*Signals:*\nCALLBACK_HIT, INJECTION_FOLLOWED" },
        { "type": "mrkdwn", "text": "*Time:*\n2026-03-20 10:15 UTC" }
      ]
    }
  ]
}

Notification Triggers

Notifications are sent when:

  • A session is classified as AI_AGENT or AI_AGENT_MALICIOUS
  • A tripwire signal fires (callback hit, injection followed, system prompt leaked, credential used)
  • A session's severity is escalated to high or critical

Notifications are deduplicated per session -- you won't receive multiple alerts for the same agent session as new signals accumulate. Only the initial detection and any severity escalation trigger notifications.

Testing Your Webhook

To verify your webhook is configured correctly:

  1. Set up the webhook URL in the dashboard
  2. Hit one of your traps with curl:
$ curl https://your-beacon-domain.com/s/your-org/robots.txt
  3. Check your Slack channel for the notification

If you don't see a notification, verify that:

  • The webhook URL is correct and the Slack app is still active
  • The session classification meets the notification threshold
  • Your organization is on a plan that supports webhook notifications (Pro or Enterprise)

Rate Limits

LobsterHoney respects Slack's rate limits (1 message per second per webhook). During high-traffic periods, notifications may be batched or slightly delayed to avoid hitting Slack's limits.

Custom Webhook Endpoints

Beyond Slack and Discord notifications, you can register custom HTTP webhook endpoints to receive real-time events from LobsterHoney. This is useful for building your own integrations, forwarding events to a SIEM, or displaying threat data in your own admin dashboard.

Custom webhook endpoints are available on the Pro plan and above.

Creating an Endpoint

Go to Settings > Integrations > Webhooks and click Add Endpoint. Provide:

  • URL: The HTTPS endpoint that will receive POST requests
  • Event types: Which events to deliver (threat.detected, threat.updated, callback.received, system_prompt.extracted, trap.triggered)
  • Description: A label for your reference

After creation, you'll see a signing secret (starts with whsec_). Copy it immediately — it won't be shown again.

Signature Verification

Every webhook delivery includes three headers for signature verification:

Header               Description
webhook-id           Unique message ID (e.g. msg_abc123)
webhook-timestamp    Unix timestamp in seconds
webhook-signature    v1,{base64_hmac}

The signature is computed as:

HMAC-SHA256(signing_secret, "{webhook-id}.{webhook-timestamp}.{body}")

The HMAC output is Base64-encoded and prefixed with v1,.

Always verify signatures to ensure events are from LobsterHoney and not forged. Reject events with timestamps older than 5 minutes to prevent replay attacks.

Node.js example:

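const crypto = require('crypto');

// Returns true only if the delivery is fresh and correctly signed.
// rawBody must be the request body string exactly as received, before JSON parsing.
function verifyWebhook(rawBody, headers, secret) {
  const msgId = headers['webhook-id'];
  const timestamp = headers['webhook-timestamp'];
  const signature = headers['webhook-signature'];
  if (!msgId || !timestamp || !signature) return false;

  // Replay protection: reject non-numeric timestamps and anything older than 5 minutes
  const ts = parseInt(timestamp, 10);
  if (Number.isNaN(ts)) return false;
  if (Math.floor(Date.now() / 1000) - ts > 300) return false;

  const toSign = `${msgId}.${timestamp}.${rawBody}`;
  const expected = `v1,${crypto.createHmac('sha256', secret).update(toSign).digest('base64')}`;

  // timingSafeEqual throws on unequal byte lengths, so compare buffer lengths first
  const got = Buffer.from(signature);
  const want = Buffer.from(expected);
  if (got.length !== want.length) return false;
  return crypto.timingSafeEqual(got, want);
}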

Python example:

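import hmac, hashlib, base64, time

def verify_webhook(raw_body, headers, secret):
    """Return True only if the delivery is fresh and correctly signed.

    raw_body is the request body as a str, exactly as received.
    """
    msg_id = headers.get("webhook-id", "")
    timestamp = headers.get("webhook-timestamp", "")
    signature = headers.get("webhook-signature", "")
    if not msg_id or not timestamp or not signature:
        return False
    # Replay protection: reject non-numeric timestamps and anything older than 5 minutes
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    if int(time.time()) - ts > 300:
        return False
    to_sign = f"{msg_id}.{timestamp}.{raw_body}"
    expected = "v1," + base64.b64encode(
        hmac.new(secret.encode(), to_sign.encode(), hashlib.sha256).digest()
    ).decode()
    # Compare as bytes: compare_digest raises on non-ASCII str input
    return hmac.compare_digest(signature.encode(), expected.encode())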

Integration Prompt Generator

For a guided setup experience, use the Integrate page in the dashboard (Protect > Integrate). It generates a complete AI-ready prompt that your coding agent can use to build threat panels in your own admin dashboard — including webhook receiver code, API client setup, and UI components tailored to your framework.

Event Payload

Webhook events have the same shape as the Events API:

{
  "id": "evt_abc123",
  "type": "threat.detected",
  "api_version": "2024-01-01",
  "created_at": "2026-03-20T10:15:00Z",
  "data": {
    "session_id": "ses_xyz",
    "source_ip": "203.0.113.42",
    "classification": "ai_agent",
    "severity": "high",
    "score": 85,
    "extracted_model": "gpt-4",
    "extracted_operator": "SomeCompany"
  }
}

Delivery and Retries

  • Events are delivered as HTTP POST with Content-Type: application/json
  • Your endpoint must return a 2xx status code within 15 seconds
  • Failed deliveries are retried with exponential backoff
  • After 10 consecutive failures, the endpoint is automatically disabled
  • You can re-enable it in Settings after fixing the issue
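
A captured delivery still verifies if it is replayed inside the 5-minute window, and slow processing risks the 15-second limit above. The receiver below is an added example, not LobsterHoney code: it checks the signature as documented, remembers each webhook-id for the length of the window, and queues the event so the 2xx goes back immediately. The Receiver class, the 400/401 status choices, the in-memory store, the rejection of far-future timestamps and lowercase header keys are assumptions of this example.

```python
import base64, hashlib, hmac, json, queue, time

TOLERANCE = 300  # seconds; the 5-minute replay window from the page

def sign(secret, msg_id, timestamp, body):
    """Compute the v1 signature as documented (also used to build test deliveries)."""
    mac = hmac.new(secret.encode(), f"{msg_id}.{timestamp}.{body}".encode(), hashlib.sha256)
    return "v1," + base64.b64encode(mac.digest()).decode()

class Receiver:
    """Hypothetical receiver: verify, deduplicate on webhook-id, queue, acknowledge."""

    def __init__(self, secret, now=time.time):
        self.secret, self.now = secret, now
        self.seen = {}              # webhook-id -> time first accepted
        self.work = queue.Queue()   # drained by a worker, outside the request path

    def handle(self, headers, raw_body):
        """Return the HTTP status to send back for one delivery."""
        msg_id = headers.get("webhook-id", "")
        ts = headers.get("webhook-timestamp", "")
        sig = headers.get("webhook-signature", "")
        if not (msg_id and sig and ts.isdecimal()):
            return 400
        current = int(self.now())
        # Reject stale deliveries and (an addition of this example) far-future ones
        if abs(current - int(ts)) > TOLERANCE:
            return 401
        expected = sign(self.secret, msg_id, ts, raw_body)
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return 401
        # Forget ids older than the window; the timestamp check already blocks those
        self.seen = {k: t for k, t in self.seen.items() if current - t <= TOLERANCE}
        if msg_id in self.seen:
            return 200  # duplicate inside the window: acknowledge, do not reprocess
        self.seen[msg_id] = current
        self.work.put(json.loads(raw_body))  # slow work happens later; reply stays fast
        return 200
```

In a multi-process deployment the seen-id store would need to be shared (for example a cache with a 5-minute expiry) for the deduplication to hold.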
