
7 top deception technology vendors for active defense

Once reserved for the most mature organizations, cyber deception technology is picking up steam on the ground and in practice. Here are seven platforms for CISOs to consider.

Cyber deception involves identifying adversaries by luring them into interacting with fake digital assets. It's a longstanding practice that was historically impractical for most organizations to implement. In recent years, however, a variety of products and services have emerged that make cyber deception widely accessible.

This article presents key factors to consider and features to look for when purchasing cyber deception technologies, along with a list of some of the top deception technology vendors.

How to choose a deception technology vendor

The quality of cyber deception technology -- how convincingly its decoys mimic the assets attackers are likely to target, and how well they avoid being recognized as decoys -- is critically important. So are the following factors:

  • Complexity. The effort necessary to implement the technology and maintain it over time. Decoys that never change stand out to attackers, so they must be refreshed as the real environment changes; look for platforms that automate deployment and upkeep rather than requiring your team to spend unreasonable time and effort on them. User-friendly, centralized management consoles are also important.
  • Interoperability. The technology's ability to integrate with other incident response-related technologies in your security operations center -- e.g., SIEM; security orchestration, automation and response (SOAR); endpoint detection and response (EDR); and extended detection and response (XDR).
  • Data intelligence. The technology's data collection, logging and analysis functions.
  • Scalability and versatility. The ability to mimic on-premises, cloud, infrastructure, endpoint, IT, operational technology (OT) and IoT assets across your environment, as your use cases require.

7 top deception technology vendors

Each of the cyber deception platforms that follow uses decoys that mirror or mimic an organization's legitimate assets, plus a variety of other deception techniques. Their common purpose is to identify attackers already inside an organization's environment, delay or divert them, and collect threat intelligence on their activities that the organization can use to prevent future attacks.
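The mechanism all of these platforms share is simpler than the marketing suggests: plant something that no legitimate user or process should ever touch, then treat any interaction with it as a high-fidelity alert. The following is an added example written for this article, not code from any vendor listed here. It plants a decoy (honeytoken) SSH credential, records where the lure was left, then scans constructed sshd log lines for any authentication attempt using the decoy username and emits alerts shaped for SIEM ingestion. The log lines, hostnames, IP addresses and lure path are all constructed for the example.

```python
"""Honeytoken credential deception: plant a decoy credential, detect its use.

Added example, not vendor code. The decoy account does not exist on the
servers (so every attempt fails), but the breadcrumb left in a config file
is exactly what an intruder harvests and replays during lateral movement.
"""
import json
import re
import secrets
from datetime import datetime, timezone

# Matches the sshd syslog lines we care about: accepted/failed logins and
# "Invalid user" attempts. The user and source IP are captured either way.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?:(?P<result>Accepted|Failed) (?:password|publickey) for (?:invalid user )?"
    r"|(?P<invalid>Invalid user ))(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample log lines (sshd format). 10.0.5.17 is the "attacker".
SAMPLE_AUTH_LOG = [
    "Jan 10 10:12:33 web01 sshd[2211]: Accepted password for alice from 10.0.1.5 port 51236 ssh2",
    "Jan 10 10:12:40 web01 sshd[2218]: Invalid user svc_backup from 10.0.5.17 port 51240",
    "Jan 10 10:12:41 web01 sshd[2218]: Failed password for invalid user svc_backup from 10.0.5.17 port 51240 ssh2",
    "Jan 10 10:13:02 db02 sshd[918]: Accepted publickey for deploy from 10.0.1.9 port 40022 ssh2: ED25519 SHA256:abcd",
    "Jan 10 10:13:15 db02 sshd[931]: Failed password for svc_backup from 10.0.5.17 port 40031 ssh2",
    "Jan 10 10:13:16 db02 sshd[931]: Failed password for root from 10.0.5.17 port 40031 ssh2",
]


def plant_honeytoken(registry, username, lure_location):
    """Generate a decoy password and record the decoy in the registry.

    The returned password is what you write into the lure (a config file,
    a shell history, a script). The username must be unique enough that
    no legitimate user would ever type it, or you will get false positives.
    """
    password = secrets.token_urlsafe(16)
    registry[username] = {
        "lure": lure_location,
        "planted_at": datetime.now(timezone.utc).isoformat(),
    }
    return password


def detect(registry, log_lines):
    """Return one alert dict per log line that references a planted decoy."""
    alerts = []
    for line in log_lines:
        m = SSHD_RE.match(line)
        if not m or m.group("user") not in registry:
            continue
        user = m.group("user")
        alerts.append({
            "alert": "honeytoken_credential_used",
            "severity": "high",          # no benign path leads here
            "username": user,
            "source_ip": m.group("src"),
            "host": m.group("host"),
            "timestamp": m.group("ts"),
            "outcome": m.group("result") or "Invalid",
            "lure": registry[user]["lure"],  # tells IR where the attacker has been
            "raw": line,
        })
    return alerts


def summarize_by_source(alerts):
    """Group alerts per source IP: one intruder touching several decoys/hosts."""
    summary = {}
    for a in alerts:
        s = summary.setdefault(a["source_ip"], {"hosts": set(), "decoys": set(), "attempts": 0})
        s["hosts"].add(a["host"])
        s["decoys"].add(a["username"])
        s["attempts"] += 1
    return summary


def run_demo():
    """Plant one decoy, scan the constructed log, return the alerts."""
    registry = {}
    # Constructed lure path: where the fake credential was left to be found.
    plant_honeytoken(registry, "svc_backup", "web01:/opt/backup/.env")
    return detect(registry, SAMPLE_AUTH_LOG)


if __name__ == "__main__":
    found = run_demo()
    for alert in found:
        print(json.dumps(alert))   # newline-delimited JSON, ready for a SIEM forwarder
    print({ip: s["attempts"] for ip, s in summarize_by_source(found).items()})
```

Two design points carry over to evaluating the commercial platforms. First, the alert includes the lure location, not just the username: knowing which file the attacker read tells the responder which host was already compromised, which is the "threat intelligence" value the vendors describe. Second, the decoy account is absent from the servers, so the signal is the attempt itself and the "Invalid user" line fires before any password is even checked; a platform that instead lets the login succeed into a sandboxed decoy trades that simplicity for deeper attacker observation, which is the choice the "engage and divert" products make.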

Editor's note: The author selected the following cyber deception tools, listed in alphabetical order, based on market research. She prioritized offerings that have sizable customer bases; are under active development -- i.e., not nearing end of life; have recent user reviews that are mostly positive; and have distinguishing characteristics and features.

Acalvio's ShadowPlex

Acalvio's ShadowPlex lets organizations deploy agentless decoys across IT, OT, cloud and hybrid environments. It uses AI-driven playbooks to automatically design deception strategies for each subnet, adjust to network changes and triage alerts.

ShadowPlex is available in on-premises, private cloud and public cloud deployments, with SIEM, SOAR, EDR and XDR integrations.

Commvault's Threatwise

Threatwise, part of the Commvault Cloud data resiliency and recovery product, specializes in targeting ransomware threat actors. The technology is lightweight, easy to use and scalable, according to Commvault, with users able to deploy thousands of decoys across their IT, OT and backup environments in a matter of minutes. The platform's AI offers guided recommendations for optimal placement of decoys.

CounterCraft the Platform

CounterCraft the Platform automates the design and deployment of synthetic environments that mirror organizations' real IT, OT, industrial control system and SCADA environments. CounterCraft enables users to choose between deploying template-based deception campaigns or customizing their own, with drag-and-drop functionality and single-click deployment.

The platform supports integration with a wide variety of SIEM, SOAR and messaging platforms via a fully documented RESTful API. Customers can deploy it on-premises or in the cloud.

CyberTrap's Deceptor

CyberTrap's Deceptor uses AI to continuously generate new digital twins of an organization's environment across cloud assets, servers, APIs and endpoints, each populated with synthetic logins, credentials and data. The platform dynamically adapts the layout, services and complexity of the decoy environment to manipulate attackers based on their real-time behavior.

Deceptor has native, out-of-the-box support for integration with top SIEM, SOAR and endpoint platforms, such as Splunk, Sentinel, CrowdStrike, Elastic and QRadar.

Fidelis Deception

Fidelis Deception from Fidelis Security uses machine learning to continuously and automatically map IT environments and analyze which assets -- from hardware and software to IoT devices and Active Directory accounts -- are the most likely targets for attackers. It then creates and continuously updates decoys, lures and breadcrumbs that look like those high-risk assets.

Customers can use Fidelis Deception alone or as part of the Fidelis Elevate XDR platform.

Proofpoint Shadow

Proofpoint Shadow, part of the Proofpoint Identity Threat Defense platform, has an agentless approach and more than 75 active deception techniques, including fake Word and Excel files, Microsoft Teams chats, FTP and RDP/SSH connections, emails, database connections, Windows credentials, browser histories, network sessions and scripts. The product automatically creates, manages, adapts and scales tailored deceptions with single-click deployment.

Zscaler Deception

Zscaler Deception, delivered as part of the Zscaler Zero Trust Exchange architecture, uses a variety of decoys across client environments, including deceptive GenAI chatbots, LLM APIs and AI agents. At the network level, if attackers try to move laterally and engage with decoy servers, apps or databases, the Zscaler platform terminates their access.

Zscaler Deception integrates with Zscaler Private Access for cloud-native deployments, without the need for additional hardware or VMs.

Karen Scarfone is principal consultant at Scarfone Cybersecurity in Clifton, Va. She provides cybersecurity publication consulting to organizations and was formerly a senior computer scientist for NIST.
