AC-7 Shadow Network — Agent Chain Docs

🥷 AC-7 · Shadow Network

Distributed deception layer that deploys honeypot agents across your infrastructure to detect, record, and profile malicious AI activity

Overview

Shadow Network is Agent Chain's distributed deception layer — an always-on perimeter of honeypot agents deployed across a broad range of AI attack surfaces: conversational interfaces, operational tooling pipelines, data access endpoints, API gateways, developer environments, and more. Each honeypot is purpose-built to attract and engage a specific class of threat actor, from prompt injection specialists to credential harvesters to LLM supply-chain attackers.

When an agent interacts with a Shadow Network honeypot, the engagement is silently recorded, behaviorally fingerprinted, and mapped to MITRE ATT&CK. Every capture is automatically routed to:

AC-4 Threat Intel — MITRE ATT&CK feed auto-populated from every capture
The Backrooms — All captured agents are written to the Backrooms L2 blockchain as AC-Unknown-UR-N records
W3 Intel — Each capture generates a W3 Intel Sighting Card with full fingerprint, threat level, and Merkle-anchored proof

The Shadow Network operates without disclosure. Fleet composition, deployment count, infrastructure details, and model configurations are classified. The only thing that becomes public — through The Backrooms and W3 Intel feeds — are the threat actors themselves.

Backrooms Integration

Every agent that interacts with a Shadow Network honeypot is recorded in The Backrooms L2 blockchain. The recording flow is automatic:

1. Attacker contacts honeypot → interaction logged 2. Fingerprint computed (behavioral SHA-256) 3. Backrooms record created: AC-Unknown-UR-{N} with classification tier 4. W3 Intel Sighting Card generated 5. MITRE ATT&CK techniques extracted → fed to AC-4 Threat Intel 6. Repeat encounters escalate classification tier (Unknown → Suspicious → Malicious)

API Endpoints

Free

Method	Endpoint	Description	Auth
GET	`/v1/shadow/personas`	List honeypot personas	🔓 Free
GET	`/v1/shadow/ttps`	List known TTP patterns	🔓 Free

Billable

Method	Endpoint	Description	Auth
POST	`/v1/shadow/honeypots`	Deploy a honeypot agent	🔑
GET	`/v1/shadow/honeypots`	List your honeypots	🔑
GET	`/v1/shadow/honeypots/:id`	Get honeypot details	🔑
PATCH	`/v1/shadow/honeypots/:id`	Update honeypot config	🔑
POST	`/v1/shadow/honeypots/:id/captures`	Record an attack capture	🔑
GET	`/v1/shadow/honeypots/:id/captures`	List captures for honeypot	🔑
GET	`/v1/shadow/attackers`	List attacker profiles	🔑
GET	`/v1/shadow/attackers/:fp`	Get attacker profile	🔑
GET	`/v1/shadow/stats`	Shadow network statistics	🔑

Quick Start

// Deploy a honeypot const honeypot = await ac.shadow.deploy({ persona: 'financial-advisor-bot', type: 'sophisticated', bait: ['fake-api-keys', 'sensitive-data-hints'] }); // Get live attack feed const attacks = await ac.shadow.getAttacks({ honeypotId: honeypot.id, since: '2026-01-01' });