When Agents Guess What Should Exist
Automated agents request paths that never existed on any observed property. The fabricated request reveals the model, not the target.
There is a well-known defensive idea: plant fake internal entries — decoy hostnames, bait files — that no human would ever request, so that an automated agent reaching for them gives itself away. It works because the trap is something a real user has no reason to touch.
This note is about something adjacent, and in a way stranger: agents that reach for things no one ever planted.
Across unrelated properties spanning very different sectors, automated agents requested the same small set of credential-style files — paths that had never existed on any of them. Nobody created these as bait. They were never linked, never referenced, never returned as redirects. They were not broken links, and they were not renamed resources. They were fabrications: paths the agent produced on its own, based on what it expected to find.
The distinction matters. A planted decoy catches an agent on the defender’s terms. A fabricated request reveals the agent on its own terms — it shows up uninvited, asking for something that exists only in its picture of the world.
The filenames were recognizable. They mirror the kind of default credential paths found in widely published cloud and developer tutorials — the sort of content that appears in countless guides, forum answers, and READMEs. They are, in other words, the kind of thing a model tends to absorb from its training corpus.
What makes this worth noting is not the probing. Credential scanning is as old as the web. It is the uniformity. The same kind of request appeared on properties with nothing in common — different sectors, different audiences, different underlying technology. The requests did not adapt to what was actually there. They followed a template that came from somewhere other than the target.
The agents presented themselves differently from one property to the next. The declared identity rotated — different operating systems, different devices. The underlying request pattern did not. The same nonexistent resources were requested regardless of how the visitor chose to identify itself.
This is consistent with requests generated from a model’s internal picture of what sites “like this” usually contain, rather than from anything observed about the target itself. The agent does not appear to act on what the site actually has. It acts on what its training suggests sites of this kind tend to have.
Seen this way, the request says little about the target and more about the sender. A fabricated request is a behavioral artifact — and unlike a declared identity, it is not something an operator can suppress with a configuration change. Cosmetic attributes — declared device, timing, network address — can be rotated freely. A request that originates from a deeper layer of how the sender was built is structural, not cosmetic.
No agent was intercepted. No model was reverse-engineered. Nothing was planted to provoke it. What was observed is what arrived on its own: requests for resources that never existed, following a pattern that recurred across unrelated properties.
Deception catches the agents you lure. The spontaneous ones give themselves away without any help. The question is not whether agents reach for things that aren’t there — that is settled. The question is what a receiver can notice from the request itself, and whether anyone is paying attention to what arrives at the door.
Empirical observation from a multi-property behavioral observation network. Receiver-side only. No sender cooperation or reverse engineering involved.
