PATENT PENDING · BROWSER CREDENTIAL DETECTION
Hookset plants synthetic credentials and session cookies directly inside Chrome's credential stores. When an attacker validates what they stole, you get a confirmed detection with exact endpoint attribution. No guesswork, no triage sprawl.
HOW IT WORKS
Hookset operates outside the malware execution chain entirely. It catches commodity infostealers that bypass EDR and only fires when there is confirmed attacker activity on the other end.
Credentials injected at the source
Synthetic passwords and session cookies are written directly into Chrome's credential stores in a format indistinguishable from the real thing. Every harvesting tool treats them as legitimate.
Infostealer takes the bait
When a commodity infostealer runs on the endpoint, it exfiltrates the honeytoken credentials alongside everything else. No special behavior is needed to trigger detection.
Attacker fires the alarm
The moment stolen credentials are tested against Hookset's infrastructure, a confirmed detection event fires with full endpoint attribution, a timestamp, and attacker signal. No triage required.
FEATURES
Every design decision in Hookset traces back to real infostealer behavior and IR workflow pain that most tools never address.
Honeytoken passwords and cookies are written in a format native to each browser's credential store — byte-for-byte identical to what the browser itself writes. Passwords use a 50/50 mix of human-believable patterns and machine-generated styles to defeat entropy-analysis tools that attacker toolkits use to flag synthetic credentials in stolen dumps.
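Added example, not Hookset's code: the two password styles described above, generated as a 50/50 mix, beside the per-character Shannon entropy score a dump-triage script would compute on them. The word list, the Word-Word-Year! pattern, the symbol alphabet and the seed are constructed assumptions.

```python
import math
import random
import string

# Constructed word list; a real generator would draw from a much larger one.
WORDS = ["Autumn", "Harbor", "Copper", "Meadow", "Falcon", "Summit"]

def shannon_entropy_per_char(s: str) -> float:
    """Bits per character from the string's own symbol frequencies (the
    kind of score used to spot generated strings in a stolen dump)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def human_style(rng: random.Random) -> str:
    """Word-Word-Year! : the pattern people actually pick (assumed shape)."""
    w1, w2 = rng.sample(WORDS, 2)
    return f"{w1}-{w2}-{rng.randint(2015, 2025)}{rng.choice('!@#$')}"

def machine_style(rng: random.Random, length: int = 16) -> str:
    """Password-manager style: uniform over letters, digits and symbols."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    return "".join(rng.choice(alphabet) for _ in range(length))

def generate_batch(n: int, seed: int = 0) -> list:
    """Alternate styles so the batch is a 50/50 mix, as the page describes."""
    rng = random.Random(seed)
    return [human_style(rng) if i % 2 == 0 else machine_style(rng)
            for i in range(n)]
```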
Cookie honeytokens are device-bound by design. When one fires, you know exactly which machine was compromised. No ambiguity, no cross-device noise.
Detection happens server-side at the point of credential validation, not on the endpoint. Infostealers that fully evade your EDR are still caught the moment the attacker tries to use what they took.
A library of over 40 keyword patterns covers the services attackers prize most: VPN gateways (Pulse, AnyConnect, GlobalProtect, Citrix), identity providers (Okta, ADFS, Azure AD, Ping, OneLogin), cloud consoles (AWS, Azure, GCP), and internal tooling — all generated using your customer's real domain so every credential looks exactly like it belongs there.
No SIEM rules. No behavioral thresholds. No false positives. A Hookset alert means an attacker validated stolen credentials. That is the whole signal.
Multi-tenant architecture, per-customer dashboards, configurable retention windows, and a lightweight Windows deployer. Built for managed service delivery from the start.
Every detection event is scored for automation signals: HTTP protocol version, header completeness, Sec-Fetch directives. When a credential stuffing tool submits stolen credentials in bulk, the automation flag is set. When a human operator tests them manually, it is not. That distinction shapes IR response and feeds downstream threat intelligence.
USE CASE
This is the scenario Hookset was built to solve.
WITHOUT HOOKSET
Your IR team has to treat every machine that user touched as potentially compromised. Workstations, jump boxes, shared servers. That is 8 to 12 endpoints to analyze and remediate. Weeks of work and massive scope creep on every single incident.
WITH HOOKSET
THE THREAT
Infostealer malware is a category of commodity malware designed to do one thing: silently harvest credentials from infected endpoints and send them to attackers. No encryption, no ransom demand, no dramatic payload. It gets in, takes what it came for, and gets out. Most victims never know it happened.
What it steals is straightforward: saved passwords, active session cookies, autofill data, anything stored in your browser's credential stores. Session cookies are the highest value target. They allow an attacker to authenticate as a user without knowing their password and without triggering MFA. By the time a stolen cookie is used, the malware that took it is long gone.
The scale of the problem is not theoretical. Verizon's 2025 Data Breach Investigations Report found that 54% of ransomware victims had their domains appear in infostealer logs. Recorded Future indexed 1.95 billion compromised credentials in 2025 alone, 276 million of which carried active session cookies. The average infected device yields 87 stolen credentials across corporate and personal accounts.
The detection gap is where the real damage happens. Traditional security tools are built to catch malware on the endpoint. Infostealers are fast, quiet, and increasingly built to evade that layer entirely. By the time stolen credentials surface in a stealer log or get used in an attack, the window for endpoint-based detection has long closed. Security teams are left treating every machine a compromised user touched as a potential infection source, with no way to know which one actually was.
That is the problem Hookset solves.
Session cookie theft lets attackers authenticate as your users without a password and without triggering MFA. The cookie proves the session is already authenticated. The second factor already happened. Infostealers know this. Cookie harvesting has grown 30% in the last six months alone as attackers shift focus from passwords to session tokens specifically because MFA does not stop them.
Hookset plants honeytoken session cookies that look exactly like the real thing. When one gets harvested and used, you know. That is detection at the layer attackers are actually exploiting right now.
FAQ
No. Hookset operates at the credential validation layer, which is entirely separate from endpoint detection. EDR catches malware behavior on the endpoint. Hookset catches the attacker after the malware has already done its job and the stolen credentials are being put to use. They complement each other, and Hookset specifically covers the gap where EDR falls short.
Chrome, Edge, Brave, Opera, and Firefox — all five are supported in production. Hookset injects into every browser it detects on the endpoint automatically. If a user installs a new browser after initial deployment, the next scheduled check-in detects it and injects tokens without any operator action required.
Via a lightweight Windows deployer that is managed centrally. It is designed for deployment across a customer's endpoint fleet without requiring interaction from end users.
Every detection event delivers a complete forensic package: the exact hostname and OS username of the compromised endpoint, a precise UTC timestamp, the attacker's real egress IP (not a proxy or CDN address), user agent string, the specific credential or cookie that was used, and a full HTTP header fingerprint for downstream threat intelligence. An automation flag indicates whether the attempt came from a credential-stuffing tool or a human operator. An alert email fires immediately. What your IR team does from there is yours to run — Hookset tells you which machine to contain with certainty.
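Added example, not Hookset's code: a minimal decoy login handler modeling the server-side validation described in the features and in this answer. It attributes a used honeytoken back to the endpoint it was planted on, records the TCP peer address as the egress IP, and sets the automation flag from the HTTP protocol version, header completeness and Sec-Fetch directives. The registry contents, the browser header baseline and the two-signal threshold are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed registry: planted honeytoken -> (hostname, OS username) it was
# written to. A real deployment would key this per customer/tenant.
HONEYTOKEN_REGISTRY = {
    "pw:jsmith@corp.example:Autumn-Harbor-2025!": ("WS-0417", "jsmith"),
    "cookie:okta_session=CONSTRUCTED_TOKEN_A1B2": ("LT-0088", "mlee"),
}

# Headers a real browser always sends on a form post (assumed baseline).
BROWSER_HEADERS = ("accept", "accept-language", "accept-encoding", "user-agent")

@dataclass
class DetectionEvent:
    hostname: str          # endpoint the honeytoken was planted on
    username: str          # OS user whose browser store held it
    timestamp: str         # UTC, ISO 8601
    egress_ip: str         # TCP peer address, never X-Forwarded-For
    user_agent: str
    credential: str        # the honeytoken that was used
    automated: bool        # credential-stuffing tool vs. human operator
    reasons: list = field(default_factory=list)

def score_automation(http_version: str, headers: dict) -> tuple:
    """Score the request for tooling signals; two or more set the flag."""
    reasons = []
    if http_version == "HTTP/1.0":
        reasons.append("HTTP/1.0 (browsers negotiate 1.1 or 2)")
    missing = [n for n in BROWSER_HEADERS if n not in headers]
    if missing:
        reasons.append("missing browser headers: " + ", ".join(missing))
    if "sec-fetch-mode" not in headers and "sec-fetch-site" not in headers:
        reasons.append("no Sec-Fetch metadata (not a browser navigation)")
    return len(reasons) >= 2, reasons

def handle_login(credential: str, http_version: str, headers: dict,
                 peer_ip: str):
    """Decoy login handler: a DetectionEvent if the credential is planted,
    else None. Nothing is accepted; the decoy never grants a session."""
    planted = HONEYTOKEN_REGISTRY.get(credential)
    if planted is None:
        return None
    h = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    automated, reasons = score_automation(http_version, h)
    hostname, username = planted
    return DetectionEvent(hostname, username,
                          datetime.now(timezone.utc).isoformat(), peer_ip,
                          h.get("user-agent", ""), credential, automated, reasons)
```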
Because attackers steal both. Commodity infostealers harvest everything in a browser's credential stores indiscriminately: passwords and session cookies in the same pass. Session cookies are the higher value target for sophisticated attackers since they bypass authentication entirely without needing to know a password. Planting both means whichever surface the attacker hits fires a detection event. Redundancy is how you close gaps.
GET IN TOUCH
Hookset is in active development and we are selectively onboarding early partners. If you run an MSSP or are a security team dealing with infostealer exposure, reach out.