Deception Device Deployment Guide

How to deploy Cyber Defence deception devices as Docker images across internal, cloud, and remote environments.

Deploy deception safely and effectively

Cyber Defence deception devices are designed for rapid, safe deployment with minimal configuration. Delivered as Docker images, they run on Linux hosts in any environment with outbound connectivity to SOC365.

No inbound ports need to be opened. The devices present decoy services internally while forwarding telemetry securely to SOC365 over TLS. This makes them suitable for highly segmented networks, remote locations, cloud workloads, and OT environments.

Requirements

Host OS: Any modern Linux distribution supporting Docker (Debian, Ubuntu, RHEL, Rocky, Alpine, etc.)

Compute: 1 vCPU, 1GB RAM (minimum)

Network: Outbound HTTPS to SOC365 ingestion endpoint; no inbound ports required

Storage: 2–4GB

Privileges: Docker engine with permission to run containers

Pulling the deception image

Cyber Defence provides a private container registry. Credentials are issued to each client.

To pull the image:

docker pull registry.cyber-defence.io/deception/device:latest

Basic run command

Run a deception device with a minimal configuration:

docker run -d \
--name=cd-deception-01 \
-e SENSOR_CODE="YOUR-SENSOR-ID" \
-e SIEM_ENDPOINT="https://siem.cyber-defence.io/ingest" \
-e AUTH_TOKEN="TOKEN" \
registry.cyber-defence.io/deception/device:latest

Each deployment is issued a unique Sensor Code and Auth Token that map it to your tenant and environment.
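An added deployment wrapper (example code, not Cyber Defence's own tooling) that applies the run command above with two defensive refinements: the Auth Token is read from a file and handed to Docker by name only, so it never appears in the argument list, `ps` output or shell history, and no port publishing flags are ever added, matching the no-inbound-ports design. The container name, token-file path, restart policy and the pre-flight curl check are this example's assumptions.

```shell
#!/bin/sh
# Added example, not Cyber Defence's own tooling. Wraps the run command above:
# the token comes from a file and is passed to docker by name only, so it is
# absent from the argument list, `ps` and shell history; no -p flags are ever
# added, matching the no-inbound-ports design. IMAGE, the container name,
# the token-file path and the restart policy are this example's assumptions.
IMAGE="registry.cyber-defence.io/deception/device:latest"
SIEM_ENDPOINT="${SIEM_ENDPOINT:-https://siem.cyber-defence.io/ingest}"

# validate_env SENSOR_CODE AUTH_TOKEN -> 0 if both are non-empty, 1 otherwise
validate_env() {
    [ -n "$1" ] && [ -n "$2" ] && return 0
    echo "SENSOR_CODE and AUTH_TOKEN are both required" >&2
    return 1
}

# check_outbound -> 0 if the SIEM endpoint answers over HTTPS (any HTTP status
# counts: only reachability and the TLS handshake are being tested), else 1
check_outbound() {
    code=$(curl -sS -o /dev/null -w '%{http_code}' --max-time 10 "$SIEM_ENDPOINT") || return 1
    [ "$code" != "000" ]
}

# deploy_device NAME SENSOR_CODE TOKEN_FILE
# With DRY_RUN=1 the assembled command is printed one argument per line
# instead of being executed.
deploy_device() {
    name="$1"; sensor="$2"; token_file="$3"
    token=$(cat "$token_file" 2>/dev/null) || token=""
    validate_env "$sensor" "$token" || return 1
    AUTH_TOKEN="$token"; export AUTH_TOKEN
    # `-e AUTH_TOKEN` with no value makes docker copy it from our environment
    set -- docker run -d --name="$name" --restart=unless-stopped \
        -e "SENSOR_CODE=$sensor" -e "SIEM_ENDPOINT=$SIEM_ENDPOINT" \
        -e AUTH_TOKEN "$IMAGE"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"
        return 0
    fi
    check_outbound || { echo "no outbound HTTPS to $SIEM_ENDPOINT" >&2; return 1; }
    "$@"
}
```

Run it as `deploy_device cd-deception-01 YOUR-SENSOR-ID /path/to/token-file`, or with `DRY_RUN=1` first to review the exact command before anything is started.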

Modules

Deception modules included

SSH Honeypot

Simulates SSH daemons with fake credentials and realistic banners.

SMB/Fileshare Decoys

Fake Windows-like shares containing synthetic documents that beacon on access.

HTTP/HTTPS Decoys

Fake admin portals, API endpoints, login pages, and management consoles.

Database Decoys

Simulated MySQL/PostgreSQL/Mongo interfaces with crafted responses.

OT/ICS Protocol Lures

Decoy PLC services for capturing unauthorised device enumeration.

Credential Traps

Fake passwords, API keys, tokens, and service accounts placed inside the device.

Recommended deployment locations

• Internal corporate subnets

• DMZ networks

• OT/ICS segments

• Kubernetes clusters

• Remote sites or vessels

• Specialist enclaves or restricted zones

Placement should follow attacker movement patterns, not user traffic patterns.

SOC365 integration

All activity from deception devices is forwarded securely to SOC365. Each interaction generates low-noise, high-confidence alerts enabling early detection of unauthorised presence.

Deception telemetry is also used to:

• refine detection engineering

• trigger automated Pulsar responses

• support IR investigations

• map adversary tradecraft

SOC analysts receive the full interaction transcript, metadata, and behavioural indicators for investigation.

Need help deploying deception?

Cyber Defence provides engineering support, deployment reviews, and placement strategy for deception devices.

Contact our SOC365 engineering team for assistance.