Deception & Adversary Disruption

High-fidelity deceptive environments and telemetry that expose attacker movement early, reduce dwell time, and enable proactive disruption.

Turn attackers’ curiosity against them

Deception is one of the most effective modern defensive techniques. Rather than relying solely on preventative controls, it places attractive—but entirely controlled—targets inside your network. When an attacker probes, scans, or interacts with these deceptive assets, Cyber Defence receives high-confidence, low-noise telemetry indicating unauthorised behaviour.

Unlike normal security controls, deception is not reactive: it actively reveals adversary intent, lateral movement, credential testing, enumeration, and staging activities long before an incident becomes disruptive. Our deception platform, delivered as lightweight Docker-based devices, integrates directly with SOC365 for real-time monitoring and automated disruption options.

Capabilities

What deception achieves

Deception is designed to expose attacker behaviour early and with almost no false positives.

Early-stage attacker detection

Decoy services, credentials, and hosts reveal lateral movement and reconnaissance before attackers reach real systems.

Zero false positives

Only adversarial activity triggers deception alerts; legitimate users never touch decoys.

Staged adversary observation

SOC365 can observe attacker TTPs in deception environments without risk to production systems.

Credential & identity deception

Planted fake credentials, tokens, and API keys expose password spraying, token abuse, and credential replay.

Decoy infrastructure

Emulated servers, file shares, OT services, web endpoints, databases, and service banners lure attackers into controlled traps.

Automated disruption

With Pulsar, deception events can initiate automatic blocking, isolation, rate limiting, or honeypot escalation.

How the deception platform works

Cyber Defence deception devices are delivered as containerised Docker images suitable for deployment on internal networks, DMZs, cloud workloads, remote sites, OT segments, or isolated VLANs.

Each deception device hosts multiple honeypot modules: SSH, RDP, SMB, HTTP/S, OT/ICS protocol decoys, fake file shares, credential traps, and beaconing services. Interaction triggers are forwarded securely to SOC365 using encrypted transport, generating high-confidence incidents for analyst review.
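The credential-deception idea described under "Credential & identity deception" and the high-confidence event generation described above can be illustrated in a few lines. The following is an added example, not code from Cyber Defence or the SOC365 platform: it plants hypothetical canary accounts and an API token, runs constructed authentication log lines through a detector, and emits one alert record per decoy interaction, including the password-spraying pattern (one source trying several accounts, one of them a decoy). The log format, decoy names and threshold are assumptions.

```python
import re
from collections import defaultdict

# Hypothetical planted decoys: these identities are never used legitimately,
# so any authentication attempt that touches them is a high-confidence event.
CANARY_USERS = {"svc-backup-legacy", "dr-admin"}
CANARY_TOKENS = {"AKIACANARYEXAMPLE0001"}

# Constructed log format: "<timestamp> <source_ip> <event> user=<name> [token=<id>]"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) user=(\S+)(?: token=(\S+))?$")


def detect_decoy_use(lines, spray_threshold=3):
    """Return one alert dict per decoy interaction found in the auth log lines.

    Per-line alerts fire on any canary user or canary token. A per-source
    alert is added when one source tries at least spray_threshold distinct
    accounts and one of them is a canary: the spraying pattern that planted
    credentials are meant to expose. Lines touching only real users yield nothing.
    """
    alerts = []
    tried_users = defaultdict(set)   # source IP -> accounts it attempted
    last_seen = {}                   # source IP -> timestamp of its last line
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # tolerate unrelated or malformed lines
        ts, src, event, user, token = m.groups()
        tried_users[src].add(user)
        last_seen[src] = ts
        if token in CANARY_TOKENS:
            alerts.append({"ts": ts, "src": src, "event": event, "decoy": token,
                           "technique": "token abuse / credential replay"})
        elif user in CANARY_USERS:
            alerts.append({"ts": ts, "src": src, "event": event, "decoy": user,
                           "technique": "decoy credential use"})
    for src, users in tried_users.items():
        if len(users) >= spray_threshold and users & CANARY_USERS:
            alerts.append({"ts": last_seen[src], "src": src, "event": "summary",
                           "decoy": sorted(users & CANARY_USERS),
                           "technique": "password spraying"})
    return alerts


SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    "2024-05-01T10:00:01Z 10.0.5.20 login_ok user=alice",
    "2024-05-01T10:00:07Z 10.0.9.44 login_fail user=alice",
    "2024-05-01T10:00:08Z 10.0.9.44 login_fail user=bob",
    "2024-05-01T10:00:09Z 10.0.9.44 login_fail user=svc-backup-legacy",
    "2024-05-01T10:02:30Z 10.0.7.13 api_call user=ci-runner token=AKIACANARYEXAMPLE0001",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for alert in detect_decoy_use(SAMPLE_LOG):
        print(alert)
```

Each returned record is the kind of low-noise event a SOC would forward as an incident; the legitimate login by alice produces no alert at all.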

Because deception devices require no inbound access, they are safe to deploy in high-security environments with strict segmentation.

Use cases

Where deception is most effective

Internal lateral movement

Placing decoys near production systems exposes internal movement and privilege escalation attempts.

OT & ICS environments

Decoy PLC/RTU devices detect unauthorised probing without touching operational equipment.

Cloud workloads

Decoy APIs, fake service credentials, and cloud storage traps reveal misuse of cloud identity and API keys.

Remote sites & branches

Deploy lightweight deception nodes in remote offices and ships to detect local compromise.

High-value data enclaves

Fake file servers, shares, and credentials highlight data exfiltration attempts early.

Insider threat visibility

Decoy assets are untouched by legitimate users, making them ideal for detecting insider misuse.

Deploy deception in your environment

Deception dramatically enhances your SOC’s ability to detect adversaries early and with confidence. Cyber Defence provides deployment guidance, device images, and SOC365 integration as part of your service.

For technical deployment steps, installation and orchestration details, see the Deployment Guide.