
Deception: why a tripwire is worth more than another alert

The typical day of a defender is made of one thing: alerts, and almost all of them false positives. The entire security industry is built on the idea of "finding the attacker in the noise". Deception flips the problem. Instead of looking for the needle in the haystack, it plants tripwires that only an intruder can trip. Its defining property is this: a legitimate user has no reason to touch a lure, so every single interaction is a true positive. In a world of alert fatigue, an alarm that cannot be a false positive is worth gold.

The fundamental advantage: zero false positives

Detection is probabilistic: it asks "is this behavior malicious?" and lives in permanent doubt - the more data you collect, the more false positives you generate. Deception is deterministic: it asks "did someone touch the lure?", and the answer is yes or no. It also inverts the economics of defense: detection makes the defender work harder as data grows; deception makes the attacker work harder, since they can no longer tell real from fake and every move risks tripping a wire. It is an old and solid principle: Lance Spitzner formalized it with the Honeynet Project around 2000 - any traffic to a honeypot is, by definition, suspicious.

Two opposite ways to think about defense

Detection
  • asks: "is this behavior malicious?"
  • probabilistic, lives in doubt
  • more data, more false positives
  • the attacker hides in the noise

Deception
  • asks: "did someone touch the lure?"
  • deterministic: yes or no
  • zero false positives by definition
  • the attacker cannot tell what is real

Detection looks for the signal in the noise; deception builds a signal that cannot be noise.

It is not just "a honeypot": the deception spectrum

Reducing deception to "a trap server" is a mistake. It is a spectrum. There are canary tokens (or honeytokens): fake credentials, a fake API key, a fake AWS key, a decoy document - cheap, you sprinkle them everywhere, and if someone uses one you get a clean compromise signal. Thinkst, with its Canary product and the free canarytokens.org service, made this approach mainstream. There are full honeypots: fake services (SSH, HTTP, databases) that look real and log every move - low-interaction (emulated, cheap, safe) or high-interaction (near-real systems, richer intel but more risk). There are honeynets, entire fake environments to study adversary behavior. And there are decoy accounts, files and hosts scattered through the real network as tripwires. MITRE even formalized all of it into a framework, MITRE Engage, dedicated to adversary engagement and deception.

Where it really matters: lateral movement

An Internet-facing honeypot catches mostly noise: bots and automated scanners. The real value of deception is internal. Once an attacker is in - via phishing, ClickFix, stolen credentials - they move laterally, looking for credentials and targets. It is the most dangerous moment, and exactly the one classic detection often misses. A decoy admin account, a fake "backup" share, a honeytoken inside the password manager: these traps fire precisely at the right place and moment, on the lateral-movement tactic of the MITRE ATT&CK matrix. That is how deception lowers time-to-detect: you don't wait to recognize the attacker, you make them stumble.

How it is built: what I learned with Mirage

The modern challenge of deception is believability: a poorly made honeypot is a sign that says "honeypot here", and the skilled attacker walks away. It is the problem I tackled building Mirage, my deception platform: a container-based architecture emulating vulnerable services - SSH, HTTP, databases - with a lightweight LLM generating coherent, realistic responses. Whoever enters does not find an "access denied" banner; they find a system that looks real, with file systems, users and sensible answers.

But the piece that matters is not the lure: it is what happens next. Every interaction is enriched (VirusTotal, AbuseIPDB), turned into an attacker profile, and - the crucial part - sent to the XDR (Presidio). So a single touch on a lure automatically fires a SOAR playbook: it opens a case, blocks the IP across the entire infrastructure. Deception is not a standalone curiosity; it is a very high-signal feed into the response pipeline. The value is in the integration, exactly as with an XDR.

What happens when a lure is touched

Lure interaction → Enrichment (VirusTotal · AbuseIPDB) → Attacker profile → XDR response

A single touch becomes an open case and a blocked IP, automatically.
The lure is just the trigger: the value is the correlated, automatic response that follows.
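The pipeline in the diagram, written out as an added example (not Mirage's own code): lure interactions are folded into one profile per source, enriched, and turned into the case-and-block actions a SOAR playbook would execute. The VirusTotal/AbuseIPDB lookups are replaced by a constructed local table to keep the example offline (an assumption about the real API calls), and the events, IPs and scores are constructed.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the VirusTotal / AbuseIPDB lookups (assumption:
# the real platform calls their HTTP APIs; a local table keeps this offline).
INTEL_CACHE = {
    "198.51.100.23": {"abuse_confidence": 92, "vt_malicious": 7},
    "203.0.113.8": {"abuse_confidence": 0, "vt_malicious": 0},
}

# Constructed lure interactions, as a deception sensor would emit them.
EVENTS = [
    {"ts": "2024-05-02T01:02:11Z", "src": "198.51.100.23", "service": "ssh", "cmd": "uname -a"},
    {"ts": "2024-05-02T01:02:19Z", "src": "198.51.100.23", "service": "ssh", "cmd": "cat /etc/passwd"},
    {"ts": "2024-05-02T01:05:40Z", "src": "203.0.113.8", "service": "http", "cmd": "GET /.env"},
]

@dataclass
class Profile:
    src: str
    first_seen: str
    last_seen: str
    services: set = field(default_factory=set)
    commands: list = field(default_factory=list)
    intel: dict = field(default_factory=dict)

def enrich(src: str, cache: dict = INTEL_CACHE) -> dict:
    # Unknown to the intel feeds does not mean benign: the touch itself is the signal.
    return cache.get(src, {"abuse_confidence": None, "vt_malicious": None})

def build_profiles(events, cache: dict = INTEL_CACHE) -> dict:
    """Fold every interaction into one profile per source, enriched once."""
    profiles = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["src"] not in profiles:
            profiles[e["src"]] = Profile(e["src"], e["ts"], e["ts"], intel=enrich(e["src"], cache))
        p = profiles[e["src"]]
        p.last_seen = e["ts"]
        p.services.add(e["service"])
        p.commands.append(e["cmd"])
    return profiles

def respond(profile: Profile) -> list:
    """Every touch opens a case and blocks the IP; enrichment only sets the priority."""
    known_bad = (profile.intel.get("abuse_confidence") or 0) >= 50 or (profile.intel.get("vt_malicious") or 0) > 0
    priority = "P1" if known_bad or len(profile.commands) > 1 else "P2"
    return [
        {"action": "open_case", "src": profile.src, "priority": priority,
         "services": sorted(profile.services), "commands": list(profile.commands)},
        {"action": "block_ip", "src": profile.src, "scope": "all_enforcement_points"},
    ]
```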

The honest limits

Deception is not a magic wand, and selling it as one would be dishonest. It detects, it does not prevent: it tells you someone got in, it does not stop them getting in. The lures must be believable: an obvious trap is worse than nothing, because it teaches the attacker to recognize them. High-interaction honeypots carry risk: a near-real system can become a springboard if it is not properly isolated. And above all, deception complements detection and prevention, it does not replace them. It is one more layer, not the only layer.

A guide to get started

  • Start with canary tokens: they are the highest-ROI move - free with canarytokens.org, or managed with Thinkst.
  • Plant lures inside the network, not just on the perimeter: that is where you catch lateral movement.
  • Make them believable: realistic names, plausible locations, coherent contents.
  • Wire them to response: a touched lure must trigger something - a notification, a playbook - not end up in a log nobody reads.
  • Place them where the attacker goes: "admin" shares, credential stores, backup servers.
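The internal tripwires from the lateral-movement section and the guide's advice to plant decoy accounts and shares where the attacker goes, as an added example that is not part of the original post or of Mirage: a small detector that flags any use of a decoy identity or share in forwarded logon and share-access events, with no scoring because the hit is a true positive by construction. The account names, share path and log lines are constructed.

```python
import re
from dataclasses import dataclass

# Constructed decoy inventory: lure -> where it was planted (triage context).
# Nothing legitimate uses these, so every hit is a true positive by design.
DECOY_ACCOUNTS = {
    "svc_backup_admin": "fake entry in the team password manager",
    "it-admin2": "stale-looking admin account left in the directory",
}
DECOY_SHARES = {  # keys kept lowercase for matching
    r"\\fs01\backup$": "empty 'backup' share on the file server",
}

# Constructed log lines in a simplified key=value form standing in for
# forwarded Windows logon (4624/4625) and share-access (5140) events.
SAMPLE_LOGS = [
    "ts=2024-05-02T09:14:03Z event=4624 user=j.doe src=10.0.12.5 host=WS-041",
    "ts=2024-05-02T09:16:44Z event=4625 user=svc_backup_admin src=10.0.12.77 host=DC01",
    "ts=2024-05-02T09:17:02Z event=5140 user=j.doe src=10.0.12.77 share=\\\\fs01\\backup$ host=FS01",
    "ts=2024-05-02T09:20:10Z event=4624 user=m.rossi src=10.0.14.9 host=WS-102",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

@dataclass
class Alert:
    ts: str
    src: str  # the host that touched the lure: the pivot for response
    lure: str
    planted_at: str
    tactic: str = "TA0008 Lateral Movement"  # ATT&CK tactic the lure covers

def parse_event(line: str) -> dict:
    return dict(FIELD_RE.findall(line))

def detect(lines) -> list:
    """One alert per lure interaction, no scoring and no threshold: a failed
    logon (4625) to a decoy account counts exactly like a successful one."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        user, share = ev.get("user", "").lower(), ev.get("share", "").lower()
        if user in DECOY_ACCOUNTS:
            alerts.append(Alert(ev["ts"], ev["src"], user, DECOY_ACCOUNTS[user]))
        elif share in DECOY_SHARES:
            alerts.append(Alert(ev["ts"], ev["src"], share, DECOY_SHARES[share]))
    return alerts
```

Both hits in the sample come from the same source host, which is exactly the pivot the response side wants: one host touching two lures in a minute is lateral movement, not a user mistake.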

The takeaway

Detection asks "is this malicious?" and lives with doubt. Deception asks "did someone touch the thing only an attacker would touch?" and answers with certainty. In the age of alert fatigue, the highest-signal alarm you can build is the one that cannot be a false positive. Stop looking for the needle in the haystack: set the tripwire, and wait for them to stumble.
